rate limit not working for vlan

abukuru95
Level 3

Hi Guyz,

I want to restrict internet traffic for guests on a free SSID to 1MB.

I configured my CORE switch as follows. All seems well, but traffic is never dropped.

Any help to solve this is highly appreciated.

I want this vlan (50) to be restricted to 1 MB for outgoing and incoming traffic.

configuration for vlan 50

-----------------------------------

interface Vlan50
description ***  Interface for VLAN 50
ip address 10.1.22.1 255.255.255.0
ip access-group 105 in
rate-limit input 1000000 1000000 1000000 conform-action transmit exceed-action drop
rate-limit output 1000000 1000000 1000000 conform-action transmit exceed-action drop
end

no traffic is dropped

-----------------------------
SW-3560-1#sh int vlan 50 rate-limit
Vlan50 *** Interface for VLAN 50
  Input
    matches: all traffic
      params:  1000000 bps, 1000000 limit, 1000000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 2853770291ms ago, current burst: 0 bytes
      last cleared 2w0d ago, conformed 0 bps, exceeded 0 bps
  Output
    matches: all traffic
      params:  1000000 bps, 1000000 limit, 1000000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 2853770291ms ago, current burst: 0 bytes
      last cleared 2w0d ago, conformed 0 bps, exceeded 0 bps

thanks in advance.

Accepted Solution

Hi,

You can apply this to trunk interfaces as well. You just need to put the trunk interface in the "match input-interface":

class-map vlan50
 match input-interface

and just put the mls qos vlan-based under the trunk interfaces and it will work.

abukuru95 wrote:

Thanks Kishore,

The configuration is successfully applied, but alas no traffic is dropped. I have three trunk interfaces on my core switch where I need to apply this. I guess I can only apply it on physical interfaces? Thanks a bunch anyway. I am still awaiting new ideas.

You cannot apply service-policy output to physical interfaces on 3560 due to ASIC limitations.

HTH

Kishore

14 Replies

Hi,

Can you please check the below-mentioned thread? It is more or less on the same track...

https://supportforums.cisco.com/message/3471481#3471481

Regards,

Smitesh

Hello Smitesh,

I cannot apply some commands that are on the link you provided such as

match class-map class -default

I am running version (C3560-IPSERVICESK9-M), Version 12.2(35)SE5

any more ideas?

regards.

kozorezdi
Level 1

Hi,

helped me very much: "do we have 'mls qos vlan-based' configured on the physical port through which the traffic is ingressing?"

https://supportforums.cisco.com/message/3470502#3470502

Maybe it will help you as well.

--

Dimitry

Hi,

Try the below; it may help you...

Police a specific VLAN number on the VLAN interface.

class-map vlan5
 match vlan 5
 match class-map class-default

policy-map vlan5-limit
 class vlan5
  police 2000000 250000 exceed-action drop

int vlan5
 service-policy input vlan5-limit

After you apply this configuration, the traffic with VLAN 5 coming from any will be policed at 2Mbps.

Hope this will help you.

Please rate the helpful posts.
Regards,
Naidu.

Hi Latchum,

When I apply the command

int vlan5
 service-policy input vlan5-limit

I receive this error: %QoS: policy-map with police action at parent level not supported on Vlan5 interface.

I am running IOS version 12.2(35)SE5.

Any ideas on a way out?

What you can do is use the same policy suggested above as a child policy.

Example:

policy-map p1
 class class-default
  service-policy vlan5-limit

Then apply the p1 policy at the VLAN interface level.

You may need to change the behavior of the QoS to VLAN-based at the physical interface level, using the command mls qos vlan-based.

Hope this helps.

If helpful, rate.

Hi Marwanshawi,

I don't get you quite well: using the same policy as child policy?

Thanks for the help.

Hi,

What that meant is...

Configure everything like in my previous post, then configure the child policy like below and apply it to the VLAN interface.

policy-map p1
 class class-default
  service-policy vlan5-limit

int vlan5
 policy-map p1

Please rate the helpful posts.
Regards,
Naidu.

Hi Natchum,

I do not have this command under the interface VLAN options:

interface vlan 5
 policy-map p1

When I go to

conf t
interface vlan 5
?

it does not exist on the IOS.

Thanks for the help anyway.

Hi,

Latchum meant

int vlan 5

service-policy input p1

HTH

Regards,

Kishore

Hi Kishore, yes.

This is the output I am getting now.

3560(config)#interface vlan 5

3560(config-if)#service-policy input p1

%QoS: policy-map vlan_5-limit with MATCH INPUT-INTERFACE matching non-physical interfaces or other unsupported

Service Policy attachment failed

3560(config-if)#

3560(config-if)#service-policy input p1

%QoS: policy-map vlan_5-limit with MATCH INPUT-INTERFACE matching non-physical interfaces or other unsupported

Service Policy attachment failed

3560(config-if)#

thanks for your help guys.

Ah, the reason is that the match statement under the class-map is not correct.

match vlan 5 is only available on 6500s, 4500s and Metro Ethernet switches, not on a 3560.

Please remember the following points while using child policies.

Key things to remember:

    Child classes use match input-interface
    Child policies use police
    Parent classes match ACL (I think you can also match dscp, maybe others)
    Parent policies must have an action (e.g. set or trust)
    Apply parent policies to SVI

So you need to use match input-interface and match all the interfaces where VLAN 50 is configured.

For example, let's assume that you have VLAN 50 configured on interface fa1/0/1; then the class-map will be like this:

access-list 100 permit ip any any

class-map match-any cm-1
 match access-group 100

class-map vlan50
 match input-interface fa1/0/1

policy-map vlan50-limit
 class vlan50
  police 2000000 250000 exceed-action drop

policy-map vlan-50-limit-2Mbps
 class cm-1
  trust dscp
  service-policy vlan50-limit

int vlan50
 service-policy input vlan-50-limit-2Mbps

int fa1/0/1
 mls qos vlan-based

Please apply the above and let me know how you go

HTH

Regards,

Kishore

Please rate if helps
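
The rules listed in the post above can be checked against a configuration before it is pasted into the switch. The Python below is an added example, not code from the thread or from Cisco: it follows the policy attached to the SVI down to the child policy and reports a parent class without a trust/set action, a child class without police, and any port named in match input-interface that lacks mls qos vlan-based. It assumes the full "interface" keyword, port names spelled the same way in the class-map and in the interface stanza, and space-separated port lists (for a range only the two endpoints are checked); the function names and the port fa1/0/2 are hypothetical.

```python
import re
# Constructed sample: the thread's policy plus a hypothetical port fa1/0/2 without "mls qos vlan-based".
SAMPLE = """\
class-map match-any cm-1
 match access-group 100
class-map vlan50
 match input-interface fa1/0/1 fa1/0/2
policy-map vlan50-limit
 class vlan50
  police 2000000 250000 exceed-action drop
policy-map vlan-50-limit-2Mbps
 class cm-1
  trust dscp
  service-policy vlan50-limit
interface Vlan50
 service-policy input vlan-50-limit-2Mbps
interface fa1/0/1
 mls qos vlan-based
interface fa1/0/2
 switchport mode trunk
"""

def blocks(cfg):  # {(keyword, name): body text} for each top-level stanza
    out = {}
    for b in re.split(r"\n(?=\S)", cfg.strip()):
        w = b.split("\n")[0].split()
        name = "".join(w[1:]).lower() if w[0] == "interface" else w[-1]
        out[(w[0], name)] = b.partition("\n")[2]
    return out

def classes(s, pol):  # [(class name, its action lines)] of policy-map pol
    chunks = re.split(r"^\s*class\s+", s.get(("policy-map", pol), ""), flags=re.M)[1:]
    return [(c.split()[0], c.partition("\n")[2]) for c in chunks]

def lint(cfg):
    s, issues = blocks(cfg), []
    svis = [b for (k, n), b in s.items() if k == "interface" and n.startswith("vlan")]
    for parent in re.findall(r"service-policy input (\S+)", "\n".join(svis)):
        for cls, acts in classes(s, parent):
            if not re.search(r"^\s*(trust|set) ", acts, re.M):
                issues.append(f"{parent}/{cls}: parent class has no trust/set action")
            for child in re.findall(r"service-policy (\S+)", acts):
                for ccls, cacts in classes(s, child):
                    if "police " not in cacts:
                        issues.append(f"{child}/{ccls}: child class has no police action")
                    ports = re.findall(r"match input-interface (.+)", s.get(("class-map", ccls), ""))
                    for p in " ".join(ports).lower().replace(" - ", " ").split():
                        if "mls qos vlan-based" not in s.get(("interface", p), ""):
                            issues.append(f"{p}: missing mls qos vlan-based")
    return issues
```

Calling lint(SAMPLE) returns one finding, for fa1/0/2; a trunk port that carries VLAN 50 but is left out of the class-map is not something this check can see.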

Thanks Kishore,

The configuration is successfully applied, but alas no traffic is dropped. I have three trunk interfaces on my core switch where I need to apply this. I guess I can only apply it on physical interfaces? Thanks a bunch anyway. I am still awaiting new ideas.

