02-23-2007 03:49 PM - edited 03-03-2019 03:54 PM
I have a 3750 switch with 150MB internet coming into g1/0/1. I have 15 ports, g1/0/2-15, that go out to customers, and I want to put a policer on the ports to hold them at 10MB. My question is: should I do a service-policy input or output here?
I want to limit them to 10MB download. Would that be input since it's coming IN from the internet, or is input in from the switch port?
TIA
02-23-2007 04:26 PM
I think switches can only perform ingress QoS.
02-23-2007 06:53 PM
So if I apply the policy in, does that police the download speed or upload speed of that port?
02-23-2007 07:12 PM
I have a 3550-EMI with multiple User VLANs running DHCP. One VLAN is the uplink to a router connected to the internet.
mls qos, class-map, policy-map, ACL.
I create and use two policy-maps: one applied to the port connected to the router (ingress) to control download from the internet to all User VLANs, and another applied to the ports connected to the access switches per User VLAN (ingress) to control upload to the internet from all User VLANs.
!
interface fastethernet0/1
description to internet router
no ip address
service-policy input DONWLOADFROMINTERNET
duplex full
speed 100
no cdp enable
!
interface fastethernet0/2-48
description to User VLAN access switches
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
service-policy input UPLOADTOINTERNET
duplex full
speed 100
no cdp enable
!
02-24-2007 03:20 AM
Hi shaun,
There are a few questions before answering.
1. Which switch are you using?
2. Do you want to control both sides or only ingress (download from internet) traffic?
Anyway, 6500 & 7600 with PFC3 do bidirectional flow control, but with PFC2 you can control only one side.
When doing a service policy, imagine that you are sitting inside the switch. When you are applying a policy to a particular port, each and every packet exiting that port is for "service policy - out" and each packet coming in from that port is "service policy - in".
You may start from here:
http://www.cisco.com/en/US/products/ps6558/products_ios_technology_home.html
HTH
02-24-2007 03:55 AM
I'm using a 3750G with advanced IP services. The only thing I want to control is 10MB download to each port.
My real issue here is, like you say above, packets coming in and out: which way is the real "IN"? Is that traffic from the internet coming IN that's routed out that port, or is it traffic coming in from the host to the port?
02-24-2007 04:46 AM
Hi shaun,
The 3750 will do traffic policing.
You can follow this link for details.
http://www.cisco.com/en/US/netsol/ns577/networking_solutions_white_paper09186a00801eb831.shtml
And your second question.
You are going to apply the policy to a port or interface, not to the whole switch. Moreover, you will be doing that for the customer ports and not for the internet port.
So an outgoing packet through the customer's port is the customer's download, and an incoming packet on the customer's port is the customer's upload (remember, you are sitting inside the switch).
You can apply an outbound policy to your customer ports or to customer VLAN interfaces (I'm still in a dilemma whether it will work with VLAN interfaces on the 3750).
That way the outgoing packets through those ports will get limited and your customers' download speed is controlled.
I hope it will work.
02-24-2007 04:58 AM
Here is what I have. Will this work to rate-limit customer downloads to 10MB?
policy-map INTERNET
class class-default
police 10000000 10000 exceed-action drop
interface GigabitEthernet1/0/2
description GigE to XXXXXX
no switchport
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
service-policy output INTERNET
02-24-2007 06:02 AM
Yeah, it should work.
02-26-2007 01:15 AM
Apply "service-policy output xxxx" to the interface connecting to internet.
02-26-2007 09:31 AM
The Catalyst 3750 doesn't support service-policy output on its interfaces, at least that's the error I'm getting.
Anyone have an idea as to what the best/easiest way to permit 10MB download to each port would be? (g1/0/1 is my internet pipe and g1/0/2-15 are L3 routed ports to the customers' border router.)
02-26-2007 09:40 AM
Take a look at my response above one more time and try to visualize it in your environment. You don't need "service-policy output" in all ports (g1/0/2-15) for download, you need "service-policy input" in g1/0/1.
02-26-2007 09:52 AM
Won't that just rate-limit 10MB download from the internet, period, not 10MB to all ports?
This is what I have:
policy-map INTERNET
class class-default
police 10000000 10000 exceed-action drop
02-26-2007 10:01 AM
For example;
Customer1 Network = 192.168.1.0/24
Customer2 Network = 192.168.2.0/24
.
.
.
Customer14 Network = 192.168.14.0/24
!
mls qos
mls qos aggregate-policer DL_10.0M 10000000 64000 exceed-action drop
!
class-map match-all Customer1
match access-group 2101
class-map match-all Customer2
match access-group 2102
.
.
.
class-map match-all Customer14
match access-group 2114
!
policy-map DOWNLOAD
class Customer1
police aggregate DL_10.0M
class Customer2
police aggregate DL_10.0M
.
.
.
class Customer14
police aggregate DL_10.0M
!
interface gigabitethernet1/0/1
service-policy input DOWNLOAD
!
access-list 2101 remark Customer1
access-list 2101 permit ip 192.168.1.0 0.0.0.255 any
access-list 2102 remark Customer2
access-list 2102 permit ip 192.168.2.0 0.0.0.255 any
.
.
.
access-list 2114 remark Customer14
access-list 2114 permit ip 192.168.14.0 0.0.0.255 any
02-26-2007 11:47 AM
Couldn't I do this:
policy-map DOWNLOAD
class Customer1
police 10000000 64000 exceed-action drop
class Customer2
police 10000000 64000 exceed-action drop
What's the advantage of the aggregate policer?
And should the ACL be the other way around:
access-list 2101 permit ip any 192.168.2.0 0.0.0.255
since the traffic is coming in from the internet towards the destination of the customer?
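Added example, not part of the thread and not Cisco code: a Python model of the two questions in the last post, run against download traffic arriving on the uplink ingress. It assumes each police statement behaves as a token bucket and that the aggregate policer is one bucket shared by every class that references it; the internet source 203.0.113.5, the three-customer subset and all function names are constructed for illustration.

```python
import ipaddress
import random

# Constructed sample: three of the customer subnets used in the thread.
CUSTOMERS = {f"Customer{i}": ipaddress.ip_network(f"192.168.{i}.0/24") for i in (1, 2, 3)}

class Policer:
    """Single-rate token bucket: rate in bit/s, burst in bytes, exceed-action drop."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0            # refill speed in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def conforms(self, now, size):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size > self.tokens:
            return False                      # out of profile: dropped
        self.tokens -= size
        return True

def classify(src, dst, field):
    """Mimic an ACL that tests the customer subnet against the source or destination."""
    addr = ipaddress.ip_address(src if field == "src" else dst)
    return next((n for n, net in CUSTOMERS.items() if addr in net), None)

def simulate(policers, field="dst", offered_bps=150_000_000, seconds=2.0, size=1500):
    """Offer download traffic on the uplink; return (Mb/s per customer, unpoliced Mb/s)."""
    rng = random.Random(1)                    # fixed seed keeps the run repeatable
    passed, unpoliced = dict.fromkeys(CUSTOMERS, 0), 0
    gap = size * 8 / offered_bps              # seconds between packets
    for i in range(int(seconds / gap)):
        dst = str(CUSTOMERS[rng.choice(list(CUSTOMERS))].network_address + 10)
        cls = classify("203.0.113.5", dst, field)   # source is an internet host
        if cls is None:
            unpoliced += size                 # falls to class-default, no policer
        elif policers[cls].conforms(i * gap, size):
            passed[cls] += size
    scale = 8 / seconds / 1e6                 # bytes over the run -> Mb/s
    return {n: b * scale for n, b in passed.items()}, unpoliced * scale

def per_class(field="dst"):                   # police 10000000 64000 in every class
    return simulate({n: Policer(10_000_000, 64000) for n in CUSTOMERS}, field)

def aggregate():                              # every class references one shared policer
    shared = Policer(10_000_000, 64000)
    return simulate(dict.fromkeys(CUSTOMERS, shared))
```

In this model per_class() holds each customer near 10 Mb/s, aggregate() holds all customers together near 10 Mb/s, and per_class("src") polices nothing because download packets carry the customer subnet in the destination field.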