Cisco Support Community
New Member

service-policy input

Hello everyone,

My service-policy is not working on inbound. It works on outbound, but I need to apply it on IN as well.

Please check what I am doing wrong. Thank you in advance.

!
mls qos
!
ip access-list extended ACL-TEST-LIMIT50
  permit ip any any
!
class-map match-all CLASS-TEST-LIMIT50
  match access-group name ACL-TEST-LIMIT50
!
policy-map MAP-TEST-LIMIT50
  class CLASS-TEST-LIMIT50
    police 50000000 40000 conform-action drop exceed-action drop violate-action drop
!
int vlan 103
  service-policy input MAP-TEST-LIMIT50
!

P.S.

With traffic up to 100mb/s, I almost don't see the matches:

sh ip access-lists ACL-TEST-LIMIT50
Extended IP access list ACL-TEST-LIMIT50
    10 permit ip any any (1 match)

c7600 / Version 12.2(33)SRE2

--

Have a nice day,

Dmitry

7 REPLIES
Cisco Employee

service-policy input

Hi Dmitry,

Can you please paste the following output when this policy is attached in IN direction with some traffic passing through VLAN (not sent to VLAN):

show policy-map int Vlan 103

Nik

New Member

service-policy input

Hi Nikolay,

Thank you for your help. 

sh policy-map interface vlan 103

Vlan103
  Service-policy input: MAP-TEST-LIMIT50
    class-map: CLASS-TEST-LIMIT50 (match-all)
      Match: access-group name ACL-RODINA-LIMIT50
      police :
        50000000 bps 40000 limit 40000 extended limit
      Earl in slot 5 :
        59009454 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: drop
        exceeded 59009454 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
      Earl in slot 6 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: drop
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
      Earl in slot 7 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: drop
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
      Earl in slot 9 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: drop
        exceeded 0 bytes action: drop
        aggregate-forward 0 bps exceed 0 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
        0 packets, 0 bytes
        5 minute rate 0 bps

--

Dmitry

Cisco Employee

service-policy input

Hi,

Do we have 'mls qos vlan-based' configured on the physical port through which the traffic is ingressing?

New Member

service-policy input

Hi Balaji,

I see, it's the right direction. Let me explain the scheme:

router(SVI 103---port-channel1)----------trunk-------------L2 switch(access-port)--------------host

I haven't had the command 'mls qos vlan-based' on int port-channel1, as a result the policy was not working.

When I put it on the interface, it blocked all traffic to the host. Please give me an idea what is wrong.

Some details:

interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
end
!
interface Vlan103
 bandwidth 100000
 ip address *.*.*.49 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast source reachable-via any
 ip flow ingress
 mls netflow sampling
 service-policy input MAP-TEST-LIMIT50
end
!

L2 switch:

interface GigabitEthernet0/15
 switchport access vlan 103
 switchport mode access
 speed 100
end
!

Thank you in advance.

--

Dimitry

New Member

service-policy input

THANK YOU VERY MUCH !!!

Silver

service-policy input

Hi Dimity

You said "when I put it on the interface it blocked all traffic to host"

That is exactly what is going to happen, because of your policy.

The policy states "conform-action drop"

/Mikael 

New Member

service-policy input

Hi Mlund,

Sorry for my blindness. Yes, it is working now! THANK YOU VERY MUCH!

--

Dimitry
