HI Gpauwen

cbemobile · ‎12-26-2016

HI,
I am using a WS-3560-48PS with IPBASEK9-M version 12.2(55)SE6.
Actually :
I have 5 vlan configured with wired LAN
I have a new 100 Mega internet acces with french provider connected to the switch
Modification :
I need to install Access Point 1832 on our buiding with 5 SSID/VLAN according to the VLAN already configured.
access point will be connected to trunk port.
To share the 100 Mega bandwidth with the VLANs I have to configure the QOS. In would like to shape the bandwidth
I try to use, without success, the following configuration :
VLAN Description and bandwidth allocation :
VLAN 10   192.168.10.0/24   5 Mega
VLAN 20   192.168.20.0/24   5 Mega
VLAN 30   192.168.30.0/24   10 Mega
VLAN 40   192.168.30.0/24   50 Mega
VLAN 50   192.168.50.0/24   5 Mega
----------------------------------------------------------------------------------------------------------------
part of Configuration i tried :

access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
access-list 103 permit ip 192.168.30.0 0.0.0.255 any
access-list 104 permit ip 192.168.40.0 0.0.0.255 any
access-list 105 permit ip 192.168.50.0 0.0.0.255 any
!
!
Class-map match-all ACC_Class
match access-group 101
!
Class-map Match-all RSE_Class
match access-group 102
!
Class-map Match-all IT_Class
match access-group 103
!
Class-map Match-all CUSTO_Class
match access-group 104
!
Class-map Match-all TEST_Class
match access-group 105
!
Policy-map ACC_QoS
class ACC_Class
class class-default
police 5000000 8000 exceed-action drop
!
Policy-map RSE_QoS
class RSE_Class
class class-default
police 5000000 8000 exceed-action drop
!
Policy-map IT_QoS
class IT_Class
class class-default
police 10000000 8000 exceed-action drop
!
Policy-map CUSTO_QoS
class CUSTO_Class
class class-default
police 50000000 10000 exceed-action drop
!
Policy-map TEST_QoS
class TEST_Class
class class-default
police 5000000 8000 exceed-action drop
!
interface vlan 10
   Service-policy input ACC_QoS
   Service-policy output ACC_QoS
!
interface vlan 20
   Service-policy input RSE_QoS
   Service-policy output RSE_QoS
!
interface vlan 30
   Service-policy input IT_QoS
   Service-policy output IT_QoS
!
interface vlan 40
   Service-policy input CUSTO_QoS
   Service-policy output CUSTO_QoS
!
interface vlan 50
   Service-policy input TEST_QoS
   Service-policy output TEST_QoS
!
-----------------------------------------------------------------------------------------------------------------------------------------
It doesn't work with my 3560.
The switch doesn't support the input policy and also the shaping.
I would like to shape my qos input/output flow according to the VLAN descrition.
Could you help me

Claude

Georg Pauwen · ‎12-26-2016

Hello Claude,

the 3560 does QoS a bit different.

Do you have 'mls qos' enabled globally ?

For VLAN based QoS, you also need to enable 'mls qos vlan-based' on the physical ports that belong to the SVIs.

Can you post the full configuration of the switch ? That would make it easier to point out a few things...

cbemobile · ‎12-27-2016

HI Gpauwen

thanks for your help

here under my configuration all the port of the switch are not used for my test. The unused port are shutdown.

