10-31-2006 06:54 AM
Hi,
I'm running a MetroEthernet with 3750 as backbone switches and 2950/3560 at the edges, which is configured as a switched layer 2 network. Throughout this network I want to provide different VLANs with different bandwidths. To find a working configuration I've set up a small test scenario, consisting of two 3560, one as the 'layer2 network' and the other one as layer3 device with VLAN-interfaces and ip routing enabled.
What I want to achieve is that the traffic on VLAN 150 (interface FastEthernet0/15, ip net 192.168.150.0/24) is limited to 1MBit/s and the traffic on VLAN 160 (interface FastEthernet0/16, ip net 192.168.160/24) is limited to 2MBit/s. I've read the 'Configuring QoS' chapter of 'Catalyst 3560 Switch Software Configuration Guide' and tried the config attached below, but it's not working.
Maybe one of you could give me a hint about what I'm doing wrong?
thanks in advance
Mark
!
version 12.2
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
no service password-encryption
!
hostname ts2
!
enable secret 0 xxx
!
no aaa new-model
vtp mode transparent
ip subnet-zero
no ip domain-lookup
!
ip tftp source-interface Vlan121
!
mls qos
!
!
no file verify auto
!
mac access-list extended everythingL2
permit any any
!
spanning-tree mode mst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
spanning-tree mst configuration
name main-mst-region
revision 1
instance 1 vlan 1-4094
!
spanning-tree mst forward-time 7
spanning-tree mst max-age 15
!
vlan internal allocation policy ascending
vlan dot1q tag native
!
vlan 111,121,130,140,150,160
!
class-map match-all EveryMAC
match access-group name erverythingL2
class-map match-all V160
match access-group 16
class-map match-all V150
match access-group 15
!
!
policy-map InetUp
class V150
police 1000000 100000 exceed-action drop
class V160
police 2000000 200000 exceed-action drop
policy-map 1MBits
class EveryMAC
police 1000000 100000 exceed-action drop
policy-map 2MBits
class EveryMAC
police 2000000 200000 exceed-action drop
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 111
switchport mode trunk
service-policy input InetUp
!
interface FastEthernet0/15
description internet access -> ts2 vlan150
switchport access vlan 150
switchport mode access
service-policy input 1MBits
spanning-tree bpdufilter enable
spanning-tree guard root
!
interface FastEthernet0/16
description internet access -> ts2 vlan160
switchport access vlan 160
switchport mode access
service-policy input 2MBits
spanning-tree bpdufilter enable
spanning-tree guard root
!
interface Vlan121
description management
ip address 10.66.153.76 255.255.255.0
!
ip default-gateway 10.66.153.1
ip classless
no ip http server
!
access-list 15 permit 192.168.150.0 0.0.0.255
access-list 16 permit 192.168.160.0 0.0.0.255
!
line con 0
line vty 0 4
password xxx
login
!
end
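A check for one class of mistake that is easy to make in a configuration like the one posted above: names that are referenced (an ACL in a class-map, a class in a policy-map, a policy-map on an interface) but never defined. This is an added example, not part of the original post; the function name and the embedded config excerpt are constructed for illustration.

```python
import re

# Constructed excerpt (not a real device config), using the thread's naming style.
SAMPLE = """\
mac access-list extended everythingL2
 permit any any
class-map match-all EveryMAC
 match access-group name erverythingL2
class-map match-all V150
 match access-group 15
policy-map 1MBits
 class EveryMAC
  police 1000000 100000 exceed-action drop
policy-map InetUp
 class V150
  police 1000000 100000 exceed-action drop
 class V160
  police 2000000 200000 exceed-action drop
interface FastEthernet0/15
 service-policy input 1MBits
interface FastEthernet0/16
 service-policy input 2MBits
access-list 15 permit 192.168.150.0 0.0.0.255
"""

def dangling_references(config):
    """Return sorted (kind, name) pairs that are referenced but never defined."""
    defined = {"acl": set(), "class-map": set(), "policy-map": set()}
    refs = []
    for raw in config.splitlines():
        line = raw.strip()
        # Definitions first, so "class-map X" is never mistaken for "class X".
        if m := re.match(r"(?:ip|mac) access-list (?:extended|standard) (\S+)", line):
            defined["acl"].add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", line):
            defined["acl"].add(m.group(1))
        elif m := re.match(r"class-map (?:match-(?:all|any) )?(\S+)", line):
            defined["class-map"].add(m.group(1))
        elif m := re.match(r"policy-map (\S+)", line):
            defined["policy-map"].add(m.group(1))
        # References: ACL used by a class-map, class used by a policy-map,
        # policy-map attached to an interface or nested in another policy.
        elif m := re.match(r"match access-group (?:name )?(\S+)", line):
            refs.append(("acl", m.group(1)))
        elif m := re.match(r"class (\S+)", line):
            refs.append(("class-map", m.group(1)))
        elif m := re.match(r"service-policy (?:input |output )?(\S+)", line):
            refs.append(("policy-map", m.group(1)))
    # class-default always exists implicitly, so it is never reported.
    return sorted({(k, n) for k, n in refs
                   if n not in defined[k] and n != "class-default"})
```

Definitions are collected from the whole text before references are checked, so an ACL defined at the bottom of the config (as numbered ACLs usually are) does not produce a false report.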
10-31-2006 07:06 AM
Hi,
do you get matches in your ACLs?
You are applying a policy matching on IP addresses on a L2/trunk port.
Can you try to match on input interface or VLAN?
Regards, Martin
10-31-2006 08:37 AM
Hi Martin,
thanks for your reply. A "show access-list [15|16]" doesn't show any matches. The output of a "sh policy-map interface fa0/[15|16]" also shows nothing that would look like the policy-map is working.
I've tried to match/classify on the different VLANs, but couldn't find a way how this can be done.
Classification/Matching on the input interface may be possible in this test scenario. But in the real network the input interfaces (Fast0/15 & fast0/16) are distributed on different devices throughout the network.
thanks and kind regards
Mark
11-02-2006 09:20 AM
Mark,
can you explain "But in the real network the input interfaces (Fast0/15 & fast0/16) are distributed on different devices throughout the network."
The QoS you apply is a "rule set" local to the switch. Traffic outside the switch can not be handled. I seem to misunderstand something here.
Where should the limit be applied, where does the traffic come from? Can you be more specific about the topology and the goal you would like to achieve?
Thank you.
Regards, Martin
11-03-2006 12:12 AM
Hi,
the 'real' network is a layer 2 transport network, consisting of a backbone built by 3750 and 2950/3560 at the edges. What I want to achieve is to provide access to the internet from different places with different bandwidths. Here the different places are access ports at the edge switches (like fa0/15 in the example/test config above) and the connection to the internet is a trunk port (like fa0/4 in the example/test config above). This trunk port leads to another switch, which is in routing mode and has different vlan-interfaces for the different places.
Because, as far as I know, policing could be done only at the 'input direction' of a physical interface (e.g. FastEthernet), my approach is to limit the input bandwidth at both ends of a connection.
thanks and kind regards
Mark
11-03-2006 07:30 AM
Hm,
you might want to try this idea. Mark any traffic destined to internet with cos 1 and use the cos value to police the traffic on the trunk. Could look like this:
2950:
class-map Internet
match access-group name 4Internet
policy-map LimitInternet
class Internet
police 10000000 8192 exceed-action drop
set cos 1
interface range FastEthernet0/1 - 10
switchport access vlan 123
service-policy input LimitInternet
! if you want per user port limits
ip access-list extended 4Internet
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
Trunk port on other switches:
class-map Internet
match cos 1
policy-map LimitInternet
class Internet
police 50000000 8192 exceed-action drop
interface FastEthernet0/3
switchport mode trunk
service-policy input LimitInternet
Tell me what you think about it.
Regards, Martin
11-03-2006 10:49 AM
Hi ,
Pls do test this,
1. Create a L3 vlan and apply the service policy that you have created to this Vlan
2. Configure "mls qos vlan-based" in the physical interface
use it for ref :
and share us the results
regards
vanesh k
11-03-2006 12:13 PM
From what I collect from the conversation the problem is as below.
Q1) You are trying policing in the LAB on 3560, and you don't see any output on the policy maps.
Q2) You cannot do SVI based policing as your SVI for a vlan is on another switch and the access ports are on another switch. So you cannot do a match interface, for which it requires the SVI to be on the same local switch.
Hopefully the below is useful in your scenario:
Ans 1) The document which you are referring to, if you see the last section, clarifies that "show policy-map interface" is not a supported command, and the output displayed should be ignored. (At the moment there aren't any commands specified to verify the individual policers' throughput.)
Ans 2) Create a dummy SVI without an IP address, so that you conserve on the IP space, on the local switch and police closer to the source, as it's recommended to police closer to the source.
Use the config as below to achieve the same. The below config is tested and working on a 3560. (You may have to use external test equipment to test the validity of your policer in the LAB.)
HTH-Cheers,
Swaroop
Config for your reference.
-----------O/P from 3560---------
!
class-map match-all TEST
match input-interface FastEthernet0/9
class-map match-all PAR
match access-group 101
!
access-list 101 permit ip any any
!
!
policy-map CHILD
class CHILD
police 80000 80000 exceed-action drop --> Use parameters right for you
policy-map PARENT
class PARENT
set precedence 0 <--- Since this is Internet Traffic set Prec to 0
service-policy CHILD
!
!
!
interface FastEthernet0/15
switchport access vlan 150
switchport mode access
mls qos vlan-based
!
!
interface Vlan150
service-policy input PAR
!
11-03-2006 12:45 PM
-----------O/P from 3560---------
!
class-map match-all CHILD
match input-interface FastEthernet0/9
class-map match-all PARENT
match access-group 101
!
access-list 101 permit ip any any
!
!
policy-map CHILD
class CHILD
police 80000 80000 exceed-action drop --> Use parameters right for you
policy-map PARENT
class PARENT
set precedence 0 <--- Since this is Internet Traffic set Prec to 0
service-policy CHILD
!
!
!
interface FastEthernet0/15
switchport access vlan 150
switchport mode access
mls qos vlan-based
!
!
interface Vlan150
service-policy input PARENT
!
11-15-2006 11:48 PM
Hello,
thanks for your replies. I found a solution by changing my test network. Instead of the 3560 as connection facing the 'internet' switch, I used a 3750. (Because it seemed that the 3560 isn't capable of working the way I want it to.) The 'customer' ports remained on the 3560, but the policy-map has been extended with an ip access-list as class-map. The (partial) configurations of these two switches are
3750:
mls qos
!
class-map match-all vlan150
match access-group 115
class-map match-all vlan160
match access-group 116
!
policy-map to_Inet
class vlan150
police 3000000 300000 exceed-action drop
class vlan160
police 1000000 100000 exceed-action drop
!
interface GigabitEthernet1/0/9
switchport trunk encapsulation dot1q
switchport trunk native vlan 111
switchport mode trunk
service-policy input to_Inet
keepalive 10
speed 100
duplex full
no cdp enable
!
access-list 115 permit ip any 192.168.150.0 0.0.0.255
access-list 116 permit ip any 192.168.160.0 0.0.0.255
!
3560:
mls qos
!
mac access-list extended everythingL2
permit any any
!
class-map match-all EveryMAC
match access-group name everythingL2
class-map match-all EveryIP
match access-group name everythingIP
!
!
policy-map 1MBits
class EveryMAC
police 1000000 100000 exceed-action drop
class EveryIP
police 1000000 100000 exceed-action drop
policy-map 3MBits
class EveryMAC
police 3000000 300000 exceed-action drop
class EveryIP
police 3000000 300000 exceed-action drop
!
interface FastEthernet0/15
switchport access vlan 150
switchport mode access
service-policy input 4MBits
spanning-tree bpdufilter enable
spanning-tree guard root
!
interface FastEthernet0/16
switchport access vlan 160
switchport mode access
service-policy input 2MBits
spanning-tree bpdufilter enable
spanning-tree guard root
!
ip access-list extended everythingIP
permit ip any any
!
thanks and kind regards
Mark
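To see what throughput a `police <rate-bps> <burst-bytes> exceed-action drop` line should yield before measuring it with test equipment, the following added example (not from any poster in this thread) models it as a textbook single-rate token bucket. The function names, the 1000-byte frame size and the 10-second test length are assumptions, and real switch hardware may apply its own rate granularity.

```python
def police(packets, rate_bps, burst_bytes):
    """Single-rate token-bucket policer with exceed-action drop.

    packets: list of (arrival_time_s, size_bytes), sorted by time.
    Returns (forwarded_bytes, dropped_bytes).
    """
    tokens = float(burst_bytes)          # bucket starts full
    last = 0.0
    forwarded = dropped = 0
    for t, size in packets:
        # Refill at rate_bps/8 bytes per second, capped at the burst size.
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:               # conforming: spend tokens, forward
            tokens -= size
            forwarded += size
        else:                            # exceeding: drop, tokens untouched
            dropped += size
    return forwarded, dropped


def constant_stream(offered_bps, size_bytes, duration_s):
    """Evenly spaced frames of size_bytes at offered_bps for duration_s."""
    count = int(duration_s * offered_bps) // (size_bytes * 8)
    interval = size_bytes * 8 / offered_bps
    return [(i * interval, size_bytes) for i in range(count)]


def measured_bps(offered_bps, rate_bps, burst_bytes, size=1000, duration=10.0):
    """Average forwarded rate an external tester would report for the run."""
    fwd, _ = police(constant_stream(offered_bps, size, duration),
                    rate_bps, burst_bytes)
    return fwd * 8 / duration


if __name__ == "__main__":
    # (rate, burst) pairs taken from police statements quoted in the thread.
    for rate, burst in [(1000000, 100000), (3000000, 300000), (80000, 80000)]:
        print(rate, burst, round(measured_bps(10_000_000, rate, burst)))
```

In this model a 10-second flood through `police 80000 80000` averages roughly 143 kbit/s rather than 80 kbit/s, because the initial 80000-byte burst is a large share of everything forwarded in so short a run; longer measurements converge on the configured rate.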
02-22-2007 03:39 PM
2950 Switch connects to 3750ME fa, Port 1, 100Mb
3560 switch connects to 3750ME gi, Port 1, 1 GbE
Is there a way we can simply limit bandwidth and rate at port level on Cisco 3750 access switch to match bandwidth needs from edge switches?
Thanks
03-05-2007 11:16 AM
Did you ever get a resolution on this? I am also wanting to allocate my bandwidth usage for individual vlans not by service. On my test bed I need to simulate very small pipes, i.e. 128kbps. If you got answers somewhere else, can you please post them here, so the resolution is found here?