cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
638
Views
3
Helpful
6
Replies

Policing on a 3560

tom.storey
Level 1
Level 1

Hi All,

Sorry if this thread sounds familiar as I am sure it is.

I am trying to implement policing on some ports on a 3560 to limit the amount of bandwidth a client can send into our network. Pretty stock standard stuff.

My problem is that the policy map doesnt appear to match any packets regardless of how I implement it, and thus traffic is not policed.

Ive tried implementing this in a number of different ways:

* aggregate policers

* policy map using a class

* policy map using class-default

Unfortunately srr-queue is not suitable for my deployment as it is not as granular as I need it to be.

Oh, and I do have "mls qos" enabled, have tried rebooting the switch after enabling this command, tried ipbase and ipservices images, but nothing.

Below are some of the configurations that I have tried:

class-map match-any any-any

match access-group name ip-any-any

!

policy-map police-50mbit-in

class any-any

police 50000000 1000000 exceed-action drop

!

interface GigabitEthernet0/13

service-policy input police-50mbit-in

!

ip access-list extended ip-any-any

permit ip any any

!

or

class-map match-any any-any

match access-group 99

!

policy-map police-50mbit-in

class any-any

police 50000000 1000000 exceed-action drop

!

interface GigabitEthernet0/13

service-policy input police-50mbit-in

!

access-list 99 permit ip any

!

or

policy-map police-50mbit-in

class class-default

police 50000000 1000000 exceed-action drop

!

interface GigabitEthernet0/13

service-policy input police-50mbit-in

!

or

mls qos aggregate-policer 50mbit 50000000 1000000 exceed-action drop

!

policy-map police-50mbit-in

class class-default

police aggregate 50mbit

!

interface GigabitEthernet0/13

service-policy input police-50mbit-in

!

etc etc

Everything I have tried just doesnt seem to work.

Essentially what I see is the following:

#sh policy-map int gi0/13

GigabitEthernet0/13

Service-policy input: police-50mbit-in

Class-map: class-default (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

0 packets, 0 bytes

5 minute rate 0 bps

But "sh int gi0/13" clearly shows that packets are comming into the interface, and "sh mls qos int gi0/13 statistics" shows packet counters incrementing aswell.

Can someone tell me what Im doing wrong? Im pulling my hair out over this. :-)

Thanks,

Tom

6 Replies 6

Joseph W. Doherty
Hall of Fame
Hall of Fame

I'm not at a 3560/3750 at the momemet, but I recall the 3560/3750 do not register policy map stats, as you would expect. One of the mls qos commands might record them; but don't recall a specific command. If someone else doesn't respond, I'll try to remember to look at a production 3750 later today that I configured with a policer about a two years ago and see what I can find. I do remember the policer does function.

BTW, what IOS version are you using?

Thanks for your reply.

Thats an interesting statement you make. I have also tried with a 1mbit policer and I dont believe that it worked then either, but I will certainly do a bit more testing/digging tomorrow.

I am using 12.2(52)SE (have tried both base and services), and have also tried 12.2(46)SE (but only base).

edit:

I think I see what you mean. e.g. in "sh mls qos int gi0/13 stat" I see the following down the bottom:

Policer: Inprofile: 1595351 OutofProfile: 0

Would that mean that 0 packets have been in excess of the policer?

Thanks,

Tom

Are you seeing the interface counter go over 50Mbps? If not, you aren't violating the policer hence no drops. As stated, the policy-map is a software counter and QoS is performed in hardware on the 3560.

If you want to see your syntax is working, I recommend lowering the police value to 8000 and you will automatically see packet drops.

Additionally, I recommend going with class class-default for this configuration as the class any-any is only checking for 'ip' packets and you aren't policing other type of traffic, for instance L2 broadcast and such.

Regards

Edison

Hi Edison,

That was just one of the methods I tried. I tried a couple.

As I mentioned in my first post I also tried a 1mbps policer and I wasnt sure that worked either, but I will definitely try again tomorrow when I am at work.

Thanks,

Tom

"Would that mean that 0 packets have been in excess of the policer? "

Believe that's correct.

"Mls qos interface x stats" was the command I couldn't remember. From a production 3750 with policer . . .

core1#sh run int g 1/0/1

Building configuration...

Current configuration : 176 bytes

!

interface GigabitEthernet1/0/1

description Connection to sw01

switchport access vlan 83

switchport mode access

load-interval 30

service-policy input Inbound

end

core1#sh policy-map Inbound

Policy Map Inbound

Class FTP

police 10000000 15000 exceed-action drop

Class TLM

police 10000000 15000 exceed-action drop

Class HP-ED

police 10000000 15000 exceed-action drop

core1#sh mls qos interface g 1/0/1 st

GigabitEthernet1/0/1

dscp: incoming

-------------------------------

0 - 4 : 2599624734 1 741 234 10540

5 - 9 : 0 41597 0 1935 0

10 - 14 : 1 1 0 0 0

15 - 19 : 0 196 0 279 0

20 - 24 : 36 0 0 0 69077

25 - 29 : 0 2 1 3 0

30 - 34 : 0 0 186 0 222

35 - 39 : 0 0 0 0 0

40 - 44 : 12311599 0 0 0 1946508

45 - 49 : 0 9423739 0 6140947 0

50 - 54 : 0 0 0 0 0

55 - 59 : 0 207629 0 0 0

60 - 64 : 0 0 0 0

dscp: outgoing

-------------------------------

0 - 4 : 1092522257 0 0 0 0

5 - 9 : 0 0 0 0 0

10 - 14 : 0 0 0 0 0

15 - 19 : 0 0 0 0 0

20 - 24 : 0 0 0 0 0

25 - 29 : 0 0 0 0 0

30 - 34 : 0 0 0 0 0

35 - 39 : 0 0 0 0 0

40 - 44 : 0 0 0 0 0

45 - 49 : 0 0 0 1352408 0

50 - 54 : 0 0 0 0 0

55 - 59 : 0 0 0 0 0

60 - 64 : 0 0 0 0

cos: incoming

-------------------------------

0 - 4 : 2630841317 0 0 0 0

5 - 7 : 0 0 0

cos: outgoing

-------------------------------

0 - 4 : 1092569620 0 0 0 0

5 - 7 : 0 1352408 55662

Policer: Inprofile: 2447458808 OutofProfile: 313430755

Ok, seems it does work.

It may have been because the "sh policy-map" command didnt display anything, so I figured it wasnt working, but I now know that this probably wont display anything, and the correct command to find out.

Thanks for all of your responses, this has cleared the issue up for me!

Cheers,

Tom

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco