CISCO CATALYST QOS POLICING BANDWIDTH ON SVI ISSUE

mohammed abdul naveed · ‎08-13-2015

Hi Freinds,

i am facing issue with MLS QOS , in 3750x (15.02(se3)) , i configure class maps, policy maps , service policy , but still my qos policing is not working .please let know what mistake i am making.

configuration below.

Current configuration : 12255 bytes

!

! Last configuration change at 09:04:44 UTC Thu Jul 15 1993 by naveed

!

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname QUR-FF-CB2-DSW

!

boot-start-marker

boot-end-marker

!

username mdraffi privilege 15 secret 5 $1$KKiJ$4xFm.s7k8boTe8BCnxw7N.

username zubair privilege 15 secret 5 $1$TlXi$PUBbZhzTWn5r3lUTBD22N/

username gazi privilege 15 secret 5 $1$3PBF$jEMaN7G2UykGPjoIKdG3G1

username abdullah privilege 15 secret 5 $1$WN9q$BipNuTF4JZtdusRkrmg8x/

username naveed privilege 15 secret 5 $1$FSs2$CL2inO/wv5.1GxYXpOhwq/

username ncm privilege 15 secret 5 $1$lCM3$K63Tf5QvcSCo2Nm67jtAy1

no aaa new-model

switch 1 provision ws-c3750x-12s

switch 2 provision ws-c3750x-12s

system mtu routing 1500

ip routing

!

ip dhcp excluded-address 10.2.13.200 10.2.13.210

ip dhcp excluded-address 10.2.11.1 10.2.11.60

ip dhcp excluded-address 10.2.14.1 10.2.14.50

ip dhcp excluded-address 10.2.26.1 10.2.26.30

ip dhcp excluded-address 10.2.25.1 10.2.25.30

ip dhcp excluded-address 10.2.27.1 10.2.27.30

ip dhcp excluded-address 10.2.28.1 10.2.28.30

ip dhcp excluded-address 10.2.29.1 10.2.29.30

ip dhcp excluded-address 10.2.26.1 10.2.26.50

!

ip dhcp pool GL

network 10.2.11.0 255.255.255.0

default-router 10.2.11.1

domain-name ALJAZIRAHFORD

netbios-name-server 172.16.0.87

option 60 ip 10.1.12.61

option 67 ascii boot\x86\pxeboot.com

option 66 ip 10.1.12.61

dns-server 172.16.0.73 10.1.11.25 10.1.102.56

!

ip dhcp pool GR

network 10.2.12.0 255.255.255.0

default-router 10.2.12.1

domain-name ALJAZIRAHFORD

netbios-name-server 172.16.0.87

option 60 ip 10.1.12.61

option 67 ascii boot\x86\pxeboot.com

--More-- option 66 ip 10.1.12.61

dns-server 172.16.0.73 10.1.11.25 10.1.102.56

!

ip dhcp pool FL

network 10.2.13.0 255.255.255.0

default-router 10.2.13.1

domain-name ALJAZIRAHFORD

netbios-name-server 172.16.0.87

option 60 ip 10.1.12.61

option 67 ascii boot\x86\pxeboot.com

option 66 ip 10.1.12.61

dns-server 172.16.0.73 10.1.11.25 10.1.102.56

!

ip dhcp pool FR

network 10.2.14.0 255.255.255.0

default-router 10.2.14.1

domain-name ALJAZIRAHFORD

netbios-name-server 172.16.0.87

option 60 ip 10.1.12.61

option 67 ascii boot\x86\pxeboot.com

option 66 ip 10.1.12.61

dns-server 172.16.0.73 10.1.11.25 10.1.102.56

!

ip dhcp pool voice1

network 10.2.21.0 255.255.255.0

default-router 10.2.21.1

domain-name ALJAZIRAHFORD

option 150 ip 172.16.1.97 172.16.1.52 172.16.8.24

netbios-name-server 172.16.0.87

dns-server 172.16.0.73 10.1.11.25 10.1.102.56

!

ip dhcp pool Qurtuba-Wireless-Ajva-Users

network 10.2.26.0 255.255.255.0

default-router 10.2.26.1

dns-server 172.16.0.73 10.1.11.25 10.1.102.56

domain-name aljazirahford.com

option 43 hex f104.ac10.1e02

option 60 ip 10.1.12.61

option 67 ascii boot\x86\pxeboot.com

option 66 ip 10.1.12.61

!

ip dhcp pool Qurtuba-Wireless-Ajva-VIPs

network 10.2.25.0 255.255.255.0

default-router 10.2.25.1

dns-server 172.16.0.73 10.1.11.25 10.1.102.56

domain-name aljazirahford.com

option 43 hex f104.ac10.1e02

option 60 ip 10.1.12.61

option 67 ascii boot\x86\pxeboot.com

option 66 ip 10.1.12.61

!

