3560 QoS / Policing

Unanswered Question
Feb 9th, 2009


Currently we are enrolling Catalyst 3560 switches in our network to connect to our MPLS backbone. We've used Catalyst 3550 before and based on that platform we've developed a “standard” configuration we are using.

In this template we apply a “policy map out” on the interface to the backbone for real-time traffic. BW allocation is 50 30 10 10, priority queue out and policing 2Mb.

How can I do this on a 3560? By using wrr shaping I can allocate 2Mb to a queue but this queue will act differently than the policing on a 3550 does. By configuring 'priority queue out' the full bandwidth will be consumed for real time traffic when bandwidth is needed … How can this be solved?

Joseph W. Doherty Mon, 02/09/2009 - 04:11

You could police the real-time traffic upon ingress. Although you should be able to match ingress real-time traffic going to your MPLS backbone, if there are multiple ingress ports, unclear (to me) whether you can easily define an overall cap of 2 Mbps without defining individual ingress interface real-time police caps.

miek.bosmans Tue, 02/10/2009 - 00:25

I'm not sure ingress policing is the answer. I've been thinking about it, but on an ingress interface we're marking. Depending on the kind of traffic, the packet gets a dscp value. For all dscp "ef" values, I wanted to police on egress. I can't see how I can solve this on ingress interface ...

andrew.butterworth Tue, 02/10/2009 - 04:50

I looked into this a while ago and hit the same wall as you have. The 3560/3750 series are good switches but there seem to be a few features that were in the 3550 that haven't been implemented in them.

You would need to deploy a 'real' router at the handoff point to implement egress policing. You could also look at the Metro Ethernet switches (ME3400?) as these have the ability to apply policers on egress.



Joseph W. Doherty Tue, 02/10/2009 - 06:09

I agree that I too am unsure ingress policing is the answer, not though due to identification, which I think can be done via a class map identifying both VoIP and destination off the LAN, but due to there might be a limitation to number of ports if working with an SVI two level policer and/or policing at the intended aggregate outbound level.

I agree with Andrew, the 3560/3750 LAN switches fall IOS feature short in some aspects. A sure solution, as Andrew also notes would be a more suitable device between the LAN and WAN, such as perhaps an ISR or Metro Switch. Another possible device might be a very small 2960 (e.g. 8 port). As long as there's only one ingress to egress port, believe its inbound ingress policer would work.

