
Cisco 3750 Catalyst Switch Rate-Limit problem

Hi everyone. Our company is running a metro-Ethernet service that connects customers to edge switches at several locations. In most of them we are using a 3750 switch, and we want to rate-limit the clients' internet connections.

One sample interface configuration:

 
interface GigabitEthernet1/0/10
 description Klinika_Inet
 power inline never
 no switchport
 ip address 85.***.***.*** 255.255.255.240
 rate-limit input access-group 110 61440000 7680000 15360000 conform-action transmit exceed-action drop
 rate-limit output access-group 110 61440000 7680000 15360000 conform-action transmit exceed-action drop
 load-interval 30
 storm-control broadcast level 50.00
 storm-control multicast level 50.00
 storm-control action shutdown
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end

 

access-list 110 permit ip 85.***.***.*** 0.0.0.15 any
access-list 110 permit ip any 85.***.***.*** 0.0.0.15

 

However, it is not working. I can see in PRTG that their traffic is unrestricted and sometimes reaches beyond 100 Mbps. I checked show access-list and don't see even a single match.

What can be the reason?


Hello,

 

My first thought is: what are the IP addresses of your actual LAN clients? In your example, is interface GigabitEthernet1/0/10 the LAN or WAN interface?

That port is an edge port looking toward the client device (mainly a router), and I think you mean this as LAN. So, it is LAN for the client side. I hid the IP addresses because they are global. The access lists are just for the subnets in which the interface VLAN IP address is located.

Hello,

 

On second thought, I seem to remember that rate limiting on physical interfaces used to be not supported on the 3750, although the switch accepts the commands.

 

Try the below instead and see if this works:

 

access-list 110 permit ip 85.***.***.*** 0.0.0.15 any
access-list 110 permit ip any 85.***.***.*** 0.0.0.15 

 

class-map LIMIT_ISP_CLASS
 match ip address 110
policy-map LIMIT_ISP_POLICY
 class LIMIT_ISP_CLASS
  police 61440000 768000 exceed-action drop
 class class-default

 

interface GigabitEthernet1/0/10
 service-policy input LIMIT_ISP_POLICY

 

 

Thank you very much for your effort, but I've already tried this configuration, with no result. The interesting thing is that when rate-limit is configured under the interface and I reload the device, as soon as it comes up I see matches in the ACL for a second. However, then it stops incrementing. It is quite weird, I think.

Hello,

 

Odd indeed. You can also try a service policy on the SVI (in the example below I used Vlan 20, change that to whatever Vlan you have configured). You need a parent policy for that to work:

 

access-list 110 permit ip 85.***.***.*** 0.0.0.15 any
access-list 110 permit ip any 85.***.***.*** 0.0.0.15

 

class-map LIMIT_ISP_CLASS
 match ip address 110
policy-map CHILD_LIMIT_ISP_POLICY
 class LIMIT_ISP_CLASS
  police 61440000 768000 exceed-action drop
policy-map PARENT_LIMIT_ISP_POLICY
 class class-default
  service-policy CHILD_LIMIT_ISP_POLICY

 

interface Vlan20
 service-policy input PARENT_LIMIT_ISP_POLICY

I have already tried a parent-child QoS configuration and it failed. Actually, that was a bit different from yours, with matching on input interface etc., following Cisco documentation. However, I tried your configuration as well.

 

Gence(config)#inter vlan 615
Gence(config-if)#service-policy input PARENT_LIMIT_ISP_POLICY
%QoS: No action is configured in the policymap PARENT_LIMIT_ISP_POLICY classmap class-default, or it is being modified.
Service Policy attachment failed

 

Moreover, you forgot the "mls qos vlan-based" configuration under the physical interface.

Hello,

 

Just set something in the parent map:

 

access-list 110 permit ip 85.***.***.*** 0.0.0.15 any
access-list 110 permit ip any 85.***.***.*** 0.0.0.15

class-map LIMIT_ISP_CLASS
 match ip address 110
policy-map CHILD_LIMIT_ISP_POLICY
 class LIMIT_ISP_CLASS
  police 61440000 768000 exceed-action drop
policy-map PARENT_LIMIT_ISP_POLICY
 class class-default
  set ip precedence 1
  service-policy CHILD_LIMIT_ISP_POLICY

interface Vlan20
 service-policy input PARENT_LIMIT_ISP_POLICY

Joseph W. Doherty
Hall of Fame
If I remember correctly, you can rate limit port ingress, using a policy-map policer. For egress your options are to "shape" the port or to "shape" a hardware queue.

I have already limited egress traffic with "srr-queue bandwidth limit %" and it is alright. The problem is with input limiting. I have tried rate-limiting under the interface, service-policy under the physical interface, and parent-child policy under the SVI, and none works. Moreover, it doesn't show matches for the ACL under the show access-list command.

The ACL not showing matches may be due to the 3750 processing the ACL on the ASIC. Often on these platforms, you don't see stats where you would on other devices. Some of the ASIC stats will show what you want, but there might not be any for ACL hits.

Hmm, as far as I know, a service policy on the ingress port should be able to limit bandwidth.

What IOS version are you running?

The software in the device was something old; I do not remember the exact full name. But I renewed it with the latest recommended release on cisco.com, "c3750-ipbasek9-mz.122-55.SE12.bin", but no changes. Rate-limit on ingress traffic still doesn't work and I don't see any ACL matches.

Hello,

 

Try the 'match-all' in the class definition:

 

class-map match-all

I don't know about rate-limit - I noted using an ingress policy map with a policer.

No result, unfortunately :( I even tried matching the DSCP default value and class-default. Several sources confirmed to me that not seeing ACL matches is normal for these routers, but I check in PRTG and see that input traffic is not limited :(
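An added example, not code from any poster in this thread: a small offline check for two things that come up above, a class-map that must reference a numbered ACL that is actually defined, and a class in an attached policy-map that has no action of its own. Treating a nested service-policy as "no action" is an assumption taken from the %QoS message quoted in the thread; the sample config and the name `lint` are constructed for illustration.

```python
# Constructed sample modelled on the SVI policy posted in this thread;
# 192.0.2.0 is a documentation prefix, not an address from the page.
SAMPLE = """\
access-list 110 permit ip 192.0.2.0 0.0.0.15 any
class-map LIMIT_ISP_CLASS
 match ip address 101
policy-map CHILD_LIMIT_ISP_POLICY
 class LIMIT_ISP_CLASS
  police 61440000 768000 exceed-action drop
policy-map PARENT_LIMIT_ISP_POLICY
 class class-default
  service-policy CHILD_LIMIT_ISP_POLICY
interface Vlan20
 service-policy input PARENT_LIMIT_ISP_POLICY
"""

TOP_LEVEL = ("access-list", "class-map", "policy-map", "interface")

def lint(config):
    """Return findings for undefined numbered ACLs and action-less classes."""
    acls, refs, actions, attached = set(), {}, {}, []
    ctx = name = cls = None
    for line in config.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if w[0] in TOP_LEVEL:                      # start of a new block
            ctx, name, cls = w[0], w[-1], None
            if ctx == "access-list":
                acls.add(w[1])
            elif ctx == "policy-map":
                actions[name] = {}
        elif ctx == "class-map" and w[:-1] in (["match", "ip", "address"],
                                               ["match", "access-group"]):
            refs.setdefault(name, []).append(w[-1])
        elif ctx == "policy-map" and w[0] == "class":
            cls = w[1]
            actions[name][cls] = []
        elif ctx == "policy-map" and cls and w[0] != "service-policy":
            actions[name][cls].append(" ".join(w))  # nested policy is not an action
        elif ctx == "interface" and w[:2] == ["service-policy", "input"]:
            attached.append(w[2])
    findings = [f"class-map {cm} matches ACL {acl}, which is not defined"
                for cm, ids in refs.items() for acl in ids if acl not in acls]
    for pm in attached:
        findings += [f"policy-map {pm} class {c} has no action configured"
                     for c, acts in actions.get(pm, {}).items() if not acts]
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The check keys on command keywords rather than indentation, so it also works on configs pasted without leading spaces; named ACLs are not handled.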
