07-27-2009 02:28 AM - edited 03-06-2019 06:57 AM
I'm looking for a solution to this problem:
I get ingress traffic from multiple ports (one VLAN), egressing at one single port, which is connected to a trunk line with small bandwidth.
I would like to limit the aggregated traffic of these ports to a certain bandwidth. Unfortunately, the 2960 and 3750 have no egress policing, only ingress. In addition to that, ingress policing can only be done per port, that is, each single port can be limited, but not the aggregated traffic from a group of ports.
=================================================================
class-map match-any all-traffic
match any
!
policy-map max-3mbps
class all-traffic
police 3000000 100000 exceed-action drop
!
interface FastEthernet0/1
description ingress-1
switchport access vlan 11
switchport mode access
service-policy input max-3mbps
!
interface FastEthernet0/2
description ingress-2
switchport access vlan 11
switchport mode access
service-policy input max-3mbps
!
interface FastEthernet0/11
description egress-trunk
switchport trunk allowed vlan 11,...
switchport mode trunk
=================================================================
In this configuration each ingress port can send up to 3 Mbps, adding up to 6 Mbps egress traffic on the trunk.
Here is a hardware workaround: I connect two ports with a crossover cable, put all ingress ports together with one side of the crossover cable into a new VLAN, the other side of the crossover cable into the old VLAN, applying the service-policy to this side of the crossover cable.
=================================================================
class-map match-any all-traffic
match any
!
policy-map max-3mbps
class all-traffic
police 3000000 100000 exceed-action drop
!
interface FastEthernet0/1
description ingress-1
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/2
description ingress-2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/3
description crossover cable to Fa0/4
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/4
description crossover cable to Fa0/3
switchport access vlan 11
switchport mode access
service-policy input max-3mbps
!
interface FastEthernet0/11
description egress-trunk
switchport trunk allowed vlan 11,...
switchport mode trunk
=================================================================
Now the ingress traffic aggregates at Fa0/4 and maxes out at 3 Mbps.
1.) Is there a solution for this that does not force me to sacrifice two hardware ports? Something like a "virtual crossover cable"?
2.) Is this actually the way to go? Am I missing something in QoS configuration that would allow me to limit the aggregated traffic coming in through multiple ports?
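As an added illustration (not from the original thread), here is a small Python model of the single-rate token bucket behind `police <rate-bps> <burst-bytes> exceed-action drop`, run once with a separate policer per ingress port and once with one policer shared by both ports; the two 5 Mbps ingress streams and the 1000-byte packet size are constructed.

```python
# Added example, not from the original thread: a token-bucket model of the
# 2960/3750 "police <rate-bps> <burst-bytes> exceed-action drop" semantics.
# Two 3 Mbps per-port policers let ~6 Mbps reach the trunk, while one
# policer shared by both ports caps the aggregate at ~3 Mbps. Traffic is constructed.

class Policer:
    """Single-rate token bucket: rate in bits/s, burst (bucket depth) in bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_per_s = rate_bps / 8
        self.burst = burst_bytes
        self.tokens = burst_bytes  # bucket starts full
        self.last = 0.0

    def conform(self, now, size):
        # Refill in proportion to elapsed time, never above the burst depth.
        self.tokens = min(self.burst,
                          self.tokens + (now - self.last) * self.rate_bytes_per_s)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False  # exceed-action drop


def simulate(policers, port_rate_bps, pkt_bytes=1000, seconds=10):
    """policers[i] polices port i; pass the same object for every port to
    model one aggregate policer. Returns Mbps forwarded per port and the
    total that would reach the egress trunk."""
    n_ports = len(policers)
    pps = port_rate_bps / 8 / pkt_bytes
    # Evenly spaced packets; a tiny per-port offset keeps the interleaving stable.
    events = sorted((k / pps + p * 1e-6, p)
                    for p in range(n_ports) for k in range(int(pps * seconds)))
    passed = [0] * n_ports
    for t, p in events:
        if policers[p].conform(t, pkt_bytes):
            passed[p] += pkt_bytes
    per_port = [b * 8 / seconds / 1e6 for b in passed]
    return per_port, sum(per_port)


def per_port_policing():
    """The thread's first config: each of two 5 Mbps ingress ports gets its own 3 Mbps policer."""
    return simulate([Policer(3_000_000, 100_000) for _ in range(2)], 5_000_000)


def aggregate_policing():
    """One 3 Mbps policer in front of both ports (what the crossover-cable trick achieves)."""
    shared = Policer(3_000_000, 100_000)
    return simulate([shared, shared], 5_000_000)
```

The small excess over 3 Mbps in both runs is the 100,000-byte burst allowance being spent once at the start.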
07-27-2009 01:41 PM
On the 2960/3560 platform there is an aggregate policer function that provides the functionality you are looking for. Below is an example I use to control routing control traffic on CPE devices we provide.
Our example uses this feature to do a rate-limit of routing control traffic. In some instances, we need to give routing control (prec 6 & 7) highest priority, even higher than voice and video, but we also don't want a rogue device or config to take advantage of this, so we give only the first 100k of routing control high priority; everything over 100k gets transmitted, but at the same level as routine traffic.
Here is the config:
mls qos map policed-dscp 48 56 to 0
!
mls qos aggregate-policer rcontrol 100000 8000 exceed-action policed-dscp-transmit
!
!
class-map match-any control
match ip precedence 6 7
!
!
policy-map routing-control
class control
police aggregate rcontrol
!
int range gi 0/2 - 23
mls qos trust ip-precedence
service-policy input routing-control
no shut
!
07-27-2009 10:19 PM
Thank you for your suggestion.
Are you sure aggregate-policers limit the aggregated traffic of multiple ports?
As far as I understand the topic aggregate-policers limit the aggregated traffic of multiple classes within one policy-map, but the policy-map still limits the traffic of each port for itself.
I guess in your example the precedence 6&7 traffic from those 22 ports could add up to 2.2m of high priority traffic. Of course this is a worst case scenario with an awful lot of rogue devices. :-)
07-28-2009 01:47 AM
First, for the 3750, like the 3560, you can police egress traffic as below:
int f0/1
srr-queue bandwidth limit <percent>
Make sure to put the correct speed command in the interface; this percent will be referenced from the speed if you are looking for something less than 10M.
In the interface do the following:
int fa1/0
speed 10
srr-queue bandwidth limit 30
This means 30% of 10M.
For more than one interface to be configured with policing,
I think in the 3750, like the 3560,
you can use per-VLAN policing.
See the example below.
Let's say you have fa1/0 and fa1/1;
both are trunk ports and you want to limit VLAN 10 traffic coming through those ports to 128k.
class-map TRUNKS
match input-interface FastEthernet 1/0 - FastEthernet 1/1
ip access-list extended IP_ANY
permit ip any any
!
class-map IP_ANY
match access-group name IP_ANY
policy-map P1
class TRUNKS
police 128000 16000 exceed-action policed-dscp-transmit
policy-map vlan10_P
class IP_ANY
service-policy P1
interface Vlan 10
service-policy input vlan10_P
int range fa1/0 - 1
mls qos vlan-based
Good luck.
Hope this helps.
08-12-2012 09:59 AM
I'm also facing the same issue as Robert. Is there any Cisco router/switch that supports aggregate ingress policing over multiple physical ports?