ip dhcp pool Qurtuba-GUEST-Wireless

network 10.2.27.0 255.255.255.0

default-router 10.2.27.1

dns-server 172.16.0.73 10.1.11.25 10.1.102.56

domain-name aljazirahford.com

option 43 hex f104.ac10.1e02

--More-- option 60 ip 10.1.12.61

option 67 ascii boot\x86\pxeboot.com

option 66 ip 10.1.12.61

!

ip dhcp pool Qurtuba-WIPHONE-Wireless

network 10.2.28.0 255.255.255.0

default-router 10.2.28.1

dns-server 172.16.0.73 10.1.11.25 10.1.102.56

domain-name aljazirahford.com

option 43 hex f104.ac10.1e02

option 67 ascii boot\x86\pxeboot.com

option 66 ip 10.1.12.61

!

ip dhcp pool Qurtuba-ASCOM-Wireless

network 10.2.29.0 255.255.255.0

default-router 10.2.29.1

dns-server 172.16.0.73 10.1.11.25 10.1.102.56

domain-name aljazirahford.com

option 43 hex f104.ac10.1e02

option 60 ip 10.1.12.61

option 67 ascii boot\x86\pxeboot.com

option 66 ip 10.1.12.61

!

mls qos

!

crypto pki trustpoint TP-self-signed-3461845760

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3461845760

revocation-check none

rsakeypair TP-self-signed-3461845760

!

crypto pki certificate chain TP-self-signed-3461845760

certificate self-signed 01

30820246 308201AF A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 33343631 38343537 3630301E 170D3933 30333031 30303031

35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34363138

34353736 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100D4FF 0110B67C FBAEBE19 13D8C19B 1DC0D2B1 56DDF5BD 09CF922C 23CB0091

71EEEC56 BB0527FF 81CCE011 038BD17D 12C64B2D D64D5098 6381CE1B D5ED89F5

81B3D0B4 7CDD463F CF78EF54 72A80B2C 20D70067 D372F121 9DA9FA11 F30A7B75

1941767F 9374DA35 B4D3626F C221DD1F 84F16E76 50666793 A4410DAD A400E905

C03B0203 010001A3 6E306C30 0F060355 1D130101 FF040530 030101FF 30190603

551D1104 12301082 0E515552 2D46462D 4342322D 44535730 1F060355 1D230418

30168014 B97FF0E4 51369507 0CAEEC59 AE0FB917 3069E02D 301D0603 551D0E04

160414B9 7FF0E451 3695070C AEEC59AE 0FB91730 69E02D30 0D06092A 864886F7

0D010104 05000381 8100BE85 E2D775F0 9022D377 5FC37F9A 7147CF78 944E0A0E

37901DF1 981D9B41 782C7ECE 3BB66D04 2A6AD612 279A65A9 4579F8B0 10F769BF

204D3C26 C999A2B2 7DB8BB78 9EC599CC FC0894CF AE0C1F7F 4FCCE1A1 7AB4DF20

11D5AAEC BA4B9A75 6B6801E1 4A7C34E3 6E3AA32C D876CC6C 927B78CD A1FFCCF3

DD7D5C15 5D798A56 99F2

quit

!

--More-- !

!

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

class-map match-all GUEST-PORTS

match input-interface GigabitEthernet1/0/1

match input-interface GigabitEthernet1/0/3 - GigabitEthernet1/0/5

match input-interface GigabitEthernet2/0/3 - GigabitEthernet2/0/7

match input-interface GigabitEthernet2/0/1

match input-interface GigabitEthernet2/0/12

class-map match-all GUEST-REST

match access-group 101

!

policy-map GUEST-PORT

class GUEST-PORTS

police 1000000 32000 exceed-action drop

policy-map GUEST-VLAN

class GUEST-REST

set dscp default

service-policy GUEST-PORT

!

interface FastEthernet0

no ip address

no ip route-cache

!

interface GigabitEthernet1/0/1

switchport trunk encapsulation dot1q

mls qos vlan-based

!

interface GigabitEthernet1/0/2

switchport trunk encapsulation dot1q

!

interface GigabitEthernet1/0/3

switchport trunk encapsulation dot1q

mls qos vlan-based

!

interface GigabitEthernet1/0/4

switchport trunk encapsulation dot1q

mls qos vlan-based

!

interface GigabitEthernet1/0/5

switchport trunk encapsulation dot1q

mls qos vlan-based

!

