I have some communication across a LAN I would like to police before it leaves on a WAN interface. The device transmitting traffic across the LAN is connected to a trunked switchport of a switch connected to a "core" switch stack.
The traffic I am trying to police is in VLAN1 and the default gateway of the transmitting device is the SVI of VLAN1 on the core switch. Because of a port channel spanning multiple stack members between the two switches, it is not possible to configure a hierarchical policy-map on the SVI of the core switch with multiple match input-interface commands. I would like to configure a hierarchical policy-map on the SVI (VLAN1) of the directly connected switch. Whenever I configure this and apply it, I do not see any matched traffic in the policy-map for the class I specified nor for the default class. I have checked ACLs, class-maps, etc. and configured VLAN-based QoS on the physical port connected to the device.
Will the policy-map work on a switch that is not the default gateway of the endpoint I am trying to police?
Yes, I believe this would work. However, the transmitting device is a virtual machine and could move from one physical port to another. I was hoping to get the policy-map working with one "match input-interface" command and then add additional "match input-interface" commands for each possible port this machine could reside on.
The scenario I am describing in this discussion is for one device with one IP address. Ultimately I have a range of IP addresses on a few different physical ports on this switch and I would like to have a maximum bandwidth policer applied to the group.
I see your case. Would it work if you match IP address on the policy-map, and apply the policy to all possible ports? Alternatively, can you enforce the policy on VM level? So the policy can move with the VM?
I configured the ACL and policy-map to match the IP addressing of the communication. I also set the match input-interface to all applicable interfaces. I did this on the switch between the transmitting device and the core switch stack. When I applied this to the SVI I don't see any increments on the class-map I had hoped for or on the class-default class. Is it a valid design to configure this on this particular switch? Or does it need to be configured on the core switch stack because that is the default gateway and where the routing occurs?
I would prefer to police the traffic on the intermediate switch for two reasons: 1. This is as close to the source as possible, 2. The traffic comes into the core switch stack on a port-channel across multiple stack members and the SVI policy-map is not supported to match input interfaces on multiple stack members.
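As an added example that is not from this thread or from either participant, this is the shape of the configuration the discussion describes: an ACL-matched parent class on the VLAN1 SVI, a child policy that polices per input interface, and VLAN-based QoS enabled on the physical ports. It assumes Catalyst 3750-style MLS QoS syntax; the host address 192.0.2.10, the interface names, the policer rate and the class/policy names are placeholders.

```cisco
! QoS must be enabled globally or no policy-map does anything
mls qos
!
! Parent class: the traffic to be policed, matched by source address
ip access-list extended VM-TRAFFIC
 permit ip host 192.0.2.10 any
class-map match-all VM-TRAFFIC
 match access-group name VM-TRAFFIC
!
! Child class: every physical port the VM may reside on
class-map match-any VM-PORTS
 match input-interface GigabitEthernet1/0/1 GigabitEthernet1/0/2
!
! Child (interface-level) policy: the only action allowed here is police
policy-map VM-PORT-POLICER
 class VM-PORTS
  police 10000000 8000 exceed-action drop
!
! Parent (VLAN-level) hierarchical policy applied to the SVI
policy-map VM-VLAN-POLICY
 class VM-TRAFFIC
  set dscp af21
  service-policy VM-PORT-POLICER
!
interface Vlan1
 service-policy input VM-VLAN-POLICY
!
! The SVI policy only classifies traffic from ports in VLAN-based mode
interface range GigabitEthernet1/0/1 - 2
 mls qos vlan-based
```

Two checks worth running when counters stay at zero: `show mls qos` to confirm QoS is globally enabled, and `show mls qos interface GigabitEthernet1/0/1` to confirm the port reports VLAN-based QoS; a port left in the default port-based mode is never evaluated against the SVI policy.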