02-07-2018 12:24 AM - edited 03-05-2019 09:53 AM
Hi everyone. Our company is running a metro-Ethernet service that connects customers to an edge switch at several locations. In most of them we are using a 3750 switch, and we want to rate-limit the internet connection for clients.
One sample interface configuration:
interface GigabitEthernet1/0/10
 description Klinika_Inet
 power inline never
 no switchport
 ip address 85.***.***.*** 255.255.255.240
 rate-limit input access-group 110 61440000 7680000 15360000 conform-action transmit exceed-action drop
 rate-limit output access-group 110 61440000 7680000 15360000 conform-action transmit exceed-action drop
 load-interval 30
 storm-control broadcast level 50.00
 storm-control multicast level 50.00
 storm-control action shutdown
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end
access-list 110 permit ip 85.***.***.*** 0.0.0.15 any
access-list 110 permit ip any 85.***.***.*** 0.0.0.15
However, it is not working. I monitor in PRTG that their traffic is unrestricted and sometimes reaches beyond 100Mbps. I checked show access-list and don't even see a match.
What can be the reason?
02-07-2018 01:05 AM
Hello,
my first thought is: what are the IP addresses of your actual LAN clients? In your example, is interface GigabitEthernet1/0/10 the LAN or WAN interface?
02-07-2018 01:12 AM
That port is an edge port facing the client device (mainly a router), and I think you mean this as LAN. So, it is LAN for the client side. I hid the IP addresses because they are global. The access-lists are just for the subnets in which the interface VLAN IP address is located.
02-07-2018 01:30 AM
Hello,
on second thought, I seem to remember that rate limiting on physical interfaces used to be not supported on the 3750, although the switch accepts the commands.
Try the below instead and see if this works:
access-list 110 permit ip 85.***.***.*** 0.0.0.15 any
access-list 110 permit ip any 85.***.***.*** 0.0.0.15
class-map LIMIT_ISP_CLASS
 match access-group 110
policy-map LIMIT_ISP_POLICY
 class LIMIT_ISP_CLASS
  police 61440000 768000 exceed-action drop
 class class-default
interface GigabitEthernet1/0/10
 service-policy input LIMIT_ISP_POLICY
02-07-2018 03:38 AM
Thank you very much for your effort, but I've already tried this configuration with no result. The interesting thing is that when rate-limit is configured under the interface and I reload the device, as soon as it comes up I see matches in the ACL for a second. However, then it stops incrementing. It is quite weird, I think.
02-07-2018 04:36 AM
Hello,
odd indeed. You can also try a service policy on the SVI (in the example below I used Vlan 20, change that to whatever Vlan you have configured). You need a parent policy for that to work:
access-list 110 permit ip 85.***.***.*** 0.0.0.15 any
access-list 110 permit ip any 85.***.***.*** 0.0.0.15
class-map LIMIT_ISP_CLASS
 match access-group 110
policy-map CHILD_LIMIT_ISP_POLICY
 class LIMIT_ISP_CLASS
  police 61440000 768000 exceed-action drop
policy-map PARENT_LIMIT_ISP_POLICY
 class class-default
  service-policy CHILD_LIMIT_ISP_POLICY
interface Vlan20
 service-policy input PARENT_LIMIT_ISP_POLICY
02-07-2018 05:15 AM
I have already tried a parent-child QoS configuration and it failed. Actually, that was a bit different from yours, with matching on input interface etc., following Cisco documentation. However, I tried your configuration also.
Gence(config)#inter vlan 615
Gence(config-if)#service-policy input PARENT_LIMIT_ISP_POLICY
%QoS: No action is configured in the policymap PARENT_LIMIT_ISP_POLICY classmap class-default, or it is being modified.
Service Policy attachment failed
Moreover, you forgot the "mls qos vlan-based" configuration under the physical interface.
02-07-2018 06:37 AM
Hello,
just set something in the parent map:
access-list 110 permit ip 85.***.***.*** 0.0.0.15 any
access-list 110 permit ip any 85.***.***.*** 0.0.0.15
class-map LIMIT_ISP_CLASS
 match access-group 110
policy-map CHILD_LIMIT_ISP_POLICY
 class LIMIT_ISP_CLASS
  police 61440000 768000 exceed-action drop
policy-map PARENT_LIMIT_ISP_POLICY
 class class-default
  set ip precedence 1
  service-policy CHILD_LIMIT_ISP_POLICY
interface Vlan20
 service-policy input PARENT_LIMIT_ISP_POLICY
02-07-2018 07:39 AM
I have already limited egress traffic with "srr-queue bandwidth limit %" and it is alright. The problem is with input limiting. I have tried rate-limiting under the interface, service-policy under the physical interface, and parent-child policy under the SVI, and none works. Moreover, it doesn't show matches for the ACL under the show access-list command.
02-07-2018 07:50 AM
02-07-2018 11:45 PM
The software on the device was something old; I do not remember the exact full name. But I renewed it with the latest recommended release on cisco.com, "c3750-ipbasek9-mz.122-55.SE12.bin", but no change. Rate-limit on ingress traffic still doesn't work and I don't see any ACL matches.
02-08-2018 01:18 AM
Hello,
try the 'match-all' in the class definition:
class-map match-all
02-08-2018 02:59 AM
02-09-2018 03:36 AM
No result, unfortunately :( I even tried matching the DSCP default value and class-default. It was confirmed to me by several sources that not seeing ACL matches is normal for these routers, but I check in PRTG and see that input traffic is not limited :(
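Added example, not part of any post in this thread: a small reference check for QoS configurations of the kind exchanged above, which reports an ACL, class-map or policy-map that is referenced but never defined, so a rate-limit policy cannot silently point at nothing. The sample configuration is constructed (documentation addresses, class-map deliberately pointing at ACL 101 while only ACL 110 exists), and the check accepts both `match access-group` and `match ip address` as reference forms.

```python
import re

# Constructed sample in the shape of the thread's QoS snippets; the class-map
# deliberately points at ACL 101 while only ACL 110 is defined.
SAMPLE = """\
access-list 110 permit ip 192.0.2.0 0.0.0.15 any
access-list 110 permit ip any 192.0.2.0 0.0.0.15
class-map match-all LIMIT_ISP_CLASS
 match access-group 101
policy-map CHILD_LIMIT_ISP_POLICY
 class LIMIT_ISP_CLASS
  police 61440000 768000 exceed-action drop
policy-map PARENT_LIMIT_ISP_POLICY
 class class-default
  service-policy CHILD_LIMIT_ISP_POLICY
interface Vlan20
 service-policy input PARENT_LIMIT_ISP_POLICY
"""

# (pattern, object kind, True if the line defines the object, False if it references it)
RULES = [
    (r"^access-list (\S+) ", "acl", True),
    (r"^ip access-list \w+ (\S+)", "acl", True),
    (r"^class-map (?:match-(?:all|any) )?(\S+)", "class-map", True),
    (r"^policy-map (\S+)", "policy-map", True),
    (r"^match (?:access-group(?: name)?|ip address) (\S+)", "acl", False),
    (r"^rate-limit \w+ access-group (\S+)", "acl", False),
    (r"^class (\S+)", "class-map", False),
    (r"^service-policy (?:input |output )?(\S+)", "policy-map", False),
]

def lint(config):
    """Return (line_no, kind, name) for each reference to an undefined object."""
    defined, refs = {("class-map", "class-default")}, []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        for pattern, kind, is_def in RULES:
            m = re.match(pattern, line)
            if m:
                if is_def:
                    defined.add((kind, m.group(1)))
                else:
                    refs.append((no, kind, m.group(1)))
                break
    return [r for r in refs if (r[1], r[2]) not in defined]

if __name__ == "__main__":
    for no, kind, name in lint(SAMPLE):
        print(f"line {no}: {kind} '{name}' is referenced but never defined")
```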