I started deploying Catalyst 4948 switches as TOR devices about 3 months ago. The policing and packet-handling have been behaving quite nicely. Physical ports are mapped to SVIs and the SVIs have policers attached. The primary reason for SVIs is to allow a paired 4948 to act as an HSRP partner across a dot1q trunk for the individual interfaces.
Up until last night, everything seemed to be working fine. We moved our Checkpoint firewall from behind the core down to behind aggregation (new mantra; no customers attach at the core - everybody is a customer. We had some ad-hoc stuff attached to the core that I'm slowly pruning).

From spot-checking, all of the SVIs and physical interfaces report bits/sec and packets/sec properly, other than the new interfaces I lit up for the firewall. Only the physical port interfaces show activity on bits/packets/sec. I am, however, seeing L3 Switched counters.

The only differences I can think of are; a) firewall isn't policed, and b) Checkpoint does weird stuff with unicast-IP-on-multicast-MAC for its load-balancing and failover. I added a policer to the firewall interface, and added the magic static arp on (that Checkpoint uses) to an existing interface and the behavior didn't change. Checkpoint interface is weird, others are OK.

Any suggestions on what to look for?

Thanks,
-----

--> Working:

interface GigabitEthernet1/1
 switchport access vlan 101
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
end

#show int g1/1
GigabitEthernet1/1 is up, line protocol is up (connected)
  5 minute input rate 215000 bits/sec, 53 packets/sec
  5 minute output rate 258000 bits/sec, 47 packets/sec

interface Vlan101
 description Normal customer
 ip address x.y.34.226 255.255.255.248
 no ip redirects
 no ip proxy-arp
 standby 101 ip x.y.34.225
 standby 101 timers 5 15
 standby 101 priority 110
 standby 101 preempt
 service-policy input BW_12M
 service-policy output BW_12M
end

#show int vlan 101
Vlan101 is up, line protocol is up
  5 minute input rate 210000 bits/sec, 55 packets/sec
  5 minute output rate 236000 bits/sec, 46 packets/sec
  L3 in Switched: ucast: 487633 pkt, 188595448 bytes - mcast: 0 pkt, 0 bytes
  L3 out Switched: ucast: 439823 pkt, 245564925 bytes - mcast: 0 pkt, 0 bytes

--> Weird:

interface GigabitEthernet1/46
 description Checkpoint Firewall "A"
 switchport access vlan 146
 switchport mode access
 spanning-tree portfast
end

#show int g1/46
GigabitEthernet1/46 is up, line protocol is up (connected)
  5 minute input rate 25263000 bits/sec, 3476 packets/sec
  5 minute output rate 15737000 bits/sec, 5351 packets/sec

interface Vlan146
 description Checkpoint Firewall "A"
 ip address x.y.1.82 255.255.255.248
 no ip redirects
 no ip proxy-arp
 standby 146 ip x.y.1.81
 standby 146 timers 5 15
 standby 146 priority 110
 standby 146 preempt
end

#show int vlan 146
Vlan146 is up, line protocol is up
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L3 in Switched: ucast: 94104774 pkt, 91006951231 bytes - mcast: 0 pkt, 0 bytes
  L3 out Switched: ucast: 44127262 pkt, 16712790232 bytes - mcast: 0 pkt, 0 bytes

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/