I have a switch, a Catalyst 3750.
cat3750#sh ver
Cisco IOS Software, C3750 Software (C3750-IPBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)
Copyright © 1986-2005 by Cisco Systems, Inc.
Compiled Tue 30-Aug-05 15:47 by yenanh
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(25r)SEC, RELEASE SOFTWARE (fc4)
cat3750 uptime is 7 weeks, 1 day, 23 hours, 41 minutes
System returned to ROM by power-on
System image file is "flash:c3750-ipbase-mz.122-25.SEB4/c3750-ipbase-mz.122-25.SEB4.bin"
cisco WS-C3750G-24T (PowerPC405) processor (revision L0) with 118784K/12280K bytes of memory.
Processor board ID CAT1005N3GH
Last reset from power-on
4 Virtual Ethernet interfaces
24 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:17:0E:52:9D:80
Motherboard assembly number : 73-9679-09
Power supply part number : 341-0048-03
Motherboard serial number : CAT10051G5F
Power supply serial number : LIT100108JP
Model revision number : L0
Motherboard revision number : A0
Model number : WS-C3750G-24T-S
System serial number : CAT1005N3GH
Top Assembly Part Number : 800-25855-01
Top Assembly Revision Number : C0
Version ID : V05
CLEI Code Number : COMR100BRA
Hardware Board Revision Number : 0x02
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 24 WS-C3750G-24T 12.2(25)SEB4 C3750-IPBASE-M
Configuration register is 0xF
cat3750#
The switch rate-limits the users' IP addresses. Port GigabitEthernet1/0/1 goes to the Internet, port GigabitEthernet1/0/2 goes to my router and on to the users' IPs. Both ports are in the default VLAN (VLAN 1).
cat3750#sh run
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cat3750
!
no logging console
!
no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
!
!
mls qos
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
class-map match-all cl.241.1
match access-group name al.241.1
class-map match-all cl.241.2
match access-group name al.241.2
class-map match-all cl.241.3
match access-group name al.241.3
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
class-map match-all cl.241.64
match access-group name al.241.64
!
!
policy-map pm-1
class cl.241.1
police 408000 51000 exceed-action drop
class cl.241.2
police 408000 51000 exceed-action drop
class cl.241.3
police 408000 51000 exceed-action drop
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
class cl.241.64
police 208000 26000 exceed-action drop
!
!
interface GigabitEthernet1/0/1
switchport mode access
service-policy input pm-1
duplex full
speed 100
!
interface GigabitEthernet1/0/2
switchport mode access
duplex full
speed 100
!
interface GigabitEthernet1/0/3
shutdown
!
interface GigabitEthernet1/0/4
shutdown
!
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
!
interface GigabitEthernet1/0/24
shutdown
!
!
interface Vlan1
no ip address
!
no ip classless
no ip http server
!
ip access-list extended al.241.1
permit ip any host xxx.yyy.241.1
ip access-list extended al.241.2
permit ip any host xxx.yyy.241.2
ip access-list extended al.241.3
permit ip any host xxx.yyy.241.3
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
ip access-list extended al.241.64
permit ip any host xxx.yyy.241.64
!
no cdp run
!
control-plane
!
!
line con 0
line vty 0 4
password 123
no login
line vty 5 15
password 123
no login
!
!
end
cat3750#
Policy-map pm-1 works, the IPs get rate-limited.
The need arose to set up more rate limits.
According to the Cisco docs, a port can have 64 policers, and the whole switch 255.
I create a VLAN (VLAN 200) and put ports GigabitEthernet1/0/3 and GigabitEthernet1/0/4 into it. Then I connect ports GigabitEthernet1/0/2 and GigabitEthernet1/0/3 with a patch cord, and connect port GigabitEthernet1/0/4 to my router. I attach policy-map pm-2 with two policers to port GigabitEthernet1/0/3. All the policy-maps work, the rate is limited on both ports. I add more classes to the new policy-map pm-2, but after a while it stops working, while pm-1 keeps working fine.
cat3750#sh run
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cat3750
!
no logging console
!
no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
!
!
mls qos
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
class-map match-all cl.241.1
match access-group name al.241.1
class-map match-all cl.241.2
match access-group name al.241.2
class-map match-all cl.241.3
match access-group name al.241.3
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
class-map match-all cl.241.64
match access-group name al.241.64
class-map match-all cl.241.65
match access-group name al.241.65
class-map match-all cl.241.66
match access-group name al.241.66
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
class-map match-all cl.241.129
match access-group name al.241.129
!
!
policy-map pm-1
class cl.241.1
police 408000 51000 exceed-action drop
class cl.241.2
police 408000 51000 exceed-action drop
class cl.241.3
police 408000 51000 exceed-action drop
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
class cl.241.64
police 208000 26000 exceed-action drop
policy-map pm2
class cl.241.65
police 208000 26000 exceed-action drop
class cl.241.66
police 208000 26000 exceed-action drop
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
class cl.241.129
police 208000 26000 exceed-action drop
!
!
interface GigabitEthernet1/0/1
switchport mode access
service-policy input pm-1
duplex full
speed 100
!
interface GigabitEthernet1/0/2
switchport mode access
duplex full
speed 100
!
interface GigabitEthernet1/0/3
switchport access vlan 200
switchport mode access
service-policy input pm-2
duplex full
speed 100
!
interface GigabitEthernet1/0/4
switchport access vlan 200
switchport mode access
duplex full
speed 100
!
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
!
interface GigabitEthernet1/0/24
shutdown
!
!
interface Vlan1
no ip address
!
no ip classless
no ip http server
!
ip access-list extended al.241.1
permit ip any host xxx.yyy.241.1
ip access-list extended al.241.2
permit ip any host xxx.yyy.241.2
ip access-list extended al.241.3
permit ip any host xxx.yyy.241.3
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
ip access-list extended al.241.64
permit ip any host xxx.yyy.241.64
ip access-list extended al.241.65
permit ip any host xxx.yyy.241.65
ip access-list extended al.241.66
permit ip any host xxx.yyy.241.66
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
ip access-list extended al.241.129
permit ip any host xxx.yyy.241.129
!
no cdp run
!
control-plane
!
!
line con 0
line vty 0 4
password 123
no login
line vty 5 15
password 123
no login
!
!
end
cat3750#
I reduce the number of classes in pm-2 - it doesn't help. I remove pm-2 from port GigabitEthernet1/0/3 altogether and create a new policy-map with a single class - now it doesn't work!! I tried the same setup on another Catalyst - same situation: at first it works, then it doesn't. I can't figure out the cause.
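An offline audit of a saved running-config like the one above, as an added example that is not part of the original post: it counts policers per attached policy-map against the 64-per-port and 255-per-switch figures the post cites, flags a `service-policy` whose name matches no `policy-map` (as with `pm2` and `pm-2` in the listing), and flags vty lines with `no login`. The sample configuration, including GigabitEthernet1/0/5, is constructed, and the helper names `audit` and `build_pmap` are hypothetical.

```python
import re

# Limits as quoted in the post (64 policers per port, 255 per switch);
# taken from the page as assumptions, not checked against platform docs.
PER_PORT_LIMIT, PER_SWITCH_LIMIT = 64, 255

def audit(config):
    """Return a list of findings for an IOS-style running-config (text)."""
    policers, attached, findings = {}, [], []
    section = name = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"(policy-map|interface|line) (.+)$", line)
        if m:
            section, name = m.groups()
            if section == "policy-map":
                policers[name] = 0
        elif line == "!" or line.startswith(("class-map ", "ip access-list ")):
            section = name = None
        elif section == "policy-map" and line.startswith("police "):
            policers[name] += 1
        elif section == "interface" and line.startswith("service-policy input "):
            attached.append((name, line.split()[-1]))
        elif section == "line" and line == "no login" and name.startswith("vty"):
            findings.append(f"line {name}: 'no login' disables password checking")
    total = 0
    for intf, pmap in attached:
        if pmap not in policers:
            findings.append(f"{intf}: service-policy {pmap} has no matching policy-map")
            continue
        total += policers[pmap]
        if policers[pmap] > PER_PORT_LIMIT:
            findings.append(f"{intf}: {policers[pmap]} policers exceeds {PER_PORT_LIMIT} per port")
    if total > PER_SWITCH_LIMIT:
        findings.append(f"switch: {total} policers exceeds {PER_SWITCH_LIMIT}")
    return findings

def build_pmap(name, first, count):
    """Build a constructed policy-map with `count` policed classes."""
    body = "".join(f"class cl.{i}\npolice 208000 26000 exceed-action drop\n"
                   for i in range(first, first + count))
    return f"policy-map {name}\n{body}"

# Constructed sample, shaped like the configuration in the post.
SAMPLE = (build_pmap("pm-1", 1, 64) + build_pmap("pm2", 65, 65) + "!\n"
          "interface GigabitEthernet1/0/1\nservice-policy input pm-1\n!\n"
          "interface GigabitEthernet1/0/3\nservice-policy input pm-2\n!\n"
          "interface GigabitEthernet1/0/5\nservice-policy input pm2\n!\n"
          "line vty 0 4\npassword 123\nno login\n!\n")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```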