
3750 SVI QoS not working

afrozahmad07
Level 1

I want to police the traffic coming from host 10.0.0.10, which is connected to another switch via a port-channel interface. The port-channel has interfaces G2/0/49 and G2/0/50. I have applied the config below to SVI 112, but it is not working: the host is still able to go beyond the policed rate, and in the "sh policy-map interface vlan 112" output everything is showing 0 (zero).

class-map match-all CM_FTP_PORT_49
  match input-interface  GigabitEthernet2/0/49
class-map match-all CM_FTP_PORT_50
  match input-interface  GigabitEthernet2/0/50
class-map match-all CM_FTP
  match access-group 21
!
!
policy-map PM_CHILD_FTP
  class CM_FTP_PORT_49
    police 3000000 24000 exceed-action drop
  class CM_FTP_PORT_50
    police 3000000 24000 exceed-action drop
policy-map PM_PARENT_FTP
  class CM_FTP
   set precedence 1
   service-policy PM_CHILD_FTP
!
interface Vlan112
 ip address xxxx
 service-policy input PM_PARENT_FTP
end
!
access-list 21 permit 10.0.0.10
!

The output of "show policy-map interface vlan 112" shows no results.

SW1#sh policy-map int vlan 112
Vlan112
  Service-policy input: PM_PARENT_FTP
    Class-map: CM_FTP (match-all)
      0 packets, 0 bytes
       offered rate 0 bps, drop rate 0 bps
      Match: access-group 21
      Service-policy : PM_CHILD_FTP
        Class-map: CM_FTP_PORT_49 (match-all)
          0 packets, 0 bytes
           offered rate 0 bps, drop rate 0 bps
          Match: input-interface  GigabitEthernet2/0/49
        Class-map: CM_FTP_PORT_50 (match-all)
          0 packets, 0 bytes
           offered rate 0 bps, drop rate 0 bps
          Match: input-interface  GigabitEthernet2/0/50
        Class-map: class-default (match-any)
          0 packets, 0 bytes
           offered rate 0 bps, drop rate 0 bps
          Match: any
            0 packets, 0 bytes
             rate 0 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
       offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
         rate 0 bps

Also, MLS QoS is disabled; if it is enabled the result is still the same.

SW1#sh mls qos
QoS is disabled
QoS ip packet dscp rewrite is enabled

Also, I have not used "mls qos vlan-based" under the physical interfaces, as the result is the same in any case.

SW1#sh ver | i IOS

Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)

Can somebody help me with this?


Nicholas Beard
Level 1

Afroz,

I have recently implemented the exact same thing you are attempting here with good success on the 3750v2 switch.  Firstly you have a problem if the switch is showing "QoS is disabled", so you need to be sure to enter the "mls qos" command in global configuration.

Secondly, if you are applying QoS to VLAN interfaces (SVI) then you must use the "mls qos vlan-based" command under the physical ports that are members of that VLAN. 

Once you have performed this you need to be aware of the direction the service policy is being applied.  The 3750 has a limitation regarding egress policing.  You have used the "service-policy input" command therefore traffic is being policed in the inbound direction.  This means traffic coming from within that VLAN to the VLAN interface will be policed.

Also, bear in mind there is a bug/limitation with the Cisco 3750 that affects the "show policy-map" command.  This command will always display no traffic for the policies despite them working or not.  See below -

3750 statistics under match criteria in show policy int always zero

Symptom:
The counters associated with individual match criteria under show policy-map interface are always 0. These counters are not supported by the switch.

Workaround:
None.


Your QoS config looks good, so if you perform the two steps above it should work.

Thanks

Nick
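
The two steps from this reply in the order they would be entered on SW1, as an added example that is not part of the original post. Interface, VLAN and policy names are the ones from the question; the `show mls qos interface` checks are an assumption about where to look, given that the `show policy-map` counters stay at zero.

```cisco
! Added example, not from the original thread.
!
! Step 1: enable QoS globally. "show mls qos" must stop reporting
! "QoS is disabled" before any policer can take effect.
configure terminal
 mls qos
!
! Step 2: make the physical member ports of VLAN 112 take their policy
! from the SVI instead of from the port itself.
 interface GigabitEthernet2/0/49
  mls qos vlan-based
 interface GigabitEthernet2/0/50
  mls qos vlan-based
!
! The hierarchical policy from the question stays attached to the SVI.
 interface Vlan112
  service-policy input PM_PARENT_FTP
 end
!
! Checks that do not rely on the per-match counters of
! "show policy-map interface" (assumed as the place to look):
show mls qos
show mls qos interface GigabitEthernet2/0/49
show mls qos interface GigabitEthernet2/0/49 statistics
show mls qos interface GigabitEthernet2/0/50 statistics
```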

Thanks Nick for the reply.

Here I want to ask a few more things before I actually apply this policy.

1. As the host is directly connected to the other switch and we have a port-channel configured between the two switches, if we apply "mls qos vlan-based" on the trunk port of the EtherChannel it may affect other traffic in other VLANs, so do we need to apply full QoS in the LAN environment?

2. Also, as the MLS QoS rewrite is enabled by default and we are enabling MLS QoS, the rewrite will affect other markings and mark them to zero if not trusted, so do we need to trust CoS or DSCP on every port? Can we apply MLS QoS with rewrite disabled? But again, as we are marking the CM_FTP class-map to precedence 1, this will not work. This again means full implementation of QoS in the LAN environment.

3. Also, as we are applying the policy inbound on the SVI port, it means we can only limit downloaded traffic from the FTP server, not upload.

The connectivity is as follows.

SW1--SVI
||Port-channel
||
SW2---FTP server

Regards

Afroz

No problem, in response to your points see below -

1.  The service policy will not affect traffic in other VLANs as you have applied the "mls qos vlan-based" command to only two physical ports.  You have also only applied the service policy to a single VLAN.  Finally, you have also specified an access list within the parent policy map.  This means the service policy will only apply to two physical ports (Gi2/0/49 and Gi2/0/50) in a single VLAN (112) matching an access list based on the source address (10.0.0.10).

2.  Once you have enabled QoS using the "mls qos" command the following occurs -

  • A frame enters the switch port and the frame is not tagged (this means the port is an access port and the frame entering the switch does not have ISL or dot1q encapsulation).

  • The switch encapsulates the frame with the dot1q (ignore ISL because dot1q is the default on all the new switches).

  • Inside the dot1q frame tag, there are three bits called 802.1p priority bits available which are also called CoS. These bits are set to 0.

  • Then, the switch calculates the DSCP value based on the CoS-DSCP map table. As per the table, the switch sets the DSCP value to 0. The DSCP value is located in the IP header of the packet.

In summary, the CoS and DSCP values of the frame entering the switch are set to 0 by default if QoS is enabled on the switch.  Ignore the first two points above if the frame is already encapsulated with dot1q (trunk port).

3.  If the FTP Server is sat within the VLAN you have applied the service policy to, then this will mean traffic sent to the VLAN interface from the FTP Server will be policed.  This traffic will therefore be upload traffic.

Hope this helps.

Nick

Thanks Nick for prompt reply.

I will test this and will get back to you.

Regards

Afroz
