Policing traffic on switch 2960x

mrochac (Level 1)

Cisco friends - my question is, can I set up some sort of class-map with a specific ACL, set the BE queue, and only allow this traffic to use a percentage of traffic on the uplink port of the switch?

Scenario: users use O365, O365 is saturating our traffic. I would like to tag this traffic based on destination IPs and police how much bandwidth it can use.


Hope the question is clear.

6 Replies

You can tag it on the 2960 using QoS and then police it on the uplink switch... is that what you are asking?

If this post answers your question or is helpful, please consider rating it and/or marking it as answered.

That is correct, exactly. That being said, what do I tag it with, a CoS value or a DSCP value? I'm still new to this... And I tag at the ingress port and throttle on the egress uplink port, correct?

...I must add the following: access switches are 2960X, distribution switches are 4500X. That being said, I can't create object-groups on the 2960, I don't think, so how would I go about creating an ACL to tag? Manual entry, I'm starting to get the feeling?

Joseph W. Doherty (Hall of Fame)
From what you've described, if you have some traffic that saturates a link, it would probably be better to deprioritize it rather than police it. This is because a policer won't allow such traffic to use otherwise available bandwidth, and a policer still might not constrain the traffic enough relative to other traffic.

Regarding your later question about tagging, when possible, use DSCP ToS tags.

...getting a little confused and not sure why. So I created an ACL to filter the traffic for my policy (MS IPs):

Extended IP access list O365Filter
10 permit ip any 13.107.6.0 0.0.0.254 log
11 permit ip any 40.100.162.0 0.0.0.255
20 permit ip any 13.107.9.0 0.0.0.254 log
30 permit ip any 13.107.18.0 0.0.0.254 log
40 permit ip any 13.107.19.0 0.0.0.254 log
50 permit ip any 13.107.128.0 0.0.3.255 log
60 permit ip any 23.103.160.0 0.0.15.255 log
70 permit ip any 23.103.224.0 0.0.31.255 log
80 permit ip any 40.96.0.0 0.0.255.255 log
90 permit ip any 40.104.0.0 0.0.255.255 log
100 permit ip any 52.96.0.0 0.3.255.255 log
110 permit ip any 111.221.112.0 0.0.7.255 log
130 permit ip any 132.245.0.0 0.0.255.255 log
140 permit ip any 134.170.68.0 0.0.1.255 log
150 permit ip any 150.171.32.0 0.0.3.255 log
160 permit ip any 157.56.232.0 0.0.7.255 log
170 permit ip any 157.56.240.0 0.0.15.255 log
180 permit ip any 191.232.96.0 0.0.31.255 log
190 permit ip any 191.234.140.0 0.0.3.255 log
200 permit ip any 206.191.224.0 0.0.31.255 log
201 permit ip any any

I've attached the ACL to my core 4500 ports which are connected to my access switches as follows:
interface TenGigabitEthernet1/1/6
description Catwalk-STK
switchport trunk native vlan 999
switchport trunk allowed vlan 22,31,50,70,71,90,183,666,999
switchport mode trunk
ip access-group O365Filter in
channel-protocol lacp
channel-group 6 mode active
ip dhcp snooping trust

so 5 separate ports (connected to 5 separate access switches). The ACL is applied in the "in" direction to filter traffic coming into the core.

...but I'm getting no hits on the ACL... help?
The idea here is to confirm that traffic to these destinations is indeed flowing in, so I can then use the ACL in a policy as follows:
class-map match-any O365
match access-group name O365Filter

policy-map O365
class O365
set dscp 000

...where I will then apply it to my MPLS-facing port... am I on the right path?
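Added example (my own code, not from the thread or from Cisco): a small Python model of how the posted O365Filter ACL is evaluated, using Cisco wildcard-mask semantics (a set bit in the wildcard means "don't care") and first-match ordering with the implicit deny at the end. It makes two properties of the ACL as posted visible: a wildcard of 0.0.0.254 matches only destinations whose last octet is even (128 addresses, not 256), and because the list ends with `permit ip any any`, a class-map that does `match access-group name O365Filter` matches every packet, not just Microsoft destinations. The catch-all is needed when the ACL is applied to an interface (otherwise the implicit deny drops everything else), but for the class-map reference it should be left out, which `without_catchall()` models. The parser is simplified to the exact line shape in the thread (source `any`, destination network plus wildcard or `any`, optional `log`); the sample destinations at the bottom are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The ACL exactly as posted in the thread (the page's own data, not constructed).
O365_ACL_TEXT = """
Extended IP access list O365Filter
10 permit ip any 13.107.6.0 0.0.0.254 log
11 permit ip any 40.100.162.0 0.0.0.255
20 permit ip any 13.107.9.0 0.0.0.254 log
30 permit ip any 13.107.18.0 0.0.0.254 log
40 permit ip any 13.107.19.0 0.0.0.254 log
50 permit ip any 13.107.128.0 0.0.3.255 log
60 permit ip any 23.103.160.0 0.0.15.255 log
70 permit ip any 23.103.224.0 0.0.31.255 log
80 permit ip any 40.96.0.0 0.0.255.255 log
90 permit ip any 40.104.0.0 0.0.255.255 log
100 permit ip any 52.96.0.0 0.3.255.255 log
110 permit ip any 111.221.112.0 0.0.7.255 log
130 permit ip any 132.245.0.0 0.0.255.255 log
140 permit ip any 134.170.68.0 0.0.1.255 log
150 permit ip any 150.171.32.0 0.0.3.255 log
160 permit ip any 157.56.232.0 0.0.7.255 log
170 permit ip any 157.56.240.0 0.0.15.255 log
180 permit ip any 191.232.96.0 0.0.31.255 log
190 permit ip any 191.234.140.0 0.0.3.255 log
200 permit ip any 206.191.224.0 0.0.31.255 log
201 permit ip any any
"""


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str      # "permit" or "deny"
    dst_net: int     # destination network as a 32-bit integer
    dst_wc: int      # Cisco wildcard mask: 1 bits are "don't care"
    log: bool


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'show ip access-lists' style output.
    Assumption: only lines of the form
    '<seq> permit|deny ip any <dst> <wildcard>|any [log]', as in the thread."""
    entries = []
    for line in text.strip().splitlines():
        p = line.split()
        if not p or not p[0].isdigit():
            continue                      # skip the "Extended IP access list" header
        seq, action = int(p[0]), p[1]
        if p[3] != "any":
            raise ValueError("this model only handles source 'any'")
        if p[4] == "any":
            dst_net, dst_wc, rest = 0, 0xFFFFFFFF, p[5:]
        else:
            dst_net, dst_wc, rest = _ip(p[4]), _ip(p[5]), p[6:]
        entries.append(AclEntry(seq, action, dst_net, dst_wc, "log" in rest))
    return entries


def wildcard_match(addr: int, net: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the wildcard."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)


def addresses_matched(wildcard: int) -> int:
    """How many addresses a wildcard covers: 2 ** (number of 'don't care' bits)."""
    return 2 ** bin(wildcard).count("1")


def first_match(acl: List[AclEntry], dst: str) -> Optional[AclEntry]:
    """First-match evaluation; None models the implicit deny at the end."""
    d = _ip(dst)
    for e in acl:
        if wildcard_match(d, e.dst_net, e.dst_wc):
            return e
    return None


def matching_seq(acl: List[AclEntry], dst: str) -> Optional[int]:
    e = first_match(acl, dst)
    return e.seq if e else None


def classified_as_o365(acl: List[AclEntry], dst: str) -> bool:
    """'match access-group' in a class-map matches packets the ACL permits."""
    e = first_match(acl, dst)
    return e is not None and e.action == "permit"


def without_catchall(acl: List[AclEntry]) -> List[AclEntry]:
    """Drop 'permit ip any any' so the class-map only matches the listed prefixes."""
    return [e for e in acl if e.dst_wc != 0xFFFFFFFF]


O365_ACL = parse_acl(O365_ACL_TEXT)
O365_ACL_NO_CATCHALL = without_catchall(O365_ACL)

if __name__ == "__main__":
    # Constructed sample destinations (not from the thread).
    for dst in ("13.107.6.2", "13.107.6.3", "40.96.1.2", "10.1.2.3"):
        print(dst, "-> seq", matching_seq(O365_ACL, dst),
              "| O365 class as posted:", classified_as_o365(O365_ACL, dst),
              "| without catch-all:", classified_as_o365(O365_ACL_NO_CATCHALL, dst))
    print("wildcard 0.0.0.254 covers", addresses_matched(_ip("0.0.0.254")),
          "addresses; 0.0.0.255 covers", addresses_matched(_ip("0.0.0.255")))
```

Running it shows 13.107.6.3 skipping sequence 10 (odd last octet) and falling through to 201, and an internal address such as 10.1.2.3 being classified as O365 by the posted ACL but not once the catch-all is removed.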

Not showing how? Reason I ask: sometimes switches don't show "normal" stats when the ASIC processes packets.

Does access-group also show in port-channel interface?