New Member

How to police outbound dot1q-tunnel interface


We are using Cat 3550.

We have tried to use the following config.

mac access-list extended MAClist
 permit any any

class-map match-any MAC
 match access-group name MAClist

policy-map 5Megatunnel
 class MAC
  police 5000000 32000 exceed-action drop

This can only be applied on the inbound direction of a port.

We also tried:

policy-map 5Megatunnel
 class class-default
  police 5000000 32000 exceed-action

This had no effect at all.

Is there a way to shape the outbound direction with switchport mode dot1q-tunnel configured on the port?

Thanks in advance,



Re: How to police outbound dot1q-tunnel interface

QoS policing in the Catalyst 3550 complies with this leaky bucket concept:

The number of tokens proportional to the incoming traffic packet sizes are placed into a token bucket; the number of tokens equals the size of the packet. At a regular interval, a defined number of tokens derived from the configured rate is removed from the bucket. If there is no place in the bucket to accommodate an incoming packet, the packet is considered out-of-profile and is dropped or marked down according to the configured policing action.
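The bucket behaviour described in the reply above, modelled as an added example that is not part of the original thread and is not Cisco's implementation. It uses the 5000000 bps rate and 32000-byte burst from the question's police command; the names `BucketPolicer`, `police` and `constant_flow`, the continuous drain and the constructed traffic are assumptions.

```python
from dataclasses import dataclass


@dataclass
class BucketPolicer:
    """Bucket meter as described in the reply: packets add tokens, time drains them."""
    rate_bps: int          # policed rate in bits per second
    burst_bytes: int       # bucket depth in bytes
    level: float = 0.0     # bytes currently held in the bucket
    last_us: int = 0       # timestamp of the previous update, microseconds

    def offer(self, t_us: int, size: int) -> bool:
        """Return True if a packet of `size` bytes arriving at t_us is in-profile."""
        # Drain at the configured rate for the elapsed time (assumption:
        # continuous drain instead of the hardware's fixed interval).
        drained = (t_us - self.last_us) * self.rate_bps / 8_000_000
        self.level = max(0.0, self.level - drained)
        self.last_us = t_us
        if self.level + size > self.burst_bytes:
            return False   # no room in the bucket: out-of-profile (exceed-action)
        self.level += size
        return True


def police(arrivals, rate_bps=5_000_000, burst_bytes=32_000):
    """Run (t_us, size) arrivals through a fresh policer; return per-packet verdicts."""
    p = BucketPolicer(rate_bps, burst_bytes)
    return [p.offer(t, size) for t, size in arrivals]


def constant_flow(count, gap_us, size=1500):
    """Constructed traffic: `count` frames of `size` bytes, one every gap_us."""
    return [(k * gap_us, size) for k in range(count)]


if __name__ == "__main__":
    # Constructed flows: 10 Mbit/s (1500 B every 1200 us) and 4 Mbit/s (every 3000 us).
    for name, gap in (("10 Mbit/s", 1200), ("4 Mbit/s", 3000)):
        verdicts = police(constant_flow(1000, gap))
        print(name, "forwarded", sum(verdicts), "dropped", verdicts.count(False))
```

In this model the 10 Mbit/s flow passes untouched until the 32000-byte bucket fills, after which every second frame is out-of-profile, so the forwarded rate settles at the policed 5 Mbit/s.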

New Member

Re: How to police outbound dot1q-tunnel interface

The problem is that when the class-map matches against a MAC access-list, the service-policy can be applied only in the inbound direction.

When the class-map matches class-default or "everything", the policer has no effect at all. My question is whether it is possible to police dot1q-tunnel traffic in the outbound direction of a port.

New Member

Re: How to police outbound dot1q-tunnel interface

You may have to police on the ingress port of the links coming into the switch. Another way of doing it on the 3400 (not sure if this is supported on 3560) is to use qos-group. You would set up a service-policy and match, say, a VLAN and put it into the qos group. Then you can police on inbound. Note, this needs to be a child policy. I think Cisco is missing the boat on this, as many other vendors can do what you're asking.

New Member

Re: How to police outbound dot1q-tunnel interface

I said that wrong. You would mark the packets on the inbound of the inbound (upstream) ports and police on the outbound of the port you're referring to. The policy would

interface GigabitEthernet0/2
 service-policy output FLIP_OUT

policy-map FLIP_OUT
 class QOS1
  police cir 2000000
   conform-action transmit
   exceed-action drop

class-map match-all QOS1
 match qos-group 1

and on incoming ports:

interface GigabitEthernet0/4
 description coming into your switch from the outside world
 service-policy input DOWN

policy-map DOWN
 class DLL
  service-policy QOS_1

class-map match-all DLL
 match vlan 13

policy-map QOS_1
 class class-default
  set qos-group 1

All their switches are different, but that is a way you can police.