Limit bandwidth on different vlans on 3560

Unanswered Question
Collin Clark Tue, 09/02/2008 - 07:12

You can't perform VLAN-based QoS on a 3560. AFAIK it's only supported on the 3550, 4500, and 6500s.

Hope that helps.

Can you please double check this. As I can see in the standard QoS guidelines on the 3560, it says something like:

1. You can configure QoS on physical ports and SVIs. If VLAN-based QoS is configured on a physical port then the switch removes all the port-based policy maps on the port. Even on an SVI we do have the flexibility of non-hierarchical and hierarchical policy maps.

I am not very sure what that means?

So the 3550 is not on sale and the equivalent is the 3560. So won't the 3560 do that? Very strange!!!!



simontibbitts Wed, 09/03/2008 - 03:38

Hi Sushil.

It would be nice to know what your config is. It sounds like you are limiting all the traffic on the switch to pass it out across an E1? In that case the easiest way is to just police the traffic on the port/interface that is leaving the switch to the E1?

The 3560 doesn't make it easy to do true VLAN policing/shaping. You can use an Aggregate policer but this is not allowed on SVIs or to be configured on separate interfaces.

The problem is you can limit an individual port's VLAN to 200K, but if there are 5 ports on that VLAN then that's a possible 1MB of total traffic.

If you are just trying to police traffic exiting the switch then just configure MQC QoS with a different class for each of the VLANs' subnets.

If you are routing on the switch with SVIs then you can try using an individual policer on the SVI. This will not limit the traffic within the VLAN but will limit it being routed out. An example of this configuration is below; it's only possible in 12.2(25)SE or later. My example configures single-rate, two-color policing to 200K on VLAN 100:

policy-map POLICE_200K
 class class-default
  police 200000
   conform-action transmit
   exceed-action drop

interface vlan100
 service-policy input POLICE_200K

- Simon

Hi Simon,

The configuration is something like this.

Broadly, a 24-port switch and 10 VLANs, vlan2..vlan10.

A set of 5-6 users connects to these VLANs on, say, port 2 on this switch randomly/concurrently. This is something where vlan2 is attached to port 2 on the 3560 and a cable goes to a small 8-port switch serving 5-6 users. That goes for all the interfaces: each VLAN is assigned to one port only and serves 3-6 users connected through small switches.

What scenario would you recommend in this case?



simontibbitts Wed, 09/03/2008 - 08:37

Hi Sushil.

Ok, so if you have just one VLAN per port then you can just police each port.

The configuration below will limit port 2 and all its traffic (for all the 5-6 users) to 200K

mls qos

policy-map POLICE_200K
 class class-default
  police 200000
   conform-action transmit
   exceed-action drop

interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2
 service-policy input ALL_VLAN2

You can create as many of the policy maps as you like. Or you can reuse the same policy map if you want to limit another port to 200K.

Each port will be limited, so even if your E1 connection is underutilized, this port will still only be able to send at 200K.

Hope that's what you are after.
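To make concrete what "police 200000 / conform-action transmit / exceed-action drop" does to the traffic of the 5-6 users behind port 2, here is an added Python simulation of a single-rate, two-color policer (a token bucket), written for this thread rather than taken from it or from Cisco. The 3560's police command also takes a burst size in bytes, which the configs in this thread leave out; the burst values (8000 and 64000 bytes), the 1500-byte frames and the 1 Mbit/s offered load below are constructed assumptions so the effect of the burst is visible.

```python
"""Single-rate, two-color policer (token bucket) simulation. Added example, not thread code."""
from dataclasses import dataclass, field


@dataclass
class Policer:
    """Models 'police <rate> conform-action transmit exceed-action drop'.

    cir_bps:  committed rate in bits/s (200000 in the thread's config)
    bc_bytes: bucket depth in bytes (assumed; the switch takes it as burst-byte)
    A frame conforms (transmit) when the bucket holds at least its size in
    tokens; otherwise it exceeds (drop). Tokens refill continuously at the CIR.
    """
    cir_bps: int
    bc_bytes: int
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)
    conformed: int = 0
    exceeded: int = 0
    conformed_bytes: int = 0
    exceeded_bytes: int = 0

    def __post_init__(self) -> None:
        self.tokens = float(self.bc_bytes)  # bucket starts full

    def offer(self, t: float, size: int) -> str:
        """Offer one frame of `size` bytes at time `t` (seconds); return the action."""
        # Refill at CIR (bits/s -> bytes/s) for the elapsed time, capped at the bucket depth.
        self.tokens = min(self.bc_bytes, self.tokens + (t - self.last_t) * self.cir_bps / 8.0)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            self.conformed += 1
            self.conformed_bytes += size
            return "transmit"
        self.exceeded += 1
        self.exceeded_bytes += size
        return "drop"


def simulate(cir_bps: int, bc_bytes: int, frame_bytes: int, interval_s: float, n_frames: int) -> dict:
    """Push n_frames frames of frame_bytes, one every interval_s seconds, through a fresh
    policer and report what got through. Offered rate = frame_bytes*8/interval_s."""
    p = Policer(cir_bps, bc_bytes)
    for i in range(n_frames):
        p.offer(i * interval_s, frame_bytes)
    duration = n_frames * interval_s
    return {
        "offered_bps": frame_bytes * 8 / interval_s,
        "conformed": p.conformed,
        "exceeded": p.exceeded,
        "achieved_bps": p.conformed_bytes * 8 / duration,
    }


if __name__ == "__main__":
    # Constructed scenario: one PC behind Fa0/2 sending 1500-byte frames every 12 ms
    # (1 Mbit/s) for about 10 s against a 200 kbit/s policer.
    for bc in (8000, 64000):
        r = simulate(200_000, bc, 1500, 0.012, 834)
        print(f"burst {bc:>6} B: offered {r['offered_bps']:.0f} bps, "
              f"conformed {r['conformed']}, dropped {r['exceeded']}, "
              f"achieved {r['achieved_bps']:.0f} bps")
```

With an 8000-byte bucket the first six frames go through back to back and then exactly one frame in five is transmitted, so the user sees about 205 kbit/s; with a 64000-byte bucket the initial burst is 53 frames and the average over the same 10 s is about 250 kbit/s. That is the trade-off behind the burst-byte value: a larger bucket lets short transfers finish quickly but makes a short measurement overshoot the 200K the policy advertises.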


Marwan ALshawi Fri, 09/05/2008 - 05:22

Hi Sushil, if you want to check that it works just do a download and see the transfer rate.

By the way I have a comment.

Although Simon's config is right and configurable,

it will limit the port bandwidth to 200K regardless of the type or path of communication. So let's assume there is a shared drive in the network and one of the clients wants to get a file from it; the rate limit will be 200K !!!

What I suggest you do is to use the ASA

to achieve the bandwidth management. For example, if you have the connection to the outside through the ASA and you have a different IP network for each VLAN, you can limit the bandwidth based on the source VLAN. For example on the ASA:

let's say vlan 100 is /24

vlan 200 /24

and we will limit vlan 100 to 200K and vlan 200 to 250K

access-list 100 permit ip any
access-list 200 permit ip any

class-map vlan100
 match access-list 100
class-map vlan200
 match access-list 200

policy-map policy1
 class vlan100
  police output 200000
 class vlan200
  police output 250000

then apply it to the outside interface like:

service-policy policy1 interface outside

This was a simple example.

You can use the same idea if you have a routed interface between the switch and the ASA; in this case you can do the same thing but on the switch, and apply it in the outbound direction on the routed switch interface.

Good luck.

If helpful, rate.

simontibbitts Fri, 09/05/2008 - 05:47

Hi Sushil.

To determine if it's working you can try a transfer for yourself from one of the machines.

Otherwise, to give you an indication, you can look at the counters under the command:

show policy-map int f0/1 input


simontibbitts Fri, 09/05/2008 - 05:49

Oops, sorry, just seen a mistake in the config I sent before. It should have been this:

mls qos

policy-map POLICE_200K
 class class-default
  police 200000
   conform-action transmit
   exceed-action drop

interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2
 service-policy input POLICE_200K

Show command for statistics:

show policy-map int f0/2 input


Simon, yes I was aware of that and made the correction on my own.

Marwan, I am already using an ASA at the gateway. But all my VLANs are on the switch. Even with this config, is this possible on the ASA???

Routing is enabled on the switch but inter-VLAN communication is blocked by an access-list. I would be more than happy doing this on the ASA.. looking forward to your reply.


Marwan ALshawi Sat, 09/06/2008 - 00:41

Hi Sushil,

of course you can do it on the ASA, and I sent you a config example; doing it on the ASA is better than on the switch in your case.

Now I just want you to post the switch config and, if you can, the ASA config, to let me know the config structure, and tell me exactly how much you want to limit each VLAN and I will do it for you :)


Marwan ALshawi Mon, 09/08/2008 - 02:01

Hi Sushil,

first, the connectivity between the switch and your ASA looks strange; I can't see a routed interface or trunk going to the ASA. Why do you send all traffic through the ASA inside to vlan 1??

If you don't do routing between VLANs,

create a layer three port on the switch, known as a routed interface; this port will be connected to the ASA inside interface.

For example:

interface FastEthernet0/24
 no switchport
 ip address
 no shut

Change the inside ASA IP to be in the same subnet as the routed switch interface:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address

and remove this one with the no command:

no route inside 1

and make it like:

route inside 1

Also on the switch, change the default route you have to the following one:

ip route

Now let's go to bandwidth management on the ASA:

access-list 101 permit any
access-list 102 permit any
access-list 103 permit any
access-list 104 permit any
access-list 105 permit any
access-list 106 permit any
access-list 107 permit any
access-list 108 permit any
access-list 109 permit any
access-list 110 permit any

I will make the rest of the config for only three VLANs; you need to apply the idea to all of your VLANs:

class-map vlan1
 match access-list 101
class-map vlan2
 match access-list 102
class-map vlan3
 match access-list 103

policy-map limit-policy
 class vlan1
  police output 100000 conform-action transmit exceed-action drop
 class vlan2
  police output 100000 conform-action transmit exceed-action drop
 class vlan3
  police output 150000 conform-action transmit exceed-action drop

Now apply it on the ASA in the outbound direction, I mean the policy:

service-policy limit-policy interface outside

And with the same idea, add all the VLANs, each with its class map, and be careful with the config of the connection between the ASA and the switch.

The config I have given you is enough to get it working.

Good luck.

If helpful, rate.
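The post above ends with "add all the VLANs, each with its class map", which for ten VLANs means thirty-odd hand-typed lines where a wrong ACL number or an overlapping subnet silently puts one VLAN's traffic under another VLAN's policer. The following Python helper, added here and not taken from the thread or from Cisco, builds that per-VLAN ASA block from a table and refuses duplicate VLAN ids, overlapping subnets and rates below the policer floor. The subnets and rates are constructed; the ACL form "extended permit ip <network> <mask> any" supplies the source network that the thread's ACL lines show blank, and the 8000 bps minimum is an assumption to check against your ASA release.

```python
"""Generate per-VLAN ASA output policing from a VLAN table. Added helper, not thread code."""
import ipaddress

MIN_POLICE_BPS = 8000  # assumed lower bound of the ASA 'police' rate; verify for your release


def build_vlan_policing_config(vlans, policy_name="limit-policy", interface="outside", acl_base=100):
    """vlans: iterable of (vlan_id, subnet_cidr, rate_bps).

    Emits one ACL per VLAN numbered acl_base + vlan_id (as in the thread, VLAN 1 -> 101),
    one class-map per VLAN, a single policy-map with a 'police output' per class, and the
    one service-policy line for the interface. Overlapping subnets are rejected because a
    packet would then be counted against whichever class the ASA matches first rather
    than against its own VLAN's limit.
    """
    seen_ids = set()
    nets = []
    acl_lines, class_lines = [], []
    policy_lines = [f"policy-map {policy_name}"]
    for vid, cidr, rate in vlans:
        if vid in seen_ids:
            raise ValueError(f"duplicate VLAN id {vid}")
        seen_ids.add(vid)
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits in the prefix
        for other in nets:
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps {other}; traffic would match the wrong class")
        nets.append(net)
        if rate < MIN_POLICE_BPS:
            raise ValueError(f"VLAN {vid}: {rate} bps is below the policer minimum")
        acl = acl_base + vid
        acl_lines.append(
            f"access-list {acl} extended permit ip {net.network_address} {net.netmask} any")
        class_lines += [f"class-map vlan{vid}", f" match access-list {acl}"]
        policy_lines += [f" class vlan{vid}",
                         f"  police output {rate} conform-action transmit exceed-action drop"]
    tail = [f"service-policy {policy_name} interface {interface}"]
    return "\n".join(acl_lines + class_lines + policy_lines + tail) + "\n"


if __name__ == "__main__":
    # Constructed table: the three VLANs and rates used in the post above, with made-up subnets.
    table = [
        (1, "192.168.1.0/24", 100000),
        (2, "192.168.2.0/24", 100000),
        (3, "192.168.3.0/24", 150000),
    ]
    print(build_vlan_policing_config(table))
```

Paste the output into the ASA in one go; because it contains the single service-policy line, re-running the helper with an extended table and reapplying it is the way to add a VLAN, rather than attaching a second policy to the outside interface.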

