
Rate Limit on Cisco 3750v2 SVI's

Nicholas Beard
Level 1

I am losing hair by the second with this problem!  Any help would be greatly appreciated....

I have a stack of Cisco 3750v2 switches with 8 VLANs (one per customer) and 8 SVI's (again, one per customer).  I am trying to apply rate limiting to the SVI's of each VLAN for both input and output traffic.  This is my SVI configuration for one such VLAN (I have substituted the real IPs for private IPs for the purposes of this example) -

interface Vlan30
 description ****CUST-C-VL30-SUBRATE-CAR-10M****
 ip address 192.168.30.250 255.255.255.0
 ip access-group CUST-C-VL30-ACL in
 rate-limit input 10000000 1875000 3750000 conform-action transmit exceed-action drop
 rate-limit output 10000000 1875000 3750000 conform-action transmit exceed-action drop

The access list for this interface is as follows -

Extended IP access list CUST-C-VL30-ACL
    10 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
    20 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
    30 deny ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
    40 deny ip 192.168.30.0 0.0.0.255 192.168.50.0 0.0.0.255
    50 deny ip 192.168.30.0 0.0.0.255 192.168.60.0 0.0.0.255
    60 deny ip 192.168.30.0 0.0.0.255 192.168.70.0 0.0.0.255
    70 deny ip 192.168.30.0 0.0.0.255 192.168.80.0 0.0.0.255
    80 permit ip any any

Finally the physical ports associated with this VLAN are configured as follows -

interface FastEthernet1/0/4
 description CUST-D-VL40-ACCESS-ACT
 switchport access vlan 40
 switchport mode access
 mls qos vlan-based

interface FastEthernet2/0/4
 description CUST-D-VL40-ACCESS-PSV
 switchport access vlan 40
 switchport mode access
 mls qos vlan-based

When I pass traffic from behind the VLAN and out to the internet the rate limit statistics for the port show as follows -

Vlan30 ****CUST-C-VL30-SUBRATE-CAR-10M****
  Input
    matches: all traffic
      params:  10000000 bps, 1875000 limit, 3750000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 19317663ms ago, current burst: 0 bytes
      last cleared 03:50:26 ago, conformed 0 bps, exceeded 0 bps
  Output
    matches: all traffic
      params:  10000000 bps, 1875000 limit, 3750000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 19318251ms ago, current burst: 0 bytes
      last cleared 03:55:55 ago, conformed 0 bps, exceeded 0 bps

Based on this and the speed tests I am performing from within the VLAN I am receiving the full bandwidth and not what should be assigned based on the rate limiting.  Have I missed anything as far as the configuration goes??  (I'm going grey by the second!!!)

Thanks

Nick


Latchum Naidu
VIP Alumni

Hi Nick,

The rate limit commands look OK.

Why don't you use a policy map and see how it will do the job for you....

I have the below on one of my core switches and it is doing well, as desired.

class-map vlan5
 match vlan 5
 match class-map class-default

policy-map vlan5-limit
 class vlan5
  ! Change the values according to your needs
  police 2000000 250000 exceed-action drop

int vlan5
 service-policy input vlan5-limit


After you apply this configuration, the traffic with VLAN 5 coming from any will be policed at 2Mbps.


Hope this will help you.


Please rate the helpful posts.
Regards,
Naidu.

Thanks for the prompt response. Unfortunately, the commands you provided have failed to work.  To give you an insight into what I have done please see below -

1.  Create a Class Map

class-map CUST-A-VL10-SUBRATE-CAR-4K-CMAP
 match access-group name CUST-A-VL10-ACL

2.  Create a Policy Map

policy-map CUST-A-VL10-SUBRATE-CAR-4K-PMAP
 class CUST-A-VL10-SUBRATE-CAR-4K-CMAP
  police 400000 75000 exceed-action drop

3.  Apply Policy Map to Vlan 10

service-policy input CUST-A-VL10-SUBRATE-CAR-4K-PMAP

This then reports the following error -

%QoS: policy-map with police action at parent level not supported on Vlan10 interface.
%QoS: policy-map with police action at parent level not supported on Vlan10 interface.
%QoS: policy-map with police action at parent level not supported on Vlan10 interface.

service-policy output CUST-A-VL10-SUBRATE-CAR-4K-PMAP

Reports the error -

police command is not supported for this interface
The interface does not support the specified policy configuration and/or parameter values.

Nick,

1) rate-limit command (while accepted by the CLI) is not supported in the 3750/3560 platforms

2) Egress policing with MQC is not supported on these platforms. You can limit egress traffic with SRR bandwidth limit.

3) For ingress policing, you can use MQC and apply the service-policy directly to the physical interface instead of the logical SVI. You could apply the inbound policer on the SVI, but you need to configure a hierarchical policy and the police statement must be in the child policy.

For instance:

class-map Vlan10
 match input-interface ...

policy-map Vlan10
 class Vlan10
  police 10000000 187500 exceed-action drop

policy-map CUST-A-VL10-SUBRATE-CAR-4K-PMAP
 class class-default
  service-policy Vlan10

interface Vlan 10
 service-policy input CUST-A-VL10-SUBRATE-CAR-4K-PMAP

Regards,

Edison

Edison,

Thank you very much for the answer, it has saved me a lot of time and effort.  The Cisco 3750v2 product overview confirms the support for rate limiting, so I would have thought it would be supported? -

Cisco Catalyst 3750 v2 Series Software

The Cisco Catalyst 3750 v2 Series can be purchased with the IP Base or IP Services license preinstalled. The IP Base license offers advanced quality of service (QoS), rate limiting, access control lists (ACLs), and basic static and Routing Information Protocol (RIP) and OSPF routing functions. The IP Services license provides a richer set of enterprise-class features, including advanced hardware-based IP unicast and IP multicast routing as well as policy-based routing (PBR). The Advanced IP Services license, which includes IPv6 routing and IPv6 ACL support, is now included in the IP Services license. Upgrade licenses are available to upgrade a switch from the IP Base license to the IP Services license.

Anyhow, I have gone ahead and used the example you have provided to police on ingress the SVI, but am receiving the following error -

No action is configured in the policymap ****CUST-A-VL10-SUBRATE-CAR-4K-PMAP**** classmap class-default, or it is being modified

Based on my research into this it would appear I need to configure an action within the policy map to perform a function such as the following -

set dscp or set ip

Would you agree with this, and if so why is this required? I would have thought the action would have been taken within the subsequent service policy map?

Thanks

Nick

Edison,

I have been toying with this all day and am now completely confused.....  I have performed the following steps -

Class Map

class-map match-all CUST-A-VL10-CMAP1
 match input-interface fa1/0/1
 match input-interface fa2/0/1

Policy Map

policy-map CUST-A-VL10-PMAP1
 class CUST-A-VL10-CMAP1
  police 200000 37500 exceed-action drop

Parent Policy Map

policy-map CUST-A-VL10-PARENT-PMAP1
 class class-default
  service-policy CUST-A-VL10-PMAP1

Interface Settings

interface vlan 10
 service-policy input CUST-A-VL10-PARENT-PMAP1

All of these commands are accepted successfully by the switch.  However, when I do a sh run or sh conf the service-policy command is never displayed below the VLAN SVI.  No matter what I try to do I cannot get it to display within the config.  The same problem occurs if I try to apply the command to a physical (fa1/0/1) or virtual (vlan10) interface.

Am I doing something wrong here?

Ok after further investigation it would seem you cannot add two interfaces to the match input-interface command below the class map -

class-map match-all CUST-A-VL10-CMAP1
 match input-interface fa1/0/1
 match input-interface fa2/0/1

Although this is accepted by the CLI and at no point issues a warning or failure, the command service-policy input CUST-A-VL10-PARENT-PMAP1 will be accepted but never applied.  Simply removing the match input-interface fa2/0/1 command from the class map and reassigning the parent policy map to the SVI resolves the problem.  So based on this I must have to create two class maps (one for each interface) as I am presenting two feeds to each customer per VLAN.

I tried to piece this together but it is a little tough. Asking also if a snippet of all the QoS could be posted.

The product overview indicates you can rate limit packets with QoS on the platform but not necessarily with the rate-limit command.

Please refer to the list of unsupported commands and you will see rate-limit listed:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_58_se/configuration/guide/swuncli.html

I recommend applying the service-policy inbound on each of the physical interfaces instead of the SVI.

Can you try that and report back?

Regards,

Edison

Edison,

Thanks for helping with this it is greatly appreciated.  I have been playing around with this and have managed to get the policing working successfully on the SVI. 

The problem was basically the direction the policing was being applied.  Initially I was applying the service policies to the customer SVIs in an inbound direction.  This would only be traffic coming into the VLAN interface from within the VLAN; therefore, in terms of internet traffic this would be upload and NOT the required download.

In order to resolve this, I have applied the service policy to the Internet facing VLAN.  Please see below -

Class Maps and Policy Maps

class-map match-all CUST-A-VL10-CMAP1
 match input-interface FastEthernet1/0/24

class-map match-all CUST-A-VL10-CMAP2
 match access-group name CUST-A-VL10-ACL-POL

policy-map CUST-A-VL10-PMAP1
 class CUST-A-VL10-CMAP1
  police 100000 18750 exceed-action drop

policy-map CUST-A-VL10-PARENT-PMAP1
 class CUST-A-VL10-CMAP2
  set ip precedence 1
  service-policy CUST-A-VL10-PMAP1

VLAN Configuration

interface Vlan300
 ip address ************
 service-policy input CUST-A-VL10-PARENT-PMAP1

This works successfully and polices the traffic as expected.  However, I have now run into the problem with assigning multiple service policies to the VLAN interface.  As this is the internet facing VLAN for the routing of traffic to and from the internet, all customer service policies need to be applied to this interface.  When I attempt to apply more than one service policy to this VLAN I receive the following error -

(config-if)#service-policy input CUST-B-VL20-PARENT-PMAP1

Policy map CUST-A-VL10-PARENT-PMAP1 is already attached

Looks like another couple of hours needed working around this problem!!

Thanks

Nick

Ok, figured out what I need to do......

Instead of using multiple parent policy maps, I can aggregate my class maps into one parent policy map and perform all required functions from one policy map.  See example -

policy-map CUST-A-VL10-PARENT-PMAP1
 class CUST-A-VL10-CMAP2
  set ip precedence 1
  service-policy CUST-A-VL10-PMAP1
 class CUST-B-VL20-CMAP2
  set ip precedence 1
  service-policy CUST-B-VL20-PMAP1
 class CUST-C-VL30-CMAP2
  set ip precedence 1
  service-policy CUST-C-VL30-PMAP1
 class CUST-D-VL40-CMAP2
  set ip precedence 1
  service-policy CUST-D-VL40-PMAP1
 class CUST-E-VL50-CMAP2
  set ip precedence 1
  service-policy CUST-E-VL50-PMAP1
 class CUST-F-VL60-CMAP2
  set ip precedence 1
  service-policy CUST-F-VL60-PMAP1
 class CUST-G-VL70-CMAP2
  set ip precedence 1
  service-policy CUST-G-VL70-PMAP1
 class CUST-H-VL80-CMAP2
  set ip precedence 1
  service-policy CUST-H-VL80-PMAP

This way, I only ever need to assign the single parent policy map to the SVI and traffic for each customer will be matched by ACL and policed as necessary.

Hope this helps anybody else with the same problem.

Great job Nick and thanks for posting such detailed information.

Regards,

Hi,

I wondered if you could help me as I have tried to follow your guide and am getting a bit stuck. I have 20 customers each with their own VLAN and I would like to limit the bandwidth per SVI. I have tried to follow the programming relating to a single parent map but cannot understand how to differentiate between customers on the child maps. Are you able to post your full config?

Cheers

Hi, I just found your post from 2011 and I am wondering why "technically" rate-limiting on a WS-C3750G-24TS-S1U is not possible while (like you also mentioned in your post) the commands are possible on the interface level...

I entered the following config on the 3750G-24TS-S1U but the loadtester just keeps sending the maximum Mbps of data without getting rate limited.


Switch#show int g1/0/6
GigabitEthernet1/0/6 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 0016.c872.5044 (bia 0016.c872.5044)
Description: interface to loadtesterserver_172.19.3.245
Internet address is 172.19.3.243/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 198/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:02:36, output 00:00:09, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 780049000 bits/sec, 64257 packets/sec
5 minute output rate 3039000 bits/sec, 5228 packets/sec
235746135 packets input, 3768805512 bytes, 0 no buffer
Received 822 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 46 multicast, 0 pause input
0 input packets with dribble condition detected
332910035 packets output, 2336440540 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
Switch#
Switch#
Switch#show int g1/0/9
GigabitEthernet1/0/9 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 0016.c872.5045 (bia 0016.c872.5045)
Description: interface to loadtesterclient_192.168.3.243
Internet address is 192.168.1.243/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 199/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:01, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 3051000 bits/sec, 5250 packets/sec
5 minute output rate 780655000 bits/sec, 64305 packets/sec
332939970 packets input, 2340054800 bytes, 0 no buffer
Received 367 broadcasts (2 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 119 multicast, 0 pause input
0 input packets with dribble condition detected
236218194 packets output, 189084976 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
Switch#
Switch#
Switch#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.19.0.0/24 is subnetted, 1 subnets
C 172.19.3.0 is directly connected, GigabitEthernet1/0/6
C 192.168.1.0/24 is directly connected, GigabitEthernet1/0/9
Switch#
Switch#
Switch#
Switch#show int g1/0/6 rate
Switch#show int g1/0/6 rate-limit
GigabitEthernet1/0/6 interface to loadtesterserver_172.19.3.245
Input
matches: all traffic
params: 100000000 bps, 100000 limit, 1000000 extended limit
conformed 91 packets, 7908 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 179248ms ago, current burst: 0 bytes
last cleared 00:16:45 ago, conformed 62 bps, exceeded 0 bps
Output
matches: all traffic
params: 100000000 bps, 100000 limit, 1000000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 691905717ms ago, current burst: 0 bytes
last cleared 00:16:21 ago, conformed 0 bps, exceeded 0 bps
Switch#
Switch#
Switch#
Switch#
Switch#
Switch#
Switch#show int g1/0/9 rate-limit
GigabitEthernet1/0/9 interface to loadtesterclient_192.168.3.243
Input
matches: all traffic
params: 100000000 bps, 100000 limit, 1000000 extended limit
conformed 4 packets, 360 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 371951ms ago, current burst: 0 bytes
last cleared 00:16:03 ago, conformed 2 bps, exceeded 0 bps
Output
matches: all traffic
params: 100000000 bps, 100000 limit, 1000000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 691913510ms ago, current burst: 0 bytes
last cleared 00:15:59 ago, conformed 0 bps, exceeded 0 bps
Switch#
Switch#
Switch#show run
Building configuration...

Current configuration : 2382 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
no aaa new-model
switch 1 provision ws-c3750g-24ts-1u
ip subnet-zero
ip routing
!
!
!
!
!
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 3
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
no switchport
no ip address
!
interface GigabitEthernet1/0/4
no switchport
no ip address
shutdown
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
description interface to loadtesterserver_172.19.3.245
no switchport
ip address 172.19.3.243 255.255.255.0
rate-limit input 100000000 100000 1000000 conform-action transmit exceed-action drop
rate-limit output 100000000 100000 1000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
description interface to loadtesterclient_192.168.3.243
no switchport
ip address 192.168.1.243 255.255.255.0
rate-limit input 100000000 100000 1000000 conform-action transmit exceed-action drop
rate-limit output 100000000 100000 1000000 conform-action transmit exceed-action drop
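
A pre-deployment check for the pitfalls reported in this thread, as an added example that was not posted by any participant: it parses a candidate IOS configuration and flags rate-limit on an interface, a class-map with more than one match input-interface line, a police statement at the parent level of an SVI input policy, and egress policing. The sample configuration is constructed, and the finding names are this example's own labels.

```python
import re

# Constructed candidate config (not from the thread) combining the pitfalls it reports.
SAMPLE_CONFIG = """\
class-map match-all CUST-A-VL10-CMAP1
 match input-interface FastEthernet1/0/1
 match input-interface FastEthernet2/0/1
policy-map CUST-A-VL10-PMAP1
 class CUST-A-VL10-CMAP1
  police 200000 37500 exceed-action drop
policy-map CUST-A-VL10-PARENT-PMAP1
 class class-default
  service-policy CUST-A-VL10-PMAP1
interface Vlan10
 service-policy input CUST-A-VL10-PMAP1
 service-policy output CUST-A-VL10-PARENT-PMAP1
interface Vlan30
 rate-limit input 10000000 1875000 3750000 conform-action transmit exceed-action drop
"""
HEADER = re.compile(r"^(class-map|policy-map|interface)\s+(.+)$")

def parse_sections(text):
    """Return [(kind, name, body_lines)] for class-map, policy-map and interface blocks."""
    sections, body = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            kind, rest = m.groups()
            # "interface Vlan 10" and "interface Vlan10" name the same SVI
            name = rest.replace(" ", "") if kind == "interface" else rest.split()[-1]
            body = []
            sections.append((kind, name, body))
        elif line and body is not None and not line.startswith("!"):
            body.append(line)
    return sections

def audit(text):
    """Flag constructs the thread found to be rejected or silently unenforced."""
    sections = parse_sections(text)
    policies = {n: b for k, n, b in sections if k == "policy-map"}

    def has_police(name, follow_children=True):
        body = policies.get(name, [])
        if any(ln.startswith("police ") for ln in body):
            return True
        children = [ln.split()[1] for ln in body if ln.startswith("service-policy ")]
        return follow_children and any(has_police(c, False) for c in children)

    findings = []
    for kind, name, body in sections:
        if kind == "class-map" and sum(ln.startswith("match input-interface") for ln in body) > 1:
            findings.append(("MULTI_INPUT_IF", name))  # accepted, policy never applied
        if kind != "interface":
            continue
        attached = [ln.split() for ln in body if ln.startswith("service-policy ")]
        if any(ln.startswith("rate-limit ") for ln in body):
            findings.append(("RATE_LIMIT", name))  # accepted by the CLI, not enforced
        for direction, pmap in (w[1:] for w in attached if len(w) == 3):
            if direction == "output" and has_police(pmap):
                findings.append(("EGRESS_POLICE", name))  # egress MQC policing unsupported
            elif direction == "input" and name.lower().startswith("vlan") and has_police(pmap, False):
                findings.append(("POLICE_AT_PARENT_ON_SVI", name))
    return findings
```

The two findings that matter most for tenant isolation are RATE_LIMIT and MULTI_INPUT_IF, because in both cases the thread reports that the switch accepts the configuration without any warning and then does not police the traffic.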

 
