service-policy input or output

Unanswered Question
Feb 23rd, 2007

I have a 3750 switch with 150MB internet coming into g1/0/1. I have 15 ports, g1/0/2-15, that go out to customers, and I want to put a policer on the ports to hold them at 10MB. My question is: should I do a service-policy input or output here?

I want to limit them to 10MB download. Would that be input, since it's coming IN from the internet, or is input in from the switch port?

TIA

shaun.white Fri, 02/23/2007 - 18:53

So if I apply the policy in, does that police the download speed or the upload speed of that port?

Danilo Dy Fri, 02/23/2007 - 19:12

I have a 3550-EMI with multiple user VLANs running DHCP. One VLAN is the uplink to a router connected to the internet.

mls qos, class-map, policy-map, ACL.

I use and create two policy-maps: one applied to the port connected to the router (ingress) to control download from the internet to all user VLANs, another applied to the ports connected to the access switches per user VLAN (ingress) to control upload to the internet from all user VLANs.

!
interface fastethernet0/1
description to internet router
no ip address
service-policy input DOWNLOADFROMINTERNET
duplex full
speed 100
no cdp enable
!
interface range fastethernet0/2 - 48
description to User VLAN access switches
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
service-policy input UPLOADTOINTERNET
duplex full
speed 100
no cdp enable
!

rajivrajan1 Sat, 02/24/2007 - 03:20

hi shaun,

There are a few questions before answering.

1. Which switch are you using?

2. Do you want to control on both sides, or only ingress (download from internet) traffic?

Anyway, 6500 & 7600 with PFC3 do bidirectional flow control, but with PFC2 you can control only one side.

While doing service policy, imagine that you are sitting inside the switch. When you are applying a policy to a particular port, each and every packet exiting that port is for "service-policy out", and coming from that port is "service-policy in".

You may start from here:

http://www.cisco.com/en/US/products/ps6558/products_ios_technology_home.html

HTH

shaun.white Sat, 02/24/2007 - 03:55

I'm using a 3750G with advanced IP services. The only thing I want to control is 10MB download to each port.

My real issue here is like you say above, packets coming in and out: which way is the real coming "IN"? Is that traffic from the internet coming IN that's routed out that port, or is it traffic coming in from the host to the port?

rajivrajan1 Sat, 02/24/2007 - 04:46

hi shaun,

3750 will do traffic policing.

You can follow these links for details.

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00805a6504.html

http://www.cisco.com/en/US/netsol/ns577/networking_solutions_white_paper09186a00801eb831.shtml

And your second question:

You are going to apply the policy to a port or interface, not to the whole switch. Moreover, you will be doing that for the customer ports and not for the internet port.

So an outgoing packet through the customer's port is the customer's download, and an incoming packet on the customer's port is the customer's upload (remember, you are sitting inside the switch).

You can apply an outbound policy to your customer ports or to the customer VLAN interfaces (I'm still in a dilemma whether it will work with VLAN interfaces in 3750).

So the outgoing packets through those ports will get limited and your customers' download speed is controlled.

I hope it will work.

shaun.white Sat, 02/24/2007 - 04:58

Here is what I have. Will this work to rate-limit customer downloads to 10MB?

policy-map INTERNET
class class-default
police 10000000 10000 exceed-action drop
!
interface GigabitEthernet1/0/2
description GigE to XXXXXX
no switchport
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
service-policy output INTERNET

bvsnarayana03 Mon, 02/26/2007 - 01:15

Apply "service-policy output xxxx" to the interface connecting to the internet.

shaun.white Mon, 02/26/2007 - 09:31

The Catalyst 3750 doesn't support service-policy output on its interfaces, at least that's the error I'm getting.

Anyone have an idea as to what the best/easiest way to permit 10MB download to each port would be? (g1/0/1 is my internet pipe and g1/0/2-15 are L3 routed ports to the customers' border routers.)

Danilo Dy Mon, 02/26/2007 - 09:40

Take a look at my response above one more time and try to visualize it in your environment. You don't need "service-policy output" on all the ports (g1/0/2-15) for download; you need "service-policy input" on g1/0/1.

shaun.white Mon, 02/26/2007 - 09:52

Won't that just rate-limit 10MB download from the internet, period, not 10MB to all ports?

This is what I have:

policy-map INTERNET
class class-default
police 10000000 10000 exceed-action drop

Danilo Dy Mon, 02/26/2007 - 10:01

For example:

Customer1 Network = 192.168.1.0/24
Customer2 Network = 192.168.2.0/24
...
Customer14 Network = 192.168.14.0/24
!
mls qos
mls qos aggregate-policer DL_10.0M 10000000 64000 exceed-action drop
!
class-map match-all Customer1
match access-group 2101
class-map match-all Customer2
match access-group 2102
...
class-map match-all Customer14
match access-group 2114
!
policy-map DOWNLOAD
class Customer1
police aggregate DL_10.0M
class Customer2
police aggregate DL_10.0M
...
class Customer14
police aggregate DL_10.0M
!
interface gigabitethernet1/0/1
service-policy input DOWNLOAD
!
access-list 2101 remark Customer1
access-list 2101 permit ip 192.168.1.0 0.0.0.255 any
access-list 2102 remark Customer2
access-list 2102 permit ip 192.168.2.0 0.0.0.255 any
...
access-list 2114 remark Customer14
access-list 2114 permit ip 192.168.14.0 0.0.0.255 any

shaun.white Mon, 02/26/2007 - 11:47

Couldn't I do this:

policy-map DOWNLOAD
class Customer1
police 10000000 64000 exceed-action drop
class Customer2
police 10000000 64000 exceed-action drop

What's the advantage of the aggregate policer?

And should the ACL be the other way around:

access-list 2101 permit ip any 192.168.2.0 0.0.0.255, since the traffic is coming in from the internet towards the destination of the customer?

Danilo Dy Mon, 02/26/2007 - 18:08

Oh yes, the ACL is the other way round. I was copying my config for upload :)

Revised example:

Customer1 Network = 192.168.1.0/24
Customer2 Network = 192.168.2.0/24
...
Customer14 Network = 192.168.14.0/24
!
mls qos
mls qos aggregate-policer DL_10.0M 10000000 64000 exceed-action drop
!
class-map match-all Customer1
match access-group 2101
class-map match-all Customer2
match access-group 2102
...
class-map match-all Customer14
match access-group 2114
!
policy-map DOWNLOAD
class Customer1
police aggregate DL_10.0M
class Customer2
police aggregate DL_10.0M
...
class Customer14
police aggregate DL_10.0M
!
interface gigabitethernet1/0/1
service-policy input DOWNLOAD
!
access-list 2101 remark Customer1
access-list 2101 permit ip any 192.168.1.0 0.0.0.255
access-list 2102 remark Customer2
access-list 2102 permit ip any 192.168.2.0 0.0.0.255
...
access-list 2114 remark Customer14
access-list 2114 permit ip any 192.168.14.0 0.0.0.255

NOTE: All subnets/networks should be in the policy.
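
The policing behaviour discussed in this thread, as an added Python simulation that is not from the thread or from Cisco: it models the destination-matched class-maps of the revised config above, with either one shared aggregate bucket (every class referencing the same `mls qos aggregate-policer` shares its 10 Mb/s) or a separate per-class `police` bucket, so the difference shaun asks about becomes visible, and it also shows why a source-matched ACL would not catch download traffic entering g1/0/1. The addresses, packet sizes and timing are constructed test data.

```python
import ipaddress

class Policer:
    """Single-rate policer as in 'police <bps> <burst-bytes> exceed-action drop'.
    Time is in whole milliseconds so the token arithmetic is exact."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps // 8000          # bytes refilled per millisecond
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last_ms = 0

    def conform(self, size, now_ms):
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                          # exceed-action drop

def build_policy(customers, aggregate):
    """customers: {class name: subnet}. aggregate=True models every class
    referencing the one 'mls qos aggregate-policer DL_10.0M' bucket;
    aggregate=False models a separate 'police 10000000 64000' per class."""
    shared = Policer(10_000_000, 64000)
    policy = {}
    for name, net in customers.items():
        pol = shared if aggregate else Policer(10_000_000, 64000)
        policy[name] = (ipaddress.ip_network(net), pol)
    return policy

def run(policy, packets):
    """packets: (time_ms, src, dst, size) entering g1/0/1 from the internet.
    Each class matches 'permit ip any <customer net>', i.e. on the destination.
    Returns forwarded bytes per class; unmatched traffic is class-default."""
    forwarded = {name: 0 for name in policy}
    forwarded["class-default"] = 0
    for t, src, dst, size in packets:
        for name, (net, pol) in policy.items():
            if ipaddress.ip_address(dst) in net:
                if pol.conform(size, t):
                    forwarded[name] += size
                break
        else:
            forwarded["class-default"] += size   # not matched, not policed
    return forwarded

def download_burst(ms_count=2000, size=1500):
    """Constructed traffic: one 1500-byte packet per ms to each of two
    customers, i.e. 12 Mb/s offered to each customer for two seconds."""
    return [(t, "203.0.113.5", dst, size) for t in range(ms_count)
            for dst in ("192.168.1.10", "192.168.2.10")]
```

With per-class policers each customer receives about 10 Mb/s plus the 64000-byte burst; with the shared aggregate policer the two customers together receive that amount, and whichever class is served first starves the other.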

shaun.white Mon, 02/26/2007 - 17:16

So I tried this in my lab. I did the following:

mls qos
mls qos aggregate-policer DL_10.0M 10000000 64000 exceed-action drop
!
class-map match-all Customer1
match access-group 2101
!
access-list 2101 remark Customer1
access-list 2101 permit ip any 192.168.13.0 0.0.0.255
!
policy-map DOWNLOAD
class Customer1
police aggregate DL_10.0M
!
int f0/23
service-policy input DOWNLOAD

Then I tried to do a Windows file transfer from a file server on a different subnet to simulate a large download. I was trying to download a 60MB ISO. The Windows transfer wouldn't even start, it just hung. I de-applied the policy and it worked.

Anyone have any ideas here? TIA

Danilo Dy Mon, 02/26/2007 - 18:01

You put 192.168.13.0/24 in the policy and you test another subnet to download? Do you have other policies in the switch? Please remove them for the test.

Take note that 192.168.13.0/24 should be on a switch port other than f0/23. The other subnet should be on f0/23. For this test, you should not have any other QoS policy, and you should have only two networks: 192.168.13.0/24 and the other network, which is connected to fa0/23 where you put the "service-policy input DOWNLOAD".

shaun.white Mon, 02/26/2007 - 19:09

There are no QoS policies on my box other than what I have posted. f0/23 is a trunk from my dist switch to my core; the 192.168.13.0 subnet is on the dist switch, and the 192.168.1.0 subnet (the "other" subnet) is on the core switch.
