Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1028
Views
0
Helpful
7
Replies

CISCO CATALYST QOS POLICING BANDWIDTH ON SVI ISSUE

mohammed abdul naveed
Level 1
Level 1

‎08-13-2015 01:49 AM - edited ‎03-08-2019 01:20 AM

Hi Freinds, 

i am facing issue with MLS QOS , in 3750x (15.02(se3)) , i configure class maps, policy maps , service policy , but still my qos policing is not working .please let know what mistake i am making.

configuration below.

Current configuration : 12255 bytes
!
! Last configuration change at 09:04:44 UTC Thu Jul 15 1993 by naveed
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname QUR-FF-CB2-DSW
!
boot-start-marker
boot-end-marker
!
!
!
username mdraffi privilege 15 secret 5 $1$KKiJ$4xFm.s7k8boTe8BCnxw7N.
username zubair privilege 15 secret 5 $1$TlXi$PUBbZhzTWn5r3lUTBD22N/
username gazi privilege 15 secret 5 $1$3PBF$jEMaN7G2UykGPjoIKdG3G1
username abdullah privilege 15 secret 5 $1$WN9q$BipNuTF4JZtdusRkrmg8x/
username naveed privilege 15 secret 5 $1$FSs2$CL2inO/wv5.1GxYXpOhwq/
username ncm privilege 15 secret 5 $1$lCM3$K63Tf5QvcSCo2Nm67jtAy1
no aaa new-model
switch 1 provision ws-c3750x-12s
switch 2 provision ws-c3750x-12s
system mtu routing 1500
ip routing
!
ip dhcp excluded-address 10.2.13.200 10.2.13.210
ip dhcp excluded-address 10.2.11.1 10.2.11.60
ip dhcp excluded-address 10.2.14.1 10.2.14.50
ip dhcp excluded-address 10.2.26.1 10.2.26.30
ip dhcp excluded-address 10.2.25.1 10.2.25.30
ip dhcp excluded-address 10.2.27.1 10.2.27.30
ip dhcp excluded-address 10.2.28.1 10.2.28.30
ip dhcp excluded-address 10.2.29.1 10.2.29.30
ip dhcp excluded-address 10.2.26.1 10.2.26.50
!
ip dhcp pool GL
   network 10.2.11.0 255.255.255.0
   default-router 10.2.11.1 
   domain-name ALJAZIRAHFORD
   netbios-name-server 172.16.0.87 
   option 60 ip 10.1.12.61 
   option 67 ascii boot\x86\pxeboot.com
   option 66 ip 10.1.12.61 
   dns-server 172.16.0.73 10.1.11.25 10.1.102.56 
!
ip dhcp pool GR
   network 10.2.12.0 255.255.255.0
   default-router 10.2.12.1 
   domain-name ALJAZIRAHFORD
   netbios-name-server 172.16.0.87 
   option 60 ip 10.1.12.61 
   option 67 ascii boot\x86\pxeboot.com
 --More--            option 66 ip 10.1.12.61 
   dns-server 172.16.0.73 10.1.11.25 10.1.102.56 
!
ip dhcp pool FL
   network 10.2.13.0 255.255.255.0
   default-router 10.2.13.1 
   domain-name ALJAZIRAHFORD
   netbios-name-server 172.16.0.87 
   option 60 ip 10.1.12.61 
   option 67 ascii boot\x86\pxeboot.com
   option 66 ip 10.1.12.61 
   dns-server 172.16.0.73 10.1.11.25 10.1.102.56 
!
ip dhcp pool FR
   network 10.2.14.0 255.255.255.0
   default-router 10.2.14.1 
   domain-name ALJAZIRAHFORD
   netbios-name-server 172.16.0.87 
   option 60 ip 10.1.12.61 
   option 67 ascii boot\x86\pxeboot.com
   option 66 ip 10.1.12.61 
   dns-server 172.16.0.73 10.1.11.25 10.1.102.56 
!
ip dhcp pool voice1
   network 10.2.21.0 255.255.255.0
   default-router 10.2.21.1 
   domain-name ALJAZIRAHFORD
   option 150 ip 172.16.1.97 172.16.1.52 172.16.8.24 
   netbios-name-server 172.16.0.87 
   dns-server 172.16.0.73 10.1.11.25 10.1.102.56 
!
ip dhcp pool Qurtuba-Wireless-Ajva-Users
   network 10.2.26.0 255.255.255.0
   default-router 10.2.26.1 
   dns-server 172.16.0.73 10.1.11.25 10.1.102.56 
   domain-name aljazirahford.com
   option 43 hex f104.ac10.1e02
   option 60 ip 10.1.12.61 
   option 67 ascii boot\x86\pxeboot.com
   option 66 ip 10.1.12.61 
!
ip dhcp pool Qurtuba-Wireless-Ajva-VIPs
   network 10.2.25.0 255.255.255.0
   default-router 10.2.25.1 
   dns-server 172.16.0.73 10.1.11.25 10.1.102.56 
   domain-name aljazirahford.com
   option 43 hex f104.ac10.1e02
   option 60 ip 10.1.12.61 
   option 67 ascii boot\x86\pxeboot.com
   option 66 ip 10.1.12.61 
!
ip dhcp pool Qurtuba-GUEST-Wireless
