3560 qos

josephschung (Level 1)

Dear Sir,

We have three web servers connected to a 3560 switch and we would like to limit their maximum bandwidth to 30M, 15M and 15M. Is it OK to do the QoS at the uplink port, such as f0/24?

Any sample for reference?

Thanks.


10 Replies 10

andrew.prince (Level 10)

Read the link below; it covers all you need to know:

http://www.cisco.com/univercd/cc/td/doc/solution/esm/qossrnd.pdf

HTH

Kerem Gursu (Level 1)

Hi Joseph,

You can apply the following configuration to your switchports. I have used Gig 17, 18 and 19 as an example. Please remember that you are able to apply policy maps in the inbound direction on 3560 routers.

Hope to help,

Kerem

! Classify each server's traffic by a named ACL (one class per server)
class-map match-all SERVER-1
 match access-group name SERVER-1
class-map match-all SERVER-2
 match access-group name SERVER-2
class-map match-all SERVER-3
 match access-group name SERVER-3
!
! Policers: rate in bits per second, burst in bytes; traffic above the rate is dropped
policy-map SERVER-1
 class SERVER-1
  police 30000000 8000 exceed-action drop
policy-map SERVER-2
 class SERVER-2
  police 15000000 8000 exceed-action drop
policy-map SERVER-3
 class SERVER-3
  police 15000000 8000 exceed-action drop
!
! The ACLs match all IP traffic entering the port
ip access-list extended SERVER-1
 permit ip any any
ip access-list extended SERVER-2
 permit ip any any
ip access-list extended SERVER-3
 permit ip any any
!
! Attach each policy inbound on the server's access port
interface GigabitEthernet0/17
 service-policy input SERVER-1
!
interface GigabitEthernet0/18
 service-policy input SERVER-2
!
interface GigabitEthernet0/19
 service-policy input SERVER-3
!

Dear Sir,

I configured the following commands on a 2960 switch.

=====================
interface FastEthernet0/8
 description SERVER01
 switchport access vlan 80
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input SERVER01
!
class-map match-all SERVER01
 match access-group name SERVER01
!
policy-map SERVER01
 class SERVER01
  police 15000000 8000 exceed-action drop
!
ip access-list extended SERVER01
 permit ip any any
============

I expected the speed to be controlled at 15M. However, when I use FTP to upload/download a file to a web site, I find the speed goes up to 8000KB/s, which is 64M.

Any ideas why?

Thanks.

Did you enable "mls qos"?

Is there any way to limit the output traffic? The 2960 allows input control only.

Thanks.

I don't think so.

From the command reference, service-policy can only be applied in the "input" direction.

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3560/software/release/12.2_50_se/command/reference/cli2.html#wp6193114

We have web servers connected to the ports. We limit the bandwidth of each individual server so as to prevent an external attack from eating up the entire bandwidth and affecting the other servers.

Any workaround for this?

Thanks.

Since your server is connected to a 3560, you can still apply the ingress service-policy on the 3560 switch's uplink. You can use the sample config posted by Kerem, but with a more specific ACL for each server instead of "permit ip any any".
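The uplink variant suggested above, combining Kerem's config with the "mls qos" step, as an added example that is not from any post in this thread. It assumes the uplink is FastEthernet0/24 (from the original question) and uses placeholder server addresses (192.0.2.11-13) that must be replaced with the real ones.

```ios
! Added example, not from the thread. Polices traffic arriving on the uplink
! towards each server; the 3560 only accepts service-policies in the input direction.
! Without "mls qos" the policy attaches but the policers are not active.
mls qos
!
! Server addresses are placeholders: replace with the real server IPs.
ip access-list extended TO-SERVER-1
 permit ip any host 192.0.2.11
ip access-list extended TO-SERVER-2
 permit ip any host 192.0.2.12
ip access-list extended TO-SERVER-3
 permit ip any host 192.0.2.13
!
class-map match-all TO-SERVER-1
 match access-group name TO-SERVER-1
class-map match-all TO-SERVER-2
 match access-group name TO-SERVER-2
class-map match-all TO-SERVER-3
 match access-group name TO-SERVER-3
!
! One policy with a class per server: rate in bps, burst in bytes (8000 is the minimum)
policy-map UPLINK-IN
 class TO-SERVER-1
  police 30000000 8000 exceed-action drop
 class TO-SERVER-2
  police 15000000 8000 exceed-action drop
 class TO-SERVER-3
  police 15000000 8000 exceed-action drop
!
interface FastEthernet0/24
 description UPLINK
 ! Optional: once mls qos is on, ports are untrusted and incoming DSCP is rewritten to 0
 mls qos trust dscp
 service-policy input UPLINK-IN
!
! Verification commands:
!   show mls qos
!   show policy-map UPLINK-IN
!   show mls qos interface FastEthernet0/24 policers
```

This limits what reaches each server from the uplink (including unwanted inbound traffic); what the servers send upstream is still policed inbound on their own access ports, as in Kerem's config, and as noted later in the thread a policer on this switch cannot protect a WAN link that is already saturated upstream of it.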

Thanks. But I have a concern about the resources needed on the 3560 switch. Any experience with specific IP matching on the 3560 regarding resources?

Thanks.

Depending on your model of 3560, "resource" might not be much of an issue. The 24-port gig models, I believe, offer nearly wirespeed to all ports. The 48-port gig models, I also believe, have the capacity to offer about wirespeed to half the ports. Assuming you don't provide 24 gig or so that could be allowed in externally, it should be difficult to impact the 3560's resources. (Do note, there are other types of DoS attacks which might not require much bandwidth, so simple rate limiters offer little protection against those.)

From one of your prior posts, "We limit the bandwidth of individual server so as to prevent external attack from eating up the entire bandwidth and influence other servers.", unless you control the bandwidth before the critical bandwidth-limited link (usually the WAN link), downstream rate limiters or shapers might be totally ineffective, especially if the traffic is non-TCP and/or an intentional DoS.

[edit]

From your post, I suspect the 3560 in question is a 3560-24TS/PS. If it is, it too supports wirespeed for all its ports (6.6 Mpps, 8.8 Gbps).
