04-30-2012 03:03 AM - edited 03-04-2019 04:12 PM
Hi folks,
I have a Cisco 3750 switch stack and am performing QoS against a number of SVI VLANs on a per-customer basis. I have 8 customers, each with a /29 public subnet and each with an SVI as a gateway within that /29 range. I then have a "routable" SVI VLAN for routing upstream to the internet. See below -
Customer VLAN
  interface Vlan101
   description ****CUST-A-***-VL101-SUBRATE-CAR-10MB****
   ip address 10.10.10.65 255.255.255.248
   ip access-group CUST-***-VL101-ACL in
   no ip redirects
   service-policy input ***-VLAN-ALL-PARENT-PMAP
Routable VLAN
  interface Vlan1
   ip address 10.10.11.155 255.255.255.248
   no ip redirects
   service-policy input ***-VLAN-ALL-PARENT-PMAP
The service policy attached to the interfaces above is supposed to perform policing on download and upload traffic. The service policy is attached to the Routable VLAN for download policing and to the Customer VLAN for upload policing. For example, traffic entering the routable VLAN will be policed based on traffic matching an access list to the customer's IP range (download). Traffic entering the customer VLAN will be policed based on traffic matching an access list from the customer's IP range (upload).
The command I am using to police is as follows - police 10485500 966080 exceed-action drop
The problem I am experiencing is that traffic into the routable VLAN is being successfully policed down to the 10Mbps I have specified on a per-customer basis (download).
Traffic entering the customer VLAN is NOT being policed at all (upload).
I am limited as to the use of the parent policy map I have specified on the interface, as I can only assign it in one direction (input).
Any help as to why the upload policing into the customer specific VLAN is failing would be greatly appreciated.
Thanks
Nick
04-30-2012 03:17 AM
Hi Nick ,
If I understood correctly, you want to police both ingress and egress traffic with the policy-map applied in the input direction.
The input policy-map will match only the traffic coming from the client.
You can use "srr-queue bandwidth limit" in order to police the egress traffic.
Here is also a document related to 3750 QoS
Dan
04-30-2012 03:19 AM
To provide an update to this, I have run the "sh policy-map int vlan" command to obtain statistics about the matching of the service policy (I'm aware the Cisco 3750 is not supposed to work with this command, but it seems as though it does). See the output below -
Routable VLAN
  Service-policy input: ***-VLAN-ALL-PARENT-PMAP
    Class-map: CUST-***-VL101-CMAP2 (match-all)
      279 packets, 18660 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name CUST-***-VL101-ACL-POL
      Service-policy : CUST-***-VL101-PMAP1
        Class-map: CUST-***-VL101-CMAP1 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface FastEthernet1/0/24
        Class-map: CUST-***-VL101-CMAP3 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface FastEthernet2/0/24
        Class-map: CUST-***-VL101-CMAP4 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface FastEthernet1/0/1
        Class-map: CUST-***-VL101-CMAP5 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface FastEthernet2/0/1
    Class-map: class-default (match-any)
      279 packets, 18660 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
Customer VLAN
  Service-policy input: ***-VLAN-ALL-PARENT-PMAP
    Class-map: CUST-***-VL101-CMAP2 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name CUST-***-VL101-ACL-POL
      Service-policy : CUST-***-VL101-PMAP1
        Class-map: CUST-***-VL101-CMAP1 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface FastEthernet1/0/24
        Class-map: CUST-***-VL101-CMAP3 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface FastEthernet2/0/24
        Class-map: CUST-***-VL101-CMAP4 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface FastEthernet1/0/1
        Class-map: CUST-***-VL101-CMAP5 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface FastEthernet2/0/1
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
It would appear from the above that the routable VLAN service policy is being applied based on the default traffic within the default class map. The customer VLAN policy is not being matched by any traffic.
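A parser for the counters above, added here as an example and not part of the thread: it reads "show policy-map interface" text of the shape Nick posted (the sample below is constructed from his routable-VLAN output, abridged to two child classes, with a second copy zeroed out to stand in for the customer VLAN), records which policy-map each class-map sits in, and flags the two symptoms visible in this post: a child policy whose classes all stay at zero packets while the parent class matched, and a policy that counts no packets at all in the direction it is attached. Indentation is ignored, so nesting is inferred from the Service-policy headers only; the class-default printed after a child policy is attributed to that child, which is why the diagnosis checks class-default independently of its policy.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample modelled on the routable-VLAN output quoted in the thread
# (abridged to two child classes).
ROUTABLE_VLAN_OUTPUT = """\
Service-policy input: ***-VLAN-ALL-PARENT-PMAP
Class-map: CUST-***-VL101-CMAP2 (match-all)
279 packets, 18660 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name CUST-***-VL101-ACL-POL
Service-policy : CUST-***-VL101-PMAP1
Class-map: CUST-***-VL101-CMAP1 (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: input-interface FastEthernet1/0/24
Class-map: CUST-***-VL101-CMAP3 (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: input-interface FastEthernet2/0/24
Class-map: class-default (match-any)
279 packets, 18660 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
"""
# Constructed customer-VLAN sample: the same policy with every counter at zero.
CUSTOMER_VLAN_OUTPUT = ROUTABLE_VLAN_OUTPUT.replace("279 packets, 18660 bytes", "0 packets, 0 bytes")


@dataclass
class ClassStats:
    policy: str                 # policy-map header most recently seen above this class
    nested: bool                # True when that header had no direction, i.e. a child policy
    name: str
    packets: int = 0
    bytes: int = 0
    matches: List[str] = field(default_factory=list)


POLICY_RE = re.compile(r"^Service-policy(?:\s+(input|output))?\s*:\s*(\S+)")
CLASS_RE = re.compile(r"^Class-map:\s+(\S+)\s+\((match-\w+)\)")
COUNT_RE = re.compile(r"^(\d+) packets, (\d+) bytes")
MATCH_RE = re.compile(r"^Match:\s+(.*)")


def parse_policy_map_output(text: str) -> List[ClassStats]:
    """Turn 'show policy-map interface' text into one ClassStats per class-map."""
    classes: List[ClassStats] = []
    policy, nested, current = "", False, None
    for raw in text.splitlines():
        line = raw.strip()                      # indentation is not relied upon
        if m := POLICY_RE.match(line):
            policy, nested = m.group(2), m.group(1) is None
            continue
        if m := CLASS_RE.match(line):
            current = ClassStats(policy=policy, nested=nested, name=m.group(1))
            classes.append(current)
            continue
        if current is None:
            continue
        if m := COUNT_RE.match(line):
            current.packets, current.bytes = int(m.group(1)), int(m.group(2))
        elif m := MATCH_RE.match(line):
            current.matches.append(m.group(1))
    return classes


def diagnose(classes: List[ClassStats]) -> List[str]:
    """Return findings about why the police actions may never be taking effect."""
    if not classes:
        return ["no service-policy found in the output"]
    findings: List[str] = []
    if sum(c.packets for c in classes) == 0:
        # Nothing matched, not even class-default: the policy sees no traffic in
        # the direction it is attached (the customer-VLAN symptom in the thread).
        findings.append("no class counted any packets: the policy sees no traffic "
                        "in the direction it is attached")
        return findings
    # Child policies whose classes all stay at zero: the parent class matched,
    # but none of the nested classifiers did, so the police action never ran.
    child_policies = sorted({c.policy for c in classes if c.nested and c.name != "class-default"})
    for pol in child_policies:
        members = [c for c in classes if c.policy == pol and c.name != "class-default"]
        if members and all(c.packets == 0 for c in members):
            names = ", ".join(c.name for c in members)
            findings.append(f"child policy {pol}: none of its classes matched ({names}); "
                            "its police actions never apply")
    for c in classes:
        if c.name == "class-default" and c.packets > 0:
            findings.append(f"class-default counted {c.packets} packets that no "
                            "policing class claimed")
    return findings


if __name__ == "__main__":
    for label, text in (("routable", ROUTABLE_VLAN_OUTPUT), ("customer", CUSTOMER_VLAN_OUTPUT)):
        print(label)
        for finding in diagnose(parse_policy_map_output(text)):
            print("  -", finding)
```

Run it against a saved copy of the command output for each SVI; a class that never counts a packet is a classifier that never matches, whatever the policer under it says.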
04-30-2012 03:23 AM
Dan,
Thanks for the reply. Yes, I have to apply the service policy using the "input" command due to a limitation with either the hardware or the software, I can't remember which. Basically, I am limited to having to use it this way.
I thought that applying "input" to the routable VLAN would cover traffic from the internet to the VLAN (download) - works successfully.
Then applying "input" to the customer VLAN would cover traffic from within the customer VLAN to the interface (upload) - fails to work.
Thanks
Nick
04-30-2012 03:36 AM
Hi Nick ,
OK, now I understand your configuration.
The routable VLAN is the upstream VLAN - traffic coming to your customers.
Did you apply the same policy-map on both interfaces (client and 'routable')?
If I understood correctly, your customers reside in the same VLAN.
Dan
04-30-2012 03:43 AM
Dan,
Thanks for responding again. Each customer has their own individual VLAN, and there are approximately 8 customers. They are configured as follows -
  interface Vlan101
   description ****CUST-A-***-VL101-SUBRATE-CAR-10MB****
   ip address 10.10.10.65 255.255.255.248
   ip access-group CUST-***-VL101-ACL in
   no ip redirects
   service-policy input ***-VLAN-ALL-PARENT-PMAP
  !
  interface Vlan102
   description ****CUST-B-***-VL102-SUBRATE-CAR-10MB****
   ip address 10.10.10.73 255.255.255.248
   ip access-group CUST-***-VL102-ACL in
   no ip redirects
   service-policy input ***-VLAN-ALL-PARENT-PMAP
There is then a single "routable" vlan which connects to upstream devices for routing to the internet. See Below -
  interface Vlan*
   ip address 11.11.11.155 255.255.255.248
   no ip redirects
   service-policy input ***-VLAN-ALL-PARENT-PMAP
(I have substituted the real IPs)
As you can see from the above, the service policy is applied to both the Customer and Routable VLANs. The policy is working for the routable VLAN (download) but NOT working for the individual customer VLANs (upload).
Each customer routes to their SVI IP address for routing to the internet. The switch then has a default route which routes all traffic through the "routable" VLAN upstream.
Does this make sense?
Thanks
Nick
04-30-2012 04:11 AM
The class-maps used on the policy-map applied on the Routable VLAN - this is the traffic going to the client (download) - have "Match: input-interface FastEthernet1/0/24", which does not make too much sense. Because the traffic does not enter fa1/0/24, but is going to that interface, does it?
I would try this way:
upload :
  policy-map client-a-in
   class class-default
    police x
  interface client-vlan
   service-policy input client-a-in
download :
  ip access-list extended client-a-out
   permit ip any client-a-class
  class-map client-a-out
   match access-group name client-a-out
  ip access-list extended client-b-out
   permit ip any client-b-class
  class-map client-b-out
   match access-group name client-b-out
  ip access-list extended client-c-out
   permit ip any client-c-class
  class-map client-c-out
   match access-group name client-c-out
  policy-map upstream-in
   class client-a-out
    police x
   class client-b-out
    police y
   class client-c-out
    police z
  interface upstream-vlan
   service-policy input upstream-in
Does it make sense?
Dan
04-30-2012 04:25 AM
Dan,
Apologies, I forgot to explain the physical interfaces. The routable VLAN has two physical interfaces assigned as follows -
Fa1/0/24
Fa2/0/24
There are two Cisco 3750s stacked. The upstream service is an active/passive service provided via two Cat5 feeds.
Each customer then has two physical interfaces provided to them, as follows -
Cust A
Fa1/0/1
Fa2/0/1
Cust B
Fa1/0/2
Fa2/0/2
Cust C
Fa1/0/3
Fa2/0/3
Each of the physical customer interfaces is assigned to the appropriate VLAN via the "switchport mode access" and "switchport access vlan id" commands.
That is why you see the match input-interface commands within the service policy. Although, it would appear these interfaces are not being matched anyway, as the traffic is being picked up by the default class map.
Thanks
Nick
04-30-2012 04:33 AM
Either way, you do not need to match the input interface; it doesn't matter whether the traffic from client A comes from interface 1 or 2, all traffic from this client should be policed at a certain rate.
On the returning policy, you must match the destination IP in order to set the policing rate.
Dan
04-30-2012 05:00 AM
Dan,
When this was originally implemented it was done so with hierarchical policy maps. This meant there were multiple child policy maps and a single parent policy map as follows -
Class Maps -
  class-map match-all CUST-***-VL101-CMAP1
   match input-interface FastEthernet1/0/24
  class-map match-all CUST-***-VL101-CMAP2
   match input-interface FastEthernet2/0/24
  class-map match-all CUST-***-VL101-CMAP3
   match input-interface FastEthernet1/0/1
  class-map match-all CUST-***-VL101-CMAP4
   match input-interface FastEthernet2/0/1
  class-map match-all CUST-***-VL101-CMAP5
   match access-group name CUST-***-VL101-ACL-POL
Child Policy Map -
  policy-map CUST-***-VL101-PMAP1
   class CUST-***-VL101-CMAP1
    police 10485500 966080 exceed-action drop
   class CUST-***-VL101-CMAP2
    police 10485500 966080 exceed-action drop
   class CUST-***-VL101-CMAP3
    police 10485500 966080 exceed-action drop
   class CUST-***-VL101-CMAP4
    police 10485500 966080 exceed-action drop
Parent Policy Map -
  policy-map ***-VLAN-ALL-PARENT-PMAP
   class CUST-***-VL101-CMAP5
    set ip precedence 1
    service-policy CUST-***-VL101-PMAP1
Access List
  ip access-list extended CUST-***-VL101-ACL-POL
   permit ip any ***
   permit ip *** any
So the parent policy map, matching traffic via an access-list, calls the child policy map, which then performs the policing. It does this using several class maps which match traffic based on the interface. Are you saying that if I remove the "match input-interface" commands from each of the class maps and instead match based on an access list, then this will likely work?
Thanks
Nick
04-30-2012 05:17 AM
Yes Nick, in my opinion, in order to achieve bidirectional policing - with regard to the 3750 restriction on output policing - you can use access-lists matching the source and destination IP of the client and police this traffic.
Taking into consideration that each client has a dedicated VLAN, on the traffic coming from the client you can use the class-default - I am talking about the policy map applied on the input of the client's VLAN.
Dan
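The bidirectional scheme Dan lays out (download policed on the upstream SVI by a destination-address ACL per customer, upload policed on each customer SVI with class-default, both attached with "service-policy input" because that is the direction this platform supports according to the thread), rendered as IOS configuration by a small generator. This is an added example, not configuration from the thread or from Cisco: the customer table, the policy, class-map and ACL names, and the upstream VLAN number are assumptions, and the police arguments default to the values Nick posted. It also refuses overlapping customer subnets, since an overlapping destination ACL would put one customer's traffic under another customer's policer.

```python
import ipaddress
from typing import Dict, List

# Constructed customer table: VLAN id -> customer /29 (private stand-ins, as in the thread).
CUSTOMERS: Dict[int, str] = {
    101: "10.10.10.64/29",
    102: "10.10.10.72/29",
}
# Police arguments as posted in the thread: rate in bps, burst in bytes.
POLICE_ARGS = "10485500 966080 exceed-action drop"


def check_customers(customers: Dict[int, str]) -> List[str]:
    """Report customer subnets that overlap; an overlapping ACL would misattribute traffic."""
    nets = {vlan: ipaddress.ip_network(cidr, strict=False) for vlan, cidr in customers.items()}
    problems = []
    for a, na in nets.items():
        for b, nb in nets.items():
            if a < b and na.overlaps(nb):
                problems.append(f"VLAN {a} {na} overlaps VLAN {b} {nb}")
    return problems


def download_policy(customers: Dict[int, str], upstream_vlan: int,
                    police_args: str = POLICE_ARGS) -> str:
    """Upstream SVI input policy: classify by destination subnet, police each customer."""
    if problems := check_customers(customers):
        raise ValueError("; ".join(problems))
    lines: List[str] = []
    for vlan, cidr in sorted(customers.items()):
        net = ipaddress.ip_network(cidr, strict=False)
        acl = f"CUST-VL{vlan}-DOWNLOAD-ACL"          # assumed naming convention
        lines += [
            f"ip access-list extended {acl}",
            f" permit ip any {net.network_address} {net.hostmask}",   # wildcard mask form
            f"class-map match-all CUST-VL{vlan}-DOWNLOAD-CMAP",
            f" match access-group name {acl}",
        ]
    lines.append("policy-map UPSTREAM-IN")
    for vlan in sorted(customers):
        lines += [f" class CUST-VL{vlan}-DOWNLOAD-CMAP", f"  police {police_args}"]
    # Input direction on the upstream SVI is traffic heading towards the customers.
    lines += [f"interface Vlan{upstream_vlan}", " service-policy input UPSTREAM-IN"]
    return "\n".join(lines)


def upload_policy(customers: Dict[int, str], police_args: str = POLICE_ARGS) -> str:
    """Per-customer SVI input policy: the VLAN is dedicated, so class-default is enough."""
    lines: List[str] = []
    for vlan in sorted(customers):
        lines += [
            f"policy-map CUST-VL{vlan}-UPLOAD-PMAP",
            " class class-default",
            f"  police {police_args}",
            f"interface Vlan{vlan}",
            f" service-policy input CUST-VL{vlan}-UPLOAD-PMAP",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(download_policy(CUSTOMERS, upstream_vlan=1))   # upstream VLAN number is assumed
    print(upload_policy(CUSTOMERS))
```

Matching on the destination subnet rather than on "input-interface" follows Dan's point that the customer's traffic should be policed whichever of the two stacked ports it arrives on; the interface-based child classes in the original configuration are what the zero counters showed never matching.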