Cisco Support Community
New Member

Rate Limit on Cisco 3750v2 SVI's

I am losing hair by the second with this problem!  Any help would be greatly appreciated....

I have a stack of Cisco 3750v2 switches with 8 VLANs (one per customer) and 8 SVI's (again, one per customer).  I am trying to apply rate limiting to the SVI's of each vlan for both input and output traffic.  This is my SVI configuration for one such VLAN (I have substituted the real IPs for private IPs for the purposes of this example) -

interface Vlan30

description ****CUST-C-VL30-SUBRATE-CAR-10M****

ip address 192.168.30.250 255.255.255.0

ip access-group CUST-C-VL30-ACL in

rate-limit input 10000000 1875000 3750000 conform-action transmit exceed-action drop

rate-limit output 10000000 1875000 3750000 conform-action transmit exceed-action drop

The access list for this interface is as follows -

Extended IP access list CUST-C-VL30-ACL

    10 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255

    20 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255

    30 deny ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255

    40 deny ip 192.168.30.0 0.0.0.255 192.168.50.0 0.0.0.255

    50 deny ip 192.168.30.0 0.0.0.255 192.168.60.0 0.0.0.255

    60 deny ip 192.168.30.0 0.0.0.255 192.168.70.0 0.0.0.255

    70 deny ip 192.168.30.0 0.0.0.255 192.168.80.0 0.0.0.255

    80 permit ip any any

Finally the physical ports associated with this VLAN are configured as follows -

interface FastEthernet1/0/4

description CUST-D-VL40-ACCESS-ACT

switchport access vlan 40

switchport mode access

mls qos vlan-based

interface FastEthernet2/0/4

description CUST-D-VL40-ACCESS-PSV

switchport access vlan 40

switchport mode access

mls qos vlan-based

When I pass traffic from behind the VLAN and out to the internet the rate limit statistics for the port show as follows -

Vlan30 ****CUST-C-VL30-SUBRATE-CAR-10M****

  Input

    matches: all traffic

      params:  10000000 bps, 1875000 limit, 3750000 extended limit

      conformed 0 packets, 0 bytes; action: transmit

      exceeded 0 packets, 0 bytes; action: drop

      last packet: 19317663ms ago, current burst: 0 bytes

      last cleared 03:50:26 ago, conformed 0 bps, exceeded 0 bps

  Output

    matches: all traffic

      params:  10000000 bps, 1875000 limit, 3750000 extended limit

      conformed 0 packets, 0 bytes; action: transmit

      exceeded 0 packets, 0 bytes; action: drop

      last packet: 19318251ms ago, current burst: 0 bytes

      last cleared 03:55:55 ago, conformed 0 bps, exceeded 0 bps

Based on this and the speed tests I am performing from within the VLAN, I am receiving the full bandwidth and not what should be assigned based on the rate limiting.  Have I missed anything as far as the configuration goes??  (I'm going grey by the second!!!)

Thanks

Nick

12 REPLIES

Rate Limit on Cisco 3750v2 SVI's

Hi Nick,

The rate limit commands look OK.

Why don't you use a policy map and see how it will do the job for you....

I have the below at one of my core switches and it is doing good as desired.

class-map vlan5
match vlan 5
match class-map class-default

policy-map vlan5-limit
class vlan5
! Change the values below according to your needs
police 2000000 250000 exceed-action drop

int vlan5
service-policy input vlan5-limit


After you apply this configuration, the traffic with VLAN 5 coming from any will be policed at 2Mbps.


Hope this will help you.


Please rate the helpful posts.
Regards,
Naidu.

New Member

Re: Rate Limit on Cisco 3750v2 SVI's

Thanks for the prompt response; unfortunately, the commands you provided have failed to work.  To give you an insight into what I have done please see below -

1.  Create a Class Map

class-map CUST-A-VL10-SUBRATE-CAR-4K-CMAP

match access-group name CUST-A-VL10-ACL

2.  Create a Policy Map

policy-map CUST-A-VL10-SUBRATE-CAR-4K-PMAP

class CUST-A-VL10-SUBRATE-CAR-4K-CMAP

police 400000 75000 exceed-action drop

3.  Apply Policy Map to Vlan 10

service-policy input CUST-A-VL10-SUBRATE-CAR-4K-PMAP

This then reports the following error -

%QoS: policy-map with police action at parent level not supported on Vlan10 interface.

