Cisco 3750 Catalyst Switch Rate-Limit problem

Hi everyone. Our company is running a metro-Ethernet service that connects customers to edge switches at several locations. In most of them we are using 3750 switches, and for the clients' internet connections we want to rate-limit.

One sample interface configuration:

interface GigabitEthernet1/0/10
 description Klinika_Inet
 power inline never
 no switchport
 ip address 85.***.***.*** 255.255.255.240
 rate-limit input access-group 110 61440000 7680000 15360000 conform-action transmit exceed-action drop
 rate-limit output access-group 110 61440000 7680000 15360000 conform-action transmit exceed-action drop
 load-interval 30
 storm-control broadcast level 50.00
 storm-control multicast level 50.00
 storm-control action shutdown
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end

access-list 110 permit ip 85.***.***.*** 0.0.0.15 any
access-list 110 permit ip any 85.***.***.*** 0.0.0.15

However, it is not working. I can see in PRTG that their traffic is unrestricted and sometimes reaches beyond 100Mbps. I checked show access-list and don't see even one match.

What can be the reason?

VIP Mentor

Re: Cisco 3750 Catalyst Switch Rate-Limit problem

Hello,

My first thought is: what are the IP addresses of your actual LAN clients? In your example, is interface GigabitEthernet1/0/10 the LAN or WAN interface?


Re: Cisco 3750 Catalyst Switch Rate-Limit problem

That port is an edge port facing the client device (mainly a router), and I think you mean this as LAN. So, it is LAN for the client side. I hid the IP addresses because they are global. The access-lists are just for the subnets in which the interface VLAN IP address is located.

VIP Mentor

Re: Cisco 3750 Catalyst Switch Rate-Limit problem

Hello,

On second thought, I seem to remember that rate limiting on physical interfaces used not to be supported on the 3750, although the switch accepts the commands.

Try the below instead and see if this works:

access-list 110 permit ip 85.***.***.*** 0.0.0.15 any
access-list 110 permit ip any 85.***.***.*** 0.0.0.15

class-map LIMIT_ISP_CLASS
 match ip address 110
policy-map LIMIT_ISP_POLICY
 class LIMIT_ISP_CLASS
  police 61440000 768000 exceed-action drop
 class class-default

interface GigabitEthernet1/0/10
 service-policy input LIMIT_ISP_POLICY

Re: Cisco 3750 Catalyst Switch Rate-Limit problem

Thank you very much for your effort, but I've already tried this configuration with no result. The interesting thing is that when rate-limit is configured under the interface and I reload the device, as soon as it comes up I see matches in the ACL for a second. However, then it stops incrementing. It is quite weird, I think.

VIP Mentor

Re: Cisco 3750 Catalyst Switch Rate-Limit problem

Hello,

Odd indeed. You can also try a service policy on the SVI (in the example below I used Vlan 20, change that to whatever Vlan you have configured). You need a parent policy for that to work:

access-list 110 permit ip 85.***.***.*** 0.0.0.15 any
access-list 110 permit ip any 85.***.***.*** 0.0.0.15

class-map LIMIT_ISP_CLASS
 match ip address 110
policy-map CHILD_LIMIT_ISP_POLICY
 class LIMIT_ISP_CLASS
  police 61440000 768000 exceed-action drop
policy-map PARENT_LIMIT_ISP_POLICY
 class class-default
  service-policy CHILD_LIMIT_ISP_POLICY

interface Vlan20
 service-policy input PARENT_LIMIT_ISP_POLICY


Re: Cisco 3750 Catalyst Switch Rate-Limit problem

I have already tried a parent-child QoS configuration and it failed. Actually, that was a bit different from yours, with matching on input interface etc., following the Cisco documentation. However, I tried your configuration also.

Gence(config)#inter vlan 615
Gence(config-if)#service-policy input PARENT_LIMIT_ISP_POLICY
%QoS: No action is configured in the policymap PARENT_LIMIT_ISP_POLICY classmap class-default, or it is being modified.
Service Policy attachment failed

Moreover, you forgot the "mls qos vlan-based" configuration under the physical interface.

VIP Mentor

Re: Cisco 3750 Catalyst Switch Rate-Limit problem

Hello,

Just set something in the parent map:

access-list 110 permit ip 85.***.***.*** 0.0.0.15 any
access-list 110 permit ip any 85.***.***.*** 0.0.0.15

class-map LIMIT_ISP_CLASS
 match ip address 110
policy-map CHILD_LIMIT_ISP_POLICY
 class LIMIT_ISP_CLASS
  police 61440000 768000 exceed-action drop
policy-map PARENT_LIMIT_ISP_POLICY
 class class-default
  set ip precedence 1
  service-policy CHILD_LIMIT_ISP_POLICY

interface Vlan20
 service-policy input PARENT_LIMIT_ISP_POLICY
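
A configuration check for the slips raised in the thread so far, as an added example that is not part of any post: a class-map pointing at an ACL number that is never defined, a parent class holding only a nested service-policy (the case behind the %QoS attachment error), an SVI policy without "mls qos vlan-based" on any port, and rate-limit under an interface. The function name `lint_qos`, the sample configuration and the 192.0.2.0/28 prefix are assumptions for illustration, and the checks encode what the posters reported, not verified platform behaviour.

```python
import re

# Constructed sample modelled on the configurations posted in this thread;
# 192.0.2.0/28 is a documentation prefix standing in for the masked subnet.
SAMPLE = """\
access-list 110 permit ip 192.0.2.0 0.0.0.15 any
class-map LIMIT_ISP_CLASS
 match ip address 101
policy-map CHILD_LIMIT_ISP_POLICY
 class LIMIT_ISP_CLASS
  police 61440000 768000 exceed-action drop
policy-map PARENT_LIMIT_ISP_POLICY
 class class-default
  service-policy CHILD_LIMIT_ISP_POLICY
interface GigabitEthernet1/0/10
 rate-limit input access-group 110 61440000 7680000 15360000 conform-action transmit exceed-action drop
interface Vlan20
 service-policy input PARENT_LIMIT_ISP_POLICY
"""

def lint_qos(config):
    """Flag the QoS slips raised in this thread; keyword-based, so lost indentation is fine."""
    acls, class_acl, actions, svi, findings = set(), {}, {}, [], []
    vlan_based, ctx, name, cls = False, None, None, None
    for w in (raw.split() for raw in config.splitlines() if raw.strip()):
        line = " ".join(w)
        if w[0] == "access-list" and len(w) > 1:
            acls.add(w[1])                       # numbered ACL definition
        elif w[0] in ("class-map", "policy-map", "interface"):
            ctx, name, cls = w[0], w[-1], None   # new section; its name is the last word
        elif ctx == "class-map" and (m := re.match(r"match (?:ip address|access-group) (\S+)", line)):
            class_acl[name] = m.group(1)
        elif ctx == "policy-map" and w[0] == "class" and len(w) > 1:
            cls = (name, w[1])
        elif ctx == "policy-map" and cls:
            actions.setdefault(cls, []).append(w[0])   # police / set / service-policy ...
        elif ctx == "interface" and w[0] == "rate-limit":
            findings.append(f"{name}: rate-limit (reported here as accepted but not enforced)")
        elif ctx == "interface" and line == "mls qos vlan-based":
            vlan_based = True
        elif ctx == "interface" and w[:2] == ["service-policy", "input"] and name.lower().startswith("vlan"):
            svi.append(name)
    findings += [f"class-map {c}: access-list {a} is not defined"
                 for c, a in class_acl.items() if a not in acls]
    findings += [f"policy-map {p} class {c}: only a nested service-policy, no action"
                 for (p, c), acts in actions.items() if set(acts) == {"service-policy"}]
    if svi and not vlan_based:
        findings.append(f"{', '.join(svi)}: SVI policy but no port has 'mls qos vlan-based'")
    return findings
```

`lint_qos(SAMPLE)` returns four findings; only numbered ACLs are tracked, so a class-map that matches a named ACL would need an extra branch.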

VIP Expert

Re: Cisco 3750 Catalyst Switch Rate-Limit problem

If I remember correctly, you can rate limit port ingress, using a policy-map policer. For egress your options are to "shape" the port or to "shape" a hardware queue.

Re: Cisco 3750 Catalyst Switch Rate-Limit problem

I have already limited egress traffic with "srr-queue bandwidth limit %" and it is alright. The problem is with input limiting. I have tried rate-limiting under the interface, service-policy under the physical interface, and a parent-child policy under the SVI, and none works. Moreover, it doesn't show matches for the ACL under the show access-list command.

VIP Expert

Re: Cisco 3750 Catalyst Switch Rate-Limit problem

The ACL not showing matches may be due to the 3750 processing the ACL on the ASIC. Often on these platforms, you don't see stats where you would on other devices. Some of the ASIC stats will show what you want, but there might not be any for ACL hits.

Hmm, as far as I know, a service policy in the ingress port should be able to limit bandwidth.

What IOS version are you running?

Re: Cisco 3750 Catalyst Switch Rate-Limit problem

The software in the device was something old; I do not remember the exact full name. But I renewed it with the latest recommended release on cisco.com, "c3750-ipbasek9-mz.122-55.SE12.bin", but no changes. Rate-limit on ingress traffic still doesn't work and I don't see any ACL matches.

VIP Mentor

Re: Cisco 3750 Catalyst Switch Rate-Limit problem

Hello,

Try the 'match-all' in the class definition:

class-map match-all

VIP Expert

Re: Cisco 3750 Catalyst Switch Rate-Limit problem

I don't know about rate-limit - I noted using an ingress policy map with a policer.

Re: Cisco 3750 Catalyst Switch Rate-Limit problem

No result, unfortunately :( I even tried matching the DSCP default value and class-default. Several sources confirmed to me that not seeing ACL matches is normal for these routers, but I check in PRTG and see that input traffic is not limited :(