02-05-2009 04:18 AM - edited 03-04-2019 01:07 AM
Hi All,
We have a 3560 switch that connects to customer CPE over a 1Mb link. Since we don't manage CPE, we want to apply rate limiting for ingress and egress traffic.
I couldn't find specific information on this in the Cisco documents, but came across different options that are listed below.
1. srr-queue bandwidth limit 90 (Limit the available egress bandwidth to 80% of interface speed)
2. rate-limit input <1024000> <> conform-action transmit exceed-action drop
3. service-policy <> (but this cannot be applied to egress traffic.)
Could anyone please confirm which is the correct method to rate-limit the traffic on 3560?
Thanks
Jobby Jose
02-05-2009 05:06 AM
Correct method depends on what you're attempting to accomplish. You note you don't control CPE and you want to apply rate limiting for both ingress and egress. Why?
On ingress, you shouldn't receive traffic over 1 Mbps, so you want to slow it even more?
On egress, the CPE should either queue and/or discard over-rate traffic. So, unless you want to queue or discard egress traffic as part of some policy, there's no reason for you to do anything. If you do have a policy in mind, if you could describe it, I might be able to suggest how you might accomplish it.
02-05-2009 07:09 AM
Hi Joseph,
The CPE connection is 1Mb and the backbone has 3Mb of bandwidth. Hence we want to discard any egress data over 1Mb. Regarding ingress, though the LLP equipment limits the traffic to 1Mb, we want to enforce port-based rate limiting in our managed device.
We have another 2 x 1Mb local connections where we have managed CPEs and hence are not worried about rate limiting on those ports.
Hope I have answered your queries.
Thanks
Jobby
02-05-2009 08:00 AM
You can use the "srr-queue bandwidth limit xx" command to limit the bandwidth but the values are from 10-100 so if you want to limit your bandwidth to 1 meg, you need to configure the speed of the interface to 10 meg.
int gi0/1
speed 10
srr-queue bandwidth limit 10
You will probably have to enable "mls qos" globally to have this feature work, in which case you'll automatically get the default queue configuration. I would be very cautious turning this on without testing because once your traffic goes over 1 meg, the switch will then use its default egress queue policy which may not be a policy that works for you. I found the defaults to be less than stellar, like dropping tos 7 and 4 before dropping tos 0. Just be aware that there is a default policy even though it doesn't show in the running config.
Check out the qos section of the config guide.
02-05-2009 04:20 PM
You can use method #3 to rate-limit ingress traffic from the CPE. I assume there's only one CPE port.
Dealing with egress to the CPE, I'm not positive about the correct functioning if there's more than one LAN facing interface. You can again use method #3, but you may need to use an ACL to identify CPE egress traffic (if there's also LAN to LAN port traffic). Further, with more than one LAN facing interface you'll likely need to adopt a Hierarchical Policy Map on the SVI and physical ports. What's unclear is whether the policer configured on the physical interfaces can each be 1 Mbps or whether their sums should not exceed 1 Mbps.
An alternative for egress to CPE is to use your method #1 (or Robert's suggestion). This approach acts more like a shaper rather than a policer (personally I prefer shaping especially if you choose to organize the traffic for QoS across the 4 egress queues).
Do note, the port bandwidth isn't exactly configured to the percentage you specify; from Cisco's QoS guide "These values are not exact because the hardware adjusts the line rate in increments of six.".
PS:
Although an added expense, you might consider placing a low end Cisco router between your 3650 and the CPE. Cisco routers tend to have much richer features for dealing with traffic.
02-06-2009 08:30 AM
Thanks for your suggestions and comments. It seems method #1 is the best solution to limit port bandwidth (egress), but here the parameter allows only 10-90 values, and hence I can set a max of 900Kb, but not 1Mb.
Do you have any idea how rate-limit works on 3560? We have tested this in the lab, but traffic is not flowing under the "conformed" queue, let alone the "exceeded" queue.
Would appreciate your comments on rate-limit command.
Thanks
Jobby
02-07-2009 04:50 AM
". . . the parameter allows only 10-90 values, and hence i can set max of 900Kb, but not 1Mb. "
10% of 10 Mbps should be 1 Mbps, although there's the increment factor to consider. Is that how you're getting 900 Kbps?
"Do you have any idea how rate-limit works on 3560?"
I don't see rate-limit command in http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/command/reference/cli1.html. I also found under show access-lists "Note Though visible in the command-line help strings, the rate-limit keywords are not supported. " (Also similar note under show interfaces.) What IOS version are you running?
02-08-2009 03:34 AM
You are right, 10% of 10Mb would give the result.
Thanks for rate-limit information; really don't understand why they have that option in CLI if it is not supported.
Thanks a lot..
Cheers..
Jobby
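The two approaches the thread settles on, written out together as an added example that is not part of any post above: an ingress policer attached with service-policy (method #3) and the egress limit from the accepted answer (method #1 on a 10 Mb/s port). The ACL, class-map and policy-map names are hypothetical, the ACL matches IP traffic only, and the unsupported rate-limit command is deliberately not used.

```cisco
! Added example; CPE-ANY-IP, CPE-INGRESS and CPE-1M-IN are hypothetical names.
! QoS must be enabled globally; this also activates the default queue
! settings, which do not appear in the running config.
mls qos
!
! Match all IP traffic arriving from the CPE (constructed ACL).
ip access-list extended CPE-ANY-IP
 permit ip any any
!
class-map match-all CPE-INGRESS
 match access-group name CPE-ANY-IP
!
! Ingress: police to 1 Mb/s (1000000 b/s, 8000-byte burst) and drop the excess.
policy-map CPE-1M-IN
 class CPE-INGRESS
  police 1000000 8000 exceed-action drop
!
interface GigabitEthernet0/1
 ! Egress: 10 percent of a 10 Mb/s port is roughly 1 Mb/s; the value is
 ! not exact because the hardware adjusts the line rate in increments.
 speed 10
 srr-queue bandwidth limit 10
 ! Attach the ingress policer to traffic received from the CPE.
 service-policy input CPE-1M-IN
```

Test this in a lab first, as the accepted answer advises: once egress traffic exceeds the limit, the default egress queue policy decides what is dropped.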