no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SW3560
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain-lookup
!
!
!
mls qos
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
class-map match-all TEST_Class
match access-group 105
class-map match-all IT_Class
match access-group 103
class-map match-all CUSTO_Class
match access-group 104
class-map match-all ACC_Class
match access-group 101
class-map match-all RSE_Class
match access-group 102
!
!
policy-map TEST_QoS
class TEST_Class
class class-default
police 5000000 8000 exceed-action drop
policy-map IT_QoS
class IT_Class
class class-default
police 10000000 8000 exceed-action drop
policy-map CUSTO_QoS
class CUSTO_Class
class class-default
police 50000000 10000 exceed-action drop
policy-map ACC_QoS
class ACC_Class
class class-default
police 5000000 8000 exceed-action drop
policy-map RSE_QoS
class RSE_Class
class class-default
police 5000000 8000 exceed-action drop
!
!
!
interface FastEthernet0/7
description to RSE Office 1
switchport access vlan 20
switchport mode access
mls qos vlan-based
!
interface FastEthernet0/11
description to RSE office 2
switchport access vlan 20
switchport mode access
mls qos vlan-based
!
interface FastEthernet0/15
description trunk to Acces Point 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30,40
switchport mode trunk
switchport nonegotiate
mls qos vlan-based
!
interface FastEthernet0/18
description to IT Office 1
switchport access vlan 30
switchport mode access
mls qos vlan-based
!
interface FastEthernet0/22
description to IT Office 2
switchport access vlan 30
switchport mode access
mls qos vlan-based
!
interface FastEthernet0/31
description trunk to Acces Point 2
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30,40,50
switchport mode trunk
switchport nonegotiate
mls qos vlan-based
!
interface FastEthernet0/33
description to Billetterie
switchport access vlan 50
switchport mode access
mls qos vlan-based
!
interface FastEthernet0/36
description to TEST 1
switchport access vlan 50
switchport mode access
mls qos vlan-based
!
interface FastEthernet0/40
description to TEST 2
switchport access vlan 50
switchport mode access
mls qos vlan-based
!
interface FastEthernet0/47
description trunk to Acces Point 3
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30,40,50
switchport mode trunk
switchport nonegotiate
mls qos vlan-based
!
interface FastEthernet0/48
shutdown
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
description trunk to captive portal
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30,40,50
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/3
shutdown
!
interface GigabitEthernet0/4
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description ACC Admin network
ip address 192.168.10.254 255.255.255.0
!
interface Vlan20
description RSE network
ip address 192.168.20.254 255.255.255.0
!
interface Vlan30
description IT network
ip address 192.168.30.254 255.255.255.0
!
interface Vlan40
description CUSTO Guest network
ip address 192.168.40.254 255.255.255.0
!
interface Vlan50
description TEST network
ip address 192.168.50.254 255.255.255.0

!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip http server
ip http secure-server
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
access-list 103 permit ip 192.168.30.0 0.0.0.255 any
access-list 104 permit ip 192.168.40.0 0.0.0.255 any
access-list 105 permit ip 192.168.50.0 0.0.0.255 any
!
line con 0
line vty 5 15
!
end

------------------------------------------------------------

When i try to apply the Policy to a vlan i get the following error

SW3560(config-if)# Service-policy input ACC_QoS
%QoS: policy-map with police action at parent level not supported on Vlan10 interface.
SW3560(config-if)# Service-policy output ACC_QoS
police command is not supported for this interface
The interface does not support the specified policy configuration and/or parameter values.
SW35601(config-if)#

------------------------------------------------------------

If it doesn't work with 3560 whitch is the method i can use to set the priority to a vlan compared to the others.

Thanks

Georg Pauwen · ‎12-27-2016

Hello,

thanks for the config. The caveat with SVIs and policy maps is that you cannot police in the parent map, you need a nested child map where the policing is configured.

I will try and get a working config together...will get back with you.

cbemobile · ‎12-27-2016

Thanks

Georg Pauwen · ‎12-29-2016

Hello,

you need to configure the VLAN_10 class and VLAN_10_POLICER_PARENt at the root level. Make sure you exit to (config) mode first as below:

