Policing is configed on both ingress and egress. Only ingress works as expected. I can see packets have been dropped as exceeded on egress, but from the monitoring gragh the bandwidth could reach 4Mbps sometime. related config as following:
interface Vlan504 ip address 192.168.255.254 255.255.255.0 no ip proxy-arp no mls qos tiny-fragment service-policy input CAR-2M service-policy output CAR-2M
interface GigabitEthernet1/16 mtu 9216 no ip address logging event link-status logging event trunk-status load-interval 30 speed 100 duplex full mls qos vlan-based switchport switchport trunk encapsulation dot1q switchport mode trunk
policy-map CAR-2M class IPALL police 2048000 64000 64000 conform-action transmit exceed-action drop
Class Map match-all IPALL (id 5) Match access-group 101
Extended IP access list 101 10 permit ip any any (911113 matches)
From the output you attached looks like there are modules with DFCs in the system:
So of particluar interest are the following statements:
... snip ...
•Aggregate policing works independently on each DFC-equipped switching module and independently on the PFC, which supports any non-DFC-equipped switching modules. Aggregate policing does not combine flow statistics from different DFC-equipped switching modules. You can display aggregate policing statistics for each DFC-equipped switching module and for the PFC and any non-DFC-equipped switching modules supported by the PFC.
•Each PFC or DFC polices independently, which might affect QoS features being applied to traffic that is distributed across the PFC and any DFCs. Examples of these QoS feature are:
–Policers applied to a port channel interface.
–Policers applied to a switched virtual interface.
–Egress policers applied to either a Layer 3 interface or an SVI. Note that PFC QoS performs egress policing decisions at the ingress interface, on the PFC or ingress DFC.
Policers affected by this restriction deliver an aggregate rate that is the sum of all the independent policing rates.
Re: egress policing doesn't work on 6509 (PFC3BXL)
The follwing statements on CCO are of interest: ----------- Each PFC or DFC polices independently, which might affect QoS features being applied to traffic that is distributed across the PFC and any DFCs. Examples of these QoS feature are:
–Egress policers applied to either a Layer 3 interface or an SVI. Note that PFC QoS performs egress policing decisions at the ingress interface, on the PFC or ingress DFC. Policers affected by this restriction deliver an aggregate rate that is the sum of all the independent policing rates. ----
As per description the egress policing will apply the policing action into the ingress interfaces which located in the linecards with DFC installed. Then it will make the final policed rate times to the expected one, if there are multiple ingress linecards with DFC. Thats say you have egress policy for 2MB on SVI1. The traffic comming on port of one LC w DFC in slot 1 going out SVI1 w egress policing will be policed to 2MB on ingress LC slot 1 side. And the traffic coming on port from another LC w DFC (slot 2) out SVI1 will be policed to 2MB, but again on ingress LC slot2. As a result depending on incoming traffic flows the sum of output rates out SVI1 could be 2+2=4MB, not 2Mb as configured on egress plicing SVI1.
We are pleased to announce availability of Beta software for 16.6.3.
16.6.3 will be the second rebuild on the 16.6 release train targeted
towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are
looking for early feedback from customers befor...
Introduction Featured Speakers Luis Espejel is the Telecommunications
Manager of IENova, an Oil & Gas company. Currently he works with Cisco
IOS® and Cisco IOS XE platforms, and NX to some extent. He has also
worked as a Senior Engineer with the Routing P...
In this session you can learn more about Layer 3 multicast and the best
practices to identify possible threats and take security measures. It
provides an overview of basic multicast, the best security practices for
use of this technology, and recommendati...