   network 10.2.27.0 255.255.255.0
   default-router 10.2.27.1 
   dns-server 172.16.0.73 10.1.11.25 10.1.102.56 
   domain-name aljazirahford.com
   option 43 hex f104.ac10.1e02
 --More--            option 60 ip 10.1.12.61 
   option 67 ascii boot\x86\pxeboot.com
   option 66 ip 10.1.12.61 
!
ip dhcp pool Qurtuba-WIPHONE-Wireless
   network 10.2.28.0 255.255.255.0
   default-router 10.2.28.1 
   dns-server 172.16.0.73 10.1.11.25 10.1.102.56 
   domain-name aljazirahford.com
   option 43 hex f104.ac10.1e02
   option 67 ascii boot\x86\pxeboot.com
   option 66 ip 10.1.12.61 
!
ip dhcp pool Qurtuba-ASCOM-Wireless
   network 10.2.29.0 255.255.255.0
   default-router 10.2.29.1 
   dns-server 172.16.0.73 10.1.11.25 10.1.102.56 
   domain-name aljazirahford.com
   option 43 hex f104.ac10.1e02
   option 60 ip 10.1.12.61 
   option 67 ascii boot\x86\pxeboot.com
   option 66 ip 10.1.12.61 
!
!
!
mls qos
!
crypto pki trustpoint TP-self-signed-3461845760
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3461845760
 revocation-check none
 rsakeypair TP-self-signed-3461845760
!
!
crypto pki certificate chain TP-self-signed-3461845760
 certificate self-signed 01
  30820246 308201AF A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 33343631 38343537 3630301E 170D3933 30333031 30303031 
  35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34363138 
  34353736 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100D4FF 0110B67C FBAEBE19 13D8C19B 1DC0D2B1 56DDF5BD 09CF922C 23CB0091 
  71EEEC56 BB0527FF 81CCE011 038BD17D 12C64B2D D64D5098 6381CE1B D5ED89F5 
  81B3D0B4 7CDD463F CF78EF54 72A80B2C 20D70067 D372F121 9DA9FA11 F30A7B75 
  1941767F 9374DA35 B4D3626F C221DD1F 84F16E76 50666793 A4410DAD A400E905 
  C03B0203 010001A3 6E306C30 0F060355 1D130101 FF040530 030101FF 30190603 
  551D1104 12301082 0E515552 2D46462D 4342322D 44535730 1F060355 1D230418 
  30168014 B97FF0E4 51369507 0CAEEC59 AE0FB917 3069E02D 301D0603 551D0E04 
  160414B9 7FF0E451 3695070C AEEC59AE 0FB91730 69E02D30 0D06092A 864886F7 
  0D010104 05000381 8100BE85 E2D775F0 9022D377 5FC37F9A 7147CF78 944E0A0E 
  37901DF1 981D9B41 782C7ECE 3BB66D04 2A6AD612 279A65A9 4579F8B0 10F769BF 
  204D3C26 C999A2B2 7DB8BB78 9EC599CC FC0894CF AE0C1F7F 4FCCE1A1 7AB4DF20 
  11D5AAEC BA4B9A75 6B6801E1 4A7C34E3 6E3AA32C D876CC6C 927B78CD A1FFCCF3 
  DD7D5C15 5D798A56 99F2
  quit
!
 --More--         !
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map match-all GUEST-PORTS
  match input-interface  GigabitEthernet1/0/1
  match input-interface  GigabitEthernet1/0/3 - GigabitEthernet1/0/5
  match input-interface  GigabitEthernet2/0/3 - GigabitEthernet2/0/7
  match input-interface  GigabitEthernet2/0/1
  match input-interface  GigabitEthernet2/0/12
class-map match-all GUEST-REST
  match access-group 101
!
policy-map GUEST-PORT
 class GUEST-PORTS
  police 1000000 32000 exceed-action drop
policy-map GUEST-VLAN
 class GUEST-REST
   set dscp default
   service-policy GUEST-PORT
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 mls qos vlan-based
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/3
 switchport trunk encapsulation dot1q
 mls qos vlan-based
!
interface GigabitEthernet1/0/4
 switchport trunk encapsulation dot1q
 mls qos vlan-based
!
interface GigabitEthernet1/0/5
 switchport trunk encapsulation dot1q
 mls qos vlan-based
!
 --More--         interface GigabitEthernet1/0/6
 switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/7
 switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/8
 switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/9
 switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/10
 switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/11
 switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/12