SW3560(config)#class-map match-any ACC_TRUNK
SW3560(config-cmap)# match input-interface FastEthernet0/15
SW3560(config-cmap)# match input-interface FastEthernet0/31
SW3560(config-cmap)# match input-interface FastEthernet0/47
SW3560(config-cmap)# match input-interface GigabitEthernet0/2
SW3560(config-cmap)#exit
SW3560(config)#access-list 101 permit ip 192.168.10.0 0.0.0.255 any
SW3560(config)#policy-map VLAN10_POLICER_CHILD
SW3560(config-pmap)# class ACC_TRUNK
SW3560(config-pmap-c)# police 5000000 8000 exceed-action drop
SW3560(config-pmap-c)# exit
SW3560(config)#class-map match-all VLAN_10
SW3560(config-cmap)# match access-group 101
SW3560(config-cmap)#exit
SW3560(config)#policy-map VLAN10_POLICER_PARENT
SW3560(config-pmap)# class VLAN_10
SW3560(config-pmap-c)# set ip precedence 1
SW3560(config-pmap-c)# service-policy VLAN10_POLICER_CHILD
SW3560(config-pmap-c)#ex
SW3560(config-pmap)#ex
SW3560(config)#interface Vlan 10
SW3560(config-if)# service-policy input VLAN10_POLICER_PARENT

cbemobile · ‎12-29-2016

hello,

I have tried but it is the same :

SW3560(config)#class-map match-any ACC_TRUNK
SW3560(config-cmap)# match input-interface FastEthernet0/15
SW3560(config-cmap)# match input-interface FastEthernet0/31
SW3560(config-cmap)# match input-interface FastEthernet0/47
SW3560(config-cmap)# match input-interface GigabitEthernet0/2
SW3560(config-cmap)#ex
SW3560(config)#access-list 101 permit ip 192.168.10.0 0.0.0.255 any
SW3560(config)#
SW3560(config)#policy-map VLAN10_POLICER_CHILD
SW3560(config-pmap)# class ACC_TRUNK
SW3560(config-pmap-c)# police 5000000 8000 exceed-action drop
SW3560(config-pmap-c)#ex
SW3560(config-pmap)#ex
SW3560(config)#class-map match-all VLAN_10
SW3560(config-cmap)# match access-group 101
SW3560(config-cmap)#ex
SW3560(config)#
SW3560(config)#policy-map VLAN10_POLICER_PARENT
SW3560(config-pmap)# class VLAN_10
SW3560(config-pmap-c)# set ip precedence 1
SW3560(config-pmap-c)# service-policy VLAN10_POLICER_CHILD
SW3560(config-pmap-c)#
SW3560(config-pmap-c)#ex
SW3560(config-pmap)#ex
SW3560(config)#interface Vlan 10
SW3560(config-if)# description ADMIN_VLAN Admin network
SW3560(config-if)# ip address 192.168.10.254 255.255.255.0
SW3560(config-if)# service-policy input VLAN10_POLICER_PARENT
QoS: class(ACC_TRUNK) Unsupported classification [Vlan10]
Service Policy attachment failed
SW3560(config-if)#

---------------------------------------------------------------------------------------

But according to your configuration i tried the following :

