
Catalyst 3750 rate limiting & policing

elipschutz
Level 1

Hi,

I have configured rate limiting successfully in routers many times.

I want to configure rate limiting in a 3750 switch, is there anything that differs from configuring it in a router?

I have configured it on a routed port (no switchport) and applied the values I want to use but it seems to have no effect. Anything that I must consider configuring rate limiting on a 3750 switch?

Question number 2:

I also tried to configure policing with the Modular QoS CLI but it did not do any policing either?

The policing configuration:

!
mls qos
!
class-map match-any MATCHFOR1MBPS
 match access-group 101
!
!
policy-map RATETO5
 class MATCHFOR1MBPS
  police 496000 24000 exceed-action drop
!
interface GigabitEthernet1/0/16
 ip address x.x.x.x
 service-policy input RATETO5
!

Many thanks,

Best regards

Emanuel Lipschütz

8 Replies

pflunkert
Level 4

Hi Emanuel,

Why do you think that the policy doesn't work? Your configuration seems okay. The problem on Catalyst switches is that the commands to verify don't work (CSCee70104 for example). You can't verify whether you have a hit on an ACL, nor can you see dropped packets. But with the command "show platform port-asic stats drop asic 1" you can see that the packets are dropped.

Best regards

Peter

Hi Peter,

Thank you for your reply!

I see that it does not work because no policing is done.

I have verified it by sending traffic that matches the access-list and shall be policed, but it is not; these connections "eat up" all the bandwidth. That is what I want to prevent with the policing.

Many thanks,

Best regards

Emanuel

Hi Emanuel,

Here is a config which works. I tested this in our lab with a smartbit:

mls qos
!
class-map match-all T-incoming
 match access-group 1
!
policy-map Test
 class T-incoming
  police 1000000 10000 exceed-action drop
!
interface FastEthernet1/0/1
 service-policy input Test
!
access-list 1 permit 10.1.0.0 0.0.255.255
access-list 1 permit 192.168.20.0 0.0.0.255

I use the match-all statement. You should do this also.

Regards

Peter

Hi again Peter,

Very nice of you to test this!

The "interface FastEthernet1/0/1" is that a switchport or a "routed port"?

Is it a 3750 switch you are using?

Can you try using an extended access-list instead of a standard?

Many thanks,

Best regards

Emanuel

Hi Emanuel,

The interface FastEthernet1/0/1 is a switchport. I tried the configuration as access VLAN and as trunk port. I use a Catalyst 3750 with 12.1.19(Ea1a), but I tried it with other versions also. I also tried configuring this with extended and named ACLs. And it all works. As routed ports I use the interface VLANs.

Perhaps you should try my config.

Regards

Peter

Hi Peter,

Many thanks for all your answers. It seems like it has worked all the time, but the police values do not reflect the actual bandwidth allowed.

When using this configuration I can send approximately 0,7 Mbps from the server affected by the policy. That can't be correct.

policy-map RATETO5MBPS
 class MATCHFOR1MBPS3
  police 24000 8000 exceed-action drop

When you used the configuration you sent, what throughput did you get?

Again, thanks.

Best regards

Emanuel

On the interface only 1 MBit/s per second is allowed.

Your configuration limits the traffic to 24000 Bits/s.

But that means that your config will work.

Regards

Peter

Hi Peter,

You actually get 1 Mbps using your configuration?

When I used your configuration I got much more than 1 Mbps; in fact I got 400 Kbytes / s.

Yes, that is true, it shall police it to 24000 bits with a burst of 8000 bytes. But that is what does not seem to work correctly.

It works, but not correctly. :-)

Many thanks,

Best regards

Emanuel
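
An idealized single-rate token-bucket model of the "police <rate in bits/s> <burst in bytes> exceed-action drop" lines posted in this thread, added here as an illustration; it is not code from any poster or from Cisco. It gives the throughput an ideal policer would pass, as a baseline for comparing measured values. Assumptions: the bucket starts full, the offered load is a constructed constant-rate stream, 1 Kbyte = 1000 bytes, and all function names are hypothetical.

```python
# Added illustration: idealized single-rate policer (token bucket, exceed-action drop).
# Assumptions: bucket starts full, rate in bits/s, burst in bytes, 1 Kbyte = 1000 bytes.

def police(packets, rate_bps, burst_bytes):
    """packets: (arrival_time_s, size_bytes) tuples sorted by time.
    Returns one verdict per packet: True = conform (sent), False = exceed (dropped)."""
    tokens = float(burst_bytes)
    last = 0.0
    verdicts = []
    for t, size in packets:
        # Refill at rate_bps/8 bytes per second, never above the burst size.
        tokens = min(float(burst_bytes), tokens + (t - last) * rate_bps / 8.0)
        last = t
        if size <= tokens:
            tokens -= size
            verdicts.append(True)
        else:
            verdicts.append(False)   # a dropped packet consumes no tokens
    return verdicts

def conformed_bps(rate_bps, burst_bytes, offered_bps, pkt_bytes=1000, duration_s=10):
    """Offer constant-rate traffic for duration_s; return the bit rate that passes."""
    pkt_bits = pkt_bytes * 8
    count = duration_s * offered_bps // pkt_bits
    packets = [(i * pkt_bits / offered_bps, pkt_bytes) for i in range(count)]
    verdicts = police(packets, rate_bps, burst_bytes)
    passed = sum(size for (_, size), ok in zip(packets, verdicts) if ok)
    return passed * 8 / duration_s

def kbytes_per_s_to_bps(kbytes_per_s):
    """Convert a measured transfer rate in Kbytes/s to bits/s for comparison."""
    return int(kbytes_per_s * 1000 * 8)

if __name__ == "__main__":
    offered = 10_000_000  # constructed test load: 10 Mbit/s of 1000-byte packets
    for rate, burst in [(1000000, 10000), (496000, 24000), (24000, 8000)]:
        got = conformed_bps(rate, burst, offered)
        print(f"police {rate} {burst}: ideal throughput {got:,.0f} bit/s")
    print("400 Kbytes/s measured =", kbytes_per_s_to_bps(400), "bit/s")
```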