Cisco 3750 - QOS mls qos vlan-based

Nicholas Beard
Level 1

Hi folks,

I have a Cisco 3750 switch stack and am performing QOS against a number of SVI VLANs on a per-customer basis.  I have 8 customers, each with a /29 public subnet and each with an SVI as a gateway within that /29 range.  I then have a "routable" SVI VLAN for routing upstream to the internet.  See below -

Customer VLAN

interface Vlan101
 description ****CUST-A-***-VL101-SUBRATE-CAR-10MB****
 ip address 10.10.10.65 255.255.255.248
 ip access-group CUST-***-VL101-ACL in
 no ip redirects
 service-policy input ***-VLAN-ALL-PARENT-PMAP

Routable VLAN

interface Vlan1
 ip address 10.10.11.155 255.255.255.248
 no ip redirects
 service-policy input ***-VLAN-ALL-PARENT-PMAP

The service policy attached to the interfaces above is supposed to perform policing on download and upload traffic.  The service policy is attached to the Routable VLAN for download policing and the Customer VLAN for upload policing.  For example, traffic entering the routable VLAN will be policed based on traffic matching an access list to the customer's IP range (download).  Traffic entering the customer VLAN will be policed based on traffic matching an access list from the customer's IP range (upload).

The command I am using to police is as follows - police 10485500 966080 exceed-action drop

The problem I am experiencing is that traffic into the routable VLAN is being successfully policed down to the 10Mbps I have specified on a per-customer basis (download).

Traffic entering the customer VLAN is NOT being policed at all (upload).

I am limited as to the use of the parent policy map I have specified on the interface, as I can only assign it in one direction (input).

Any help as to why the upload policing into the customer specific VLAN is failing would be greatly appreciated.

Thanks

Nick
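The policer line in the post, `police 10485500 966080 exceed-action drop`, is a single-rate token bucket: the second argument is the bucket depth in bytes, the first is the refill rate in bit/s, and a packet that finds fewer tokens than its size is the exceed case and is dropped. The following Python model is an added illustration, not code or configuration from the thread; the traffic streams it feeds to the policer are constructed for the demonstration.

```python
"""Token-bucket model of a single-rate IOS policer (added example, not the
thread's own configuration or code).

It models 'police 10485500 966080 exceed-action drop' from the thread: the
bucket holds at most 966080 bytes of credit and refills at 10485500 bit/s.  A
packet conforms only if the bucket holds at least its size in bytes; otherwise
it exceeds and, with exceed-action drop, it is discarded.  The traffic streams
fed to it below are constructed, not captured.
"""
from dataclasses import dataclass, field
from typing import Tuple


@dataclass
class Policer:
    rate_bps: int        # committed rate: first argument of 'police'
    burst_bytes: int     # normal burst size: second argument of 'police'
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)       # the bucket starts full

    def offer(self, t: float, size: int) -> bool:
        """Offer a packet of `size` bytes arriving at `t` seconds.

        Returns True if the packet conforms, False if it exceeds (dropped).
        """
        elapsed = max(0.0, t - self.last_t)
        refill = elapsed * self.rate_bps / 8            # bit/s -> bytes
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def send_stream(policer: Policer, offered_bps: int, packet_bytes: int,
                seconds: int) -> Tuple[int, int]:
    """Offer a constant-rate stream; returns (conformed_bytes, dropped_bytes).

    Packets per second is kept an integer so arrival times are exact.
    """
    pps = offered_bps // (packet_bytes * 8)
    conformed = dropped = 0
    for i in range(pps * seconds):
        if policer.offer(i / pps, packet_bytes):
            conformed += packet_bytes
        else:
            dropped += packet_bytes
    return conformed, dropped


def send_burst(policer: Policer, packet_bytes: int, count: int) -> int:
    """Offer `count` packets all at t=0; returns how many conformed.

    This is what the burst parameter buys: credit accumulated while the
    line was quiet can be spent at line rate until the bucket is empty.
    """
    return sum(policer.offer(0.0, packet_bytes) for _ in range(count))


CIR_BPS, BURST_BYTES = 10_485_500, 966_080   # values from the thread

if __name__ == "__main__":
    p = Policer(CIR_BPS, BURST_BYTES)
    print("burst of 1000 x 1500 B at t=0: %d conform" % send_burst(p, 1500, 1000))
    p = Policer(CIR_BPS, BURST_BYTES)
    print("8 Mbit/s for 2 s: %s" % (send_stream(p, 8_000_000, 1000, 2),))
    p = Policer(CIR_BPS, BURST_BYTES)
    print("24 Mbit/s for 2 s: %s" % (send_stream(p, 24_000_000, 1500, 2),))
```

A stream below the committed rate is never dropped, a full-speed burst gets exactly one bucket of credit (644 full-size frames here) before drops start, and a stream above the rate settles to roughly the committed rate after the burst credit is spent. That is the behaviour to expect in the `sh policy-map` counters when the class actually matches.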

10 Replies

Hi Nick ,

If I understood correctly, you want to police both ingress and egress traffic with the policy-map applied in the input direction.

The input policy-map will match only the traffic coming from the client.

You can use "srr-queue bandwidth limit" in order to police the egress traffic.

Here is also a document related to 3750 Qos

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a0080883f9e.shtml#topic3

Dan

Nicholas Beard
Level 1

To provide an update to this, I have run the "sh policy-map int vlan" command to obtain statistics about the matching of the service policy (I'm aware the Cisco 3750 is not supposed to work with this command, but it seems as though it does).  See the output below -

Routable VLAN

  Service-policy input: ***-VLAN-ALL-PARENT-PMAP
    Class-map: CUST-***-VL101-CMAP2 (match-all)
      279 packets, 18660 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name CUST-***-VL101-ACL-POL
      Service-policy : CUST-***-VL101-PMAP1
        Class-map: CUST-***-VL101-CMAP1 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface  FastEthernet1/0/24
        Class-map: CUST-***-VL101-CMAP3 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface  FastEthernet2/0/24
        Class-map: CUST-***-VL101-CMAP4 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface  FastEthernet1/0/1
        Class-map: CUST-***-VL101-CMAP5 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface  FastEthernet2/0/1
        Class-map: class-default (match-any)
          279 packets, 18660 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

Customer VLAN

  Service-policy input: ***-VLAN-ALL-PARENT-PMAP
    Class-map: CUST-***-VL101-CMAP2 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name CUST-***-VL101-ACL-POL
      Service-policy : CUST-***-VL101-PMAP1
        Class-map: CUST-***-VL101-CMAP1 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface  FastEthernet1/0/24
        Class-map: CUST-***-VL101-CMAP3 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface  FastEthernet2/0/24
        Class-map: CUST-***-VL101-CMAP4 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface  FastEthernet1/0/1
        Class-map: CUST-***-VL101-CMAP5 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface  FastEthernet2/0/1
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

It would appear from the above that the routable VLAN service policy is being applied based on the default traffic within the default class map.  The customer VLAN policy is not being matched by any traffic.

Dan,

Thanks for the reply, yes I have to apply the service policy using the "input" command due to a limitation with either the hardware or software, I can't remember which.  Basically, I am limited to having to use it this way.

I thought applying "input" to the routable VLAN would cover traffic from the internet to the VLAN (download) - works successfully.

Then applying "input" to the customer VLAN would cover traffic from within the customer VLAN to the interface (upload) - fails to work.

Thanks

Nick

Hi Nick ,

OK, now I understand your configuration.

Routable VLAN is the upstream VLAN - traffic coming to your customers.

Did you apply the same policy-map on both interfaces (client and 'routable')?

If I understood well your customers reside in the same vlan.

Dan

Dan,

Thanks for responding again.  Each customer has their own individual VLAN, and there are approximately 8 customers.  They are configured as follows -

interface Vlan101
 description ****CUST-A-***-VL101-SUBRATE-CAR-10MB****
 ip address 10.10.10.65 255.255.255.248
 ip access-group CUST-***-VL101-ACL in
 no ip redirects
 service-policy input ***-VLAN-ALL-PARENT-PMAP
!
interface Vlan102
 description ****CUST-B-***-VL102-SUBRATE-CAR-10MB****
 ip address 10.10.10.73 255.255.255.248
 ip access-group CUST-***-VL102-ACL in
 no ip redirects
 service-policy input ***-VLAN-ALL-PARENT-PMAP

There is then a single "routable" vlan which connects to upstream devices for routing to the internet.  See Below -

interface Vlan*
 ip address 11.11.11.155 255.255.255.248
 no ip redirects
 service-policy input ***-VLAN-ALL-PARENT-PMAP

(I have substituted the real IPs)

As you can see from the above, the service policy is applied to both the Customer and Routable VLANs.  The policy is working for the routable VLAN (download) but NOT working for the individual customer VLANs (upload). 

Each customer routes to their SVI IP address for routing to the internet.  The switch then has a default route which routes all traffic through the "routable" VLAN upstream.

Does this make sense?

Thanks

Nick

The class-maps used on the policy-map applied on the Routable VLAN - this is the traffic going to the client (download) - have "Match: input-interface  FastEthernet1/0/24", which does not make too much sense. The traffic does not enter fa1/0/24, but is going to that interface, does it?

I would try this way:

upload:

   policy-map client-a-in
     class class-default
         police x
   interface client-vlan
     service-policy input client-a-in

download:

   ip access-list extended client-a-out
     permit ip any client-a-class
   class-map client-a-out
     match access-group name client-a-out
   ip access-list extended client-b-out
     permit ip any client-b-class
   class-map client-b-out
     match access-group name client-b-out
   policy-map upstream-in
      class client-a-out
         police x
      class client-b-out
         police y
      class client-c-out
         police z

Does it make sense ?

Dan

Dan,

Apologies, I forgot to explain the physical interfaces.  The routable VLAN has two physical interfaces assigned as follows -

Fa1/0/24
Fa2/0/24

There are two Cisco 3750s stacked.  The upstream service is an active/passive service provided via two Cat5 feeds.

Each customer then has two physical interfaces provided to them, as follows -

Cust A
Fa1/0/1
Fa2/0/1

Cust B
Fa1/0/2
Fa2/0/2

Cust C
Fa1/0/3
Fa2/0/3

Each of the physical customer interfaces is assigned to the appropriate VLAN via the "switchport mode access" and "switchport access vlan id" commands.

That is why you see the match input-interface commands within the service policy.  It would appear, though, that these interfaces are not being matched anyway, as the traffic is being picked up by the default class map.

Thanks

Nick

Either way, you do not need to match the input interface; it doesn't matter if the traffic from client A comes from interface 1 or 2, all traffic from this client should be policed at a certain rate.

On the returning policy, you must match the destination IP in order to set the policing rate.

Dan

Dan,

When this was originally implemented it was done so with hierarchical policy maps.  This meant there were multiple child policy maps and a single parent policy map as follows -

Class Maps -

class-map match-all CUST-***-VL101-CMAP1
  match input-interface  FastEthernet1/0/24
class-map match-all CUST-***-VL101-CMAP2
  match input-interface  FastEthernet2/0/24
class-map match-all CUST-***-VL101-CMAP3
  match input-interface  FastEthernet1/0/1
class-map match-all CUST-***-VL101-CMAP4
  match input-interface  FastEthernet2/0/1
class-map match-all CUST-***-VL101-CMAP5
  match access-group name CUST-***-VL101-ACL-POL

Child Policy Map -

policy-map CUST-***-VL101-PMAP1
 class CUST-***-VL101-CMAP1
  police 10485500 966080 exceed-action drop
 class CUST-***-VL101-CMAP2
  police 10485500 966080 exceed-action drop
 class CUST-***-VL101-CMAP3
  police 10485500 966080 exceed-action drop
 class CUST-***-VL101-CMAP4
  police 10485500 966080 exceed-action drop

Parent Policy Map -

policy-map ***-VLAN-ALL-PARENT-PMAP
 class CUST-***-VL101-CMAP5
  set ip precedence 1
  service-policy CUST-***-VL101-PMAP1

Access List

ip access-list extended CUST-***-VL101-ACL-POL
 permit ip any ***
 permit ip *** any

So the parent policy map, matching traffic via an access-list, calls the child policy map which then performs the policing.  It does this using several class maps which match traffic based on the interface.  Are you saying that if I remove the "match input-interface" commands from each of the class maps and instead match based on an access list, then this will likely work?

Thanks

Nick

Yes Nick, in my opinion, in order to achieve bidirectional policing - with regard to the 3750 restriction on output policing - you can use access-lists matching the source and destination IP of the client and police this traffic.

Taking into consideration that each client has a dedicated vlan , on the traffic coming from the client you can use the class-default - I am talking about the policy map applied on the input on the client's VLAN.

Dan
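The design Dan settles on in the last two replies is easy to check as a classification table: on the upstream SVI, one class per customer whose ACL matches the customer's subnet as the destination; on each customer SVI, class-default policed, since only that customer's traffic can enter there. The model below is an added example, not configuration or code from the thread. The customer subnets are taken from the SVI addresses Nick posted (10.10.10.64/29 and 10.10.10.72/29); `Vlan1` as the upstream SVI, the policy and class names from Dan's sketch, and the 203.0.113.10 internet host are assumptions for the demonstration.

```python
"""Model of the ACL-based bidirectional policing design from the thread
(added example, not configuration from the thread).

Download is classified on the upstream SVI by one class per customer whose
ACL matches the customer's subnet as *destination*; upload is classified on
the customer's own SVI, where class-default catches everything the customer
sends.  Subnets come from the SVI addresses posted; 'Vlan1' as the upstream
SVI and the internet host address are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List, Optional, Tuple

CIR_BPS = 10_485_500                     # police rate used in the thread
ANY = IPv4Network("0.0.0.0/0")           # 'any' in an extended ACL
CUSTOMERS = {
    "client-a": IPv4Network("10.10.10.64/29"),   # behind Vlan101
    "client-b": IPv4Network("10.10.10.72/29"),   # behind Vlan102
}

Matcher = Callable[[IPv4Address, IPv4Address], bool]


@dataclass
class PolicyClass:
    name: str
    match: Matcher
    police_bps: Optional[int]   # None: the class has no policer


def acl_match(src_net: IPv4Network, dst_net: IPv4Network) -> Matcher:
    """Equivalent of one 'permit ip <src> <dst>' extended-ACL entry."""
    return lambda src, dst: src in src_net and dst in dst_net


def match_any(src: IPv4Address, dst: IPv4Address) -> bool:
    """class-default: matches every packet."""
    return True


def build_policies() -> Dict[str, List[PolicyClass]]:
    """Input service-policies keyed by the SVI they are attached to."""
    policies: Dict[str, List[PolicyClass]] = {}
    # download: 'upstream-in' on the routable SVI, one class per customer
    # built from 'permit ip any <customer subnet>' (destination match)
    upstream = [PolicyClass(f"{name}-out", acl_match(ANY, net), CIR_BPS)
                for name, net in CUSTOMERS.items()]
    upstream.append(PolicyClass("class-default", match_any, None))
    policies["Vlan1"] = upstream
    # upload: 'client-x-in' on each customer SVI, policing class-default;
    # no ACL is needed because only that customer's ports sit in the VLAN
    for svi in ("Vlan101", "Vlan102"):
        policies[svi] = [PolicyClass("class-default", match_any, CIR_BPS)]
    return policies


def classify(policies: Dict[str, List[PolicyClass]], ingress_svi: str,
             src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match classification of a packet entering `ingress_svi`.

    Returns (class name, police rate or None if the class is unpoliced).
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    for pc in policies[ingress_svi]:
        if pc.match(s, d):
            return pc.name, pc.police_bps
    raise LookupError("no class matched; IOS would fall through to class-default")


if __name__ == "__main__":
    pol = build_policies()
    # constructed packets: internet -> customer (download), customer -> internet (upload)
    for svi, src, dst in (("Vlan1", "203.0.113.10", "10.10.10.66"),
                          ("Vlan1", "203.0.113.10", "10.10.10.74"),
                          ("Vlan101", "10.10.10.66", "203.0.113.10"),
                          ("Vlan1", "203.0.113.10", "10.10.11.155")):
        print(svi, src, "->", dst, classify(pol, svi, src, dst))
```

Run with no arguments it prints which class and rate each constructed packet lands in: download traffic to either customer is policed on `Vlan1` by that customer's ACL class, upload traffic from customer A is policed by class-default on `Vlan101`, and traffic to a non-customer address on the upstream SVI falls into the unpoliced class-default.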
