Good afternoon everybody,
I'm working on a big project involving a dark fiber architecture where we're putting 3 Cisco switches (type pointed in the subject with advanced IP services IOS) as the core network. The network will be really simple:
1 - you can think about the core network's hardware topology as a triangle.
2 - on the top angle we have the 3750-1 as our main POP connected through a trunk port to an aggregator device where the ethernet over copper service is handed off; through EoC client's VLANs will be handed off from their respective branches.
3 - on the bottom left corner there is the 3750-2 that acts as another POP to our DR site: it is connected through a couple of fibers (one fibre per optic port bondedwith a etherchannel) to 3750-1 and switchport mode trunk configuration is placed under that etherchannel.
4 - on the bottom right corner there s our PRIMARY SITE device 3750-3 connected like the DR's one to 3750-1.
5 - THERE'S NO CONNECTION BETWEEN 3750-2 AND 3750-3.
6 - Under each 3750 at DR and PRIMARY site there is a Cisco 2821 (connected through a 1Gb trunk port) acting as our LAN's EDGE router. In terms of routing we're using EIGRP: AS 20 for the 3750s and clients, AS 150/200 for DR and PRIMARY site. The demarcation will be on the EDGE routers, where both router EIGRP are configured. Then redistributed into each other (at DR 20 into 150 and viceversa, at PRIMARY 20 into 200 and viceversa)
-------
I I
-------
0 0
0 0
----- -----
I I I I
----- -----
0 0
------ -----
I I I I
------ -----
7 - since we can not policing outbound on 3750, we decided to implement per-vlan based QoS on the trunk port going to our CLIENTS, each client's VLAN policed at 10M. The configuration of those parent-child (required by per-vlan based QoS) policy maps is done matching the etherchannels on 3750-1 facing 3750-2 and 3750-3, then matching IP traffic coming from each LAN. Like this:
!
class-map match-any INTERNAL
match access-group 1
class-map match-any INTERNAL2
match access-group 2
class-map match-all OUT-to-CLIENTS_UW
match input-interface GigabitEthernet1/0/13
class-map match-all OUT-to-CLIENTS_SC
match input-interface GigabitEthernet1/0/1
!
policy-map POLICE
class OUT-to-CLIENTS_UW
police 10000000 1000000 exceed-action drop
class OUT-to-CLIENTS_SC
police 10000000 1000000 exceed-action drop
!
policy-map CLIENT-X
class INTERNAL
trust dscp
service-policy POLICE
class INTERNAL2
trust dscp
service-policy POLICE
!
access-list 1 permit LAN_DR
access-list 2 permit LAN_PRIMARY
!
--> then I put under the VLAN used for connecting through EIGRP the three 3750s the command service-policy input CLIENT-X. NOT UNDER THE VLAN DEDICATED TO THE CLIENT (because in that case I would intercept traffic coming FROM the client inside client's VLAN over 3750-1)
7 - the problem is that in this situation I'd have 10Mb policed for each traffic!!! But we want a 'shaped' flow for each client to 10Mb.
I tried everything: rate limiting client's VLAN (doesn't work), the command bandwidth under client's VLAN (doesn't work), play up with policy-maps, access-lists, put under the same class the two match input interface (doesn't work), create an aggregate policer (doesn't work), etc.
Can you suggest me something?
Little note: the configuration WORKS, I mean, the policy-map CLIENT-X is policing. But for each traffic.
Thanks.
