cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1231
Views
0
Helpful
8
Replies

3750 Switch Aggregate Policer

alexb
Level 1
Level 1

I have a 1-port VLAN that I wish to regulate the data rate on. So far, this is what I have:

-1 Permit-All ACL that is always on attached to the inbound and outbound of the VLAN (not the port)

-1 class matching on that ACL

-1 Aggregate policer configured at 8kbps with 8kb burst (set to min for testing; this is not the desired rate) with the exceed action set to drop

-1 policy with that class in it

When testing throughput, I am still getting data through at much higher rates. Is there an explanation for this or am I missing something in my configuration.

Thanks in advance!

8 Replies 8

Hello,

can you post your configuration ?

Regards,

GP

I posted once before but it doesn't appear to have made it. I had to trim out some of the "vanilla" ports to meet max-char posting requirements. In the config, each VLAN is, of course, a different net:

version 12.1

no service pad

service timestamps debug uptime

service timestamps log datetime

no service password-encryption

service sequence-numbers

!

hostname xxxxxxxx

!

enable password xxxxxxxx

!

clock timezone EST 0

ip subnet-zero

ip routing

!

mls qos aggregate-policer 1MBRate 8000 8000 exceed-action drop

!

class-map match-all Tenant-41-Class

match access-group name Tenant-41-ACL

!

!

policy-map Tenant-41-1MB-Rate

class Tenant-41-Class

police aggregate 1MBRate

trust ip-precedence

!

!

!

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree vlan 1 priority 24576

!

!

interface FastEthernet1/0/1

description xxxxxxxx

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/2

description xxxxxxxx

switchport trunk encapsulation dot1q

switchport mode trunk

no ip address

no mdix auto

!

interface FastEthernet1/0/3

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/4

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/13

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/14

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/15

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/16

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/40

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/41

switchport access vlan 41

switchport trunk encapsulation dot1q

switchport trunk native vlan 41

switchport mode access

no ip address

service-policy input Tenant-41-1MB-Rate

no mdix auto

!

interface FastEthernet1/0/42

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/43

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/44

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/45

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/46

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/47

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/48

no ip address

no mdix auto

spanning-tree portfast

!

interface GigabitEthernet1/0/1

description xxxxxxxx

switchport trunk encapsulation dot1q

switchport mode trunk

no ip address

no mdix auto

!

interface GigabitEthernet1/0/2

description xxxxxxxx

switchport trunk encapsulation dot1q

switchport mode trunk

no ip address

no mdix auto

!

interface GigabitEthernet1/0/3

description xxxxxxxx

switchport trunk encapsulation dot1q

switchport mode trunk

no ip address

no mdix auto

!

interface GigabitEthernet1/0/4

no ip address

!

interface Vlan1

ip address 172.xxx.xxx.xxx 255.255.255.0

!

interface Vlan2

ip address 172.xxx.xxx.xxx 255.255.255.0

ip helper-address 172.xxx.xxx.xxx

!

interface Vlan3

ip address 172.xxx.xxx.xxx 255.255.255.0

ip helper-address 172.xxx.xxx.xxx

!

interface Vlan4

ip address 172.xxx.xxx.xxx 255.255.255.0

ip helper-address 172.xxx.xxx.xxx

!

interface Vlan5

ip address 172.xxx.xxx.xxx 255.255.255.0

ip helper-address 172.xxx.xxx.xxx

!

interface Vlan41

ip address 172.xxx.xxx.xxx 255.255.255.0

ip access-group Tenant-41-ACL in

ip access-group Tenant-41-ACL out

!

ip classless

ip route 0.0.0.0 0.0.0.0 172.xxx.xxx.xxx

ip http server

!

ip access-list standard Tenant-41-ACL

permit any

!

!

line con 0

line vty 0 4

login

line vty 5 15

login

!

time-range AllTime

periodic daily 0:00 to 23:59

!

end

alfredshum
Level 1
Level 1

What's the direction of your throughput test? Inbound or outbound of that VLAN?

What's the direction of your service-policy on the port or VLAN? Input or output?

Make sure they match or your test won't be valid.

