
Limit inbound traffic on 3560 switchport

pandaboy16
Level 1

Hi Guys,

I am trying to limit the switch inbound traffic by applying a policy map at the switchport level.

I am using a WS-C3560X-48 and trying to limit the inbound traffic to 40Mbps. The policy is working but it seems that it does not cap at the intended value.

ip access-list extended ACL_Testing
 permit ip any any

class-map match-all CLASS_Testing
 match access-group name ACL_Testing

policy-map POLICY_Testing
 class CLASS_Testing
  police 40960000 1000000 exceed-action drop

interface GigabitEthernet0/31
 switchport access vlan 25
 switchport mode access
 no cdp enable
 spanning-tree bpdufilter enable
 service-policy input POLICY_Testing

When I apply the above configuration to my device, the inbound traffic dropped from 80Mbps to 33Mbps. It seems that the inbound traffic is capped at 33Mbps. Any idea why it is capped at 33 Mbps and not 40Mbps?

Thank you.

7 Replies

Hello,

try the below:

police 40000000 7500000 conform-action transmit exceed-action drop

Hi Georg,

Thanks for your response.

Switch(config-pmap-c)#police 40960000 ?

  <8000-1000000>  Normal burst bytes

The burst bytes is limited to 1000000. 

Would like to check if the value limit is something I can change by upgrading the firmware?

Thanks again for your support.

Hello,

all QoS on Catalyst switches is hardware based and depends on the ASICs, so I don't think firmware upgrades will change that. Either way, since you are matching everything, try:

policy-map POLICY_Testing
 class class-default
  police 40000000 1000000 exceed-action drop

As an alternative, you could configure:

srr-queue bandwidth limit 96

on the interface. The 96 refers to the percentage of bandwidth that is being limited, with the rest being released. On a GigabitEthernet interface, the remaining 4 percent would equal 40Mbit.

Thanks Georg. I will try that out.

srr-queue bandwidth limit 96

The command above only limits the outbound traffic? Correct me if I'm wrong. Thanks.

As an alternative, you could configure:

srr-queue bandwidth limit 96

on the interface. The 96 refers to the percentage of bandwidth that is being limited, with the rest being released. On a GigabitEthernet interface, the remaining 4 percent would equal 40Mbit.

As far as I know, this command only impacts egress, not ingress.

Plus if it did impact ingress, you would want the limit to restrict to the 40 Mbps, not the converse, correct?  I.e. you would want srr-queue bandwidth limit 4 for a gig port.

Also BTW, the command values are documented as limited from 10 to 90 and as Cisco also notes "These values are not exact because the hardware adjusts the line rate in increments of six."

Hello,

I was wrong, and you guys are absolutely right about the 'srr-queue bandwidth' command: it is egress only. Also, I had it the wrong way around. So the value should be 4, and that is not even configurable.

My bad.

I have never actually used that command on a 3560 in a real life situation, I was just going through the command reference, and since even rate limiting is not available on the 3560, this looked, at first glance, as a feasible option...

Joseph W. Doherty
Hall of Fame

Any idea why it is capped at 33 Mbps and not 40Mbps?

Policers often clip normal traffic burst (e.g. from slow start) "prematurely", which throttles traffic slower than intended.

Georg is trying to address that by increasing the Bc value.

If your policer supports a Be option, you could also try increasing that.

Otherwise, simply increase the CIR rate to obtain the effective rate you desire.
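
Added example, not part of the original thread or any participant's post: a minimal single-rate token-bucket model of `police <CIR> <Bc> exceed-action drop`, fed a constructed on/off source, showing how bursts are clipped even when the average offered rate is below the CIR. The traffic pattern, the 1 Gbps line rate, the packet size and the 2400000-byte Bc are assumptions for illustration; the model ignores TCP's reaction to drops and the switch's actual hardware behaviour.

```python
class Policer:
    """Token bucket for `police <cir_bps> <bc_bytes> exceed-action drop`."""

    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps, self.bc_bytes = cir_bps, bc_bytes
        self.tokens = float(bc_bytes)  # bucket starts full
        self.last = 0.0                # arrival time of the previous packet

    def offer(self, now, size):
        """Return True if a packet of `size` bytes arriving at `now` conforms."""
        refill = (now - self.last) * self.cir_bps / 8   # bytes earned at CIR
        self.tokens = min(self.bc_bytes, self.tokens + refill)  # never above Bc
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True    # conform: transmit
        return False       # exceed: drop


def measure(cir_bps, bc_bytes, bursts=8, period=0.5, burst_pkts=1600,
            pkt=1500, line_bps=1_000_000_000):
    """Feed a constructed on/off source through the policer.

    Every `period` seconds the source sends `burst_pkts` back-to-back packets
    at line rate, then stays idle. Returns (offered_bps, delivered_bps).
    """
    policer = Policer(cir_bps, bc_bytes)
    gap = pkt * 8 / line_bps           # spacing of back-to-back packets
    offered = passed = 0
    for b in range(bursts):
        for i in range(burst_pkts):
            offered += pkt
            if policer.offer(b * period + i * gap, pkt):
                passed += pkt
    seconds = bursts * period
    return offered * 8 / seconds, passed * 8 / seconds


if __name__ == "__main__":
    CIR = 40_960_000                   # rate from the original post
    # 8000 and 1000000 are the Bc limits shown in the thread's CLI help;
    # 2400000 is hypothetical (one whole burst) and above that limit.
    for bc in (8_000, 1_000_000, 2_400_000):
        offered, delivered = measure(CIR, bc)
        print(f"Bc={bc:>9}  offered={offered/1e6:.1f} Mbps  "
              f"delivered={delivered/1e6:.1f} Mbps")
```

In this constructed case the source averages 38.4 Mbps, below the CIR, yet with Bc at 1000000 less than half of it is delivered, because each 2.4 MB burst outruns the bucket.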
