12-07-2011 05:44 AM - edited 03-04-2019 02:33 PM
I am losing hair by the second with this problem! Any help would be greatly appreciated....
I have a stack of Cisco 3750v2 switches with 8 VLANs (one per customer) and 8 SVIs (again, one per customer). I am trying to apply rate limiting to the SVIs of each VLAN for both input and output traffic. This is my SVI configuration for one such VLAN (I have substituted the real IPs for private IPs for the purposes of this example) -
interface Vlan30
description ****CUST-C-VL30-SUBRATE-CAR-10M****
ip address 192.168.30.250 255.255.255.0
ip access-group CUST-C-VL30-ACL in
rate-limit input 10000000 1875000 3750000 conform-action transmit exceed-action drop
rate-limit output 10000000 1875000 3750000 conform-action transmit exceed-action drop
The access list for this interface is as follows -
Extended IP access list CUST-C-VL30-ACL
10 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
20 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
30 deny ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
40 deny ip 192.168.30.0 0.0.0.255 192.168.50.0 0.0.0.255
50 deny ip 192.168.30.0 0.0.0.255 192.168.60.0 0.0.0.255
60 deny ip 192.168.30.0 0.0.0.255 192.168.70.0 0.0.0.255
70 deny ip 192.168.30.0 0.0.0.255 192.168.80.0 0.0.0.255
80 permit ip any any
Finally the physical ports associated with this VLAN are configured as follows -
interface FastEthernet1/0/4
description CUST-D-VL40-ACCESS-ACT
switchport access vlan 40
switchport mode access
mls qos vlan-based
interface FastEthernet2/0/4
description CUST-D-VL40-ACCESS-PSV
switchport access vlan 40
switchport mode access
mls qos vlan-based
When I pass traffic from behind the VLAN and out to the internet the rate limit statistics for the port show as follows -
Vlan30 ****CUST-C-VL30-SUBRATE-CAR-10M****
Input
matches: all traffic
params: 10000000 bps, 1875000 limit, 3750000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 19317663ms ago, current burst: 0 bytes
last cleared 03:50:26 ago, conformed 0 bps, exceeded 0 bps
Output
matches: all traffic
params: 10000000 bps, 1875000 limit, 3750000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 19318251ms ago, current burst: 0 bytes
last cleared 03:55:55 ago, conformed 0 bps, exceeded 0 bps
Based on this and the speed tests I am performing from within the VLAN I am receiving the full bandwidth and not what should be assigned based on the rate limiting. Have I missed anything as far as the configuration goes?? (I'm going grey by the second!!!)
Thanks
Nick
12-07-2011 05:54 AM
Hi Nick,
The rate limit commands look OK.
Why don't you use a policy map and see how it will do the job for you....
I have the below at one of my core switch and doing good as desired.
class-map vlan5
match vlan 5
match class-map class-default
policy-map vlan5-limit
class vlan5
! Change the values according to your needs
police 2000000 250000 exceed-action drop
int vlan5
service-policy input vlan5-limit
After you apply this configuration, the traffic with VLAN 5 coming from any will be policed at 2Mbps.
Hope this will help you.
Please rate the helpful posts.
Regards,
Naidu.
12-07-2011 07:35 AM
Thanks for the prompt response. Unfortunately the commands you provided have failed to work. To give you an insight into what I have done please see below -
1. Create a Class Map
class-map CUST-A-VL10-SUBRATE-CAR-4K-CMAP
match access-group name CUST-A-VL10-ACL
2. Create a Policy Map
policy-map CUST-A-VL10-SUBRATE-CAR-4K-PMAP
class CUST-A-VL10-SUBRATE-CAR-4K-CMAP
police 400000 75000 exceed-action drop
3. Apply Policy Map to Vlan 10
service-policy input CUST-A-VL10-SUBRATE-CAR-4K-PMAP
This then reports the following error -
%QoS: policy-map with police action at parent level not supported on Vlan10 interface.
%QoS: policy-map with police action at parent level not supported on Vlan10 interface.
%QoS: policy-map with police action at parent level not supported on Vlan10 interface.
service-policy output CUST-A-VL10-SUBRATE-CAR-4K-PMAP
Reports the error -
police command is not supported for this interface
The interface does not support the specified policy configuration and/or parameter values.
12-07-2011 08:40 AM
Nick,
1) rate-limit command (while accepted by the CLI) is not supported in the 3750/3560 platforms
2) Egress policing with MQC is not supported on these platforms. You can limit egress traffic with SRR bandwidth limit.
3) For ingress policing, you can use MQC and apply the service-policy directly to the physical interface instead of the logical SVI. You could apply the inbound policer in the SVI but you need to configure a hierarchical policy and the police statement must be in the child policy.
For instance:
class-map Vlan10
match input-interface ...
policy-map Vlan10
class Vlan10
police 10000000 187500 exceed-action drop
policy-map CUST-A-VL10-SUBRATE-CAR-4K-PMAP
class class-default
service-policy Vlan10
interface Vlan 10
service-policy input CUST-A-VL10-SUBRATE-CAR-4K-PMAP
Regards,
Edison
12-08-2011 02:56 AM
Edison,
Thank you very much for the answer, it has saved me a lot of time and effort. The Cisco 3750v2 product overview confirms the support for rate limiting, so I would have thought it would be supported? -
Cisco Catalyst 3750 v2 Series Software
Anyhow, I have gone ahead and used the example you have provided to police on ingress the SVI, but am receiving the following error -
No action is configured in the policymap ****CUST-A-VL10-SUBRATE-CAR-4K-PMAP**** classmap class-default, or it is being modified
Based on my research into this it would appear I need to configure an action within the policy map to perform a function such as the following -
set dscp or set ip
Would you agree with this, and if so why is this required? I would have thought the action would have been taken within the subsequent service policy map?
Thanks
Nick
12-08-2011 06:04 AM
Edison,
I have been toying with this all day and am now completely confused..... I have performed the following steps -
Class Map
class-map match-all CUST-A-VL10-CMAP1
match input-interface fa1/0/1
match input-interface fa2/0/1
Policy Map
policy-map CUST-A-VL10-PMAP1
class CUST-A-VL10-CMAP1
police 200000 37500 exceed-action drop
Parent Policy Map
policy-map CUST-A-VL10-PARENT-PMAP1
class class-default
service-policy CUST-A-VL10-PMAP1
Interface Settings
interface vlan 10
service-policy input CUST-A-VL10-PARENT-PMAP1
All of these commands are accepted successfully by the switch. However, when I do a sh run or sh conf the service-policy command is never displayed below the VLAN SVI. No matter what I try to do I cannot get it to display within the config. The same problem occurs if I try to apply the command to a physical (fa1/0/1) or virtual (vlan10) interface.
Am I doing something wrong here?
12-08-2011 06:27 AM
Ok after further investigation it would seem you cannot add two interfaces to the match input-interface command below the class map -
class-map match-all CUST-A-VL10-CMAP1
match input-interface fa1/0/1
match input-interface fa2/0/1
Although this is accepted by the CLI and at no point issues a warning or failure, the command service-policy input CUST-A-VL10-PARENT-PMAP1 will be accepted but never applied. Simply removing the match input-interface fa2/0/1 command from the class map and reassigning the parent policy map to the SVI resolves the problem. So based on this I must have to create two class maps (one for each interface) as I am presenting two feeds to each customer per VLAN.
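Added example (not part of the original post): a small Python check that scans pasted class-map configuration for the silent failure described above, a match-all class map carrying more than one match input-interface statement. The sample configuration is constructed from the names used in this thread; the function name is hypothetical.

```python
import re

# Constructed sample, modelled on the class maps posted in this thread.
SAMPLE_CONFIG = """\
class-map match-all CUST-A-VL10-CMAP1
 match input-interface FastEthernet1/0/1
 match input-interface FastEthernet2/0/1
class-map match-all CUST-A-VL10-CMAP2
 match access-group name CUST-A-VL10-ACL-POL
class-map CUST-B-VL20-CMAP1
 match input-interface FastEthernet1/0/2
 match input-interface FastEthernet2/0/2
class-map match-all CUST-C-VL30-CMAP1
 match input-interface FastEthernet1/0/3
policy-map CUST-A-VL10-PMAP1
 class CUST-A-VL10-CMAP1
  police 200000 37500 exceed-action drop
"""

CLASS_MAP = re.compile(r"^class-map\s+(?:(match-all|match-any)\s+)?(\S+)$")
INPUT_IF = re.compile(r"^match input-interface\s+(.+)$")


def multi_interface_class_maps(config):
    """Return {class-map name: [interfaces]} for match-all class maps with
    more than one 'match input-interface' line. Works on indented or
    flattened pastes because it keys on the leading keyword, not on indent."""
    maps = {}        # name -> (mode, [interfaces])
    current = None   # class map whose body is being read
    for raw in config.splitlines():
        line = raw.strip()
        header = CLASS_MAP.match(line)
        if header:
            current = header.group(2)
            # IOS treats a class map with no keyword as match-all.
            maps[current] = (header.group(1) or "match-all", [])
        elif current and line.startswith("match "):
            hit = INPUT_IF.match(line)
            if hit:
                maps[current][1].append(hit.group(1).strip())
        else:
            current = None  # any other line ends the class-map body
    # match-all needs every statement to match, and a packet enters on
    # exactly one interface, so only match-all class maps are reported.
    return {name: ifs for name, (mode, ifs) in maps.items()
            if mode == "match-all" and len(ifs) > 1}


if __name__ == "__main__":
    for name, ifs in multi_interface_class_maps(SAMPLE_CONFIG).items():
        print(f"{name}: split into one class map per interface {ifs}")
```

Running it against the output of show running-config before attaching a policy catches the case where the service-policy command is accepted but never appears under the interface.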
09-23-2015 12:09 PM
I tried to piece this together but a little tough. Asking also if a snippet of all the QoS could be posted.
12-08-2011 11:42 AM
The product overview indicates you can rate limit packets with QoS on the platform but not necessarily with the rate-limit command.
Please refer to the list of unsupported commands and you will see rate-limit listed:
I recommend applying the service-policy inbound on each of the physical interfaces instead of the SVI.
Can you try that and report back?
Regards,
Edison
12-09-2011 01:01 AM
Edison,
Thanks for helping with this it is greatly appreciated. I have been playing around with this and have managed to get the policing working successfully on the SVI.
The problem was basically the direction the policing was being applied. Initially I was applying the service policies to the customer SVIs in an inbound direction. This would only be traffic coming into the VLAN interface from within the VLAN; therefore, in terms of internet traffic this would be upload and NOT the required download.
In order to resolve this, I have applied the service policy to the Internet facing VLAN. Please see below -
Class Maps and Policy Maps
class-map match-all CUST-A-VL10-CMAP1
match input-interface FastEthernet1/0/24
class-map match-all CUST-A-VL10-CMAP2
match access-group name CUST-A-VL10-ACL-POL
policy-map CUST-A-VL10-PMAP1
class CUST-A-VL10-CMAP1
police 100000 18750 exceed-action drop
policy-map CUST-A-VL10-PARENT-PMAP1
class CUST-A-VL10-CMAP2
set ip precedence 1
service-policy CUST-A-VL10-PMAP1
VLAN Configuration
interface Vlan300
ip address ************
service-policy input CUST-A-VL10-PARENT-PMAP1
This works successfully and polices the traffic as expected. However, I have now run into the problem with assigning multiple service policies to the VLAN interface. As this is the internet facing VLAN for the routing of traffic to and from the internet, all customer service policies need to be applied to this interface. When I attempt to apply more than one service policy to this VLAN I receive the following error -
(config-if)#service-policy input CUST-B-VL20-PARENT-PMAP1
Policy map CUST-A-VL10-PARENT-PMAP1 is already attached
Looks like another couple of hours needed working around this problem!!
Thanks
Nick
12-09-2011 03:22 AM
Ok, figured out what I need to do......
Instead of using multiple parent policy maps, I can aggregate my class maps into one parent policy map and perform all required functions from one policy map. See example -
policy-map CUST-A-VL10-PARENT-PMAP1
class CUST-A-VL10-CMAP2
set ip precedence 1
service-policy CUST-A-VL10-PMAP1
class CUST-B-VL20-CMAP2
set ip precedence 1
service-policy CUST-B-VL20-PMAP1
class CUST-C-VL30-CMAP2
set ip precedence 1
service-policy CUST-C-VL30-PMAP1
class CUST-D-VL40-CMAP2
set ip precedence 1
service-policy CUST-D-VL40-PMAP1
class CUST-E-VL50-CMAP2
set ip precedence 1
service-policy CUST-E-VL50-PMAP1
class CUST-F-VL60-CMAP2
set ip precedence 1
service-policy CUST-F-VL60-PMAP1
class CUST-G-VL70-CMAP2
set ip precedence 1
service-policy CUST-G-VL70-PMAP1
class CUST-H-VL80-CMAP2
set ip precedence 1
service-policy CUST-H-VL80-PMAP
This way, I only ever need to assign the single parent policy map to the SVI and traffic for each customer will be matched by ACL and policed as necessary.
Hope this helps anybody else with the same problem.
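Added example (not part of the original post, and not Nick's actual configuration): a Python generator that emits the full set of pieces behind the single-parent design above for any number of customers. The ACL contents, the parent policy name CUST-ALL-PARENT-PMAP1 and the sample rates are assumptions; the uplink port, the SVI and the naming scheme are taken from the thread, and the burst uses the same rate-to-burst ratio as the thread's police lines.

```python
from ipaddress import ip_network

# Constructed inputs: tags follow the thread's naming, subnets are the example
# ranges from the first post, rates are illustrative.
CUSTOMERS = [
    {"tag": "CUST-A-VL10", "subnet": "192.168.10.0/24", "rate_bps": 100000},
    {"tag": "CUST-B-VL20", "subnet": "192.168.20.0/24", "rate_bps": 400000},
]


def burst_bytes(rate_bps):
    # Ratio used by the police lines in the thread (400000 -> 75000):
    # 1.5 seconds of traffic at the policed rate, in bytes.
    return rate_bps * 3 // 16


def build_policy(customers, uplink, svi, parent="CUST-ALL-PARENT-PMAP1"):
    """Return IOS config lines: per-customer ACL, class maps and child
    policer, plus one parent policy map attached once to the SVI."""
    acls, cmaps, children = [], [], []
    parent_lines = [f"policy-map {parent}"]  # hypothetical parent name
    for c in customers:
        tag, net, rate = c["tag"], ip_network(c["subnet"]), c["rate_bps"]
        # Assumed ACL content: download traffic is identified by its
        # destination, the customer's subnet.
        acls += [f"ip access-list extended {tag}-ACL-POL",
                 f" permit ip any {net.network_address} {net.hostmask}"]
        # One match input-interface per class map, as found in the thread.
        cmaps += [f"class-map match-all {tag}-CMAP1",
                  f" match input-interface {uplink}",
                  f"class-map match-all {tag}-CMAP2",
                  f" match access-group name {tag}-ACL-POL"]
        children += [f"policy-map {tag}-PMAP1",
                     f" class {tag}-CMAP1",
                     f"  police {rate} {burst_bytes(rate)} exceed-action drop"]
        # The parent class selects the customer; the child applies the rate.
        parent_lines += [f" class {tag}-CMAP2",
                         "  set ip precedence 1",
                         f"  service-policy {tag}-PMAP1"]
    attach = [f"interface {svi}", f" service-policy input {parent}"]
    return acls + cmaps + children + parent_lines + attach


if __name__ == "__main__":
    print("\n".join(build_policy(CUSTOMERS, "FastEthernet1/0/24", "Vlan300")))
```

Customers are told apart in the parent policy map by their ACL class; every child policy map matches the same uplink port and differs only in its police rate. Check the computed burst against the range the platform accepts before applying the output.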
12-09-2011 08:40 AM
Great job Nick and thanks for posting such detailed information.
Regards,
03-03-2015 09:58 AM
Hi,
I wondered if you could help me as I have tried to follow your guide and am getting a bit stuck. I have 20 customers each with their own VLAN and I would like to limit the bandwidth per SVI. I have tried to follow the programming relating to a single parent map but cannot understand how to differentiate between customers on the child maps, are you able to port your full config?
Cheers
09-19-2019 05:31 AM
Hi, just found your post from 2011 and I am wondering why "technically" rate-limiting on a WS-C3750G-24TS-S1U is not possible while (like you also mentioned in your post) the commands are possible on the interface level.
I entered the following config on the 3750G-24TS-S1U but the loadtester just stays sending the maximum mbps data without getting rate limited.
Switch#show int g1/0/6
GigabitEthernet1/0/6 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 0016.c872.5044 (bia 0016.c872.5044)
Description: interface to loadtesterserver_172.19.3.245
Internet address is 172.19.3.243/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 198/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:02:36, output 00:00:09, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 780049000 bits/sec, 64257 packets/sec
5 minute output rate 3039000 bits/sec, 5228 packets/sec
235746135 packets input, 3768805512 bytes, 0 no buffer
Received 822 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 46 multicast, 0 pause input
0 input packets with dribble condition detected
332910035 packets output, 2336440540 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
Switch#
Switch#
Switch#show int g1/0/9
GigabitEthernet1/0/9 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 0016.c872.5045 (bia 0016.c872.5045)
Description: interface to loadtesterclient_192.168.3.243
Internet address is 192.168.1.243/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 199/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:01, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 3051000 bits/sec, 5250 packets/sec
5 minute output rate 780655000 bits/sec, 64305 packets/sec
332939970 packets input, 2340054800 bytes, 0 no buffer
Received 367 broadcasts (2 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 119 multicast, 0 pause input
0 input packets with dribble condition detected
236218194 packets output, 189084976 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
Switch#
Switch#
Switch#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.19.0.0/24 is subnetted, 1 subnets
C 172.19.3.0 is directly connected, GigabitEthernet1/0/6
C 192.168.1.0/24 is directly connected, GigabitEthernet1/0/9
Switch#
Switch#
Switch#
Switch#show int g1/0/6 rate
Switch#show int g1/0/6 rate-limit
GigabitEthernet1/0/6 interface to loadtesterserver_172.19.3.245
Input
matches: all traffic
params: 100000000 bps, 100000 limit, 1000000 extended limit
conformed 91 packets, 7908 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 179248ms ago, current burst: 0 bytes
last cleared 00:16:45 ago, conformed 62 bps, exceeded 0 bps
Output
matches: all traffic
params: 100000000 bps, 100000 limit, 1000000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 691905717ms ago, current burst: 0 bytes
last cleared 00:16:21 ago, conformed 0 bps, exceeded 0 bps
Switch#
Switch#
Switch#
Switch#
Switch#
Switch#
Switch#show int g1/0/9 rate-limit
GigabitEthernet1/0/9 interface to loadtesterclient_192.168.3.243
Input
matches: all traffic
params: 100000000 bps, 100000 limit, 1000000 extended limit
conformed 4 packets, 360 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 371951ms ago, current burst: 0 bytes
last cleared 00:16:03 ago, conformed 2 bps, exceeded 0 bps
Output
matches: all traffic
params: 100000000 bps, 100000 limit, 1000000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 691913510ms ago, current burst: 0 bytes
last cleared 00:15:59 ago, conformed 0 bps, exceeded 0 bps
Switch#
Switch#
Switch#show run
Building configuration...
Current configuration : 2382 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
no aaa new-model
switch 1 provision ws-c3750g-24ts-1u
ip subnet-zero
ip routing
!
!
!
!
!
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 3
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
no switchport
no ip address
!
interface GigabitEthernet1/0/4
no switchport
no ip address
shutdown
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
description interface to loadtesterserver_172.19.3.245
no switchport
ip address 172.19.3.243 255.255.255.0
rate-limit input 100000000 100000 1000000 conform-action transmit exceed-action drop
rate-limit output 100000000 100000 1000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
description interface to loadtesterclient_192.168.3.243
no switchport
ip address 192.168.1.243 255.255.255.0
rate-limit input 100000000 100000 1000000 conform-action transmit exceed-action drop
rate-limit output 100000000 100000 1000000 conform-action transmit exceed-action drop