service-policy input

Answered Question
Oct 17th, 2011

Hello everyone,

My service-policy is not working on inbound. It works on outbound, but I need to apply it on IN as well.

Please check what I am doing wrong. Thank you in advance.

!
mls qos
!
ip access-list extended ACL-TEST-LIMIT50
 permit ip any any
!
class-map match-all CLASS-TEST-LIMIT50
  match access-group name ACL-TEST-LIMIT50
!
policy-map MAP-TEST-LIMIT50
  class CLASS-TEST-LIMIT50
    police 50000000 40000 conform-action drop exceed-action drop violate-action drop
!
int vlan 103
 service-policy input MAP-TEST-LIMIT50
!

P.S.

With traffic up to 100mb/s, I almost don't see the matches:

sh ip access-lists ACL-TEST-LIMIT50
Extended IP access list ACL-TEST-LIMIT50
    10 permit ip any any (1 match)

c7600 / Version 12.2(33)SRE2

--

Have a nice day,

Dmitry

nkarpysh Wed, 10/19/2011 - 09:46

Hi Dmitry,

Can you please paste the following output when this policy is attached in the IN direction with some traffic passing through the VLAN (not sent to the VLAN):

show policy-map int Vlan 103

Nik

kozorezdi Wed, 10/19/2011 - 23:07

Hi Nikolay,

Thank you for your help. 

sh policy-map interface vlan 103
Vlan103
  Service-policy input: MAP-TEST-LIMIT50
    class-map: CLASS-TEST-LIMIT50 (match-all)
      Match: access-group name ACL-RODINA-LIMIT50
      police :
        50000000 bps 40000 limit 40000 extended limit
      Earl in slot 5 :
        59009454 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: drop
        exceeded 59009454 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
      Earl in slot 6 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: drop
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
      Earl in slot 7 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: drop
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
      Earl in slot 9 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: drop
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
        0 packets, 0 bytes
        5 minute rate 0 bps

--

Dmitry

Correct Answer
balajk Wed, 10/19/2011 - 11:35

Hi,

Do we have 'mls qos vlan-based' configured on the physical port through which the traffic is ingressing?

kozorezdi Wed, 10/19/2011 - 23:20

Hi Balaji,

I see, it's the right direction. Let me explain the scheme:

router(SVI 103---port-channel1)----------trunk-------------L2 switch(access-port)--------------host

I haven't had the command 'mls qos vlan-based' on int port-channel1; as a result the policy was not working.

When I put it on the interface, it blocked all traffic to the host. Please give me an idea what is wrong.

Some details:

interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
end
!
interface Vlan103
 bandwidth 100000
 ip address *.*.*.49 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast source reachable-via any
 ip flow ingress
 mls netflow sampling
 service-policy input MAP-TEST-LIMIT50
end
!

L2 switch:

interface GigabitEthernet0/15
 switchport access vlan 103
 switchport mode access
 speed 100
end
!

Thank you in advance.

--

Dimitry

Correct Answer
mlund Thu, 10/20/2011 - 00:18

Hi Dimity

You said "when I put it on the interface it blocked all traffic to host".

That is exactly what is going to happen, because of your policy.

The policy states "conform-action drop".

/Mikael





kozorezdi Thu, 10/20/2011 - 01:06

Hi Mlund,

Sorry for my blindness. Yes, it is working now! THANK YOU VERY MUCH!

--

Dimitry
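
The two faults diagnosed in this thread (a policer whose conform-action is drop, and an input service-policy on an SVI while the Layer 2 ingress port lacks 'mls qos vlan-based') can be checked for before a policy goes live. The following is an added example, not code from any of the posters: a small Python lint over IOS configuration text. The function names are hypothetical, the sample is a constructed condensation of the configuration posted above, and it assumes child lines are indented under their parent as in 'show running-config' output.

```python
import re

# Constructed sample: the configuration posted in this thread, condensed.
SAMPLE_CONFIG = """\
policy-map MAP-TEST-LIMIT50
  class CLASS-TEST-LIMIT50
    police 50000000 40000 conform-action drop exceed-action drop violate-action drop
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan103
 service-policy input MAP-TEST-LIMIT50
!
"""

def split_blocks(config):
    """Group an IOS config into {top-level line: [stripped child lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():          # unindented line starts a new block
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def lint(config):
    """Return findings for the two faults diagnosed in the thread."""
    blocks, findings = split_blocks(config), []
    # Fault 1: a policer that drops conforming traffic forwards nothing.
    for header, body in blocks.items():
        if header.startswith("policy-map ") and any(
                re.match(r"police\b.*\bconform-action drop\b", l) for l in body):
            findings.append(f"{header.split()[1]}: conform-action drop")
    # Fault 2: input policy on an SVI, but a Layer 2 port is not vlan-based.
    svi_policy = any(h.lower().startswith("interface vlan") and
                     any(l.startswith("service-policy input ") for l in b)
                     for h, b in blocks.items())
    for header, body in blocks.items():
        if (svi_policy and header.startswith("interface ")
                and "switchport" in body and "mls qos vlan-based" not in body):
            findings.append(f"{header.split()[1]}: missing mls qos vlan-based")
    return findings
```

Running lint(SAMPLE_CONFIG) reports both faults; a copy with conform-action transmit and 'mls qos vlan-based' under Port-channel1 returns no findings.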

Posted October 17, 2011 at 6:22 AM