class-map not matching

tgregorics
Level 1

Hi,

I have an 876 router configured with 2 VLANs. Fe0-Fe2 are in VLAN1 and Fe3 is configured as a trunk port. There is a wifi AP connected to Fe3; the AP is configured with 2 separate SSIDs, one a member of VLAN1, the other of VLAN10.

Everything works perfectly (the 2 VLANs, 2 different subnets with DHCP, NAT), but I cannot match the VLAN traffic with a class-map.

What I want to do is limit VLAN1 traffic to 500kbit/40kbit up/downstream.

This is the config I used, but obviously something is wrong with it, because I get 0 packets matched.

class-map match-all limited-vlan
 match vlan 1
!
!
policy-map limited-vlan-out
 class limited-vlan
  police 40000 conform-action transmit exceed-action drop
policy-map limited-vlan-in
 class limited-vlan
  police 500000 conform-action transmit exceed-action drop

interface Dialer0
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username *removed* password 7 *removed*
 service-policy input limited-vlan-in
 service-policy output limited-vlan-out

penthecisco#show policy-map interface dialer 0
 Dialer0

  Service-policy input: limited-vlan-in

    Class-map: limited-vlan (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: vlan 1
      police:
          cir 500000 bps, bc 15625 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

  Service-policy output: limited-vlan-out

    Class-map: limited-vlan (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: vlan 1
      police:
          cir 40000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      2100 packets, 270030 bytes
      5 minute offered rate 3000 bps, drop rate 0 bps
      Match: any

penthecisco#show policy-map interface virtual-access 2
 Virtual-Access2

  Service-policy input: limited-vlan-in

    Class-map: limited-vlan (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: vlan 1
      police:
          cir 500000 bps, bc 15625 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      3346 packets, 1451559 bytes
      5 minute offered rate 23000 bps, drop rate 0 bps
      Match: any

  Service-policy output: limited-vlan-out

    Class-map: limited-vlan (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: vlan 1
      police:
          cir 40000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      59 packets, 2128 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any


foxbatreco
Level 3

Pls narrow down the match criteria from vlan1 to access-group involving the IP subnets defined for vlan1 in the class-map.

Create an ACL to identify the traffic for vlan1 and refer to it in the class-map.

Pls rate if this helps!!!

I tried the same thing with ACLs, didn't work. However, if I used for example match protocol http, it did hit the class, but that's not what I want.

Also, what is the point of narrowing down the criteria if I want to match based on VLAN ID? Only one match rule, can't be narrower than that.