%QoS: policy-map with police action at parent level not supported on Vlan10 interface.

%QoS: policy-map with police action at parent level not supported on Vlan10 interface.

service-policy output CUST-A-VL10-SUBRATE-CAR-4K-PMAP

Reports the error -

police command is not supported for this interface

The interface does not support the specified policy configuration and/or parameter values.

Hall of Fame Super Bronze

Rate Limit on Cisco 3750v2 SVI's

Nick,

1) rate-limit command (while accepted by the CLI) is not supported in the 3750/3560 platforms

2) Egress policing with MQC is not supported on these platforms. You can limit egress traffic with SRR bandwidth limit.

3) For ingress policing, you can use MQC and apply the service-policy directly into the physical interface instead of the logical SVI. You could apply the inbound policer in the SVI but you need to configure a hierarchical policy and the police statement must be in the child policy.

For instance:

class-map Vlan10

match input-interface ...

policy-map Vlan10

class Vlan10

police 10000000 187500 exceed-action drop

policy-map CUST-A-VL10-SUBRATE-CAR-4K-PMAP

class class-default

service-policy Vlan10

interface Vlan 10

service-policy input CUST-A-VL10-SUBRATE-CAR-4K-PMAP

Regards,

Edison

New Member

Re: Rate Limit on Cisco 3750v2 SVI's

Edison,

Thank you very much for the answer, it has saved me a lot of time and effort.  The Cisco 3750v2 product overview confirms the support for rate limiting, so I would have thought it would be supported? -

Cisco Catalyst 3750 v2 Series Software

The Cisco Catalyst 3750 v2 Series can be purchased with the IP Base or IP Services license preinstalled. The IP Base license offers advanced quality of service (QoS), rate limiting, access control lists (ACLs), and basic static and Routing Information Protocol (RIP) and OSPF routing functions. The IP Services license provides a richer set of enterprise-class features, including advanced hardware-based IP unicast and IP multicast routing as well as policy-based routing (PBR). The Advanced IP Services license, which includes IPv6 routing and IPv6 ACL support, is now included in the IP Services license. Upgrade licenses are available to upgrade a switch from the IP Base license to the IP Services license.

Anyhow, I have gone ahead and used the example you have provided to police on ingress the SVI, but am receiving the following error -

No action is configured in the policymap ****CUST-A-VL10-SUBRATE-CAR-4K-PMAP**** classmap class-default, or it is being modified

Based on my research into this it would appear I need to configure an action within the policy map to perform a function such as the following -

set dscp or set ip

Would you agree with this, and if so why is this required? I would have thought the action would have been taken within the subsequent service policy map?

Thanks

Nick

New Member

Re: Rate Limit on Cisco 3750v2 SVI's

Edison,

I have been toying with this all day and am now completely confused.....  I have performed the following steps -

Class Map

class-map match-all CUST-A-VL10-CMAP1

match input-interface fa1/0/1

match input-interface fa2/0/1

Policy Map

policy-map CUST-A-VL10-PMAP1

class CUST-A-VL10-CMAP1

police 200000 37500 exceed-action drop

Parent Policy Map

policy-map CUST-A-VL10-PARENT-PMAP1

class class-default

service-policy CUST-A-VL10-PMAP1

Interface Settings

interface vlan 10

service-policy input CUST-A-VL10-PARENT-PMAP1

All of these commands are accepted successfully by the switch.  However, when I do a sh run or sh conf the service-policy command is never displayed below the vlan SVI.  No matter what I try to do I cannot get it to display within the config.  The same problem occurs if I try to apply the command to a physical (fa1/0/1) or virtual (vlan10) interface.

Am I doing something wrong here?

New Member

Rate Limit on Cisco 3750v2 SVI's

Ok after further investigation it would seem you cannot add two interfaces to the match input-interface command below the class map -

class-map match-all CUST-A-VL10-CMAP1

match input-interface fa1/0/1

match input-interface fa2/0/1

Although this is accepted by the CLI and at no point issues a warning or failure, the command service-policy input CUST-A-VL10-PARENT-PMAP1 will be accepted but never applied.  Simply removing the match input-interface fa2/0/1 command from the class map and reassigning the parent policy map to the SVI resolves the problem.  So based on this I must have to create two class maps (one for each interface) as I am presenting two feeds to each customer per VLAN.

