11-11-2013 04:08 AM - edited 03-07-2019 04:32 PM
Hi
I was thinking if someone could help me to come up with a solution to a problem. Scenario as follows:
I have a trunk interface with multiple vlans on:
interface GigabitEthernet2/0/3
 description TRUNK-to-*********
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 415,416,610,1191-1193,1195
 switchport mode trunk
 duplex full
 storm-control broadcast level pps 1k
 storm-control multicast level pps 3k
 storm-control unicast level pps 250k
 storm-control action trap
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
I'm trying to rate limit two of the vlans that are present on this trunk interface - vlan 415 and vlan 1192.
So I'm putting the class-map (to be later applied under the policy-map which is not significant here):
(config)#class-map match-any 120-mbps-class
(config-cmap)#match input-interface vlan 415
(config-cmap)#match input-interface vlan 1192
Now, when you show the class-map I created, I can see this:
sh class-map 120-mbps-class
Class Map match-any 120-mbps-class (id 1)
Match input-interface Vlan415
Match input-interface FastEthernet0
For some bizarre reason class-map is matching the Fa0. I have researched this, and this is most probably because you can only match 1 vlan instance under the class-map.
And here's my problem - I can't police whole interface as the other vlans should not be policed - how can I police those two vlans ?
Any thoughts ? All help appreciated as always.
Rob.
11-11-2013 05:59 AM
Which platform is this?
Generally you would use mls qos vlan-based and apply policy-map to SVI for 3560/3750 and so on.
Daniel Dib
CCIE #37149
11-11-2013 07:18 AM
Hi Daniel,
Sorry it's 3750E - I have just been reading about the mls qos vlan-based. My concern is that I'm not using the SVI on this switch, only L2 vlans and the traffic is passed further up for routing. Do I just create the SVI, apply the policy and this would work? I think I'll grab 3750 and put the lab together to see how is this going to work.
Thanks!
11-11-2013 10:22 AM
You could create a SVI with an available IP in the subnet. You still don't have to route for that subnet. You could just use it for applying the policy. Sounds a good idea to lab it up, unfortunately QoS on the Catalysts is a bit of a nightmare.
Daniel Dib
CCIE #37149
11-12-2013 04:27 AM
Hi Daniel,
I have labbed it and unfortunately it does not work as expected. I have put 1x 3750 and 1x 2960 trunk between them, each box had an access port for laptop to create some traffic across. All vlan-based qos has been applied on 3750G.
3750G config
Interface g1/0/20
 description trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,120
Interface g1/0/1
 description access
 switchport mode access
 switchport access vlan 100
Interface vlan 100
 ip address 192.168.100.254
 service-policy input PARENT-POLICER
Interface vlan 120
 ip address 10.10.10.1
Policy-map PARENT-POLICER
 class PERMIT-ANY-CLASS
  trust COS
  service-policy CHILD-POLICER
class-map match-any PERMIT-ANY-CLASS
 match access-group name POLICY-LIST
Extended IP access list POLICY-LIST
 10 permit ip any any
Policy-map CHILD-POLICER
 class INTERFACE-POLICE-CLASS
  police 100000 8000 exceed-action drop
Class Map match-any INTERFACE-POLICE-CLASS
 Match input-interface GigabitEthernet1/0/20
2960 config:
interface g0/20
 switchport mode trunk
 switchport trunk allowed vlan 100,120
interface g0/1
 switchport mode access
 switchport access vlan 100
interface vlan 100
 ip address 192.168.100.253
interface vlan 120
 ip address 10.10.10.2
So as you can see vlan 100 is the one that needs to be rate limited (I have only rate limited to 100kbps just to see if it's working) and vlan 120 is only on the trunk ports to confirm if the traffic for this one is not affected.
Unfortunately when the policing is applied on 3750 vlan 100 (and policing is working fine) then I can see the packet loss while pinging between switches on vlan 120, suggesting that the policy is affecting the other vlan as well. When I take the policy out of the vlan 100 I cannot observe the packet loss on vlan 120, meaning it is no longer affected.
Not sure if I have explained this clearly enough so far, if not let me know.
Do you have any suggestions ?
Thanks!
11-13-2013 05:04 AM
Hi
This is now resolved,
Thanks.