04-15-2010 09:43 AM - edited 03-06-2019 10:38 AM
I'm "new" to QoS policing, and I thought I had this configuration working, but turns out it doesn't. I was hoping to apply this policy for users on vlan 2099 both ingress and egress, but turns out the ingress doesn't work. I modified the config and placed an egress policy on vlan 40, the default route out of the box. That portion works perfectly - I hit our bandwidth test server and my throughput is policed to about 1mb/s, even though my policy is for 4mb/s.
The egress policy towards the users on vlan 2099 doesn't work at all. That subnet is 10.128.254/24, and my laptop on that vlan doesn't appear to get policed. I'm wondering if there's a limit to one egress policy per box or something strange like that. Here's my config:
class-map match-all Identify_WLAN_Guest_outbound
 match access-group name Guest_WLAN_UBRL_Outbound
class-map match-all Identify_WLAN_Guest_inbound
 match access-group name Guest_WLAN_UBRL_Inbound
!
!
policy-map police_WLAN_Guest_traffic_outbound
 class Identify_WLAN_Guest_outbound
  police cir 4000000 bc 32000 be 32000 conform-action transmit exceed-action drop violate-action drop
policy-map police_WLAN_Guest_traffic_inbound
 class Identify_WLAN_Guest_inbound
  police cir 4000000 bc 32000 be 32000 conform-action transmit exceed-action drop violate-action drop
!
!
interface Vlan40
 ! (sanitized for your protection)
 ip address 19.27.2.89 255.255.255.252
 service-policy output police_WLAN_Guest_traffic_outbound
!
!
interface Vlan2099
 description = Dilbert_Development
 ip address 10.128.254.254 255.255.255.0
 service-policy output police_WLAN_Guest_traffic_inbound
!
ip access-list extended Guest_WLAN_UBRL_Inbound
 permit ip any 10.128.254.0 0.0.0.255
ip access-list extended Guest_WLAN_UBRL_Outbound
 permit ip 10.128.254.0 0.0.0.255 any
CSFC6503#sh policy-map interface vlan 40
Vlan40
Service-policy output: police_WLAN_Guest_traffic_outbound
class-map: Identify_WLAN_Guest_outbound (match-all)
Match: access-group name Guest_WLAN_UBRL_Outbound
police :
4000000 bps 32000 limit 32000 extended limit
Earl in slot 5 :
19559988 bytes
5 minute offered rate 98984 bps
aggregate-forwarded 16727171 bytes action: transmit
exceeded 2832817 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Class-map: class-default (match-any)
579 packets, 42651 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
CSFC6503#
CSFC6503#
CSFC6503#
CSFC6503#sh policy-map interface vlan 2099
Vlan2099
Service-policy output: police_WLAN_Guest_traffic_inbound
class-map: Identify_WLAN_Guest_inbound (match-all)
Match: access-group name Guest_WLAN_UBRL_Inbound
police :
4000000 bps 32000 limit 32000 extended limit
Earl in slot 5 :
3490 bytes
5 minute offered rate 0 bps
aggregate-forwarded 3490 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
CSFC6503#
04-15-2010 11:01 AM
Hello Tdenney,
Vlan based QoS can be of help in your case:
This example shows how to enable VLAN-based PFC QoS on Fast Ethernet port 5/42:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/42
Router(config-if)# mls qos vlan-based
Router(config-if)# end
See http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/qos.html#wp1726124
Hope to help
Giuseppe
04-15-2010 01:50 PM
Giuseppe,
My users on vlan 2099 come in from a vlan trunk - they are not local to this 6509. They come in from a WiSM module, which builds a trunk (that I cannot modify) and therefore I don't think mls qos vlan-based is possible. I could be wrong, since I'm new to QoS.
Thanks,
Tim
04-16-2010 02:00 AM
Hello Tim,
>> My users on vlan 2099 come in from a vlan trunk - they are not local to this 6509. They come in from a WiSM module, which builds a trunk (that I cannot modify)
I see, so you mean the internal bundles (4GE) + (4GE) towards the two WiSM processors?
Is there an alternate place in the network where you can apply a policing or shaping action for these users?
Hope to help
Giuseppe
04-16-2010 03:37 AM
Giuseppe,
Yes, the internal 4GE bundles from the WiSM to the chassis. This 6509 has four WiSM blades in it and a 24 port gig blade with four SFPs in it etherchanneled to another 6509, which is the default gateway. We call it a WiSM farm, so the box does almost nothing else.
What if I were to hang an 8-port 3560 off one of those gig ports and trunk it? No users connected to it, etc., but at least it would provide me with a trunk that could be modified. I wonder if that would trick the box into allowing the policies to work bidirectionally on the vlan interface. The users would still be on the WiSMs, but I wonder if the traffic would get policed.
Good idea!
Thanks,
Tim
04-15-2010 12:13 PM
Hi,
Why do you want to police the outbound direction toward the user?
If you want to restrict the user bandwidth, you might want to apply the policing in the inbound direction on the user vlan.
HTH,
Lei Tian
04-15-2010 01:28 PM
Lei,
I want to police the traffic because this vlan is used for guest users. I would rather use policing on ingress and egress for vlan 2099; however, I could not get it to work. The users on vlan 2099 are coming in from a trunk, which is not able to be modified.
My first attempt was to use ingress policing on vlan 2099, but it did not work. I read somewhere ingress policing was not supported, so I moved it to egress policing on vlan 40, which is the default route out of the box.
Thanks,
Tim
04-15-2010 08:57 PM
Hi Tim,
Inbound policing is supported by all supervisors; there must be some other reason preventing inbound policing from working.
HTH,
Lei Tian
04-16-2010 03:40 AM