01-18-2017 01:01 PM - edited 03-08-2019 08:57 AM
We are trying to set up QoS bandwidth policing by subnet, but the policies we've defined aren't getting any hits. Only the default policy is applying.
All of our /24 subnets terminate on the 3850 stack; we are trying to police bandwidth inbound/outbound via interfaces tied to VLAN 2 and VLAN 3 to our edge routers.
class-map match-any GOLD
 match access-group name GOLD_staff
class-map match-any BRONZE
 match access-group name BRONZE_staff
class-map match-any PLATINUM
 match access-group name PLATINUM_staff
class-map match-any SILVER
 match access-group name SILVER_staff
!
policy-map PoliceBandwidth
 class BRONZE
  police cir 10240000 bc 312500 conform-action transmit exceed-action drop
 class SILVER
  police cir 25600000 bc 312500 conform-action transmit exceed-action drop
 class GOLD
  police cir 51200000 bc 312500 conform-action transmit exceed-action drop
 class PLATINUM
  police cir 102400000 bc 312500 conform-action transmit exceed-action drop
 class class-default
  police cir 10240000 bc 312500 conform-action transmit exceed-action drop
!
interface GigabitEthernet1/0/1
 switchport access vlan 2
 switchport mode access
 service-policy input PoliceBandwidth
 service-policy output PoliceBandwidth
!
interface GigabitEthernet1/0/2
 switchport access vlan 3
 switchport mode access
 service-policy input PoliceBandwidth
 service-policy output PoliceBandwidth
!
ip access-list extended BRONZE_staff
 permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended SILVER_staff
 permit ip 192.168.101.0 0.0.0.255 any
ip access-list extended GOLD_staff
 permit ip 192.168.102.0 0.0.0.255 any
ip access-list extended PLATINUM_staff
 permit ip 192.168.103.0 0.0.0.255 any
01-19-2017 06:34 PM
If you want to police in both directions, your access lists are going to have to match in both directions, e.g.
ip access-list extended BRONZE_staff
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip any 192.168.100.0 0.0.0.255
Try putting the service policy on the actual VLAN interfaces if you don't make progress.
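The effect of the reciprocal ACL entry, as an added example that is not part of the original thread: a small Python model of IOS wildcard matching and first-match class selection, using the thread's subnets and class order. The address 203.0.113.10 and all function names are constructed for illustration, and the model covers ACL logic only, not the 3850's hardware classification.

```python
import ipaddress

# Constructed model: subnets and class order are taken from the thread's
# policy-map; everything else (names, sample addresses) is illustrative.
WILDCARD = "0.0.0.255"
ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any" as base + wildcard
CLASSES = [  # order of the classes in policy-map PoliceBandwidth
    ("BRONZE", "192.168.100.0"),
    ("SILVER", "192.168.101.0"),
    ("GOLD", "192.168.102.0"),
    ("PLATINUM", "192.168.103.0"),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def build_acls(bidirectional):
    """Return {class: [(src_spec, dst_spec), ...]} for each staff ACL."""
    acls = {}
    for name, net in CLASSES:
        entries = [((net, WILDCARD), ANY)]          # permit ip <net> any
        if bidirectional:
            entries.append((ANY, (net, WILDCARD)))  # permit ip any <net>
        acls[name] = entries
    return acls

def classify(src, dst, acls):
    """First class whose ACL permits the packet wins, else class-default."""
    for name, _ in CLASSES:
        for src_spec, dst_spec in acls[name]:
            if wildcard_match(src, *src_spec) and wildcard_match(dst, *dst_spec):
                return name
    return "class-default"

if __name__ == "__main__":
    flows = [("192.168.102.25", "203.0.113.10"),   # staff host to outside
             ("203.0.113.10", "192.168.102.25")]   # return traffic
    for label, acls in (("one-way", build_acls(False)),
                        ("bidirectional", build_acls(True))):
        for src, dst in flows:
            print(f"{label:13} {src:>15} -> {dst:<15} {classify(src, dst, acls)}")
```

With the one-way ACLs the return flow falls through to class-default and is policed at that class's rate instead of the subnet's own.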
01-23-2017 09:19 AM
Adding the reciprocal path to the access-list seems to be working, thanks!
When I try to add:
 service-policy input PoliceBandwidth
 service-policy output PoliceBandwidth
to the VLAN interface, the commands don't stick and don't show up in the configuration.
I can only assume this switch doesn't support service policies on VLAN interfaces.