VLAN tagging and prioritization
10-03-2006 09:45 AM - edited 03-05-2019 12:04 PM
Cisco 3560G-24TS-S
I need to provide layer2 connectivity for a local business with several VLANs and separate priority for each. I don't know what their switch/router configurations look like and ultimately it shouldn't matter because I'm trying to keep my transport piece relatively transparent to them. However, I do need to keep their traffic separated as they have indicated.
I'm providing connectivity to three locations with three vlans along with bandwidth limiting. How do I tag the vlans and set a priority for each vlan?
I'm not sure how I can provide this ability because of this info I found on Cisco:
"You configure QoS only on physical ports; there is no support for it on the VLAN or switch virtual interface level."
How do you suggest I provide priority for their network traffic?
Thanks for any advice you can offer!
-JGR
10-03-2006 11:30 AM
You can't prioritize by VLAN tag (that I've ever heard). As long as you configure QoS correctly and don't oversubscribe the uplink, you'll be OK.
10-06-2006 12:14 PM
I'm doing rate-limiting on the customer, they only subscribe to a certain amount of bandwidth. There is no other way to classify the traffic that I can see except by vlan. Doesn't it make sense to provide QoS on a particular VLAN? That's what Cisco does for VoIP phones! Force10 networks can do it in their box equivalent to the 3560. Any other suggestions?
10-06-2006 01:19 PM
What I do is classify the data coming in (on the customer's interface on my switch) and then police it.
10-06-2006 01:59 PM
and you classify the data based on?
IP subnet, port/protocol, or ?
can you share an example?
10-09-2006 05:50 AM
Here's an example
This example shows how to create a policy map and attach it to an ingress interface. In the configuration, the IP standard ACL permits traffic from network 10.1.0.0. For traffic matching this classification, the DSCP value in the incoming packet is trusted. If the matched traffic exceeds an average traffic rate of 48000 bps and a normal burst size of 8000 bytes, its DSCP is marked down (based on the policed-DSCP map) and sent:
Switch(config)# access-list 1 permit 10.1.0.0 0.0.255.255
Switch(config)# class-map ipclass1
Switch(config-cmap)# match access-group 1
Switch(config-cmap)# exit
Switch(config)# policy-map flow1t
Switch(config-pmap)# class ipclass1
Switch(config-pmap-c)# trust dscp
Switch(config-pmap-c)# police 48000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# service-policy input flow1t
**********************************************
class-map match-all c_Outbound
 match access-group 101
class-map match-all c_MarkDSCP
 match access-group 102
class-map match-all c_Inbound
 match ip dscp 60
!
!
policy-map p_Outbound
 class c_Outbound
  police 1528000 8000 exceed-action drop
policy-map p_MarkDSCP
 class c_MarkDSCP
  set dscp 60
policy-map p_Inbound
 class c_Inbound
  police 1528000 8000 exceed-action drop
!
interface FastEthernet0/11
 switchport access vlan 110
 switchport mode access
 service-policy input p_MarkDSCP
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 12
 switchport mode access
 service-policy input p_Outbound
 service-policy output p_Inbound
 spanning-tree portfast
access-list 101 permit ip host 12.18.16.17 any
access-list 102 permit ip any host 12.18.16.17
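Added example, not part of the original posts or of Cisco's documentation: a simplified single-rate token-bucket model of the two `police` statements above, showing how the rate and burst values decide which packets conform and what each exceed action does to the rest. The traffic pattern and the 46-to-0 mark-down entry are constructed assumptions, and the model is not the switch's exact hardware algorithm.

```python
# Simplified token-bucket model of `police <rate-bps> <burst-bytes> exceed-action ...`.
# Added illustration; not the switch's exact hardware algorithm.

class Policer:
    def __init__(self, rate_bps, burst_bytes, exceed_action, policed_dscp=None):
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.exceed_action = exceed_action      # "drop" or "policed-dscp-transmit"
        self.policed_dscp = policed_dscp or {}  # empty map = identity (no re-marking)
        self.tokens = float(burst_bytes)        # bucket starts full
        self.last_ms = 0

    def offer(self, t_ms, size, dscp):
        """Return (verdict, dscp_out) for one packet of `size` bytes at t_ms."""
        refill = (t_ms - self.last_ms) * self.rate_bps / 8000  # bytes earned since last packet
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return ("conform", dscp)
        if self.exceed_action == "drop":
            return ("drop", None)
        # Out-of-profile packet is still sent, with DSCP taken from the mark-down map.
        return ("exceed", self.policed_dscp.get(dscp, dscp))


def run(policer, packets):
    """Feed (t_ms, size_bytes, dscp) tuples through the policer in order."""
    return [policer.offer(t, size, dscp) for t, size, dscp in packets]


def summarize(results):
    """Count packets per (verdict, outgoing DSCP)."""
    counts = {}
    for key in results:
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed traffic: 20 packets of 1000 bytes, DSCP 46, one every 10 ms (800 kbps offered).
PACKETS = [(i * 10, 1000, 46) for i in range(20)]

if __name__ == "__main__":
    # First example's policer; the 46 -> 0 mark-down entry is an assumed map value.
    print(summarize(run(Policer(48000, 8000, "policed-dscp-transmit", {46: 0}), PACKETS)))
    # Second example's policer: the offered 800 kbps stays under 1528000 bps.
    print(summarize(run(Policer(1528000, 8000, "drop"), PACKETS)))
```

On the Catalyst 3560 the default policed-DSCP map maps every DSCP to itself, so `exceed-action policed-dscp-transmit` re-marks nothing until entries are configured with `mls qos map policed-dscp`.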
10-09-2006 09:25 AM
Thanks for the example Ceclark!
I tried the top configuration and it works! Any idea though why these stats don't show anything?
GVS-3560#sho policy-map int g0/11
GigabitEthernet0/11
Service-policy input: flow1t
Class-map: ipclass1 (match-all)
0 packets, 0 bytes
offered rate 0 bps, drop rate 0 bps
Match: access-group 1
Class-map: class-default (match-any)
0 packets, 0 bytes
offered rate 0 bps, drop rate 0 bps
Match: any
0 packets, 0 bytes
rate 0 bps
Also, I'd like to do fixed port based rate limiting but that doesn't seem to be available on the 3560? How can I limit both inbound and outbound on one particular port?
Thanks again!
-JGR
10-09-2006 11:11 AM
I'm not sure why you don't see anything and to be honest, I've never looked at mine (I need physical access to the switch)! I tested it to make sure it worked, but never looked at the stats. The script above should limit both in and out. The second part is for egress. It first marks, then polices, since it's not trusted initially.
set dscp 60 !-- Tags all incoming (egress) traffic
