
service-policy input or output

shaun.white
Level 1

I have a 3750 switch, with 150MB internet coming into g1/0/1. I have 15 ports, g1/0/2-15, that go out to customers, and I want to put a policer on the ports to hold them at 10MB. My question is: should I do a service-policy input or output here?

I want to limit them to 10MB download. Would that be input since it's coming IN from the internet, or is input in from the switch port?

TIA

18 Replies

Danilo Dy
VIP Alumni

I think switches can only perform ingress QoS.

So if I apply the policy in, does that police the download speed or upload speed of that port?

I have a 3550-EMI with multiple User VLANs running DHCP. One VLAN is the uplink to a router connected to the internet.

mls qos, class-map, policy-map, ACL.

I create and use two policy-maps: one applied to the port connected to the router (ingress) to control download from the internet to all User VLANs, another to the ports connected to access switches per User VLAN (ingress) to control upload to the internet from all User VLANs.

!
interface fastethernet0/1
 description to internet router
 no ip address
 service-policy input DONWLOADFROMINTERNET
 duplex full
 speed 100
 no cdp enable
!
interface range fastethernet0/2 - 48
 description to User VLAN access switches
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 service-policy input UPLOADTOINTERNET
 duplex full
 speed 100
 no cdp enable
!

rajivrajan1
Level 3

Hi Shaun,

There are a few questions before answering.

1. Which switch are you using?

2. Do you want to control both sides or only ingress (download from internet) traffic?

Anyway, 6500 & 7600 with PFC3 do bidirectional flow control, but with PFC2 you can control only one side.

While doing a service policy, imagine that you are sitting inside the switch. When you are applying a policy to a particular port, each and every packet exiting that port is for "service policy -out" and coming from that port is "service policy - in".

you may start from here

http://www.cisco.com/en/US/products/ps6558/products_ios_technology_home.html

HTH

I'm using a 3750G with advanced IP services. The only thing I want to control is 10MB download to each port.

My real issue here is, like you say above, packets coming in and out: which way is the real coming "IN"? Is that traffic from the internet coming IN that's routed out that port, or is it traffic coming in from the host to the port?

Hi Shaun,

The 3750 will do traffic policing.

You can follow these links for details.

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00805a6504.html

http://www.cisco.com/en/US/netsol/ns577/networking_solutions_white_paper09186a00801eb831.shtml

And your second question.

You are going to apply the policy to a port or interface, not to the whole switch. Moreover, you will be doing that for customer ports and not for the internet port.

So an outgoing packet through a customer's port is the customer's download, and incoming on a customer port is the customer's upload (remember, you are sitting inside the switch).

You can apply an outbound policy to your customer ports or to customer VLAN interfaces (I'm still in a dilemma whether it will work with VLAN interfaces on the 3750).

So the outgoing packets through those ports will get limited and your customers' downloading speed is controlled.

I hope it will work.

Here is what I have. Will this work to rate-limit customer downloads to 10MB?

policy-map INTERNET
 class class-default
  police 10000000 10000 exceed-action drop

interface GigabitEthernet1/0/2
 description GigE to XXXXXX
 no switchport
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 service-policy output INTERNET

Yeah, it should work.

Apply "service-policy output xxxx" to the interface connecting to internet.

The Catalyst 3750 doesn't support service-policy output on its interfaces. At least that's the error I'm getting.

Anyone have an idea as to what the best/easiest way to permit 10MB download to each port would be? (g1/0/1 is my internet pipe and g1/0/2-15 are L3 routed ports to the customers' border router)

Take a look at my response above one more time and try to visualize it in your environment. You don't need "service-policy output" in all ports (g1/0/2-15) for download, you need "service-policy input" in g1/0/1.

Won't that just rate-limit 10MB download from the internet, period, not 10MB to all ports?

This is what I have:

policy-map INTERNET
 class class-default
  police 10000000 10000 exceed-action drop

For example:

Customer1 Network = 192.168.1.0/24
Customer2 Network = 192.168.2.0/24
.
.
.
Customer14 Network = 192.168.14.0/24

!
mls qos
mls qos aggregate-policer DL_10.0M 10000000 64000 exceed-action drop
!
class-map match-all Customer1
 match access-group 2101
class-map match-all Customer2
 match access-group 2102
.
.
.
class-map match-all Customer14
 match access-group 2114
!
policy-map DOWNLOAD
 class Customer1
  police aggregate DL_10.0M
 class Customer2
  police aggregate DL_10.0M
.
.
.
 class Customer14
  police aggregate DL_10.0M
!
interface gigabitethernet1/0/1
 service-policy input DOWNLOAD
!
access-list 2101 remark Customer1
access-list 2101 permit ip 192.168.1.0 0.0.0.255 any
access-list 2102 remark Customer2
access-list 2102 permit ip 192.168.2.0 0.0.0.255 any
.
.
.
access-list 2114 remark Customer14
access-list 2114 permit ip 192.168.14.0 0.0.0.255 any

Couldn't I do this:

policy-map DOWNLOAD
 class Customer1
  police 10000000 64000 exceed-action drop
 class Customer2
  police 10000000 64000 exceed-action drop

What's the advantage of the aggregate policer?

And should the ACL be the other way around:

access-list 2101 permit ip any 192.168.2.0 0.0.0.255

since the traffic is coming in from the internet towards the destination of the customer?
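
Added example, not part of the thread and not Cisco code: a token-bucket model of `police <rate-bps> <burst-bytes> exceed-action drop`, comparing one aggregate policer referenced by every class with a separate policer per class. It assumes the documented Catalyst 3750 behaviour that an aggregate policer is shared by the classes that reference it within one policy map; the traffic pattern (14 customers each offering 20 Mb/s of 1500-byte packets) is constructed.

```python
# Added example: token-bucket model of "police <rate-bps> <burst-bytes> exceed-action drop".
# Traffic pattern and customer names are constructed for illustration.

class Policer:
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0          # token refill in bytes per second
        self.burst = burst_bytes            # bucket depth in bytes
        self.tokens = float(burst_bytes)    # bucket starts full
        self.last = 0.0

    def conform(self, now, size):
        """Refill for elapsed time, then pass the packet only if tokens cover it."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                        # exceed-action drop

def delivered_mbps(policer_for, offered_bps=20_000_000, seconds=2.0, pkt=1500):
    """Every customer offers offered_bps of pkt-byte packets; return Mb/s passed per customer."""
    interval = pkt * 8 / offered_bps        # spacing between one customer's packets
    passed = {c: 0 for c in policer_for}
    for i in range(int(seconds / interval)):
        for c, policer in policer_for.items():
            if policer.conform(i * interval, pkt):
                passed[c] += pkt
    return {c: b * 8 / seconds / 1e6 for c, b in passed.items()}

CUSTOMERS = [f"Customer{n}" for n in range(1, 15)]

def aggregate_case():
    shared = Policer(10_000_000, 64000)     # one bucket referenced by all 14 classes
    return delivered_mbps({c: shared for c in CUSTOMERS})

def per_class_case():
    # one independent bucket per class, as with "police 10000000 64000" in each class
    return delivered_mbps({c: Policer(10_000_000, 64000) for c in CUSTOMERS})

if __name__ == "__main__":
    agg, per = aggregate_case(), per_class_case()
    print(f"aggregate policer: {sum(agg.values()):.1f} Mb/s total for all customers")
    print(f"per-class policer: {min(per.values()):.1f} Mb/s for each customer")
```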
