QoS vlan traffic not getting policed

I was trying to rate limit a VLAN and found this works a little differently than a normal port. The VLAN connections are still able to get full bandwidth, bypassing this policer. I'm not sure why.

class-map match-all BYOD-Accesslist
  match access-group 100
class-map match-all BYOD-Interface
  match input-interface  GigabitEthernet1/0/6
!
policy-map BYOD-InterfaceMap
class BYOD-Interface
  police 3145500 8000 exceed-action drop
policy-map BYOD-Vlan
class BYOD-Accesslist
   set dscp default
   service-policy BYOD-InterfaceMap

interface Vlan2
 description BYOD Network
 ip address 10.8.0.1 255.255.0.0
 ip access-group 100 in
 ip access-group 101 out
 service-policy input BYOD-Vlan
!
access-list 100 permit ip any host 10.3.3.254
access-list 100 permit ip any host 10.3.3.253
access-list 100 permit ip any host 10.8.0.1
access-list 100 deny   ip any 10.0.0.0 0.255.255.255
access-list 100 permit ip any any
access-list 101 permit ip host 10.3.3.254 any
access-list 101 permit ip host 10.3.3.253 any
access-list 101 permit ip host 10.8.0.1 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
!
interface GigabitEthernet1/0/6
 description Ruckus ZD3000
 switchport trunk encapsulation dot1q
 switchport mode trunk

Everything VLAN-related works and the access lists also work correctly. However, when I use a bandwidth testing site, it shows that this is not getting policed.

Hello

Try enabling VLAN QoS on the trunks:

int xxx
mls qos vlan-based

res
paul

kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
This was the first thing I tried when it didn't work.

interface gig1/0/6
 mls qos vlan-based

Didn't make any difference.

"follow these steps to enable VLAN-based QoS. This procedure is required on physical ports that are specified in the interface level of a hierarchical policy map on an SVI."

So it looks like I do need to enable that regardless.  However, I did try this and it made no difference.

GigabitEthernet1/0/6
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: vlan-based

"Before configuring a hierarchical policy map, you must enable VLAN-based QoS on the physical ports that are to be specified at the interface level of the policy map."

I added mls qos vlan-based after I had already attached the policy to the port. So I'm not sure why exactly it says the above (which I quoted from a manual), or how to fix it without deleting the policy. Does it make a difference, and why?

I also found these two notes in the manual.

"When configuring a hierarchical policy map on trunk ports, the VLAN ranges must not overlap. If the ranges overlap, the actions specified in the policy map affect the incoming and outgoing traffic on the overlapped VLANs."

"You can configure a hierarchical policy map only on the primary VLAN of a private VLAN."

Well, it does not look like this VLAN is the primary VLAN of a private VLAN? Though I see examples all over which don't seem to be.
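The manual text quoted in the post above reduces to one mechanical rule: every physical port named by `match input-interface` in the child policy of an SVI's input service-policy must carry `mls qos vlan-based`, and `mls qos` must be on globally. The Python script below is an added example, not code from the thread or from Cisco: it parses a Catalyst-style running-config and checks that rule. `SAMPLE_CONFIG` is constructed from the original poster's snippets (with the pasted, unindented `class` lines kept as they appeared); the function names and finding messages are mine.

```python
"""Lint a Catalyst-style running-config for the VLAN-based QoS rule quoted above:
every port named by 'match input-interface' in a child policy hanging off an
SVI's input service-policy must carry 'mls qos vlan-based'.
Added example; SAMPLE_CONFIG is constructed from the original poster's snippets."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
mls qos
class-map match-all BYOD-Accesslist
  match access-group 100
class-map match-all BYOD-Interface
  match input-interface GigabitEthernet1/0/6
!
policy-map BYOD-InterfaceMap
class BYOD-Interface
  police 3145500 8000 exceed-action drop
policy-map BYOD-Vlan
class BYOD-Accesslist
  set dscp default
  service-policy BYOD-InterfaceMap
!
interface GigabitEthernet1/0/6
 switchport mode trunk
!
interface Vlan2
 service-policy input BYOD-Vlan
!
"""

# (bucket in cfg, header pattern) for the three block types the check needs
SECTION_HEADERS = [
    ("class_maps", re.compile(r"class-map(?:\s+match-(?:all|any))?\s+(\S+)$")),
    ("policy_maps", re.compile(r"policy-map\s+(\S+)$")),
    ("interfaces", re.compile(r"interface\s+(\S+)$")),
]


def parse_config(text):
    """Bucket the config: global commands, class-map match lines, policy-map
    classes with their actions, per-interface commands (names lower-cased)."""
    cfg = {"global": set(), "class_maps": defaultdict(list),
           "policy_maps": defaultdict(dict), "interfaces": defaultdict(list)}
    section = cur_class = None
    for raw in text.splitlines():
        stmt = raw.strip()
        if not stmt or stmt.startswith("!"):
            continue
        is_class = re.match(r"class\s+(\S+)$", stmt)
        # Pasted configs (as in this thread) often lose the indent on a policy-map's
        # 'class' lines, so a top-level 'class X' inside a policy-map stays there.
        if not raw[0].isspace() and not (is_class and section and section[0] == "policy_maps"):
            for bucket, pat in SECTION_HEADERS:
                m = pat.match(stmt)
                if m:
                    name = m.group(1).lower() if bucket == "interfaces" else m.group(1)
                    section, cur_class = (bucket, name), None
                    break
            else:
                section = None
                cfg["global"].add(stmt)
            continue
        if section is None:
            continue
        bucket, name = section
        if bucket != "policy_maps":
            cfg[bucket][name].append(stmt)
        elif is_class:
            cur_class = is_class.group(1)
            cfg[bucket][name].setdefault(cur_class, [])
        elif cur_class is not None:
            cfg[bucket][name][cur_class].append(stmt)
    return cfg


def lint(cfg):
    """Findings as strings; empty means every referenced port has 'mls qos vlan-based'."""
    findings = []
    if "mls qos" not in cfg["global"]:
        findings.append("global: 'mls qos' is not enabled, so no policer takes effect")
    # class-map name -> ports it names with 'match input-interface' (lower-cased)
    port_classes = {n: [p.lower() for m in ms if m.startswith("match input-interface")
                        for p in m.split()[2:]] for n, ms in cfg["class_maps"].items()}
    for svi, lines in cfg["interfaces"].items():
        if not svi.startswith("vlan"):
            continue
        for parent in (s.split()[2] for s in lines if s.startswith("service-policy input ")):
            if parent not in cfg["policy_maps"]:
                findings.append(f"{svi}: parent policy-map {parent} is not defined")
                continue
            for pclass, actions in cfg["policy_maps"][parent].items():
                for child in (a.split()[1] for a in actions if a.startswith("service-policy ")):
                    if child not in cfg["policy_maps"]:
                        findings.append(f"{parent}/{pclass}: child policy-map {child} is not defined")
                        continue
                    for cclass in cfg["policy_maps"][child]:
                        ports = port_classes.get(cclass, [])
                        if not ports:
                            findings.append(f"{child}/{cclass}: child class has no 'match input-interface'")
                        for port in ports:
                            plines = cfg["interfaces"].get(port)
                            if plines is None:
                                findings.append(f"{child}/{cclass}: {port} is not in the config")
                            elif "mls qos vlan-based" not in plines:
                                findings.append(f"{port}: missing 'mls qos vlan-based' "
                                                f"(named by {child} under {parent} on {svi})")
    return findings
```

Feed it the saved output of `show running-config`; on the sample it reports only that GigabitEthernet1/0/6 lacks `mls qos vlan-based`, and adding that line clears it. A clean run is necessary, not sufficient: the thread shows the order in which `mls qos vlan-based` and the policy were applied changed the result, and a text lint cannot see what the switch actually accepted.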

Hello Jon

Personally, I don't think you need to use the ACL.

Maybe you could try this; I've not had a chance to test it, but will let you know ASAP, maybe Monday at the earliest.

conf t
mls qos
!
class-map Policed_traffic
 match input-interface xx   (this should be where your traffic enters the switch)
!
policy-map vlan2police_pm_child
 class Policed_traffic
  police 31744000 992000 exceed-action drop   (this is policing at 31 Mb; not calculated for your value)
!
policy-map vlan2police_pm_parent
 class class-default
  set ip dscp xx
  service-policy vlan2police_pm_child
!
int vlan 2
 service-policy input vlan2police_pm_parent
!
int x/x   (trunk links with vlan 2 traversing)
 mls qos vlan-based

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.



Thanks for the replies pdriver.  I was able to test a few minutes ago in the office and probably won't be back in until Monday as well.

Here is what I've found. 

"Before configuring a hierarchical policy map, you must enable VLAN-based QoS on the physical ports that are to be specified at the interface level of the policy map."

So I tested this. I stripped the policy-map BYOD-Vlan off of vlan2. I stripped match input-interface g1/0/6 off of the class-map. I then stripped mls qos vlan-based off of g1/0/6, and reapplied it. Next I added the match input-interface back on the class-map, and last added the policy-map back to vlan2.

I did a test and found that it was now capped at around 2 Mbps, which I question given my police numbers, but still. I tried something close to what you had earlier today and found it did not work. However, I did not have mls qos vlan-based on g1/0/6. So I'll try it again on Monday, but I'm unsure if it will work without the class-map interface match command.

My next issue is that I'll need to find a way to limit the port both ways. It seems data coming back through the port is full speed, so this will also cause an issue for me, and any suggestions on two-way policing would be appreciated, or on how to set it up in a way that would police the egress.
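The poster measures about 2 Mbps against a policer set to 3,145,500 bps with an 8,000-byte burst. The script below is an added example, not code from the thread: it turns a Catalyst `police <rate-bps> <burst-bytes>` line into rate, burst and the time the bucket can sustain the committed rate, and suggests a burst for a chosen window. The quarter-second default is an observation about the two suggested pairs above (64,000 bytes at 2,048,000 bps and 992,000 bytes at 31,744,000 bps both work out to exactly 250 ms); treating that as a target window is my rule of thumb, not a figure stated in the thread or in Cisco documentation, and the three police lines are the ones posted here.

```python
"""Sanity-check Catalyst 'police <rate-bps> <burst-bytes>' values.

Added example, not from the thread. The burst-window rule (the bucket should
cover roughly a quarter-second at the committed rate) is an assumed rule of
thumb; a bucket far smaller than that tends to throttle TCP well below the rate.
"""
import math
import re

POLICE_RE = re.compile(r"police\s+(\d+)\s+(\d+)(?:\s+exceed-action\s+(\S+))?")

# Constructed from the three police lines posted in this thread.
THREAD_POLICERS = [
    "police 3145500 8000 exceed-action drop",     # original poster
    "police 31744000 992000 exceed-action drop",  # first suggested value
    "police 2048000 64000 exceed-action drop",    # second suggested value
]


def parse_police(line):
    """Return (rate_bps, burst_bytes, exceed_action) from one 'police' line."""
    m = POLICE_RE.search(line)
    if not m:
        raise ValueError(f"not a police line: {line!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3) or "drop"


def burst_window_ms(rate_bps, burst_bytes):
    """Milliseconds a flow can run at the committed rate before the bucket empties."""
    return burst_bytes * 8 / rate_bps * 1000


def suggest_burst(rate_bps, window_s=0.25):
    """Burst, in bytes, that keeps the bucket from emptying for window_s seconds."""
    return math.ceil(rate_bps * window_s / 8)


def summarize(line, window_s=0.25):
    """Rate in Mbps, burst, burst window and a suggested burst for one police line."""
    rate, burst, action = parse_police(line)
    return {
        "rate_mbps": rate / 1_000_000,
        "burst_bytes": burst,
        "burst_window_ms": round(burst_window_ms(rate, burst), 1),
        "suggested_burst_bytes": suggest_burst(rate, window_s),
        "exceed_action": action,
    }


if __name__ == "__main__":
    for line in THREAD_POLICERS:
        print(summarize(line))
```

On the poster's line the bucket holds about 20 ms of traffic at 3.1455 Mbps, against 250 ms for both suggested pairs; the suggested burst for the poster's rate at the same window is 98,297 bytes. Whether a given burst size is accepted, and what the platform does with it, is for the switch to say; the script only does the arithmetic.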

Just going to bump this again. I found that even though QoS is working, it only limits the outbound traffic through VLAN 2. But all internet traffic coming in from the firewall is still full speed. So is this not the proper way to speed-limit traffic going to a second VLAN? What is the correct method/procedure to do this?

Hello Jon,

Try this; it should limit VLAN 2 to 2 Mb:

class-map Policed_traffic
 match input-interface xx xx   (all trunk interfaces allowing the vlan)
!
policy-map Policed_traffic_pm
 class Policed_traffic
  police 2048000 64000 exceed-action drop
!
access-list 100 permit ip any any
!
class-map policed_vlan2_cm
 match access-group 100
!
policy-map Policed_vlan2_pm
 class policed_vlan2_cm
  service-policy Policed_traffic_pm
!
int vlan 2
 service-policy input Policed_vlan2_pm
!
int xx   (all trunk links with vlan2 traversing)
 mls qos vlan-based

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.



I see what you are getting at here and this is absolutely correct. However, in my case this will not throttle the incoming traffic back into the switch, because it is on VLAN 1 from a firewall.

Gig 1/0/1 is the firewall --> router and vlan1

Gig 1/0/6 is vlan1 and vlan2

No other port on the switch is vlan2

Of course I'm using intervlan routing to allow them to talk.  The problem I'm seeing is that the svi is dumping that traffic to vlan1.  So there is no incoming vlan2 port in the switch from the firewall which I can trottle via the method above.

So does that just leave me out of luck? The firewall is an ASA 5510.
