Per client policing

May 22nd, 2009

We have a Catalyst 3560 that connects to a metro E circuit. It also has 1 uplink into each of our core L3 switches. All ports are layer 2.


We are trying to police bandwidth on a per-client basis. We have set up the following, but it doesn't seem to be working. We're seeing clients spike above the limits we have configured. Any ideas?


    class-map match-any ClientA_CM
     match access-group 109
    class-map match-any ClientB_CM
     match access-group 105

    policy-map Rate_Limit_Clients
     class ClientA_CM
      police 5000000 48000 exceed-action drop
     class ClientB_CM
      police 3000000 24000 exceed-action drop

    access-list 105 permit ip any 209.X.X.120 0.0.0.7
    access-list 105 permit ip 209.X.X.120 0.0.0.7 any
    access-list 110 permit ip any 66.X.X.160 0.0.0.2
    access-list 110 permit ip 66.X.X.160 0.0.0.2 any


Then, we have this applied on both the metro E interface and the 2 uplinks to our core L3 switches:


    service-policy input Rate_Limit_Clients



Here is the VLAN interface on our core for the client we're trying to rate-limit:


    interface Vlan24
     ip address 66.X.X.162 255.255.255.252
     load-interval 30





jordan.bean Fri, 05/22/2009 - 13:37

Also, "show policy-map interface gig 0/24" shows 0 on all counters.

cisco_lad2004 Sat, 05/23/2009 - 13:18

Jordan,


Policing on 3560 is not straightforward. For starters you can see any counters on "show policy-map interface X/Y".


I also do not recall that policing works OUTBOUND.


I had a similar scenario recently, and this is how I resolved it:


Each customer was assigned either a VLAN out of a single port or had a Layer 3 port. I was able to police INBOUND Only.


For OUTBOUND, I had to police uplink (inbound) since traffic IN is the traffic OUT to customers. My class maps had to match each customer's allocated IP range.


I validated my config by using a traffic generator.


Remember to enable QoS globally ("mls qos"), in which case you might want to also remark inbound traffic from customers.


HTH


Sam