The policy is on the VLAN, inbound and outbound.

My throughput test was outbound.

Thanks for your input!

interface FastEthernet1/0/41

switchport access vlan 41

switchport trunk encapsulation dot1q

switchport trunk native vlan 41

switchport mode access

no ip address

service-policy input Tenant-41-1MB-Rate

no mdix auto

You're doing an inbound service-policy so that all traffic coming into the port f1/0/41 will be policed.

So what about your throughput test? Is the "stress" coming into the port f1/0/41 or out of this port?

Sorry - I did forget to remove the policy from the actual interface. My intent was for the policy to only be applied to the VLAN. Instead, it appears to be attached to inbound and outbound on VLAN 41 and also inbound on the actual interface.

The stress was only tested outbound as that is the only portion i want to rate-limit for now.

But there is no "service-policy" configurations in the Interface VLAN41.

So can you post your most updated configuration? Just want to make sure that you're applying the rate-limit to the correct direction.

Thanks for taking a look. No changes except I removed the service-policy from interface 41.

version 12.1

no service pad

service timestamps debug uptime

service timestamps log datetime

no service password-encryption

service sequence-numbers

!

hostname xxxxxxxx

!

enable password xxxxxxxx

!

clock timezone EST 0

ip subnet-zero

ip routing

!

mls qos aggregate-policer 1MBRate 8000 8000 exceed-action drop

!

class-map match-all Tenant-41-Class

match access-group name Tenant-41-ACL

!

!

policy-map Tenant-41-1MB-Rate

class Tenant-41-Class

police aggregate 1MBRate

trust ip-precedence

!

!

!

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree vlan 1 priority 24576

!

!

interface FastEthernet1/0/1

description xxxxxxxx

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/2

description xxxxxxxx

switchport trunk encapsulation dot1q

switchport mode trunk

no ip address

no mdix auto

!

interface FastEthernet1/0/3

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/4

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/13

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/14

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/15

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/16

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/40

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/41

switchport access vlan 41

switchport trunk encapsulation dot1q

switchport trunk native vlan 41

switchport mode access

no ip address

no mdix auto

!

interface FastEthernet1/0/42

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/43

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/44

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/45

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/46

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/47

no ip address

no mdix auto

spanning-tree portfast

!

interface FastEthernet1/0/48

no ip address

no mdix auto

spanning-tree portfast

!

interface GigabitEthernet1/0/1

description xxxxxxxx

switchport trunk encapsulation dot1q

switchport mode trunk

no ip address

no mdix auto

!

interface GigabitEthernet1/0/2

description xxxxxxxx

switchport trunk encapsulation dot1q

switchport mode trunk

no ip address

no mdix auto

!

interface GigabitEthernet1/0/3

description xxxxxxxx

switchport trunk encapsulation dot1q

switchport mode trunk

no ip address

no mdix auto

!

interface GigabitEthernet1/0/4

no ip address

!

interface Vlan1

ip address 172.xxx.xxx.xxx 255.255.255.0

!

interface Vlan2

ip address 172.xxx.xxx.xxx 255.255.255.0

ip helper-address 172.xxx.xxx.xxx

!

interface Vlan3

ip address 172.xxx.xxx.xxx 255.255.255.0

ip helper-address 172.xxx.xxx.xxx

!

interface Vlan4

ip address 172.xxx.xxx.xxx 255.255.255.0

ip helper-address 172.xxx.xxx.xxx

!

interface Vlan5

ip address 172.xxx.xxx.xxx 255.255.255.0

ip helper-address 172.xxx.xxx.xxx

!

interface Vlan41

ip address 172.xxx.xxx.xxx 255.255.255.0

ip access-group Tenant-41-ACL in

ip access-group Tenant-41-ACL out

!

ip classless

ip route 0.0.0.0 0.0.0.0 172.xxx.xxx.xxx

ip http server

!

ip access-list standard Tenant-41-ACL

permit any

!

!

line con 0

line vty 0 4

login

line vty 5 15

login

!

time-range AllTime

periodic daily 0:00 to 23:59

!

end

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: