Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

egress policing doesn't work on 6509 (PFC3BXL)

Policing is configed on both ingress and egress. Only ingress works as expected. I can see packets have been dropped as exceeded on egress, but from the monitoring gragh the bandwidth could reach 4Mbps sometime.  related config as following:

interface Vlan504
ip address 192.168.255.254 255.255.255.0
no ip proxy-arp
no mls qos tiny-fragment
service-policy input CAR-2M
service-policy output CAR-2M

interface GigabitEthernet1/16
mtu 9216
no ip address
logging event link-status
logging event trunk-status
load-interval 30
speed 100
duplex full
mls qos vlan-based
switchport
switchport trunk encapsulation dot1q
switchport mode trunk

policy-map CAR-2M
  class IPALL
     police 2048000 64000 64000 conform-action transmit exceed-action drop

Class Map match-all IPALL (id 5)
   Match access-group  101

Extended IP access list 101
    10 permit ip any any (911113 matches)

rtr-1#sh policy-map int vlan 504
Vlan504

  Service-policy input: CAR-2M

    class-map: IPALL (match-all)
      Match: access-group 101
      police :
        2048000 bps 64000 limit 64000 extended limit
      Earl in slot 1 :
        32726043091 bytes
        5 minute offered rate 200816 bps
        aggregate-forwarded 31176541751 bytes action: transmit
        exceeded 1549501340 bytes action: drop
        aggregate-forward 63600 bps exceed 0 bps
      Earl in slot 2 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
      Earl in slot 4 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
      Earl in slot 5 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
      Earl in slot 7 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
      Earl in slot 8 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps

  Service-policy output: CAR-2M

    class-map: IPALL (match-all)
      Match: access-group 101
      police :
        2048000 bps 64000 limit 64000 extended limit
      Earl in slot 1 :
        3536312 bytes
        5 minute offered rate 24 bps
        aggregate-forwarded 3536312 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 176 bps exceed 0 bps
      Earl in slot 2 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
      Earl in slot 4 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
      Earl in slot 5 :
        3536428 bytes
        5 minute offered rate 8 bps
        aggregate-forwarded 3536428 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
      Earl in slot 7 :
        5437317083 bytes
        5 minute offered rate 40408 bps
        aggregate-forwarded 5432314640 bytes action: transmit
        exceeded 5002443 bytes action: drop
        aggregate-forward 80584 bps exceed 0 bps
      Earl in slot 8 :
        3026877043 bytes
        5 minute offered rate 11440 bps
        aggregate-forwarded 3025220090 bytes action: transmit
        exceeded 1656953 bytes action: drop
        aggregate-forward 4768 bps exceed 0 bps

anyone got ideas? thanks.

Everyone's tags (1)
3 REPLIES
Cisco Employee

Re: egress policing doesn't work on 6509 (PFC3BXL)

Hi Kevin!

There are some restrictions on egresspolicing as per:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1727272

From the output you attached looks like there are modules with DFCs in the system:

So of particluar interest are the following statements:

----------------

... snip ...

Aggregate policing works independently on each DFC-equipped switching module and independently on the PFC, which supports any non-DFC-equipped switching modules. Aggregate policing does not combine flow statistics from different DFC-equipped switching modules. You can display aggregate policing statistics for each DFC-equipped switching module and for the PFC and any non-DFC-equipped switching modules supported by the PFC.

Each PFC or DFC polices independently, which might affect QoS features being applied to traffic that is distributed across the PFC and any DFCs. Examples of these QoS feature are:

Policers applied to a port channel interface.

Policers applied to a switched virtual interface.

Egress policers applied to either a Layer 3 interface or an SVI. Note that PFC QoS performs egress policing decisions at the ingress interface, on the PFC or ingress DFC.

Policers affected by this restriction deliver an aggregate rate that is the sum of all the independent policing rates.

... end snip...

-----

Thanks,

Sergey

New Member

Re: egress policing doesn't work on 6509 (PFC3BXL)

Thanks for your input

Sergey.

The egress policy was deployed on VLAN interface and your extracts doesn't say policing will not be working on it.

an aggregate rate that is the sum of all the independent policing rates. but that should not exceed the rate I set on policy map, shouldn't it?

Cisco Employee

Re: egress policing doesn't work on 6509 (PFC3BXL)

Hi Kevin,o

The follwing statements on CCO are of interest:
-----------
Each PFC or DFC polices independently, which might affect QoS features being applied to traffic that is distributed across the PFC and any DFCs.
Examples of these QoS feature are:

–Egress policers applied to either a Layer 3 interface or an SVI.
Note that PFC QoS performs egress policing decisions at the ingress interface, on the PFC or ingress DFC.
Policers affected by this restriction deliver an aggregate rate that is the sum of all the independent policing rates.
----

As per description the egress policing will apply the policing action into the ingress interfaces which located in the linecards with
DFC installed. Then it will make the final policed rate times to the expected
one, if there are multiple ingress linecards with DFC.
Thats say you have egress policy for 2MB on SVI1.
The traffic comming on port of one LC w DFC in slot 1 going out SVI1 w egress policing will be
policed to 2MB on ingress LC slot 1 side.
And the traffic coming on port from another LC w DFC (slot 2) out SVI1 will be policed to 2MB, but again on ingress LC slot2.
As a result depending on incoming traffic flows the sum of output rates out SVI1 could be 2+2=4MB, not 2Mb as configured on egress plicing SVI1.

Thanks,
Sergey

2501
Views
0
Helpful
3
Replies
CreatePlease to create content