SW3560(config)#
SW3560(config)#class-map match-all TRUNK_F15
SW3560(config-cmap)# match input-interface FastEthernet0/15
SW3560(config-cmap)#class-map match-all TRUNK_F31
SW3560(config-cmap)# match input-interface FastEthernet0/31
SW3560(config-cmap)#class-map match-all TRUNK_F47
SW3560(config-cmap)# match input-interface FastEthernet0/47
SW3560(config-cmap)#class-map match-all TRUNK_G02
SW3560(config-cmap)# match input-interface GigabitEthernet0/2
SW3560(config-cmap)#ex
SW3560(config)#access-list 101 permit ip 192.168.10.0 0.0.0.255 any
SW3560(config)#access-list 102 permit ip 192.168.20.0 0.0.0.255 any
SW3560(config)#policy-map VLAN10_POLICER_CHILD
SW3560(config-pmap)# class TRUNK_F15
SW3560(config-pmap-c)# class TRUNK_F31
SW3560(config-pmap-c)# class TRUNK_F47
SW3560(config-pmap-c)# class TRUNK_G02
SW3560(config-pmap-c)# police 5000000 8000 exceed-action drop
SW3560(config-pmap-c)#ex
SW3560(config-pmap)#ex
SW3560(config)#policy-map VLAN20_POLICER_CHILD
SW3560(config-pmap)# class TRUNK_F15
SW3560(config-pmap-c)# class TRUNK_F31
SW3560(config-pmap-c)# class TRUNK_F47
SW3560(config-pmap-c)# class TRUNK_G02
SW3560(config-pmap-c)# police 10000000 24000 exceed-action drop
SW3560(config-pmap-c)#ex
SW3560(config-pmap)#ex
SW3560(config)#class-map match-all VLAN_10
SW3560(config-cmap)# match access-group 101
SW3560(config-cmap)#class-map match-all VLAN_20
SW3560(config-cmap)# match access-group 102
SW3560(config-cmap)#ex
SW3560(config)#policy-map VLAN10_POLICER_PARENT
SW3560(config-pmap)# class VLAN_10
SW3560(config-pmap-c)# set ip precedence 1
SW3560(config-pmap-c)# service-policy VLAN10_POLICER_CHILD
SW3560(config-pmap-c)#ex
SW3560(config-pmap)#ex
SW3560(config)#policy-map VLAN20_POLICER_PARENT
SW3560(config-pmap)# class VLAN_20
SW3560(config-pmap-c)# set ip precedence 6
SW3560(config-pmap-c)# service-policy VLAN20_POLICER_CHILD
SW3560(config-pmap-c)#ex
SW3560(config-pmap)#ex
SW3560(config)#interface Vlan 10
SW3560(config-if)# description ADMIN_VLAN Admin network
SW3560(config-if)# ip address 192.168.10.254 255.255.255.0
SW3560(config-if)# service-policy input VLAN10_POLICER_PARENT
00:07:05: %LINK-3-UPDOWN: Interface Vlan10, changed state to up
SW3560(config-if)#ex
SW3560(config)#interface Vlan 20
SW3560(config-if)# description RSE_VLAN RSE network
SW3560(config-if)# ip address 192.168.20.254 255.255.255.0
SW3560(config-if)# service-policy input VLAN20_POLICER_PARENT
SW3560(config-if)#
00:07:25: %LINK-3-UPDOWN: Interface Vlan20, changed state to up
SW3560(config-if)#

---------------------------------------------------------------------------

I didn't got any error message.

do you think that it work's ?

There is a command to check if the qos is well apllied ?

Georg Pauwen · ‎12-29-2016

Hello Claude,

SW3560#show policy-map interface vlan 10

should tell you if you have matching packets. Can you post the output of that command ?

cbemobile · ‎12-29-2016

hi,

The switch is on my desk in my lab not in the nominal site.

I need to install equipments to generate traffic.

I will do it as soon as possible.

here Under the result of the command show in the console.

SW3560>show policy-map interface VLAN10
Vlan10

Service-policy input: VLAN10_POLICER_PARENT

    Class-map: VLAN_10 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 101

Service-policy : VLAN10_POLICER_CHILD

        Class-map: TRUNK_F15 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps
          Match: input-interface FastEthernet0/15

        Class-map: TRUNK_F31 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps
          Match: input-interface FastEthernet0/31

        Class-map: TRUNK_F47 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps
          Match: input-interface FastEthernet0/47

        Class-map: TRUNK_G02 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: input-interface GigabitEthernet0/2

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
            0 packets, 0 bytes
            5 minute rate 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        5 minute rate 0 bps
SW3560>

I will send you one with traffic ASAP.

Thanks

cbemobile · ‎01-04-2017

HI,

I am on duty on other project for a week.

But in first i have this message for you and the members of the forum :

I wish you this new year brings you health, happiness and success of your personal and professional projects.

thanks "gpauwen" for your help.

I will give you news ASAP.

Georg Pauwen · ‎12-27-2016

Hello,

can you try the below ? Unfortunately I do not have a 3560 I can test this on...

