Per client policing

We have a Catalyst 3560 that connects to a metro E circuit. It also has 1 uplink into each of our core L3 switches. All ports are layer 2.

We are trying to police bandwidth on a per-client basis. We have set up the following, but it doesn't seem to be working. We're seeing clients spike above the limits we have configured. Any ideas?

class-map match-any ClientA_CM
 match access-group 109
class-map match-any ClientB_CM
 match access-group 105
!
policy-map Rate_Limit_Clients
 class ClientA_CM
  police 5000000 48000 exceed-action drop
 class ClientB_CM
  police 3000000 24000 exceed-action drop
!
access-list 105 permit ip any 209.X.X.120 0.0.0.7
access-list 105 permit ip 209.X.X.120 0.0.0.7 any
access-list 110 permit ip any 66.X.X.160 0.0.0.2
access-list 110 permit ip 66.X.X.160 0.0.0.2 any

Then, we have this applied on both the metro E interface and the 2 uplinks to our core L3 switches:

service-policy input Rate_Limit_Clients

Here is the VLAN interface on our core for the client we're trying to rate-limit:

interface Vlan24
 ip address 66.X.X.162 255.255.255.252
 load-interval 30

2 REPLIES
Re: Per client policing

Also, "show policy-map interface gig 0/24" shows 0 on all counters.

Re: Per client policing

Jordan,

Policing on the 3560 is not straightforward. For starters, you can see any counters on "show policy-map interface X/Y".

I also do not recall that policing works OUTBOUND.

I had a similar scenario recently, and this is how I resolved it:

Each customer was assigned either a VLAN out of a single port or had a Layer 3 port. I was able to police INBOUND only.

For OUTBOUND, I had to police the uplink (inbound), since traffic IN on the uplink is the traffic OUT to customers. My class maps had to match each customer's allocated IP range.

I validated my config by using a traffic generator.

Remember to enable QoS globally ("mls qos"), in which case you might also want to remark inbound traffic from customers.

HTH

Sam
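A configuration laid out the way Sam describes, as an added example rather than anyone's configuration from this thread: inbound-only policing on a 3560, with one policy on the customer-facing port and one on the uplinks. The customer range 203.0.113.0/29, customer port Gi0/24 and uplinks Gi0/1-2 are constructed placeholders.

```cisco
! Added example, not the poster's or Sam's config. Addresses and ports are constructed.
! Catalyst 3560 policing is applied on ingress only, so QoS must be on globally.
mls qos
!
! Traffic the customer sends: policed as it enters the customer-facing port.
ip access-list extended CUSTA_FROM
 permit ip 203.0.113.0 0.0.0.7 any
! Traffic destined to the customer: policed as it enters the uplinks, because that
! is the "outbound to customer" traffic seen on ingress.
ip access-list extended CUSTA_TO
 permit ip any 203.0.113.0 0.0.0.7
!
! Each class-map must reference an ACL that exists; the question's ClientA_CM
! matches access-group 109 while only ACLs 105 and 110 are defined there.
class-map match-any CUSTA_FROM_CM
 match access-group name CUSTA_FROM
class-map match-any CUSTA_TO_CM
 match access-group name CUSTA_TO
!
! Same rate and burst as the question: 5 Mb/s, 48000-byte burst, drop on exceed.
policy-map CUSTA_UP
 class CUSTA_FROM_CM
  police 5000000 48000 exceed-action drop
policy-map CUSTA_DOWN
 class CUSTA_TO_CM
  police 5000000 48000 exceed-action drop
!
interface GigabitEthernet0/24
 description Customer A port (constructed)
 service-policy input CUSTA_UP
interface range GigabitEthernet0/1 - 2
 description Uplinks to core L3 switches (constructed)
 service-policy input CUSTA_DOWN
!
! Checks after applying: confirm QoS is enabled and the policies are attached.
! show mls qos
! show policy-map interface GigabitEthernet0/24
! show policy-map interface GigabitEthernet0/1
```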
