
3750 Rate Limiting Not Working

caplinktech
Level 1

Have a network laid out like this:

3750
  | (Trunk)
Dell Powerconnect
  | (Access)
Server

The Powerconnect switch has 18 VLANs on it. The server in question is connected to a switchport on the Powerconnect set up as an access port with VLAN assignment. The uplink from the Powerconnect to the 3750 is a trunk. My goal is to rate limit the bandwidth coming from the server going out to the internet (connected to a L3 port on the 3750). From my reading, a service policy should have been able to handle this (I also read that it didn't work on egress interfaces). As such, I set up an ACL:

ip access-list extended Rate_Limiter_ACL
 permit ip host x.x.x.22 any

Set up a class map:

class-map match-all Rate_Limiter_Map
 match access-group Rate_Limiter_ACL

Created policy map to rate-limit (Police):

policy-map Rate_Limited_Policy
 class Rate_Limiter_Map
  police 2400000 65536 exceed-action drop

Applied service-policy to the TRUNK interface connecting to the Powerconnect, as the outbound traffic from the server should be ingress to the trunk interface on the 3750.

interface GigabitEthernet1/0/20
 service-policy input Rate_Limiter_Map

Problem is, the rate is not limited and oftentimes spikes to 7+ Mbps.

Am I misunderstanding the way policing works? Is something configured wrong?

I tried switching the access-list's source and destination and that did not help either.

sho policy-map int g1/0/20 shows the policy and class applied to the interface but nothing is getting matched, not even in the "class-default". Does a class-default have to be configured even if it is for all other traffic for the policy map to work?

Any help is appreciated.

1 Accepted Solution


vman1976nj
Level 1

Do you have QoS enabled with the

mls qos

statement? Your config looks correct and similar to one I've used.


9 Replies

Edison Ortiz
Hall of Fame

policy-map Rate_Limited_Policy
 class Rate_Limiter_Map
  police 2400000 65536 exceed-action drop

....

Problem is, the rate is not limited and oftentimes spikes to 7+ Mbps.

Your policed policy is set to 2.4Gbps which you aren't violating at 7Mbps, unless I'm missing something...

__

Edison.

Cisco IOS "help" indicates the speed should be in bps, not kbps, so the speed set should be 2.4 Mbps, unless you are trying to indicate that the "help" is incorrect. However, a quick search for some examples all show the speed set in bps as well, so I don't think that is the issue.

See below:

myhost(config-pmap-c)#polic ?
  <8000-1000000000>  Bits per second
  aggregate          Choose aggregate policer for current class

My mistake, you are correct.

Can you provide the output from typing

show policy-map interface

__

Edison.

vman1976nj
Level 1

Do you have QoS enabled with the

mls qos

statement? Your config looks correct and similar to one I've used.

Well I thought that might have been it because I did forget to enable it.

However, sho policy-map int is still showing all zeroes. At the same time, traffic hasn't spiked on the interface in question, but it has only been 10 minutes of monitoring. I will update the thread in an hour or so after reviewing the traffic.

I still have my doubts however, as like I said the service-policy is not catching any packets and I thought the class-default should catch everything not part of the access-list.

You are using a wrong policy map on the interface.

Check this:

interface GigabitEthernet1/0/20
 service-policy input Rate_Limiter_Map <---- This is the class-map that you have defined.

Policy map that you have defined is -----> policy-map Rate_Limited_Policy
 class Rate_Limiter_Map

The config should be:

interface GigabitEthernet1/0/20
 service-policy input Rate_Limited_Policy

HTH, Please rate if it does.

-amit singh

Hi Amit,

Nice catch, however, all the names correctly match in the actual config. I simply made an error when copying over names for the post.

I think forgetting to enable QoS was the issue, as it appears to be properly rate-limiting now. I would still be curious about any insight as to why, despite it correctly limiting, "sho policy-map int" is not showing any stats.

This is a known (and well documented) 'feature' of the standalone Catalysts (2960, 3560 & 3750) whereby none of the policy counters work. The best you are going to get is 'show mls qos interface statistics' - there is an 'in policy' and 'out policy' counter per interface.

It is very annoying not having this command though...

Andy

Nice feature, did I have to pay extra for that or was it standard equipment :-)?
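
The three points raised in this thread (global mls qos missing, a service-policy that names a class-map instead of a policy-map, and the police rate being in bits per second) can be checked against a saved configuration. The following is an added example, not code from the thread or from Cisco; the function name lint_policing and the 192.0.2.22 host address are assumptions.

```python
import re

# Constructed sample: the configuration as posted in the thread, with the
# masked host replaced by a documentation address (192.0.2.22 is an assumption).
SAMPLE_CONFIG = """\
ip access-list extended Rate_Limiter_ACL
 permit ip host 192.0.2.22 any
class-map match-all Rate_Limiter_Map
 match access-group Rate_Limiter_ACL
policy-map Rate_Limited_Policy
 class Rate_Limiter_Map
  police 2400000 65536 exceed-action drop
interface GigabitEthernet1/0/20
 service-policy input Rate_Limiter_Map
"""

def lint_policing(config):
    """Return findings for the three pitfalls discussed in the thread."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # 1. Policing has no effect until QoS is enabled globally with "mls qos".
    if "mls qos" not in lines:
        findings.append("mls qos is not enabled globally")
    class_maps = {m.group(1) for ln in lines
                  if (m := re.match(r"class-map(?: match-(?:all|any))? (\S+)$", ln))}
    policy_maps = {m.group(1) for ln in lines
                   if (m := re.match(r"policy-map (\S+)$", ln))}
    # 2. service-policy must reference a policy-map name, not a class-map name.
    for ln in lines:
        m = re.match(r"service-policy (?:input|output) (\S+)$", ln)
        if m and m.group(1) not in policy_maps:
            kind = "a class-map" if m.group(1) in class_maps else "undefined"
            findings.append(f"service-policy references {m.group(1)}, which is {kind}")
    # 3. The police rate is given in bits per second; report it in Mbps.
    for ln in lines:
        m = re.match(r"police (\d+) ", ln)
        if m:
            findings.append(f"police rate {int(m.group(1)) / 1e6:g} Mbps")
    return findings

if __name__ == "__main__":
    for finding in lint_policing(SAMPLE_CONFIG):
        print(finding)
```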