New Member

I tried to piece this together but a little tough. Asking also if a snippet of all the QoS could be posted.

Hall of Fame Super Bronze

Rate Limit on Cisco 3750v2 SVI's

The product overview indicates you can rate limit packets with QoS on the platform but not necessarily with the rate-limit command.

Please refer to the list of unsupported commands and you will see rate-limit listed:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_58_se/configuration/guide/swuncli.html

I recommend applying the service-policy inbound on each of the physical interfaces instead of the SVI.

Can you try that and report back?

Regards,

Edison

New Member

Rate Limit on Cisco 3750v2 SVI's

Edison,

Thanks for helping with this it is greatly appreciated.  I have been playing around with this and have managed to get the policing working successfully on the SVI. 

The problem was basically the direction the policing was being applied.  Initially I was applying the service policies to the customer SVIs in an inbound direction.  This would only be traffic coming into the VLAN interface from within the VLAN; therefore, in terms of internet traffic this would be upload and NOT the required download.

In order to resolve this, I have applied the service policy to the Internet facing VLAN.  Please see below -

Class Maps and Policy Maps

class-map match-all CUST-A-VL10-CMAP1

match input-interface  FastEthernet1/0/24

class-map match-all CUST-A-VL10-CMAP2

match access-group name CUST-A-VL10-ACL-POL

policy-map CUST-A-VL10-PMAP1

class CUST-A-VL10-CMAP1

police 100000 18750 exceed-action drop

policy-map CUST-A-VL10-PARENT-PMAP1

class CUST-A-VL10-CMAP2

set ip precedence 1

service-policy CUST-A-VL10-PMAP1

VLAN Configuration

interface Vlan300

ip address ************

service-policy input CUST-A-VL10-PARENT-PMAP1

This works successfully and polices the traffic as expected.  However, I have now run into the problem with assigning multiple service policies to the VLAN interface.  As this is the internet facing VLAN for the routing of traffic to and from the internet, all customer service policies need to be applied to this interface.  When I attempt to apply more than one service policy to this VLAN I receive the following error -

(config-if)#service-policy input CUST-B-VL20-PARENT-PMAP1

Policy map CUST-A-VL10-PARENT-PMAP1 is already attached

Looks like another couple of hours needed working around this problem!!

Thanks

Nick

New Member

Rate Limit on Cisco 3750v2 SVI's

Ok, figured out what I need to do......

Instead of using multiple parent policy maps, I can aggregate my class maps into one parent policy map and perform all required functions from one policy map.  See example -

policy-map CUST-A-VL10-PARENT-PMAP1

class CUST-A-VL10-CMAP2

   set ip precedence 1

   service-policy CUST-A-VL10-PMAP1

class CUST-B-VL20-CMAP2

   set ip precedence 1

   service-policy CUST-B-VL20-PMAP1

class CUST-C-VL30-CMAP2

   set ip precedence 1

   service-policy CUST-C-VL30-PMAP1

class CUST-D-VL40-CMAP2

   set ip precedence 1

   service-policy CUST-D-VL40-PMAP1

class CUST-E-VL50-CMAP2

   set ip precedence 1

   service-policy CUST-E-VL50-PMAP1

class CUST-F-VL60-CMAP2

   set ip precedence 1

   service-policy CUST-F-VL60-PMAP1

class CUST-G-VL70-CMAP2

   set ip precedence 1

   service-policy CUST-G-VL70-PMAP1

class CUST-H-VL80-CMAP2

   set ip precedence 1

   service-policy CUST-H-VL80-PMAP

This way, I only ever need to assign the single parent policy map to the SVI and traffic for each customer will be matched by ACL and policed as necessary.

Hope this helps anybody else with the same problem.

Hall of Fame Super Bronze

Rate Limit on Cisco 3750v2 SVI's

Great job Nick and thanks for posting such detailed information.

Regards,

New Member

Hi,

 

I wondered if you could help me as I have tried to follow your guide and am getting a bit stuck. I have 20 customers each with their own VLAN and I would like to limit the bandwidth per SVI. I have tried to follow the programming relating to a single parent map but cannot understand how to differentiate between customers on the child maps, are you able to port your full config?

 

Cheers
