Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
401
Views
0
Helpful
2
Replies

Per client policing

jordan.bean
Level 1
Level 1

‎05-22-2009 01:22 PM - edited ‎03-06-2019 05:53 AM

We have a Catalyst 3560 that connects to a metro E circuit. It also has 1 uplink into each of our core L3 switches. All ports are layer 2.

We are trying to police bandwidth on a per-client basis. We have setup the following, but it doesn't seem to be working. We're seeing clients spike above the limits we have configured. Any ideas?

class-map match-any ClientA_CM

match access-group 109

class-map match-any ClientB_CM

match access-group 105

policy-map Rate_Limit_Clients

class ClientA_CM

police 5000000 48000 exceed-action drop

class ClientB_CM

police 3000000 24000 exceed-action drop

access-list 105 permit ip any 209.X.X.120 0.0.0.7

access-list 105 permit ip 209.X.X.120 0.0.0.7 any

access-list 110 permit ip any 66.X.X.160 0.0.0.2

access-list 110 permit ip 66.X.X.160 0.0.0.2 any

Then, we have this applied on both the metro E interface and the 2 uplinks to our core L3 switches:

service-policy input Rate_Limit_Clients

Here is the VLAN interface on our core for the client we're trying to rate-limit:

interface Vlan24

ip address 66.X.X.162 255.255.255.252

load-interval 30

Labels:
0 Helpful
2 Replies 2

jordan.bean
Level 1
Level 1

‎05-22-2009 01:37 PM

Also, "show policy-map interface gig 0/24" shows 0 on all counters.

0 Helpful

cisco_lad2004
Level 5
Level 5
In response to jordan.bean

‎05-23-2009 01:18 PM

Jordan,

Policing on 3560 is not straight forward. for starters you can see any counters on "show policy-map interface X/Y".

I also do not recall that policing works OUTBOUND.

I had a similar scenario recently, I and this is how I resolved it:

Each customer was assigned either a VLAN out of a single port or had a Layer 3 port. I was able to police INBOUND Only.

For OUTBOUND, I had to police uplink (inbound) since traffic IN is the traffic OUT to customers. my class maps had to match each customer allocated IP range.

I validated my config by using a traffic generator.

Remember to enable QOS globally "mls qos"...and in which case you might want to also remark inbound traffic from customers.

HTH

Sam

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card