Per client policing

May 22nd, 2009

We have a Catalyst 3560 that connects to a metro E circuit. It also has 1 uplink into each of our core L3 switches. All ports are layer 2.

We are trying to police bandwidth on a per-client basis. We have set up the following, but it doesn't seem to be working. We're seeing clients spike above the limits we have configured. Any ideas?

class-map match-any ClientA_CM
 match access-group 109
class-map match-any ClientB_CM
 match access-group 105
policy-map Rate_Limit_Clients
 class ClientA_CM
  police 5000000 48000 exceed-action drop
 class ClientB_CM
  police 3000000 24000 exceed-action drop
access-list 105 permit ip any 209.X.X.120 0.0.0.7
access-list 105 permit ip 209.X.X.120 0.0.0.7 any
access-list 110 permit ip any 66.X.X.160 0.0.0.2
access-list 110 permit ip 66.X.X.160 0.0.0.2 any

Then, we have this applied on both the metro E interface and the 2 uplinks to our core L3 switches:

service-policy input Rate_Limit_Clients

Here is the VLAN interface on our core for the client we're trying to rate-limit:

interface Vlan24
 ip address 66.X.X.162 255.255.255.252
 load-interval 30

jordan.bean Fri, 05/22/2009 - 13:37

Also, "show policy-map interface gig 0/24" shows 0 on all counters.

cisco_lad2004 Sat, 05/23/2009 - 13:18

Jordan,

Policing on 3560 is not straightforward. For starters you can see any counters on "show policy-map interface X/Y".

I also do not recall that policing works OUTBOUND.

I had a similar scenario recently, and this is how I resolved it:

Each customer was assigned either a VLAN out of a single port or had a Layer 3 port. I was able to police INBOUND Only.

For OUTBOUND, I had to police the uplink (inbound), since traffic IN is the traffic OUT to customers. My class maps had to match each customer's allocated IP range.

I validated my config by using a traffic generator.

Remember to enable QoS globally "mls qos"...and in which case you might want to also remark inbound traffic from customers.

HTH

Sam
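
The points raised in this thread (global "mls qos", inbound service-policy, class maps tied to each customer's ACL) can be checked mechanically before a config goes on the switch. This is an added example, not code from either poster; `lint_policing_config` and its finding messages are hypothetical, and the sample input is the configuration as posted in the question.

```python
import re
# Configuration as posted in the question above (addresses masked as on the page).
POSTED_CONFIG = """\
class-map match-any ClientA_CM
 match access-group 109
class-map match-any ClientB_CM
 match access-group 105
policy-map Rate_Limit_Clients
 class ClientA_CM
  police 5000000 48000 exceed-action drop
 class ClientB_CM
  police 3000000 24000 exceed-action drop
access-list 105 permit ip any 209.X.X.120 0.0.0.7
access-list 105 permit ip 209.X.X.120 0.0.0.7 any
access-list 110 permit ip any 66.X.X.160 0.0.0.2
access-list 110 permit ip 66.X.X.160 0.0.0.2 any
service-policy input Rate_Limit_Clients
"""

def lint_policing_config(config):
    """Hypothetical helper: return a list of findings for a policing config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "mls qos" not in lines:  # the reply's reminder to enable QoS globally
        findings.append("global 'mls qos' is missing")
    defined = {ln.split()[1] for ln in lines if ln.startswith("access-list ")}
    referenced, policed, current = {}, set(), None
    for ln in lines:
        if m := re.match(r"class-map (?:match-\w+ )?(\S+)", ln):
            current = m.group(1)          # entering a class-map
        elif m := re.match(r"class (\S+)", ln):
            current = m.group(1)          # entering a class inside the policy-map
        elif m := re.match(r"match access-group (\d+)", ln):
            referenced[m.group(1)] = current
        elif ln.startswith("police "):
            policed.add(current)
        elif (m := re.match(r"service-policy (\w+) ", ln)) and m.group(1) != "input":
            findings.append(f"service-policy direction is {m.group(1)}, not input")
    for acl, cmap in sorted(referenced.items()):
        if acl not in defined:
            findings.append(f"{cmap} matches access-group {acl}, which is not defined")
    for acl in sorted(defined - set(referenced)):
        findings.append(f"access-list {acl} is defined but no class-map matches it")
    for cmap in sorted(set(referenced.values()) - policed):
        findings.append(f"{cmap} has no police statement")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_policing_config(POSTED_CONFIG)))
```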
