05-24-2013 12:01 PM - edited 03-04-2019 08:00 PM
I was trying to rate limit a vlan and found this works a little different than a normal port. The vlan connections are still able to get full bandwidth bypassing this policer. I'm not sure why.
class-map match-all BYOD-Accesslist
match access-group 100
class-map match-all BYOD-Interface
match input-interface GigabitEthernet1/0/6
!
policy-map BYOD-InterfaceMap
class BYOD-Interface
police 3145500 8000 exceed-action drop
policy-map BYOD-Vlan
class BYOD-Accesslist
set dscp default
service-policy BYOD-InterfaceMap
interface Vlan2
description BYOD Network
ip address 10.8.0.1 255.255.0.0
ip access-group 100 in
ip access-group 101 out
service-policy input BYOD-Vlan
access-list 100 permit ip any host 10.3.3.254
access-list 100 permit ip any host 10.3.3.253
access-list 100 permit ip any host 10.8.0.1
access-list 100 deny ip any 10.0.0.0 0.255.255.255
access-list 100 permit ip any any
access-list 101 permit ip host 10.3.3.254 any
access-list 101 permit ip host 10.3.3.253 any
access-list 101 permit ip host 10.8.0.1 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
interface GigabitEthernet1/0/6
description Ruckus ZD3000
switchport trunk encapsulation dot1q
switchport mode trunk
Everything Vlan related works and the access list also work correctly. However when I use a bandwidth testing site, it shows that this is not getting policed.
05-24-2013 12:52 PM
hello
try enabling vlan qos on the trunks
int xxx
mls qos vlan-based
res
paul
Sent from Cisco Technical Support Android App
05-24-2013 03:24 PM
This was the first thing I tried when it didn't work.
interface gig1/0/6
mls qos vlan-based
Didn't make any difference.
"follow these steps to enable VLAN-based QoS. This procedure is required on physical ports that are specified in the interface level of a hierarchical policy map on an SVI."
So it looks like I do need to enable that regardless. However, I did try this and it made no difference.
GigabitEthernet1/0/6
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: vlan-based
"Before configuring a hierarchical policy map, you must enable VLAN-based QoS on the physical ports that are to be specified at the interface level of the policy map."
I added mls qos vlan-based after I had already attached the policy to the port. So I'm not sure why exactly it says the above which I quoted from a manual or how to fix it without deleting the policy. Does it make a difference and why?
I also found these two notes in the manual.
"When configuring a hierarchical policy map on trunk ports, the VLAN ranges must not overlap. If the ranges overlap, the actions specified in the policy map affect the incoming and outgoing traffic on the overlapped VLANs."
"You can configure a hierarchical policy map only on the primary VLAN of a private VLAN."
Well it does not look like this vlan is a primary vlan of a private vlan? Though I see examples all over which don't seem to be.
05-24-2013 04:35 PM
Hello Jon
Personally I don't think you need to use the acl.
Maybe you could try this, I've not had a chance to testbed it, but will let you know asap, maybe Monday at the earliest.
conf t
mls qos
class-map Policed_traffic
match input-interface xx ( this should be where your traffic enters the switch)
policy-map vlan2police_pm_child
class Policed_traffic
police 31744000 992000 exceed-action drop ( this is policing at 31mb not calculated what your value is)
policy-map vlan2police_pm_parent
class class-default
set ip dscp xx
service-policy vlan2police_pm_child
int vlan 2
service-policy input vlan2police_pm_parent
int x/x (trunk links with vlan2 traversing)
mls qos vlan-based
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
05-24-2013 05:30 PM
Thanks for the replies pdriver. I was able to test a few minutes ago in the office and probably won't be back in until Monday as well.
Here is what I've found.
"Before configuring a hierarchical policy map, you must enable VLAN-based QoS on the physical ports that are to be specified at the interface level of the policy map."
So I tested this. I stripped the policy map BYOD-Vlan off of vlan2. I stripped match input-inter g1/0/6 off of the class-map. I then stripped mls qos vlan-based off of g1/0/6, and reapplied it. Next I added the match input-inter back on the class-map, and last added the policy-map back to the vlan2.
I did a test and found that it was now capped at around 2mbs, which I question from my police numbers, but still. I tried something close to what you had earlier today and found it did not work. However I did not have mls qos vlan-based on g1/0/6. So I'll try it again on Monday, but I'm unsure if it will work without the class-map interface match command.
My next issue is that I'll need to find a way to limit the port both ways. It seems data coming back through the port is full speed so this will also cause an issue for me, and any suggestions to do two way policing would be appreciated. Or how to set it up in a method that would police the egress.
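The prerequisite Jon quoted from the manual (every port named by match input-interface in the child policy of an SVI's hierarchical policy map must carry mls qos vlan-based, and mls qos must be on globally) is easy to miss in a long running-config. This is an added example, not code from the thread or from Cisco: a small Python checker that parses an unindented IOS config excerpt and reports the missing prerequisites. The SAMPLE_CONFIG is constructed to mirror the thread's config with the trunk port's mls qos vlan-based left out; interface names are assumed to be written in full (GigabitEthernet1/0/6, not gig1/0/6).

```python
import re

# Constructed sample in the unindented form the thread's config was pasted in;
# the trunk port deliberately lacks the 'mls qos vlan-based' prerequisite.
SAMPLE_CONFIG = """mls qos
class-map match-all BYOD-Interface
match input-interface GigabitEthernet1/0/6
policy-map BYOD-InterfaceMap
class BYOD-Interface
police 3145500 8000 exceed-action drop
policy-map BYOD-Vlan
class class-default
service-policy BYOD-InterfaceMap
interface Vlan2
service-policy input BYOD-Vlan
interface GigabitEthernet1/0/6
switchport mode trunk
"""

HEADER = re.compile(r"^(class-map|policy-map|interface)\s+(?:match-(?:all|any)\s+)?(\S+)$")

def parse_config(text):
    """Split an IOS config into {(kind, name): [body lines]} plus a set of global lines."""
    blocks, top, key = {}, set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            key = (m.group(1), m.group(2))
            blocks[key] = []
        elif line.startswith("access-list") or line == "mls qos":
            key = None  # global commands close any open block
            top.add(line)
        elif line and not line.startswith("!") and key is not None:
            blocks[key].append(line)
    return blocks, top

def check_hierarchical_qos(text):
    """Return findings; an empty list means the manual's prerequisites are all met."""
    blocks, top = parse_config(text)
    findings = [] if "mls qos" in top else ["global 'mls qos' is not enabled"]
    for (kind, svi), body in blocks.items():
        parents = [l.split()[2] for l in body if l.startswith("service-policy input ")]
        if kind != "interface" or not svi.lower().startswith("vlan"):
            continue
        for parent in parents:  # SVI -> parent policy -> child policy -> class-map -> port
            children = [l.split()[1] for l in blocks.get(("policy-map", parent), []) if l.startswith("service-policy ")]
            for child in children:
                for cls in [l.split()[1] for l in blocks.get(("policy-map", child), []) if l.startswith("class ")]:
                    for port in [l.split()[2] for l in blocks.get(("class-map", cls), []) if l.startswith("match input-interface ")]:
                        if "mls qos vlan-based" not in blocks.get(("interface", port), []):
                            findings.append(f"{svi}: child policy {child} matches {port}, which lacks 'mls qos vlan-based'")
    return findings
```

Running check_hierarchical_qos on the output of show running-config (pasted as text) flags the same gap Jon had to find by stripping and re-applying the policy; an empty result means only that the prerequisites are present, not that the policer rate is what you intended.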
05-28-2013 10:32 AM
Just going to bump this again. I found that even though QoS is working it only limits the outbound traffic through the vlan2. But all internet traffic coming in from the firewall is still full speed. So is this not the proper way to speed limit traffic going to a second vlan? What is the correct method / procedure to do this?
05-29-2013 06:13 AM
Hello Jon,
Try this, it should limit vlan 2 to 2mb
class-map Policed_traffic
match input-inter xx xx ( all trunk interfaces allowing the vlan)
policy-map Policed_traffic_pm
class Policed_traffic
police 2048000 64000 exceed-action drop
access-list 100 permit ip any any
class-map policed_vlan2_cm
match access-group 100
policy-map Policed_vlan2_pm
class policed_vlan2_cm
service-policy Policed_traffic_pm
int vlan 2
service-policy input Policed_vlan2_pm
int xx (all trunk links with vlan2 traversing)
mls qos vlan-based
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
05-29-2013 07:47 AM
I see what you are getting at here and this is absolutely correct. However in my case this will not throttle the incoming traffic back into the switch because it is on Vlan1 from a firewall.
Gig 1/0/1 is the firewall --> router and vlan1
Gig 1/0/6 is vlan1 and vlan2
No other port on the switch is vlan2
Of course I'm using intervlan routing to allow them to talk. The problem I'm seeing is that the svi is dumping that traffic to vlan1. So there is no incoming vlan2 port in the switch from the firewall which I can throttle via the method above.
So does that just leave me out of luck? Firewall is an ASA 5510.