I said something wrong, it's not a 3650 my mistake it's a 9300L with a Network Essentials license:

C9300L-24T-4G 16.12.02 CAT9K_IOSXE

My switch 9300 connects to a CiscoIE2000 that is controlled by another company. They are connected trough 1Gbps interfaces but the other company has on their IE2000 a policy limiting the throughput to max 400Mbps, anything more than this is automatically dropped. 

I wanted in some way to prevent this from happening, but since I can't control this IE2000 I need to apply a policy on my 9300 in order to mitigate this if possible. 

Currently and because I couldn't find a solution, my switch has the following config right now for the Policy Map:

ip access-list extended 100
10 permit udp any any

The class VIDEO_IN is following the Access list and marking the UDP traffic with CS4

policy-map VIDEO_IN
class VIDEO_IN
set dscp cs4
policy-map system-cpp-policy
policy-map VIDEO_OUT
class VIDEO_OUT
class class-default
police cir 30000000
exceed-action drop

Also this switch only has the average function in the shaper and no peak...

Basically, I'm just marking traffic but doing nothing with it to be fair and I'm marking all the remaining traffic to be dropped after it reaches 30Mbps. I was seeing that the other traffic was going on top of the UDP traffic and was creating issues, by doing this it mitigated the problem and freed the bandwidth for the UDP my prioritary traffic (we are talking about video). But it doesn't solve my issue of limiting all the traffic to 400Mbps on the 1Gbps port.

What would be good to do was something like this:

we have a 400Mbps link and it would be good to mark the traffic to not surpass that and to give priority to UDP over all the remaining traffic within this 400Mbps, and if in fact it needed to be dropped it would drop on the 9600 and not on the IE2000 that I can't control

Is this possible to achieve?

Thank you

Once again 5 stars! Thank you, Joseph

I've applied the commands to the switch adapted to my reality and I'm now evaluating the system. Let's see hot it goes

thank you once again

Unfortunately, I have something that is not working quite correctly...

I applied the following configuration:

policy-map VIDEO_OUT

class VIDEO_OUT

  bandwidth 350000

class class-default

policy-map ALL_TRAFFIC

class class-default

  shape average 380000000

   service-policy VIDEO_OUT

And applied the service policy ALL_TRAFFIC to the outgoing interface but I'm still having issues.

Basically I'm marking all the Video UDP traffic with CS4 and I'm giving it 350Mbps reserved and I'm shapping the link to 380Mbps when in reality I have 400Mbps.

I get the picture correctly but when I do a file transfer from one computer to another using this same link (TCP), it starts affecting affecting the cameras and they start loosing packets. I check my cisco switch and I have no packet loss and I check the cisco switch from the supplier that is limiting the link to 400Mbps and I have no drops as well. I'm not understanding what's happening, I see the images dropping packets but I don't see anything in the switches...

Any idea please? is my config correct?

Thank you

Hello,

what platform is this on ? If 'priority percent' is available, try that instead of bandwidth:

policy-map VIDEO_OUT

class VIDEO_OUT

--> priority percent 30

class class-default

policy-map ALL_TRAFFIC

class class-default

shape average 380000000

service-policy VIDEO_OUT

Thank you for the reply

Unfortunately, the switch says that it only supports, priority with level in the platform 

The switch is a C9300L-24T-4G with the Network essentials license

Hello,

that might even be better. After all, you want video traffic to be prioritized at any time:

policy-map VIDEO_OUT

class VIDEO_OUT

--> priority level 1

class class-default

policy-map ALL_TRAFFIC

class class-default

shape average 380000000

service-policy VIDEO_OUT

Hello

Thank you for the reply

I tried priority level and it's even worst, for some reason it starts to have loads of drops on the VIDEO_OUT policy. I think the only way is really the bandwidth.

Regarding the shaping, I'm doing 380000000 is this good for a switch that as a policing of 400000000 and it's dropping traffic after that?

Thank you

Hello,

I wonder if you really need a parent/child policy. What if you use the below:

policy-map VIDEO_OUT

class VIDEO_OUT

bandwidth 350000

class class-default

shape average 380000000

!

service-policy VIDEO_OUT

BTW, in theory, a parent/child policy is better, because for the available bandwidth, the child policy should insure the priority traffic goes first.  This kind of policy, does not.

This policy would also allow the video class to go to port speed.

When you're forced (due to platform limitations) to use such a policy, you'll want the class-default limited such that the priority traffic's needed bandwidth is always available, which unfortunately, also means when your priority traffic doesn't need that bandwidth it goes unused (another reason to prefer parent [shaper] with child policies).

I agree with Georg, normally for real-time traffic, like video conferencing, you'll want to use a priority command, although if levels are supported, the normal recommendation is to use level 1 for VoIP and level 2 for video.

If you're seeing drops with the priority command, does that command also support a bandwidth allocation option.  If so, insure there's sufficient bandwidth allocated for your video stream.  BTW, video streams are often very variable in their bandwidth usage.  I.e., don't allocate for the "average" usage (video bandwidth), but for about twice that.

Regarding shaping, I believe, on some Cisco platforms, the shaper does not account for L2 overhead.  If such a platform, you need to allocate a shaper smaller than the nominal bandwidth.  Since L2 overhead varies per packet size, smaller packets, on average, need to set aside more bandwidth for overhead.  Often I've found making the shaper about 15% less than provided bandwidth a good starting point.  (I.e. 85% of 400 Mbps would be 340 Mbps.)

Of course, it's also possible your provider isn't really providing the agreed 400 Mbps.  The way you can demonstrate that is with a traffic generator that can generate a defined amount of bandwidth usage, and see if the other side receives that amount.  (Of course, this testing is exclusive of using the path for any other traffic.  Also, ideally, you can test during peak business hours to insure congestion in the provider's cloud isn't an issue either.)