A customer with a shared office wants to limit the traffic out to the internet for all his customers. They have a 4m link at present.
He wants one customer to have 1.75 meg only, another to have .25 meg, and the rest to share the other 2m between them.
The switch that is doing this is a Cat 3560. The way that was first thought to do this was with a rate limit policy on the VLANs for the customers with the specific sizes and then a policy map for all the others. The config I have done is above.
The traffic for all customers is coming in from a netgear switch which is then trunked (dot1q) to the Cisco switch. Then there is an outbound connection to a sonic firewall.
The issue I have is that there doesn't seem to be any traffic going across the VLANs (see doc above), so the rate control command doesn't seem to work.
VLANs 5 and 8 have the fixed rate limit command, as you will see in the config.
Are VLANs on the Netgear Switch configured with the same VID as that on the Cisco 3560?
Is this the original deployment, or have you attempted to segment the customer addressing for the purpose of this exercise? As you mention that there doesn't seem to be any traffic, I assume that this is new?
Does the status of the Cisco trunk show as 'connected'? If it is not connected, then there is an issue with the trunk negotiation, or fundamentally spanning-tree mode PVST/MST?
Is it possible to consolidate users from the Netgear switch into the Cisco 3560? This will remove any interoperability issues between them.
If this is possible, then it would be recommended to simply configure a single output policy-map on the outgoing interface towards the Internet.
The class-maps should classify by source address using the ACLs you have already created for your customers 'Glass and Inni' I assume? All other remaining traffic will then fall within the class-default:-
class-map match-all Glass-256Kbps
 match access-group name glass
class-map match-all Inni-1750Kbps
 match access-group name inni
!
policy-map PoliceCIR-4Mpbs
 class Glass-256Kbps
  police cir 256000 bc 8000 conform-action transmit exceed-action drop
 class Inni-1750Kbps
  police cir 1750000 bc 54688 conform-action transmit exceed-action drop
 class class-default
  police cir 2000000 bc 62500 conform-action transmit exceed-action drop
!
! applied under the outgoing interface towards the Internet
 service-policy output PoliceCIR-4Mpbs
This would avoid policing on ingress from the VLAN. This will ensure that traffic is limited to the thresholds in the outbound policy towards the Internet.
Traffic sourced from the Netgear will have to have the same VID as that configured on the Cisco in order for traffic to be classified on the SVI.
If this is not the case then traffic from the Netgear will fall within the native VLAN, which is VLAN 1 by default. This is why you will be seeing traffic on the main trunk interface but not on the individual SVIs: all the traffic will be untagged.
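Added example, not part of the original replies and not Cisco's implementation: a textbook single-rate token-bucket policer run with the CIR/Bc pairs from the policy-map above, showing what conform-action transmit and exceed-action drop do to a constant offered load. The 1500-byte packet size and the offered rates are constructed assumptions; each Bc on the page works out to about 250 ms of traffic at its CIR.

```python
from dataclasses import dataclass, field

@dataclass
class Policer:
    cir_bps: int                         # committed information rate, bits/second
    bc_bytes: int                        # committed burst = bucket depth, bytes
    tokens: float = field(init=False)    # bytes currently available
    last: float = 0.0                    # arrival time of previous packet, seconds
    sent: int = 0                        # bytes transmitted (conform)
    dropped: int = 0                     # bytes dropped (exceed)

    def __post_init__(self):
        self.tokens = float(self.bc_bytes)   # bucket starts full

    def offer(self, now: float, size: int) -> bool:
        # Refill at CIR since the last packet, capped at the bucket depth.
        refill = (now - self.last) * self.cir_bps / 8
        self.tokens = min(self.bc_bytes, self.tokens + refill)
        self.last = now
        if size <= self.tokens:          # conform-action transmit
            self.tokens -= size
            self.sent += size
            return True
        self.dropped += size             # exceed-action drop
        return False

def burst_window_ms(cir_bps: int, bc_bytes: int) -> float:
    """How long a full bucket lasts at line rate CIR, in milliseconds."""
    return bc_bytes * 8 / cir_bps * 1000

def run(policer: Policer, offered_bps: int, seconds: float, pkt: int = 1500) -> Policer:
    """Offer fixed-size packets at a constant rate (constructed traffic)."""
    interval = pkt * 8 / offered_bps
    for i in range(int(seconds / interval)):
        policer.offer(i * interval, pkt)
    return policer

# CIR/Bc pairs copied from the posted policy-map.
CLASSES = {
    "Glass-256Kbps": (256000, 8000),
    "Inni-1750Kbps": (1750000, 54688),
    "class-default": (2000000, 62500),
}

if __name__ == "__main__":
    for name, (cir, bc) in CLASSES.items():
        p = run(Policer(cir, bc), offered_bps=3_000_000, seconds=10)
        kbps = p.sent * 8 / 10 / 1000
        print(f"{name}: window {burst_window_ms(cir, bc):.1f} ms, "
              f"passed {kbps:.0f} kbit/s, dropped {p.dropped} bytes")
```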