--More-- interface GigabitEthernet1/0/6

switchport trunk encapsulation dot1q

!

interface GigabitEthernet1/0/7

switchport trunk encapsulation dot1q

!

interface GigabitEthernet1/0/8

switchport trunk encapsulation dot1q

!

interface GigabitEthernet1/0/9

switchport trunk encapsulation dot1q

!

interface GigabitEthernet1/0/10

switchport trunk encapsulation dot1q

!

interface GigabitEthernet1/0/11

switchport trunk encapsulation dot1q

!

interface GigabitEthernet1/0/12

switchport trunk encapsulation dot1q

mls qos vlan-based

!

interface GigabitEthernet1/1/1

!

interface GigabitEthernet1/1/2

!

interface GigabitEthernet1/1/3

!

interface GigabitEthernet1/1/4

!

interface TenGigabitEthernet1/1/1

!

interface TenGigabitEthernet1/1/2

!

interface GigabitEthernet2/0/1

switchport trunk encapsulation dot1q

switchport mode trunk

mls qos vlan-based

!

interface GigabitEthernet2/0/2

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet2/0/3

switchport trunk encapsulation dot1q

switchport mode trunk

mls qos vlan-based

!

interface GigabitEthernet2/0/4

switchport trunk encapsulation dot1q

switchport mode trunk

mls qos vlan-based

!

interface GigabitEthernet2/0/5

switchport trunk encapsulation dot1q

switchport mode trunk

mls qos vlan-based

--More-- !

interface GigabitEthernet2/0/6

switchport trunk encapsulation dot1q

switchport mode trunk

mls qos vlan-based

!

interface GigabitEthernet2/0/7

switchport trunk encapsulation dot1q

switchport mode trunk

mls qos vlan-based

!

interface GigabitEthernet2/0/8

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet2/0/9

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet2/0/10

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet2/0/11

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet2/0/12

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet2/1/1

!

interface GigabitEthernet2/1/2

!

interface GigabitEthernet2/1/3

!

interface GigabitEthernet2/1/4

!

interface TenGigabitEthernet2/1/1

!

interface TenGigabitEthernet2/1/2

!

interface Vlan1

ip address 172.16.57.254 255.255.255.0

!

interface Vlan100

ip address 10.2.10.1 255.255.255.0

!

interface Vlan101

ip address 10.2.11.1 255.255.255.0

!

interface Vlan102

ip address 10.2.12.1 255.255.255.0

!

interface Vlan103

ip address 10.2.13.1 255.255.255.0

--More-- !

interface Vlan104

ip address 10.2.14.1 255.255.255.0

!

interface Vlan111

ip address 10.2.21.1 255.255.255.0

!

interface Vlan112

ip address 10.2.22.1 255.255.255.0

!

interface Vlan115

description **AJVA-VIP**WIRELESS**

ip address 10.2.25.1 255.255.255.0

!

interface Vlan116

description **AJVA-USER-AP-WIRELESS**

ip address 10.2.26.1 255.255.255.0

!

interface Vlan117

description **AJVA-GUEST-WIRELESS**

ip address 10.2.27.1 255.255.255.0

ip access-group 110 in

!

interface Vlan118

description **AJVA-WIPHONE-WIRELESS**

ip address 10.2.28.1 255.255.255.0

!

interface Vlan119

description **AJVA-ASCOM-WIRELESS**

ip address 10.2.29.1 255.255.255.0

!

ip default-gateway 172.16.57.1

!

ip http server

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 172.16.57.1

!

logging esm config

access-list 101 permit ip 10.2.27.0 0.0.0.255 any

access-list 110 permit ip 10.2.27.0 0.0.0.255 host 172.16.18.10

access-list 110 permit ip 10.2.27.0 0.0.0.255 host 1.1.1.1

access-list 110 permit tcp 10.2.27.0 0.0.0.255 host 1.1.1.1

access-list 110 permit udp 10.2.27.0 0.0.0.255 host 1.1.1.1

access-list 110 permit ahp 10.2.27.0 0.0.0.255 host 1.1.1.1

access-list 110 permit esp 10.2.27.0 0.0.0.255 host 1.1.1.1

access-list 110 permit ipinip 10.2.27.0 0.0.0.255 host 1.1.1.1

access-list 110 deny tcp 10.2.27.0 0.0.0.255 172.16.0.0 0.0.255.255 eq telnet

access-list 110 deny tcp 10.2.27.0 0.0.0.255 172.18.0.0 0.0.255.255 eq telnet

access-list 110 deny tcp 10.2.27.0 0.0.0.255 172.20.0.0 0.0.255.255 eq telnet

access-list 110 deny tcp 10.2.27.0 0.0.0.255 10.0.0.0 0.255.255.255 eq telnet

access-list 110 deny icmp 10.2.27.0 0.0.0.255 10.0.0.0 0.255.255.255

access-list 110 deny icmp 10.2.27.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 110 deny icmp 10.2.27.0 0.0.0.255 172.18.0.0 0.0.255.255

access-list 110 deny icmp 10.2.27.0 0.0.0.255 172.20.0.0 0.0.255.255

access-list 110 permit ip 10.2.27.0 0.0.0.255 any

access-list 110 deny tcp 10.2.27.0 0.0.0.255 10.0.0.0 0.255.255.255 eq 22

access-list 110 deny tcp 10.2.27.0 0.0.0.255 172.20.0.0 0.0.255.255 eq 22

access-list 110 deny tcp 10.2.27.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22

access-list 110 deny tcp 10.2.27.0 0.0.0.255 172.18.0.0 0.0.255.255 eq 22

!