The idea is to nest the policer inside a parent map, that is the only way the policy can be applied to an SVI (VLAN interface).

class-map match-all ACC_CLASS
match access-group 101

policy-map CHILD_POLICY
class ACC_CLASS
police 5000000 8000 exceed-action-drop

policy-map PARENT_POLICY
class ACC_CLASS
service-policy CHILD_POLICY

int vlan 10
service-policy input PARENT_POLICY

cbemobile · ‎12-27-2016

Hello,

I have tried the configuration here under according to your example :

---------------------------------------------------------------------------

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

class-map match-all ACC_Class
match access-group 101

policy-map CHILD_ACC_POLICY
class ACC_Class
police 5000000 8000 exceed-action drop

policy-map ACC_PARENT_POLICY
class ACC_Class
service-policy CHILD_ACC_POLICY

-------------------------------------------------------------

but when i try to configure the vlan i get this :

SW3560(config)#interface Vlan10
SW3560(config-if)# description ACC Admin network
SW3560(config-if)# ip address 192.168.10.254 255.255.255.0
SW3560(config-if)# service-policy input ACC_PARENT_POLICY
%QoS: No action is configured in the policymap ACC_PARENT_POLICY classmap ACC_Class, or it is being modified.
Service Policy attachment failed
SW3560(config-if)#

I writed the configuration and i reload the switch but i got the same error.

Do you have an idea ?

Thanks

Claude

Georg Pauwen · ‎12-27-2016

Hello,

try and add 'set dscp cs1' to the parent map:

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

class-map match-all ACC_Class
match access-group 101

policy-map CHILD_ACC_POLICY
class ACC_Class
police 5000000 8000 exceed-action drop

policy-map ACC_PARENT_POLICY
class ACC_Class
service-policy CHILD_ACC_POLICY
set dscp cs1

cbemobile · ‎12-28-2016

HI,

I did it :

class-map match-all ACC_Class
match access-group 101
!
!
policy-map CHILD_ACC_POLICY
class ACC_Class
police 5000000 8000 exceed-action drop
!
policy-map ACC_PARENT_POLICY
class ACC_Class
set dscp cs1
service-policy CHILD_ACC_POLICY
!
interface Vlan10
description ACC Admin network
ip address 192.168.10.254 255.255.255.0
service policy input ACC_PARENT_POLICY

And i get the following error :

SW3560(config-if)# service-policy input ACC_PARENT_POLICY
%QoS: child policy-map CHILD_ACC_POLICY classmap ACC_Class only support MATCH INPUT-INTERFACE.
Service Policy attachment failed
SW3560(config-if)#

---------------------------------------------------------------------------------------------------------------------------------------------

I saw that i can apply directly the rate limit to the interface vlan :

interface Vlan10
description ACC Admin network
ip address 192.168.10.254 255.255.255.0
rate-limit input 5000000 8000 8000 conform-action transmit exceed-action drop
rate-limit output 5000000 8000 8000 conform-action transmit exceed-action drop

But i am not shure (i am not expert in QOS) that this configuration match with my need. I supose that the rating could be apply only when i use intervlan routing.

My need is to limit all the traffic from a vlan input/output on all the interface where this vlan is allowed.

Georg Pauwen · ‎12-28-2016

Claude,

try this one. The child policy needs to match an interface and has to be a policer. The parent policy needs a 'set' action.

class-map match-any ACC_TRUNK
match input-interface FastEthernet0/15
match input-interface FastEthernet0/31
match input-interface FastEthernet0/47
match input-interface GigabitEthernet0/2

!
policy-map VLAN10_POLICER_CHILD
class ACC_TRUNK
police 5000000 8000 exceed-action drop

access-list 101 permit ip 192.168.10.0 any
!
class-map match-all VLAN_10
match access-group 101
!
policy-map VLAN10_POLICER_PARENT
class VLAN_10
set ip precedence 1
service-policy VLAN10_POLICER_CHILD

interface Vlan 10
service policy input VLAN10_POLICER_PARENT

3560 SWITCH QOS CONFIGUrATION HELP