09-02-2008 03:40 AM - edited 03-03-2019 11:22 PM
Would like to know how to limit the bandwidth on a 3560. Using vlan2, vlan3, vlan4, vlan5 ... vlan10.
Want to distribute part of 2048kbps equally among all the VLANs, i.e. say 200kbps. The QoS configuration guide is very confusing. Can somebody help with an example of the same?
Reg,
Sushil
09-02-2008 07:12 AM
You can't perform VLAN-based QoS on a 3560. AFAIK it's only supported on 3550, 4500, and 6500's.
Hope that helps.
09-02-2008 09:16 PM
Can you please double check this? As I can see, the standard QoS guidelines on the 3560 say something like:
1. You can configure QoS on physical ports and SVIs. If VLAN-based QoS is configured on a physical port, then the switch removes all the port-based policy maps on the port. Even on an SVI we do have the flexibility of non-hierarchical and hierarchical policy maps.
I am not very sure what that means.
So the 3550 is not on sale and the equivalent is the 3560. So won't the 3560 do that? Very strange!!!!
reg,
Sushil
09-03-2008 03:38 AM
Hi Sushil.
It would be nice to know what your config is. It sounds like you are limiting all the traffic on the switch to pass it out across an E1? In that case the easiest way is to just police the traffic on the port/interface that is leaving the switch to the E1?
The 3560 doesn't make it easy to do true VLAN policing/shaping. You can use an Aggregate policer but this is not allowed on SVIs or to be configured on separate interfaces.
The problem is you can limit an individual port's VLAN to 200K, but if there are 5 ports on that VLAN then that's a possible 1MB of total traffic.
If you are just trying to police traffic exiting the switch then just configure MQC QoS with a different class for each of the VLANs subnets.
If you are routing on the switch with SVIs then you can try using an individual policer on the SVI. This will not limit the traffic within the VLAN but will limit it being routed out. An example of this configuration is below; it's only possible in 12.2(25)SE or later. My example configures single-rate two-color policing to 200K on VLAN100.
policy-map POLICE_200K
 class class-default
  police 200000
   conform-action transmit
   exceed-action drop
!
interface vlan100
 service-policy input POLICE_200K
- Simon
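A small model of the single-rate two-color policing described in the post above, added here as an illustration and not part of the original thread. It shows what a 200000 bit/s policer passes when a port offers more or less than that, and why five separately policed ports in one VLAN can still admit about five times the per-port rate. The 8000-byte burst, 1000-byte packets and constant-rate traffic are assumptions; the post gives none of them.

```python
from dataclasses import dataclass

@dataclass
class Policer:
    """Single-rate two-colour policer: conform -> transmit, exceed -> drop."""
    rate_bps: int       # policed rate in bit/s, e.g. 200000
    burst_bytes: int    # bucket depth; an assumed value, the post gives none
    tokens: float = 0.0
    last: float = 0.0
    conformed: int = 0  # bytes transmitted
    exceeded: int = 0   # bytes dropped

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # bucket starts full

    def offer(self, now: float, size: int) -> bool:
        # Refill at rate_bps / 8 bytes per second, capped at the bucket depth.
        refill = (now - self.last) * self.rate_bps / 8
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            self.conformed += size
            return True
        self.exceeded += size
        return False


def police_flow(offered_bps, rate_bps=200_000, burst_bytes=8000, seconds=10, pkt_bytes=1000):
    """Offer a constant-rate flow (constructed traffic) and return the policer."""
    p = Policer(rate_bps, burst_bytes)
    gap = 8 * pkt_bytes / offered_bps            # seconds between packets
    for i in range(int(seconds / gap)):
        p.offer(i * gap, pkt_bytes)
    return p


def passed_bps(policer, seconds=10):
    """Average rate of conforming (transmitted) traffic in bit/s."""
    return policer.conformed * 8 / seconds


def vlan_total_bps(ports, offered_bps_per_port):
    """Traffic admitted into one VLAN when each of `ports` has its own policer."""
    return sum(passed_bps(police_flow(offered_bps_per_port)) for _ in range(ports))
```

The `conformed` and `exceeded` totals are this model's own counters and say nothing about the format of the switch's statistics output.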
09-03-2008 04:20 AM
Hi Simon,
The configuration is something like this.
ASA--->3560 (VLANs).
Broadly a 24-port switch and 10 VLANs. Vlan2..vlan10.
A set of 5-6 users connects to these VLANs on, say, port 2 on this switch randomly/concurrently. This is something where vlan2 is attached to port 2 on the 3560 and a cable goes to a small 8-port switch serving 5-6 users. That goes for all the interfaces/VLANs: one VLAN assigned to one port only and serving 3-6 users by connecting through small switches.
What scenario would you recommend in this case?
Reg,
Sushil
09-03-2008 05:05 AM
I would look into getting different hardware. You can't really do what you want to cleanly or efficiently. Take a look at the Metro Ethernet line of switches, they offer advanced QoS capabilities.
http://cisco.com/en/US/products/hw/switches/index.html
Hope that helps.
09-03-2008 08:37 AM
Hi Sushil.
Ok, so if you have just one VLAN per port then you can just police each port.
The configuration below will limit port 2 and all its traffic (for all the 5-6 users) to 200K
mls qos
!
policy-map POLICE_200K
 class class-default
  police 200000
   conform-action transmit
   exceed-action drop
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2
 service-policy input ALL_VLAN2
You can create as many of the policy maps as you like. Or you can reuse the same policy map if you want to limit another port to 200K.
Each port will be limited, so even if your E1 connection is underutilized, this port will still only be able to send at 200K.
Hope that's what you are after
Simon
09-05-2008 04:20 AM
Simon, I find this one interesting.
Will try and let you know the results.
One more question: how can I check whether it is successful or not?
Reg,
Sushil
09-05-2008 05:22 AM
Hi Sushil, if you want to check that it works, just make a download and see the transfer rate.
By the way, I have a comment.
Although Simon's config is right and configurable,
it will limit the port bandwidth to 200K regardless of the type or path of communication. So let's assume there is a shared drive in the network and one of the clients wanted to get a file from it: the rate limit will be 200K!!!
What I suggest you do is to use the ASA
to achieve the bandwidth management. For example, if you have the connection to outside through the ASA and you have a different IP network for each VLAN, you can limit the bandwidth based on the source VLAN. For example, on the ASA:
Let's say vlan 100 is 10.100.0.0 /24
vlan 200 10.200.0.0 /24
and we will limit vlan 100 to 200K and vlan 200 to 250K
access-list 100 permit ip 10.100.0.0 255.255.255.0 any
access-list 200 permit ip 10.200.0.0 255.255.255.0 any
class-map vlan100
 match access-list 100
class-map vlan200
 match access-list 200
policy-map policy1
 class vlan100
  police output 200000
 class vlan200
  police output 250000
Then apply it to the outside interface like:
service-policy policy1 interface outside
This was a simple example.
You can use the same idea if you have a routed interface between the switch and the ASA; in this case you can do the same idea but on the switch, and apply it in the outbound direction on the routed switch interface.
Good luck
if helpful Rate
09-05-2008 05:47 AM
Hi Sushil.
To determine if it's working you can try a transfer for yourself from one of the machines.
Otherwise to give you an indication you can look at the counters under the command
show policy-map int f0/1 input
Simon
09-05-2008 05:49 AM
Oops Sorry, just seen a mistake in my config I sent before. Should have been this
mls qos
!
policy-map POLICE_200K
 class class-default
  police 200000
   conform-action transmit
   exceed-action drop
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2
 service-policy input POLICE_200K
Show command for statistics
show policy-map int f0/2 input
Simon
09-05-2008 09:01 AM
Simon, yes, I was aware of that and made the correction on my own.
Marvan, I am already using the ASA at the gateway. But all my VLANs are on the switch. Even with this config, is this possible on the ASA???
Routing is enabled on the switch but inter-VLAN communication is blocked by an access-list. I would be more than happy doing this on the ASA. Looking forward to your reply.
Sushil
09-06-2008 12:41 AM
Hi Sushil,
Of course you can do it on the ASA, and I sent you a config example; on the ASA it is better than on the switch in your case.
Now I just want you to post the switch config, and if you can the ASA's, to let me know the config structure, and tell me exactly how much you want to limit each VLAN and I will do it for you :)
ok
09-07-2008 10:57 PM
09-08-2008 02:01 AM
Hi Sushil,
First, the connectivity between the switch and your ASA looks strange: I can't see a routed interface or trunk going to the ASA. Why do you send all traffic through the inside ASA to VLAN 1??
If you don't do routing between VLANs,
create a layer three port on the switch, known as a routed interface; this port will be connected to the ASA inside interface.
For example:
interface FastEthernet0/24
 no switchport
 ip address 192.168.100.1 255.255.255.0
 no shut
Change the inside ASA IP to be in the same subnet as the routed switch interface:
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.2 255.255.255.0
And remove this one with the no command:
no route inside 192.168.0.0 255.255.0.0 192.168.0.2 1
Make it like:
route inside 192.168.0.0 255.255.0.0 192.168.100.1 1
Also, on the switch change the default route you have to the following one:
ip route 0.0.0.0 0.0.0.0 192.168.100.2
Now let's go to bandwidth management on the ASA:
access-list 101 permit ip 192.168.0.0 255.255.255.0 any
access-list 102 permit ip 192.168.2.0 255.255.255.0 any
access-list 103 permit ip 192.168.3.0 255.255.255.0 any
access-list 104 permit ip 192.168.4.0 255.255.255.0 any
access-list 105 permit ip 192.168.5.0 255.255.255.0 any
access-list 106 permit ip 192.168.6.0 255.255.255.0 any
access-list 107 permit ip 192.168.7.0 255.255.255.0 any
access-list 108 permit ip 192.168.8.0 255.255.255.0 any
access-list 109 permit ip 192.168.9.0 255.255.255.0 any
access-list 110 permit ip 192.168.10.0 255.255.255.0 any
I will make the rest of the config for only three VLANs; you need to apply the idea to all of your VLANs:
class-map vlan1
 match access-list 101
class-map vlan2
 match access-list 102
class-map vlan3
 match access-list 103
policy-map limit-policy
 class vlan1
  police output 100000 conform-action transmit exceed-action drop
 class vlan2
  police output 100000 conform-action transmit exceed-action drop
 class vlan3
  police output 150000 conform-action transmit exceed-action drop
Now apply the policy on the ASA in the outbound direction:
service-policy limit-policy interface outside
And with the same idea add all VLANs, each with its class map, and be careful with the config of the connection between the ASA and the switch.
The config I have given you is enough to get it to work.
Good luck
if helpful Rate
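The post above writes out three VLANs and leaves the rest to the reader. The following generator is an added example, not part of the original thread, that produces the same ASA stanzas for every VLAN. It refuses overlapping source subnets, and a set of rates whose sum exceeds the 2048 kbps link mentioned in the first post. The VLAN-to-subnet mapping (192.168.<vlan>.0/24), the equal 200000 bit/s rates and the function name are assumptions; the command forms and ACL numbering are the ones used in the post.

```python
import ipaddress

UPLINK_BPS = 2_048_000  # the 2048 kbps figure from the first post


def asa_police_config(vlans, policy="limit-policy", iface="outside", uplink_bps=UPLINK_BPS):
    """vlans maps VLAN id -> (source subnet, police rate in bit/s)."""
    # ip_network() rejects a subnet written with host bits set.
    nets = {v: ipaddress.ip_network(s) for v, (s, _) in vlans.items()}
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"vlan{a} and vlan{b} subnets overlap")
    total = sum(rate for _, rate in vlans.values())
    if total > uplink_bps:
        raise ValueError(f"policed rates sum to {total} bit/s, uplink is {uplink_bps}")
    acls, class_maps, pmap = [], [], [f"policy-map {policy}"]
    for v in ids:
        acl, rate = 100 + v, vlans[v][1]      # ACL numbering follows the post
        acls.append(f"access-list {acl} permit ip "
                    f"{nets[v].network_address} {nets[v].netmask} any")
        class_maps += [f"class-map vlan{v}", f" match access-list {acl}"]
        pmap += [f" class vlan{v}",
                 f"  police output {rate} conform-action transmit exceed-action drop"]
    return "\n".join(acls + class_maps + pmap
                     + [f"service-policy {policy} interface {iface}"])


# Constructed input: vlan2..vlan10 on 192.168.<vlan>.0/24, 200 kbit/s each.
SAMPLE = {v: (f"192.168.{v}.0/24", 200_000) for v in range(2, 11)}

if __name__ == "__main__":
    print(asa_police_config(SAMPLE))
```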