Hello,
I have a problem with policing ingress traffic using MQC on a port configured as an 802.1q tunnel. Policing seems to work only for tagged VLANs sent via the tunnel (VLAN 10 is a tagged VLAN sent via the tunnel):
R3600_LAB#ping 172.31.10.1 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!.!
!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!.!!
And not for traffic sent over the native VLAN (99):
R3600_LAB#ping 172.31.99.1 repeat 200
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The native VLAN does not have the CoS field since there is no tag attached; nevertheless, the class-map should match all the traffic due to the MAC permit any any. Below I enclose the configuration of both ends of the asymmetric link:
Interface on the 3560 switch connected to the tunneling port:
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,99,141,191
 switchport mode trunk
!
Configuration on the tunneling 3750G-42TS switch:
mls qos
!
mac access-list extended ANY
 permit any any
!
class-map match-any ANY
 match access-group name ANY
!
policy-map POLICE
 class ANY
  police 8000 8000 exceed-action drop
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode dot1q-tunnel
 switchport nonegotiate
 switchport port-security maximum 200
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 no cdp enable
 spanning-tree portfast
 service-policy input POLICE
!
Thanks for any help,
Best Regards,
Krzysztof Grabowski