Cisco 3560 Shaping/Policing options

Unanswered Question
Mar 31st, 2010

Hi All,

I am after a bit of advice. I currently have a 1Gbps connection between two sites. The server guys are looking to locate a backup of the companies TSM Backup solution at each of the sites - this will involve a lot of replication traffic between the sites as the Backup DB's synchronise.

I want to be able to police or at least shape the traffic to/from these servers to 80% of the available capacity. Currently, the link in question has one end connected to a Cisco 6509 (Native IOS) and one end is connected to a brand new Cisco 3560 (IOS12.2(35)).

We are currently running a basic AutoQos config on the interface on the 3560 and a pretty standard QoS config on the 6509 as we have IP telephones at each site. The current setup is that the two devices are OSPF neighbors over a native VLAN, with a couple of other VLANs trunked on the same link.

I have found a way to Police traffic on the ingress interface on the 3560 - this gives me the option to police at source (I.e where the TSM servers connect into the network) but ideally, I would only like to do this over the inter-site connection.

My current thinking is that I could mark the TSM servers with a specific DSCP value at source, then configure an srr-queue shape x x x x command on the 3560 to set a specific shaped limit to the queue that I place the TSM traffic in. For example, if I mark all TSM traffic with a DSCP value of 21, the current config on my 3560 would place it in queue 3:

mls qos srr-queue output dscp-map queue 3 threshold 3  16 17 18 19 20 21 22 23

On the interface in question, I could then specify:

srr-queue bandwidth shape  10  0  80  0

Or am i missing something? (DSCP values are trusted throughout the network) Any advice would be much appreciated, this stuff really confuses me sometimes!

Many thanks


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (2 ratings)
Lei Tian Wed, 03/31/2010 - 19:45

Hi Jonathan,

Few thoughts

1, If you want police the traffic from TSM, why do you want do it on inter-site connection? If the out of profile traffic will be dropped, why waste resource to send them?

2, the srr-queue command is for egress queueing, so I suppose you want put them on the inter-site connection? If you reserve 80% of the bandwidth to queue 3, then other traffic will be lack of bandwidth.

3, srr-queue bandwidth shape  10  0  80  0 will not give queue 3 80% of the bandwidth; it should be read as 1/80 of the bandwidth.


Lei Tian

jonathanaxford Thu, 04/01/2010 - 07:36


Thanks for the advice, really helpful.

If i can help it, i want the local TSM traffic at each site to be allowed to use the full 100% of its interface if necessary, i am only concerned about restricting it once it crosses the link. As far as i know, the only time TSM will be attempting to use the intersite conenction is when it is replicating its storage pools, that why i only want to limit that.

Would you have any advice on the best way of acheiving this? We have QoS running on the link to prioritise DSCP EF traffic at the moment to protect our telephones, but the main worry is that the TSM replication will easily chew up the entire link iof it is allowed to. Now, it is to be scheduled to run overnight, but if it overuns and ends up running during the working day, our current QoS config should protect the voice, but all other general user traffic will suffer, such as internet browsing, file copies etc.

Would it be a simple process to simply police TSM traffic to 80% of the bandwidth?

Any idea's much appreciated!



P.S I do have the QOS SRND guide and have found it to be very helpful, i guess I just need to spend a bit more time with this stuff to really understand it properly.

Lei Tian Thu, 04/01/2010 - 20:18

Hi Jonathan,

If I understand you correctly, TSM only uses the intersite connection during storage replication, and this should be on none-working hour. So if it is in none working time, you donot want to restrict the TSM data replication traffic; however if it is in working time, you want rate limit the TSM data replication traffic to a reasonable rate so other traffic will not be saturated. Is that correct?

I would think you can use time-based ACL to do that. First, you need to create a time range for working hours; then configure ACL match TSM traffic and the working hours time range; create a class as TSM_working_time and match the ACL; create a policy-map to rate limit that class to a reasonable rate, and trust other traffic; apply that policy-map on the intersite link.


Lei Tian


This Discussion