cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
374
Views
0
Helpful
11
Replies
Highlighted
Beginner

Rate limiting on Catalyst 2950T switches

Hi,

I would like to allow some users full access to internal servers, but only provide them with 2 Mbps access to the Internet. As far as I understand I cannot use the deny statement when defining the access-list for the class-map and therefore I am asking for your help. (The config below work well for rate-limiting all traffic, but I would need full access for traffic matching access-list 111):

access-list 111 remark [ Traffic not to be rate limited ]

access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255

access-list 112 remark [ Traffic to be rate limited ]

access-list 112 permit ip 10.0.0.0 0.255.255.255 any

class-map match-all Internet-Class

match access-group 112

policy-map Internet

description [ Rate limit Internet access ]

class Internet-Class

police 2000000 65536 exceed-action drop

interface FastEthernet0/1

service-policy input Internet

interface FastEthernet0/24

service-policy input Internet

Any help would be very appreciated!

Regards,

Harald

11 REPLIES 11
Highlighted
Contributor

I'm not sure if you forgot it, but you need to call ACL 111:

class-map match-all local_traffic

match access-group 111

!

policy-map Internet

class local_traffic

police 98000000 65536

!

And in case you don't have it already:

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cdef0.html

Hope this helps,

-Mark Turpin

-- -Mark Turpin
Highlighted

Thanks for your reply Mark!

However, when I try to add the local_traffic map to the policy map I get the following error:

Error:Class-map has a different mask than the Policymap

If I change the access-list to something like:

access-list 112 remark [ Traffic to be rate limited ]

access-list 112 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255

then I am able to put both class statements in the policy-map, but I would like to use "any" since it is traffic bound for the Internet.

Is it possible to do this in some way?

Thanks again for your help!

Regards,

Harald

Highlighted

Hi Harald,

As far as i understand class- maps u can use deny statements in acl's for class-maps... A deny in an acl simply tells the class-map that this kind of traffic do not match.

regards,

Sebastian

Highlighted

Thanks for your reply Sebastian!

Unfortunately, the Catalyst 2950 QoS configuration documents states that "Deny statements are not supported for QoS ACLs", which I noted when I could not define them on the switch.

Regards,

Harald

Highlighted

Harald,

Can you paste your config again? It sounds as if you're trying to call two different ACP's or "masks" as your error indicates.

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde58.html#75868

Thanks,

Mark Turpin

-- -Mark Turpin
Highlighted

Thanks again for the reply!

My "working" configuration is as follows:

access-list 111 remark [ Traffic not to be rate limited ]

access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255

access-list 112 remark [ Traffic to be rate limited ]

access-list 112 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255

class-map match-all Local-Class

match access-group 111

class-map match-all Internet-Class

match access-group 112

policy-map Internet-Policy

description [ Rate limit Internet access ]

class Internet-Class

police 2000000 65536 exceed-action drop

class Local-Class

police 98000000 65536

interface FastEthernet0/1

description [ Local LAN facing interface ]

service-policy input Internet-Policy

interface FastEthernet0/24

description [ Internet facing interface ]

service-policy input Internet-Policy

However, I would like to change "172.16.0.0 0.0.255.255" in access-list 112 to "any" since it should apply to all Internet traffic. If I try to do that I get the mask error I previously mentioned.

Regards,

Harald

Highlighted

Just out of curiousity, tell me what "show mls masks" tells you.

I have a feeling that the 2950 is looking at the 10/8 -> 192.168/16 and 10/8 -> any statements as overlapping.

Let's assume you have 10.15.x.x as your network. What happens if you leave ACL111 as is, and rewrite ACL112 as:

access-list 112 remark [ Traffic to be rate limited]

access-list 112 permit ip 10.15.0.0 0.0.255.255 any

Let me know what you find out! :)

-Mark

-- -Mark Turpin
Highlighted

I tried to change the access-list 112 as you suggested, but I still got the "mask error" when trying to define the policy.

The "show mls masks" gives (with only Local-Class in the policy-map):

Mask1

Type : qos

Fields : ip-sa(255.0.0.0), ip-da(255.255.0.0)

Policymap : Internet-Policy

Interfaces : Fa0/1, Fa0/24

Regards,

Harald

Highlighted

You will probably want to open a TAC case to confirm. I'm guessing that we're hitting a wall when we call the 'any' keyword which is mixing masks. You can't mix masks inside the same policy, and I am guessing that the any mask falls in to a system mask, and your other ACL is a user defined mask.

Only one other thing I can think of to try: put the policy only on f0/1 - your ingress interface and see if it makes a difference.

If changing the interface the policy is applied to, I'd try calling the TAC :)

Sorry I couldn't help more, here's a URL I've been referencing:

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00802c31e3.html#wp1054266

-Mark

-- -Mark Turpin
Highlighted

Only applying the policy to one interface unfortunately did not solve the problem either.

I will try to find another solution to the problem.

Thanks again for your help!

Regards,

Harald

Highlighted

Hi I have a Cisco 2950EI and while the rate limiting is good in ingress, I wanted to also blend in prioritization in the prority queue. However in the policy map I would like to make bsd10 traffic low priority, while the rest is high. I typed some stuff into the 2950 'policy-map bsd10' but I am not sure how these rules behave:

!

!

class-map match-all match-any

match access-group 1

class-map match-all bsd10only

match access-group name bsd10

class-map match-all bsd10

match access-group name bsd10

!

!

policy-map 8Mbps

class match-any

police 16000000 32768 exceed-action drop

set ip dscp 56

policy-map bsd10

class match-any

police 11000000 32768 exceed-action drop

set ip dscp 8

class bsd10

set ip dscp 8

police 17000000 32768 exceed-action drop

!

Content for Community-Ad