snmp-server community ajva RW

snmp-server community public RO

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps tty

snmp-server enable traps config

snmp-server enable traps entity

snmp-server enable traps cpu threshold

snmp-server enable traps syslog

snmp-server enable traps flash insertion removal

snmp-server enable traps envmon temperature

snmp ifmib ifindex persist

!

line con 0

login local

line vty 0 4

login local

transport input all

line vty 5 15

login

!

m.kafka · ‎08-13-2015

I don't see the service policies (in other words where are the policy maps used?).

Rgds, MiKa

mohammed abdul naveed · ‎08-13-2015

class-map match-all GUEST-PORTS

match input-interface GigabitEthernet1/0/1

match input-interface GigabitEthernet1/0/3 - GigabitEthernet1/0/5

match input-interface GigabitEthernet2/0/3 - GigabitEthernet2/0/7

match input-interface GigabitEthernet2/0/1

match input-interface GigabitEthernet2/0/12

class-map match-all GUEST-REST

match access-group 101

!

policy-map GUEST-PORT

class GUEST-PORTS

police 1000000 32000 exceed-action drop

policy-map GUEST-VLAN

class GUEST-REST

set dscp default

service-policy GUEST-PORT

!

i try to apply service policy on INT VLAN 117

But after i apply command i could not see the command , i dont know even its applied or not.

so i wanna know do i am miss something.

m.kafka · ‎08-14-2015

Service policies can only be applied to physical switchports or interfaces, not to VLANs or SVIs ("vlan interfaces").

Hope that helps and best regards,

MiKa

(EDIT: I was to brief with my answer, policy maps with configured policing, like in this case, are not supported on SVIs)

mohammed abdul naveed · ‎08-14-2015

Hi ,

we can apply service policy to SVI , but for that we need to follow some steps which i am already done , like below you can see

firstly i need to enable under range of interface or single interface the command below

#mls qos vlan-based

Second i need to configure parent and child policy

#class-map match-all GUEST-PORTS

match input-interface GigabitEthernet1/0/1

match input-interface GigabitEthernet1/0/3 - GigabitEthernet1/0/5

match input-interface GigabitEthernet2/0/3 - GigabitEthernet2/0/7

match input-interface GigabitEthernet2/0/1

match input-interface GigabitEthernet2/0/12

class-map match-all GUEST-REST

match access-group 101

!

#policy-map GUEST-PORT

class GUEST-PORTS

police 1000000 32000 exceed-action drop

#policy-map GUEST-VLAN

class GUEST-REST

set dscp default

service-policy GUEST-PORT

Lastly i need to apply it under SVI

int vlan 117

service-policy input GUEST-VLAN

That are the detailed steps which i followed , i hope some one may face some issue and solved it ,

shaps · ‎08-14-2015

Hi

I too have faced similar issues but was more specific to using Ipv6 class maps, from what i have some platform/images have different capabilities and even though the command is not rejected the fact it is not showing indicates that it is not supported,

m.kafka · ‎08-14-2015

Maybe you are in a similar situation, do you try to configure a policer on a SVI? Policy maps on SVIs only support marking, DCSP etc... the policer must be applied to physical interfaces.

Can you give us a bit more details how your config looks like?

Best regards, MiKa

m.kafka · ‎08-14-2015

Dear Mohammed Abdul,

I'm sorry if was too brief with my comment, Service policies with policing are not supported on SVIs:

When configuring policing on an SVI, you can create and configure a 
hierarchical policy map with these two levels:

•VLAN level —Create this primary level by configuring class maps 
 and classes that specify the port trust state or set a new DSCP 
 or IP precedence value in the packet. The VLAN-level policy map 
 applies only to the VLAN in an SVI and does not support policers.

•Interface level —Create this secondary level by configuring class 
 maps and classes that specify the individual policers on physical 
 ports the belong to the SVI. The interface-level policy map only 
 supports individual policers and does not support aggregate policers. 
 You can configure different interface-level policy maps for each 
 class defined in the VLAN-level policy map.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swqos.html#wp1898407

The policer has to be applied to physical ports, policy-maps on SVIs only support marking, DSCP stuff, trust etc...

Best regards, MiKa