 switchport trunk encapsulation dot1q
 mls qos vlan-based
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface GigabitEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mls qos vlan-based
!
interface GigabitEthernet2/0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mls qos vlan-based
!
interface GigabitEthernet2/0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mls qos vlan-based
!
interface GigabitEthernet2/0/5
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mls qos vlan-based
 --More--         !
interface GigabitEthernet2/0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mls qos vlan-based
!
interface GigabitEthernet2/0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mls qos vlan-based
!
interface GigabitEthernet2/0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/1/1
!
interface GigabitEthernet2/1/2
!
interface GigabitEthernet2/1/3
!
interface GigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface Vlan1
 ip address 172.16.57.254 255.255.255.0
!
interface Vlan100
 ip address 10.2.10.1 255.255.255.0
!
interface Vlan101
 ip address 10.2.11.1 255.255.255.0
!
interface Vlan102
 ip address 10.2.12.1 255.255.255.0
!
interface Vlan103
 ip address 10.2.13.1 255.255.255.0
 --More--         !
interface Vlan104
 ip address 10.2.14.1 255.255.255.0
!
interface Vlan111
 ip address 10.2.21.1 255.255.255.0
!
interface Vlan112
 ip address 10.2.22.1 255.255.255.0
!
interface Vlan115
 description **AJVA-VIP**WIRELESS**
 ip address 10.2.25.1 255.255.255.0
!
interface Vlan116
 description **AJVA-USER-AP-WIRELESS**
 ip address 10.2.26.1 255.255.255.0
!
interface Vlan117
 description **AJVA-GUEST-WIRELESS**
 ip address 10.2.27.1 255.255.255.0
 ip access-group 110 in
!
interface Vlan118
 description **AJVA-WIPHONE-WIRELESS**
 ip address 10.2.28.1 255.255.255.0
!
interface Vlan119
 description **AJVA-ASCOM-WIRELESS**
 ip address 10.2.29.1 255.255.255.0
!
ip default-gateway 172.16.57.1
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.57.1
!
logging esm config
access-list 101 permit ip 10.2.27.0 0.0.0.255 any
access-list 110 permit ip 10.2.27.0 0.0.0.255 host 172.16.18.10
access-list 110 permit ip 10.2.27.0 0.0.0.255 host 1.1.1.1
access-list 110 permit tcp 10.2.27.0 0.0.0.255 host 1.1.1.1
access-list 110 permit udp 10.2.27.0 0.0.0.255 host 1.1.1.1
access-list 110 permit ahp 10.2.27.0 0.0.0.255 host 1.1.1.1
access-list 110 permit esp 10.2.27.0 0.0.0.255 host 1.1.1.1
access-list 110 permit ipinip 10.2.27.0 0.0.0.255 host 1.1.1.1
access-list 110 deny   tcp 10.2.27.0 0.0.0.255 172.16.0.0 0.0.255.255 eq telnet
access-list 110 deny   tcp 10.2.27.0 0.0.0.255 172.18.0.0 0.0.255.255 eq telnet
access-list 110 deny   tcp 10.2.27.0 0.0.0.255 172.20.0.0 0.0.255.255 eq telnet
access-list 110 deny   tcp 10.2.27.0 0.0.0.255 10.0.0.0 0.255.255.255 eq telnet
access-list 110 deny   icmp 10.2.27.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 deny   icmp 10.2.27.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 deny   icmp 10.2.27.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 110 deny   icmp 10.2.27.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 110 permit ip 10.2.27.0 0.0.0.255 any
access-list 110 deny   tcp 10.2.27.0 0.0.0.255 10.0.0.0 0.255.255.255 eq 22
 access-list 110 deny   tcp 10.2.27.0 0.0.0.255 172.20.0.0 0.0.255.255 eq 22
access-list 110 deny   tcp 10.2.27.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22
access-list 110 deny   tcp 10.2.27.0 0.0.0.255 172.18.0.0 0.0.255.255 eq 22
!
snmp-server community ajva RW
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon temperature
snmp ifmib ifindex persist
!
!
line con 0
 login local
line vty 0 4
 login local
 transport input all
line vty 5 15
 login
!
Labels:
0 Helpful
7 Replies 7

