Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Ratelimit to internet

A customer with a shared office wants to limit the traffic out to the internet for all his customers. They have a 4m link at present.

He wants one customer to have 1.75 meg only another to have .25meg and the rest to share the other 2m between them.

The switch that is doing this is a Cat 3560. They way that was first thought to do this was with a rate limit policy on the VLANS for the customers with the specific sizes and then a policy map for all the others. The config I have done is above.

The traffic for all customers is coming in from a netgear switch which is then trunked (dot1q) to the Cisco switch. Then there is an outbound connection to a sonic firewall.

The issue I have is that there doesn't seem to be any traffic going across the VLANS ( see doc above ) so the rate control command doesn't seem to work.

VLANS 5 and 8 have the fixed rate limit command as you will see in the config

New Member

Re: Ratelimit to internet

Rate-limit is not supported on 3560 switcches. The IOS takes the commands but they do not work.

Re: Ratelimit to internet

Are VLANs on the Netgear Switch configured with the same VID as that on the Cisco 3560?

Is the original deployment? or have you attempted to segment the customer addressing for the purpose of this excerise? As you mention that there doesn't seem to be any traffic, I assume that the is new?

Does the status of the Cisco trunk show as 'connected', if it not connected then there is an issue with the trunk negotiation, or fundamentally spanning-tree mode PVST/MST?

Is it possible to consolidate users from the Netgear switch into the Cisco 3560, this will remove any interoperability issues between them.

If this is possible, then it would be recommended to simply configure a single output policy-map on the outgoing interface towards the Internet.

The class-maps should classify by source address using the ACLs you have already created for your customers 'Glass and Inni' I assume? All other remaining traffic will then fall within the class-default:-


class-map match-all Glass-256Kbps

match access-group name glass

class-map match-all Inni-1750Kbps

match access-group name inni


policy-map PoliceCIR-4Mbps

class Glass-256Kbps

police cir 256000 bc 8000 conform-action transmit exceed-action drop

class Inni-1750Kbps

police cir 1750000 bc 54688 conform-action transmit exceed-action drop

class class-default

police cir 2000000 bc 62500 conform-action transmit exceed-action drop


Interface ?/?

service-policy output PoliceCIR-4Mpbs

This would avoid policing on ingress from the VLAN. This will ensure that traffic is limited to the thresholds in the outbound policy towards the Internet.



Pls rate helpful posts..

New Member

Re: Ratelimit to internet

VLANs are configured on the Cisco Switch which is connected to Netgear via trunk. The main interface see the traffic on the Cisco Switch but no traffic is seen on the VLANs.

Re: Ratelimit to internet

Traffic sourced from the Netgear will have to have the same VID as that configured on the Cisco in order for traffic to be classified on the SVI.

If this is not the case then traffic from the Netgear will fall within the native vlan, which is VLAN 1 by default. This is why you will be seeing traffic on the main trunk interface but not on the individual SVIs, all the traffic will be untagged.

CreatePlease login to create content