10-08-2009 02:01 AM - edited 03-06-2019 08:02 AM
Hi All,
Sorry if this thread sounds familiar as I am sure it is.
I am trying to implement policing on some ports on a 3560 to limit the amount of bandwidth a client can send into our network. Pretty stock standard stuff.
My problem is that the policy map doesn't appear to match any packets regardless of how I implement it, and thus traffic is not policed.
I've tried implementing this in a number of different ways:
* aggregate policers
* policy map using a class
* policy map using class-default
Unfortunately srr-queue is not suitable for my deployment as it is not as granular as I need it to be.
Oh, and I do have "mls qos" enabled, have tried rebooting the switch after enabling this command, tried ipbase and ipservices images, but nothing.
Below are some of the configurations that I have tried:
class-map match-any any-any
 match access-group name ip-any-any
!
policy-map police-50mbit-in
 class any-any
  police 50000000 1000000 exceed-action drop
!
interface GigabitEthernet0/13
 service-policy input police-50mbit-in
!
ip access-list extended ip-any-any
 permit ip any any
!
or
class-map match-any any-any
 match access-group 99
!
policy-map police-50mbit-in
 class any-any
  police 50000000 1000000 exceed-action drop
!
interface GigabitEthernet0/13
 service-policy input police-50mbit-in
!
access-list 99 permit any
!
or
policy-map police-50mbit-in
 class class-default
  police 50000000 1000000 exceed-action drop
!
interface GigabitEthernet0/13
 service-policy input police-50mbit-in
!
or
mls qos aggregate-policer 50mbit 50000000 1000000 exceed-action drop
!
policy-map police-50mbit-in
 class class-default
  police aggregate 50mbit
!
interface GigabitEthernet0/13
 service-policy input police-50mbit-in
!
etc etc
Everything I have tried just doesn't seem to work.
Essentially what I see is the following:
#sh policy-map int gi0/13
 GigabitEthernet0/13
  Service-policy input: police-50mbit-in
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        5 minute rate 0 bps
But "sh int gi0/13" clearly shows that packets are coming into the interface, and "sh mls qos int gi0/13 statistics" shows packet counters incrementing as well.
Can someone tell me what I'm doing wrong? I'm pulling my hair out over this. :-)
Thanks,
Tom
10-08-2009 03:25 AM
I'm not at a 3560/3750 at the moment, but I recall the 3560/3750 do not register policy map stats, as you would expect. One of the mls qos commands might record them, but I don't recall a specific command. If someone else doesn't respond, I'll try to remember to look at a production 3750 later today that I configured with a policer about two years ago and see what I can find. I do remember the policer does function.
BTW, what IOS version are you using?
10-08-2009 03:29 AM
Thanks for your reply.
That's an interesting statement you make. I have also tried with a 1mbit policer and I don't believe that it worked then either, but I will certainly do a bit more testing/digging tomorrow.
I am using 12.2(52)SE (have tried both base and services), and have also tried 12.2(46)SE (but only base).
edit:
I think I see what you mean. e.g. in "sh mls qos int gi0/13 stat" I see the following down the bottom:
Policer: Inprofile: 1595351 OutofProfile: 0
Would that mean that 0 packets have been in excess of the policer?
Thanks,
Tom
10-08-2009 04:54 AM
Are you seeing the interface counter go over 50Mbps? If not, you aren't violating the policer hence no drops. As stated, the policy-map is a software counter and QoS is performed in hardware on the 3560.
If you want to see your syntax is working, I recommend lowering the police value to 8000 and you will automatically see packet drops.
Additionally, I recommend going with class class-default for this configuration as the class any-any is only checking for 'ip' packets and you aren't policing other types of traffic, for instance L2 broadcast and such.
Regards
Edison
10-08-2009 05:32 AM
Hi Edison,
That was just one of the methods I tried. I tried a couple.
As I mentioned in my first post I also tried a 1mbps policer and I wasn't sure that worked either, but I will definitely try again tomorrow when I am at work.
Thanks,
Tom
10-08-2009 08:22 AM
"Would that mean that 0 packets have been in excess of the policer? "
Believe that's correct.
"Mls qos interface x stats" was the command I couldn't remember. From a production 3750 with policer . . .
core1#sh run int g 1/0/1
Building configuration...
Current configuration : 176 bytes
!
interface GigabitEthernet1/0/1
 description Connection to sw01
 switchport access vlan 83
 switchport mode access
 load-interval 30
 service-policy input Inbound
end
core1#sh policy-map Inbound
  Policy Map Inbound
    Class FTP
      police 10000000 15000 exceed-action drop
    Class TLM
      police 10000000 15000 exceed-action drop
    Class HP-ED
      police 10000000 15000 exceed-action drop
core1#sh mls qos interface g 1/0/1 st
GigabitEthernet1/0/1
dscp: incoming
-------------------------------
0 - 4 : 2599624734 1 741 234 10540
5 - 9 : 0 41597 0 1935 0
10 - 14 : 1 1 0 0 0
15 - 19 : 0 196 0 279 0
20 - 24 : 36 0 0 0 69077
25 - 29 : 0 2 1 3 0
30 - 34 : 0 0 186 0 222
35 - 39 : 0 0 0 0 0
40 - 44 : 12311599 0 0 0 1946508
45 - 49 : 0 9423739 0 6140947 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 207629 0 0 0
60 - 64 : 0 0 0 0
dscp: outgoing
-------------------------------
0 - 4 : 1092522257 0 0 0 0
5 - 9 : 0 0 0 0 0
10 - 14 : 0 0 0 0 0
15 - 19 : 0 0 0 0 0
20 - 24 : 0 0 0 0 0
25 - 29 : 0 0 0 0 0
30 - 34 : 0 0 0 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 0 0 0 0 0
45 - 49 : 0 0 0 1352408 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0
cos: incoming
-------------------------------
0 - 4 : 2630841317 0 0 0 0
5 - 7 : 0 0 0
cos: outgoing
-------------------------------
0 - 4 : 1092569620 0 0 0 0
5 - 7 : 0 1352408 55662
Policer: Inprofile: 2447458808 OutofProfile: 313430755
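Added example, not part of the thread and not Cisco code: a Python parser for the `show mls qos interface ... statistics` output format shown above. It extracts the Policer Inprofile/OutofProfile counters and compares two snapshots, because the counters are cumulative and only the change between samples shows whether the policer is acting now. The sample text is constructed (abbreviated from the output above) and the function names are assumptions.

```python
import re

# Constructed sample, abbreviated from the output format shown in the post above.
SAMPLE_T0 = """\
GigabitEthernet1/0/1
dscp: incoming
-------------------------------
0 - 4 : 2599624734 1 741 234 10540
5 - 9 : 0 41597 0 1935 0
dscp: outgoing
-------------------------------
0 - 4 : 1092522257 0 0 0 0
Policer: Inprofile: 2447458808 OutofProfile: 313430755
"""
SAMPLE_T1 = SAMPLE_T0.replace("2447458808", "2447468808").replace("313430755", "313433255")

ROW = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*:\s*([\d\s]+)$")
POLICER = re.compile(r"Policer:\s*Inprofile:\s*(\d+)\s+OutofProfile:\s*(\d+)", re.I)

def parse_stats(text):
    """Return {'sections': {name: {index: count}}, 'policer': (in, out)}."""
    sections, current, policer = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"^(dscp|cos): (incoming|outgoing)$", line):
            current = sections.setdefault(line, {})
        elif (m := ROW.match(line)) and current is not None:
            start = int(m.group(1))  # first DSCP/CoS value covered by this row
            for offset, value in enumerate(m.group(3).split()):
                current[start + offset] = int(value)
        elif (m := POLICER.search(line)):
            policer = (int(m.group(1)), int(m.group(2)))
    if policer is None:
        raise ValueError("no Policer line found in output")
    return {"sections": sections, "policer": policer}

def policer_delta(before, after):
    """Counters are cumulative, so compare two snapshots to see current policing."""
    d_in = after["policer"][0] - before["policer"][0]
    d_out = after["policer"][1] - before["policer"][1]
    if d_in < 0 or d_out < 0:
        raise ValueError("counters went backwards (cleared or reloaded between samples)")
    total = d_in + d_out
    return {"in_profile": d_in, "out_of_profile": d_out,
            "out_ratio": d_out / total if total else 0.0}
```

A non-zero `out_of_profile` delta between two captures means traffic exceeded the policer during that interval, even while `show policy-map interface` still reports 0 packets.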
10-08-2009 03:05 PM
Ok, seems it does work.
It may have been because the "sh policy-map" command didn't display anything, so I figured it wasn't working, but I now know that this probably won't display anything, and the correct command to find out.
Thanks for all of your responses, this has cleared the issue up for me!
Cheers,
Tom