Catalyst 4500 IOS Police question

highontcp · ‎04-13-2007

Using police (because rate-limit doesn't work on a vlan) to control traffic in and out of a VLAN, but it isn't working. I want to limit traffic to 256k/386 Burst, but when I do a speed test I am getting FAR more than that.

here is my config:

class-map match-all GuestVLAN3-256k

match any

policy-map GuestVLAN3-256k

class GuestVLAN3-256k

police 256000 bps 3840 byte conform-action transmit exceed-action drop

interface Vlan3

description GuestVLAN (Internet Only at 256k)

ip address 10.146.3.1 255.255.255.0

ip access-group GuestVLAN3 in

ip helper-address x.x.x.x

no ip redirects

service-policy input GuestVLAN3-256k

service-policy output GuestVLAN3-256k

what am I doing wrong?

thanks,

Erik

b.henshaw · ‎04-14-2007

If you have service policies attached to the physical interface receiving or sending packets for VLAN 3, you'll need to enable VLAN-based QoS on these physical interfaces.

Otherwise, instead of using the GuestVLAN3-256k class with match any, maybe you could refer to class-default in your policy-map instead:

policy-map GuestVLAN3-256k

class class-default

police 256000 bps 3840 byte conform-action transmit exceed-action drop

HTH

highontcp · ‎04-17-2007

That didn't help either, still able to pass our full internet bandwidth across this vlan.

the reason I am using Police rather than rate-limit is because it isn't a physical interface, it is a vlan that I want to control traffic on.

Anyone else have any ideas?

Erik