rate limit not working for vlan

Answered Question
Oct 21st, 2011

Hi Guyz,

I want to restrict internet traffic for guests on a free SSID to 1MB.

I configured my CORE Switch as follows. all seems well but traffic is never dropped.

any help to solve this is highly appreciated.

I want this vlan (50) to be restricted to 1 MB for outgoing and incoming traffic.

configuration for vlan 50

-----------------------------------

interface Vlan50
description ***  Interface for VLAN 50
ip address 10.1.22.1 255.255.255.0
ip access-group 105 in
rate-limit input 1000000 1000000 1000000 conform-action transmit exceed-action drop
rate-limit output 1000000 1000000 1000000 conform-action transmit exceed-action drop
end

no traffic is dropped

-----------------------------
SW-3560-1#sh int vlan 50 rate-limit
Vlan50 *** Interface for VLAN 50
  Input
    matches: all traffic
      params:  1000000 bps, 1000000 limit, 1000000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 2853770291ms ago, current burst: 0 bytes
      last cleared 2w0d ago, conformed 0 bps, exceeded 0 bps
  Output
    matches: all traffic
      params:  1000000 bps, 1000000 limit, 1000000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 2853770291ms ago, current burst: 0 bytes
      last cleared 2w0d ago, conformed 0 bps, exceeded 0 bps

thanks in advance.

abukuru95 Mon, 10/24/2011 - 00:52

Hello Smitesh,

I cannot apply some commands that are on the link you provided such as

match class-map class -default

I am running version (C3560-IPSERVICESK9-M), Version 12.2(35)SE5

any more ideas?

regards.

naiduccnp Mon, 10/24/2011 - 02:11

Hi,

Try below may help you...

Policy a specific VLAN number on VLAN interface.

class-map vlan5
match vlan 5
match class-map class-default

policy-map vlan5-limit
class vlan5
police 2000000 250000 exceed-action drop

int vlan5
service-policy input vlan5-limit


After you apply this configuration, the traffic with VLAN 5 coming from any will be policed at 2Mbps.


Hope this will help you.


Please rate the helpful posts.
Regards,
Naidu.

abukuru95 Mon, 10/24/2011 - 10:12

Hi Latchum,

when i apply the command

int vlan5

service-policy input vlan5-limit,

i receive this error %QoS: policy-map with police action at parent level not supported on Vlan5 interface.

i am running ios version 12.2(35)SE5

any ideas on a way out ?

Marwan ALshawi Mon, 10/24/2011 - 14:03

What you can do is use the same policy suggested above as a child policy.

Example

Policy-map p1
class class-default
Service-policy vlan5-limit

Then apply the p1 policy at the VLAN interface level.

You may need to change the behaviour of the QoS to VLAN-based at the physical interface level, using the command mls qos vlan-based

Hope this helps

If helpful, rate

abukuru95 Tue, 10/25/2011 - 01:06

Hi Marwanshawi,

I don't get you quite well using the same policy as child policy?

thanks for the help.

naiduccnp Tue, 10/25/2011 - 01:21

Hi,

What that meant is...

configure everything like in my previous post then configure the child policy like below and apply to the vlan interface.

Policy-map p1
class class-default
Service-policy vlan5-limit

int vlan5
Policy-map p1

Please rate the helpful posts.
Regards,
Naidu.

abukuru95 Tue, 10/25/2011 - 02:26

Hi Natchum,

i do not have this command under the interface vlan options

interface vlan 5

policy-map p1

when i go to the

conf t

interface vlan 5

?

it does not exist on the ios

thanks for the help anyway.

abukuru95 Tue, 10/25/2011 - 03:47

hi Kishore, yes.

this is the output i am getting now.

3560(config)#interface vlan 5

3560(config-if)#service-policy input p1

%QoS: policy-map vlan_5-limit with MATCH INPUT-INTERFACE matching non-physical interfaces or other unsupported

Service Policy attachment failed

3560(config-if)#

3560(config-if)#service-policy input p1

%QoS: policy-map vlan_5-limit with MATCH INPUT-INTERFACE matching non-physical interfaces or other unsupported

Service Policy attachment failed

3560(config-if)#

thanks for your help guys.

kishore.chennupati Tue, 10/25/2011 - 05:39

Ah, the reason is that the match statement under the class-map is not correct.

match vlan 5 is only available on 6500s, 4500s and Metro Ethernet switches, not on a 3560.

Please remember the following points while using child policies.

Key things to remember:

    Child classes use match input-interface

    Child policies use police

    Parent classes match ACL (I think you can also match dscp, maybe others)

    Parent policies must have an action (e.g. set or trust)

    Apply parent policies to SVI

So you need to use match input-interface and match all the interfaces where vlan 50 is configured.

For example, let's assume that you have vlan 50 configured on interface fa1/0/1; then the class-map will be like this:

access-list 100 permit ip any any

class-map match-any cm-1
match access-group 100

class-map vlan50
match input-interface fa1/0/1

policy-map vlan50-limit
class vlan50
police 2000000 250000 exceed-action drop

policy-map vlan-50-limit-2Mbps
class cm-1
trust dscp
service-policy vlan50-limit

int vlan50
service-policy input vlan-50-limit-2Mbps

int fa1/0/1
mls qos vlan-based

Please apply the above and let me know how you go

HTH

Regards,

Kishore

Please rate if helps

abukuru95 Tue, 10/25/2011 - 06:35

thanks Kishore,

the configuration is successfully applied, but alas no traffic is dropped. i have three trunk interfaces on my core switch where i need to apply this. I guess i can only apply it on physical interfaces? thanks a bunch anyway. i am still awaiting new ideas.

Correct Answer
kishore.chennupati Tue, 10/25/2011 - 13:30

Hi,

you can apply this to trunk interfaces as well. you just need to put the trunk interface in the  "match input-interface"

class-map vlan50

match input-interface


and just put the mls qos vlan-based under the trunk interfaces and it will work.

abukuru95 wrote:

thanks Kishore,

the configuration is successfully applied, but alas no traffic is dropped. i have three trunk interfaces on my core switch where i need to apply this. I guess i can only apply it on physical interfaces? thanks a bunch anyway. i am still awaiting new ideas.

You cannot apply service-policy output to physical interfaces on 3560 due to ASIC limitations

HTH

Kishore
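
The hierarchical policy described in the answers above, consolidated for several trunk ports and the 1 Mb/s target from the original question. This is an added example, not configuration posted by any participant in the thread. It assumes QoS is enabled globally with mls qos; the port range Gi0/1 - Gi0/3, the map names and the 125000-byte burst are hypothetical.

```ios
! Added example; interface names, map names and burst size are assumptions.
! Assumption: QoS is enabled globally so that policers take effect.
mls qos
!
! VLAN-level (parent) class: matches by ACL, as in the thread.
access-list 100 permit ip any any
class-map match-any GUEST-ALL-IP
 match access-group 100
!
! Interface-level (child) class: the physical trunk ports that carry VLAN 50.
! Gi0/1 - Gi0/3 are hypothetical; substitute the real trunk ports.
class-map match-any GUEST-TRUNKS
 match input-interface GigabitEthernet0/1 - GigabitEthernet0/3
!
! Child policy: the policer lives here (1 Mb/s, 125000-byte burst assumed).
policy-map GUEST-POLICE-1M
 class GUEST-TRUNKS
  police 1000000 125000 exceed-action drop
!
! Parent policy: needs an action (trust) plus the child policy.
policy-map GUEST-VLAN50-PARENT
 class GUEST-ALL-IP
  trust dscp
  service-policy GUEST-POLICE-1M
!
! Each physical port named above is switched to VLAN-based QoS.
interface range GigabitEthernet0/1 - 3
 mls qos vlan-based
!
! Attach the parent policy to the SVI, input direction only.
interface Vlan50
 service-policy input GUEST-VLAN50-PARENT
```

Because the policy attaches in the input direction only, it polices traffic arriving in VLAN 50 on the listed ports and does nothing for traffic leaving them.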

Posted October 21, 2011 at 9:32 AM