m.kafka
Level 4
Level 4

‎08-13-2015 01:34 PM

I don't see the service policies (in other words where are the policy maps used?).

Rgds, MiKa

0 Helpful

mohammed abdul naveed
Level 1
Level 1
In response to m.kafka

‎08-13-2015 02:02 PM

class-map match-all GUEST-PORTS
  match input-interface  GigabitEthernet1/0/1
  match input-interface  GigabitEthernet1/0/3 - GigabitEthernet1/0/5
  match input-interface  GigabitEthernet2/0/3 - GigabitEthernet2/0/7
  match input-interface  GigabitEthernet2/0/1
  match input-interface  GigabitEthernet2/0/12
class-map match-all GUEST-REST
  match access-group 101
!
policy-map GUEST-PORT
 class GUEST-PORTS
  police 1000000 32000 exceed-action drop
policy-map GUEST-VLAN
 class GUEST-REST
   set dscp default
   service-policy GUEST-PORT
!
i try to apply service policy on INT VLAN 117
 
But after i apply command i could not see the command , i dont know even its applied or not.
 
so i wanna know do i am miss something.
0 Helpful

m.kafka
Level 4
Level 4
In response to mohammed abdul naveed

‎08-14-2015 12:45 AM

Service policies can only be applied to physical switchports or interfaces, not to VLANs or SVIs ("vlan interfaces").

Hope that helps and best regards,

 

MiKa

 

(EDIT: I was to brief with my answer, policy maps with configured policing, like in this case, are not supported on SVIs)

0 Helpful

mohammed abdul naveed
Level 1
Level 1
In response to m.kafka

‎08-14-2015 12:45 AM

Hi , 

we can apply service policy to SVI , but for that we need to follow some steps which i am already done , like below you can see

firstly i need to enable under range of interface or single interface the command below

#mls qos vlan-based

Second i need to configure parent and child policy 

#class-map match-all GUEST-PORTS
  match input-interface  GigabitEthernet1/0/1
  match input-interface  GigabitEthernet1/0/3 - GigabitEthernet1/0/5
  match input-interface  GigabitEthernet2/0/3 - GigabitEthernet2/0/7
  match input-interface  GigabitEthernet2/0/1
  match input-interface  GigabitEthernet2/0/12
class-map match-all GUEST-REST
  match access-group 101
!
#policy-map GUEST-PORT
 class GUEST-PORTS
  police 1000000 32000 exceed-action drop
#policy-map GUEST-VLAN
 class GUEST-REST
   set dscp default
   service-policy GUEST-PORT
 
Lastly i need to apply it under SVI 
 
int vlan 117
service-policy input GUEST-VLAN
 
That are the detailed steps which i followed , i hope some one may face some issue and solved  it , 
 
0 Helpful

shaps
Level 3
Level 3
In response to mohammed abdul naveed

‎08-14-2015 03:05 AM

Hi 

I too have faced similar issues but was more specific to using Ipv6 class maps,  from what i have some platform/images have different capabilities and even though the command is not rejected the fact it is not showing indicates that it is not supported,   

0 Helpful

m.kafka
Level 4
Level 4
In response to shaps

‎08-14-2015 12:57 PM

Maybe you are in a similar situation, do you try to configure a policer on a SVI? Policy maps on SVIs only support marking, DCSP etc... the policer must be applied to physical interfaces.

Can you give us a bit more details how your config looks like?

Best regards, MiKa

0 Helpful

m.kafka
Level 4
Level 4
In response to mohammed abdul naveed

‎08-14-2015 08:06 AM

Dear Mohammed Abdul,

I'm sorry if was too brief with my comment, Service policies with policing are not supported on SVIs:

When configuring policing on an SVI, you can create and configure a 
hierarchical policy map with these two levels:

•VLAN level —Create this primary level by configuring class maps 
 and classes that specify the port trust state or set a new DSCP 
 or IP precedence value in the packet. The VLAN-level policy map 
 applies only to the VLAN in an SVI and does not support policers.

•Interface level —Create this secondary level by configuring class 
 maps and classes that specify the individual policers on physical 
 ports the belong to the SVI. The interface-level policy map only 
 supports individual policers and does not support aggregate policers. 
 You can configure different interface-level policy maps for each 
 class defined in the VLAN-level policy map.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swqos.html#wp1898407

The policer has to be applied to physical ports, policy-maps on SVIs only support marking, DSCP stuff, trust etc...

 

Best regards, MiKa

0 Helpful
Top