Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
657
Views
0
Helpful
4
Replies

How to police outbound dot1q-tunnel interface

armin.kask
Level 1
Level 1

‎03-06-2008 08:27 AM - edited ‎03-05-2019 09:35 PM

Hello,

We are using Cat 3550.

We have tried to use the following config.

mac access-list extended MAClist

permit any any

class-map match-any MAC

match access-group name MAClist

policy-map 5Megatunnel

class MAC

police 5000000 32000 exceed-action drop

This only can be applied on inbound direction of a port.

We also tried:

policy-map 5Megatunnel

class class-default

police 5000000 32000 exceed-action

This had no effect at all.

Is there a way to shape outbound direction with switchport mode dot1q-tunnel configured on the port ?

Thanks in advance,

Armin

Labels:
0 Helpful
4 Replies 4

aghaznavi
Level 5
Level 5

‎03-13-2008 07:12 AM

QoS policing in the Catalyst 3550 complies with this leaky bucket concept:

The number of tokens proportional to the incoming traffic packet sizes are placed into a token bucket; the number of tokens equals the size of the packet. At a regular interval, a defined number of tokens derived from the configured rate is removed from the bucket. If there is no place in the bucket to accommodate an incoming packet, the packet is considered out-of-profile and is dropped or marked down according to the configured policing action

0 Helpful

armin.kask
Level 1
Level 1
In response to aghaznavi

‎03-13-2008 07:29 AM

The problem is that when class-map matches against mac access-list the service-policy can be applied only on inbound direction.

When class-map matches class-default or "everything" the policer has no effect at all. My question is that is it possible to police dot1q-tunnel traffic on a outbound direction of port.

0 Helpful

jwilde
Level 1
Level 1
In response to armin.kask

‎03-13-2008 12:52 PM

You may have to police on the ingress port of the links coming into the switch. Another way of doing it on the 3400 (not sure if this is supported on 3560) is to use qos-group. You would set up a service-policy and match say a vlan and put it into the qos group. Then you can police on inbound. Note, this needs to be a child policy. I think cisco is missing the boat on this as many other vendors can do what your asking.

0 Helpful

jwilde
Level 1
Level 1
In response to jwilde

‎03-13-2008 01:02 PM

I said that wrong. You would mark the packets on the inbound of the inbound(upstream) ports and police on the outbound of the port your referring to. The policy would

interface GigabitEthernet0/2

service-policy output FLIP_OUT

policy-map FLIP_OUT

class QOS1

police cir 2000000

conform-action transmit

exceed-action drop

priority

class-map match-all QOS1

match qos-group 1

and on incoming ports:

interface GigabitEthernet0/4

description coming into your switch from the outside world

service-policy input DOWN

policy-map DOWN

class DLL

service-policy QOS_1

class-map match-all DLL

match vlan 13

policy-map QOS_1

class class-default

set qos-group 1

all their switches are different, but that is a way you can police.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card