Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

QoS Limit specific VLAN within trunk

Hi there,

Need to limit the amount of bandwidth a specific VLAN can use on a 802.1q trunk port.

Situation is that we have a pair of Catalyst 4506 switches which have 802.1q trunk ports into a Checkpoint Firewall, this in turn is connected to a managed WAN router (to which I can't apply a QoS policy).

If the 4506 was routing the traffic it would be easy to setup a class-map to match the IP traffic and then QoS the traffic, but the VLAN in question is trunked directly into the firewall (no L3/IP presence on the 4506 next hop for all clients on this VLAN is the firewall).

What I need to do is restrict any traffic from this specific VLAN to 10Mbps on the uplink to the Checkpoint Firewall so it cannot impact the onward WAN.

My original thought was to do a class map with "match vlan" then set a policy map to "police" the traffic to 10Mbps and then apply this as a service-policy to the uplink but the 4506 can't seem to do a class map with "match vlan" something like this:

!

class-map v270

match vlan 270

!

policy-map v270_bw_limit

class v270

police 10240000 1920000 3840000 conform-action transmit exceed-action drop

!

interface GigabitEthernet2/1

  service-policy input v270_bw_limit

  service-policy output v270_bw_limit

!

Any ideas how to achieve this on a Catalyst 4506 with Supervisor IV running cat4500-entservicesk9-mz.122-46.SG.bin?


Regards

Michael

1 REPLY
New Member

QoS Limit specific VLAN within trunk

Hi, Mike,

just configure on your interface:

vlan-range 270

service policy input v270_bw_limit

I don't remember wether "service policy output" is possible here.

The policer apply on ingress only. If you want to limit the traafic on egress, you should use thing like

tx-queue 1

   bandwidth percent 15

tx-queue 2

   bandwidth percent 30

tx-queue 3

   bandwidth percent 10

   priority high

tx-queue 4

   bandwidth percent 45


By the way, you could also use classical IP ACL, they will work even without any routing in the switch.

Also, you could try to configure an interface vlan 270, without any ip@, and configure a policer under this interface (I am not sure it is possible on this hdw&IOS couple).

1014
Views
0
Helpful
1
Replies
CreatePlease to create content