User-Based Rate Limiting in the Cisco Catalyst 6500

bindar.marius
Level 1

Hi guys,

Following the link below, I tried to test the last scenario in our lab:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper0900aecd803e5017.shtml

CONFIGURING UBRL: BIDIRECTIONAL UBRL.

But in the outbound direction, the traffic destined for the subnet in question is not policed at all.

I have a 7606 SUP720-3BXL router.

This is a show module from the device:

7606-2-PLR#sh module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    2  2+4 port GE-WAN                        OSM-2+4GE-WAN+     JAE10202BAC
  2   48  48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX    SAL09496YWU
  3   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAD101708G1
  4    2  2+4 port GE-WAN                        OSM-2+4GE-WAN+     JAE10191JMF
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAL1016KSBW
  6    2  Supervisor Engine 720 (Cold)           WS-SUP720-3BXL     SAL09475RZL

Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1 0017.5ad8.0d30 to 0017.5ad8.0d3f   2.3    12.2(33)SRA1 12.2(33)SRA1 Ok
  2 0016.c816.6fc0 to 0016.c816.6fef   1.4    8.4(1)       8.6(0.259)CA Ok
  3 0015.fa19.bb52 to 0015.fa19.bb69   2.3    12.2(14r)S5  12.2(33)SRA1 Ok
  4 0017.5ad7.d600 to 0017.5ad7.d60f   2.3    12.2(33)SRA1 12.2(33)SRA1 Ok
  5 0013.c43a.de28 to 0013.c43a.de2b   4.5    8.4(2)       12.2(33)SRA1 Ok
  6 0014.a97e.1988 to 0014.a97e.198b   4.3    8.1(3)       12.2(2006061 Ok

Mod  Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
   3 Distributed Forwarding Card WS-F6700-DFC3BXL   SAL1020NAK0 5.2     Ok
   5 Policy Feature Card 3       WS-F6K-PFC3BXL     SAL1016KR81 1.8     Ok
   5 MSFC3 Daughterboard         WS-SUP720          SAL1018LJ0C 2.5     Ok
   6 Policy Feature Card 3       WS-F6K-PFC3BXL     SAL09412T06 1.6     Ok
   6 MSFC3 Daughterboard         WS-SUP720          SAL09475JLE 2.3     Ok

Mod  Online Diag Status
---- -------------------
   1 Pass
   2 Pass
   3 Pass
   4 Pass
   5 Pass
   6 Pass

23 Replies

mheusinger
Level 10

Hi,

can you please be more specific about your lab setup? How did you configure the 6500, how did you test the policy?

Regards, Martin

swaroop.potdar
Level 7

Hi Marius,

1) Can you also paste in your show run of the policy map and class map with the ACL.

2) And show run of the interface where you applied the configuration.

3) Output of "show policy-map interface"

HTH-Cheers,

Swaroop

class-map match-all Outbound
 match access-group 111
class-map match-all Inbound
 match access-group 110

policy-map Inbound
 class Inbound
  police flow mask src-only 1000000 2000 conform-action transmit exceed-action drop
 class Outbound
  police flow mask dest-only 1000000 2000 conform-action transmit exceed-action drop

interface GigabitEthernet2/3
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2055,3000,3001
 switchport mode trunk
 switchport nonegotiate
 load-interval 30
 mls qos vlan-based
 spanning-tree portfast trunk

interface Vlan3000
 ip address 172.16.1.65 255.255.255.252
 ip pim sparse-mode
 load-interval 30
 service-policy input Inbound

access-list 110 permit ip 11.11.11.0 0.0.0.255 any
access-list 111 permit ip any 11.11.11.0 0.0.0.255

7606-2-PLR#sh ip route 11.11.11.0
Routing entry for 11.11.11.0/24
  Known via "bgp 100", distance 20, metric 0
  Tag 666, type external
  Last update from 172.16.1.66 05:04:25 ago
  Routing Descriptor Blocks:
  * 172.16.1.66, from 172.16.1.66, 05:04:25 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 666

7606-2-PLR#sh policy-map interface
 Vlan3000
  Service-policy input: Inbound
    Class-map: Inbound (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group 110
    Class-map: Outbound (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group 111
    Class-map: class-default (match-any)
      11 packets, 725 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
        11 packets, 725 bytes
        30 second rate 0 bps

Hi,

Your config looks ok and your hardware supports flow policers on a Layer 3 interface. Seems like an MLS problem.

1) Locate all the ports which are under Vlan 3000 and issue the command,

"mls qos vlan-based"

2) Verify if the ports have been enabled with Vlan Based QOS: "show mls qos"

The enabled ports should be showing as Vlan Based QOS enabled.

This should help to solve the issue.

If it doesn't, send the output of step 2 as an attachment.

HTH-Cheers,

Swaroop

policy-map Inbound
 class Inbound
  police flow mask src-only 1000000 2000 conform-action set-prec-transmit 5 exceed-action drop
 class Outbound
  police flow mask dest-only 1000000 2000 conform-action set-prec-transmit 5 exceed-action drop

class-map match-all Inbound
 match access-group 110
class-map match-all Outbound
 match access-group 111

7606-2-PLR#sh vlan id 3000
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3000 VLAN3000                         active    Gi2/3

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3000 enet  103000     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

interface GigabitEthernet2/3
 description *** Multicast Sources - PORT 1 ***
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2055,3000,3001
 switchport mode trunk
 switchport nonegotiate
 no ip address
 load-interval 30
 mls qos vlan-based
 spanning-tree portfast trunk

interface Vlan3000
 ip address 172.16.1.65 255.255.255.252
 load-interval 30
 isis circuit-type level-2-only
 service-policy input Inbound

7606-2-PLR#sh mls qos
  QoS is enabled globally
  Policy marking depends on port_trust
  QoS ip packet dscp rewrite enabled globally
  Input mode for GRE Tunnel is Pipe mode
  Input mode for MPLS is Pipe mode
  QoS is vlan-based on the following interfaces:
    Gi2/3
  Vlan or Portchannel(Multi-Earl) policies supported: Yes
  Egress policies supported: Yes

 ----- Module [3] -----
  QoS global counters:
    Total packets: 2273
    IP shortcut packets: 0
    Packets dropped by policing: 0
    IP packets with TOS changed by policing: 273
    IP packets with COS changed by policing: 29
    Non-IP packets with COS changed by policing: 9
    MPLS packets with EXP changed by policing: 0

 ----- Module [5] -----
  QoS global counters:
    Total packets: 222
    IP shortcut packets: 0
    Packets dropped by policing: 0
    IP packets with TOS changed by policing: 46
    IP packets with COS changed by policing: 6
    Non-IP packets with COS changed by policing: 14
    MPLS packets with EXP changed by policing: 0

 ----- Module [6] -----
  QoS global counters:
    Total packets: 0
    IP shortcut packets: 0
    Packets dropped by policing: 0
    IP packets with TOS changed by policing: 0
    IP packets with COS changed by policing: 0
    Non-IP packets with COS changed by policing: 0
    MPLS packets with EXP changed by policing: 0

7606-2-PLR#sh policy-map interface
 Vlan3000
  Service-policy input: Inbound
    Class-map: Inbound (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group 110
    Class-map: Outbound (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group 111
    Class-map: class-default (match-any)
      1178 packets, 80300 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any

Bindar,

Also, did you try using the command specified, "mls qos vlan-based"?

Reply back with the status of this issue.

HTH-Cheers,

Swaroop

Bindar,

Can you try enabling "mls qos bridged" on the SVI where you apply this policy.

And give the output here.

HTH-Cheers,

Swaroop

7606-2-PLR#sh run interface vlan 3000
Building configuration...

Current configuration : 186 bytes
!
interface Vlan3000
 ip vrf forwarding QOS
 ip address 172.16.1.65 255.255.255.252
 load-interval 30
 mls qos bridged
 isis circuit-type level-2-only
 service-policy input Inbound
end

7606-2-PLR#sh run int gi
7606-2-PLR#sh run int gigabitEthernet 2/3
Building configuration...

Current configuration : 310 bytes
!
interface GigabitEthernet2/3
 description *** Multicast Sources - PORT 1 ***
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2055,3000,3001
 switchport mode trunk
 switchport nonegotiate
 no ip address
 load-interval 30
 mls qos vlan-based
 spanning-tree portfast trunk
end

7606-2-PLR#sh vlan id 3000
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3000 VLAN3000                         active    Gi2/3

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3000 enet  103000     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

7606-2-PLR#
7606-2-PLR#
7606-2-PLR#sh pol
7606-2-PLR#sh policy-map in
7606-2-PLR#sh policy-map interface
 Vlan3000
  Service-policy input: Inbound
    Class-map: Inbound (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group 110
    Class-map: Outbound (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group 111
    Class-map: class-default (match-any)
      52 packets, 3458 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any

All the counters are zero even after 14Mbps traffic load through that interface.
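The symptom posted above (ACL-based classes at zero while class-default absorbs every packet) can be checked mechanically. The script below is an added example, not code from this thread; it parses the "sh policy-map interface" output shape shown here, keeps the class-level counter rather than the per-criterion counter printed under "Match:", and reports classes whose criteria never hit. The sample text is constructed from the counters posted in this thread.

```python
import re
from typing import Dict, List

# Constructed sample, re-typed from the "sh policy-map interface" output in this thread.
SAMPLE_OUTPUT = """\
Vlan3000
  Service-policy input: Inbound
    Class-map: Inbound (match-all)
      0 packets, 0 bytes
      Match: access-group 110
    Class-map: Outbound (match-all)
      0 packets, 0 bytes
      Match: access-group 111
    Class-map: class-default (match-any)
      52 packets, 3458 bytes
      Match: any
        52 packets, 3458 bytes
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\(match-\w+\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")

def parse_policy_counters(text: str) -> Dict[str, dict]:
    """Per class-map: class-level packet/byte counters plus its Match lines."""
    classes: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            classes[current] = {"packets": None, "bytes": None, "matches": []}
            continue
        if current is None:
            continue
        m = COUNT_RE.match(line)
        # Keep only the first counter pair; a later one under "Match:" is per-criterion.
        if m and classes[current]["packets"] is None:
            classes[current]["packets"] = int(m.group(1))
            classes[current]["bytes"] = int(m.group(2))
        m = MATCH_RE.match(line)
        if m:
            classes[current]["matches"].append(m.group(1))
    return classes

def unmatched_classes(classes: Dict[str, dict]) -> List[str]:
    """Classes whose criteria hit nothing while class-default absorbed traffic."""
    if not classes.get("class-default", {}).get("packets"):
        return []
    return [n for n, c in classes.items() if n != "class-default" and not c["packets"]]
```

Feed it the live output instead of SAMPLE_OUTPUT; an empty result means the ACL classes are counting, a non-empty one means the policy is attached but never matching in hardware.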

Hi Bindar,

I don't see any document which says two-way microflow policing is not supported on an SVI. Also I don't see a document confirming it either. I don't have internal product-level feature compliance information.

But anyway, can you try this; let's hope it works.

#config t

mls flow ip full

ip flow ingress layer2-switched vlan 3000

HTH-Cheers,

Swaroop

So, after mls flow ip full was applied, the following message appears:

%FM-2-FLOWMASK_CONFLICT: Features configured on interface Vlan3000 have conflicting flowmask requirements, traffic may be switched in software

Maybe because the mask in my scenario is src-only or dest-only.

OK, did you try enabling flow detection on layer 2?

"ip flow ingress layer2-switched vlan 3000"

Let us know what the result is.

OK..

Can you give the output of these commands,

"show mls netflow module 2"

"show mls netflow source 11.11.11.0"

"show mls netflow destination 11.11.11.0"

"show mls netflow ip"

"show mls netflow flowmask"

HTH-Cheers,

Swaroop

7606-2-PLR#sh mls netflow ip
Displaying Netflow entries in Supervisor Earl
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------
0.0.0.0         11.11.11.1      0   :0      :0        --              :0x0
359926       38152156      398   08:09:15  L3 - Dynamic
0.0.0.0         11.11.11.4      0   :0      :0        --              :0x0
359925       38152050      398   08:09:15  L3 - Dynamic
0.0.0.0         11.11.11.5      0   :0      :0        --              :0x0
359925       38152050      398   08:09:15  L3 - Dynamic
0.0.0.0         11.11.11.2      0   :0      :0        --              :0x0
359926       38152156      398   08:09:15  L3 - Dynamic
0.0.0.0         11.11.11.3      0   :0      :0        --              :0x0
359925       38152050      398   08:09:15  L3 - Dynamic
0.0.0.0         0.0.0.0         0   :0      :0        --              :0x0
559177       58444378      192   08:09:53  L3 - Dynamic

7606-2-PLR#sh mls netflow flowmask
current ip flowmask for unicast: null
current ipv6 flowmask for unicast: null

7606-2-PLR#sh mls netflow ip module 2
No forwarding engine in module 2

The ip flow ingress command was already issued in the previous post.

7606-2-PLR#sh mls netflow ip source 11.11.11.0
Displaying Netflow entries in Supervisor Earl
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------

7606-2-PLR#sh mls netflow ip dest 11.11.11.0
Displaying Netflow entries in Supervisor Earl
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------

OK, that's great,

Now can you enable the source-destination flowmask as below and record the observation.

In global:

"mls flow ip destination-source"

Once you enable this command, simply take the output of

1) show policy int

2) show mls flow ip

3) show mls netflow flowmask

That's it...

HTH-Cheers,

Swaroop
