
policy-map based rate-limiting per vlan

Robert Kondrat
Level 1

Hi

I was wondering if someone could help me come up with a solution to a problem. The scenario is as follows:

I have a trunk interface with multiple vlans on:

interface GigabitEthernet2/0/3
 description TRUNK-to-*********
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 415,416,610,1191-1193,1195
 switchport mode trunk
 duplex full
 storm-control broadcast level pps 1k
 storm-control multicast level pps 3k
 storm-control unicast level pps 250k
 storm-control action trap
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable

I'm trying to rate limit two of the vlans that are present on this trunk interface - vlan 415 and vlan 1192.

So I'm putting the class-map (to be later applied under the policy-map which is not significant here):

(config)#class-map match-any 120-mbps-class
(config-cmap)#match input-interface vlan 415
(config-cmap)#match input-interface vlan 1192

Now, when you show the class-map I created, I can see this:

sh class-map 120-mbps-class

Class Map match-any 120-mbps-class (id 1)
   Match input-interface  Vlan415
   Match input-interface  FastEthernet0

For some bizarre reason the class-map is matching Fa0. I have researched this, and this is most probably because you can only match 1 vlan instance under the class-map.

And here's my problem - I can't police the whole interface as the other vlans should not be policed - how can I police those two vlans?

Any thoughts? All help appreciated as always.

Rob.


daniel.dib
Level 7

Which platform is this?

Generally you would use mls qos vlan-based and apply policy-map to SVI for 3560/3750 and so on.

Daniel Dib
CCIE #37149
CCDE #20160011

Hi Daniel,

Sorry, it's a 3750E - I have just been reading about mls qos vlan-based. My concern is that I'm not using the SVI on this switch, only L2 vlans, and the traffic is passed further up for routing. Do I just create the SVI, apply the policy, and this would work? I think I'll grab a 3750 and put the lab together to see how this is going to work.

Thanks!

You could create an SVI with an available IP in the subnet. You still don't have to route for that subnet. You could just use it for applying the policy. Sounds like a good idea to lab it up; unfortunately QoS on the Catalysts is a bit of a nightmare.

Daniel Dib
CCIE #37149
CCDE #20160011

Hi Daniel,

I have labbed it and unfortunately it does not work as expected. I have put 1x 3750 and 1x 2960 with a trunk between them; each box had an access port for a laptop to create some traffic across. All vlan-based qos has been applied on the 3750G.

3750G config

Interface g1/0/20
 description trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,120

Interface g1/0/1
 description access
 switchport mode access
 switchport access vlan 100

Interface vlan 100
 ip address 192.168.100.254
 service-policy input PARENT-POLICER

Interface vlan 120
 ip address 10.10.10.1

Policy-map PARENT-POLICER
 class PERMIT-ANY-CLASS
  trust COS
  service-policy CHILD-POLICER

class-map match-any PERMIT-ANY-CLASS
 match access-group name POLICY-LIST

Extended IP access list POLICY-LIST
    10 permit ip any any

Policy-map CHILD-POLICER
 class INTERFACE-POLICE-CLASS
  police 100000 8000 exceed-action drop

Class Map match-any INTERFACE-POLICE-CLASS
 Match input-interface  GigabitEthernet1/0/20

2960 config:

interface g0/20
 switchport mode trunk
 switchport trunk allowed vlan 100,120

interface g0/1
 switchport mode access
 switchport access vlan 100

interface vlan 100
 ip address 192.168.100.253

interface vlan 120
 ip address 10.10.10.2

So as you can see, vlan 100 is the one that needs to be rate limited (I have only rate limited to 100kbps just to see if it's working) and vlan 120 is only on the trunk ports to confirm that the traffic for this one is not affected.

Unfortunately when the policing is applied on 3750 vlan 100 (and policing is working fine) then I can see packet loss while pinging between the switches on vlan 120, suggesting that the policy is affecting the other vlan as well. When I take the policy out of vlan 100 I cannot observe the packet loss on vlan 120, meaning it is no longer affected.

Not sure if I have explained this clearly enough so far; if not, let me know.

Do you have any suggestions?

Thanks!

Hi

This is now resolved,

Thanks.
