10-21-2011 09:32 AM - edited 03-07-2019 02:58 AM
Hi Guyz,
I want to restrict internet traffic for guests on a free SSID to 1MB.
I configured my CORE Switch as follows. All seems well, but traffic is never dropped.
Any help to solve this is highly appreciated.
I want this vlan (50) to be restricted to 1 MB for outgoing and incoming traffic.
configuration for vlan 50
-----------------------------------
interface Vlan50
 description *** Interface for VLAN 50
 ip address 10.1.22.1 255.255.255.0
 ip access-group 105 in
 rate-limit input 1000000 1000000 1000000 conform-action transmit exceed-action drop
 rate-limit output 1000000 1000000 1000000 conform-action transmit exceed-action drop
end
no traffic is dropped
-----------------------------
SW-3560-1#sh int vlan 50 rate-limit
Vlan50 *** Interface for VLAN 50
Input
matches: all traffic
params: 1000000 bps, 1000000 limit, 1000000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 2853770291ms ago, current burst: 0 bytes
last cleared 2w0d ago, conformed 0 bps, exceeded 0 bps
Output
matches: all traffic
params: 1000000 bps, 1000000 limit, 1000000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 2853770291ms ago, current burst: 0 bytes
last cleared 2w0d ago, conformed 0 bps, exceeded 0 bps
thanks in advance.
10-21-2011 10:27 AM
Hi,
Can you please check the below-mentioned thread? It is more or less on the same track...
https://supportforums.cisco.com/message/3471481#3471481
Regards,
Smitesh
10-24-2011 12:52 AM
Hello Smitesh,
I cannot apply some commands that are on the link you provided such as
match class-map class -default
I am running version (C3560-IPSERVICESK9-M), Version 12.2(35)SE5
any more ideas?
regards.
10-24-2011 01:48 AM
Hi,
helped me very much: "do we have 'mls qos vlan-based' configured on the physical port through which the traffic is ingressing?"
https://supportforums.cisco.com/message/3470502#3470502
Maybe it will help you as well.
--
Dimitry
10-24-2011 02:11 AM
Hi,
Try the below, it may help you...
Police a specific VLAN number on the VLAN interface.
class-map vlan5
 match vlan 5
 match class-map class-default
policy-map vlan5-limit
 class vlan5
  police 2000000 250000 exceed-action drop
int vlan5
 service-policy input vlan5-limit
After you apply this configuration, the traffic with VLAN 5 coming from any will be policed at 2Mbps.
Hope this will help you.
Please rate the helpful posts.
Regards,
Naidu.
10-24-2011 10:12 AM
Hi Latchum,
when i apply the command
int vlan5
service-policy input vlan5-limit,
i receive this error %QoS: policy-map with police action at parent level not supported on Vlan5 interface.
i am running ios version 12.2(35)SE5
any ideas on a way out ?
10-24-2011 02:03 PM
What you can do is use the same policy suggested above as a child policy
Example
policy-map p1
 class class-default
  service-policy vlan5-limit
Then apply the p1 policy at the VLAN interface level
You may need to change the behaviour of the QoS to VLAN-based at the physical interface level
Using the command mls qos vlan-based
Hope this helps
If helpful, rate
10-25-2011 01:06 AM
Hi Marwanshawi,
I don't quite get you: using the same policy as a child policy?
thanks for the help.
10-25-2011 01:21 AM
Hi,
What that meant is...
Configure everything like in my previous post, then configure the child policy like below and apply it to the VLAN interface.
policy-map p1
 class class-default
  service-policy vlan5-limit
int vlan5
 Policy-map p1
Please rate the helpful posts.
Regards,
Naidu.
10-25-2011 02:26 AM
Hi Latchum,
I do not have this command under the interface vlan options
interface vlan 5
policy-map p1
when i go to the
conf t
interface vlan 5
?
it does not exist on the ios
thanks for the help anyway.
10-25-2011 03:35 AM
Hi,
Latchum meant
int vlan 5
service-policy input p1
HTH
Regards,
Kishore
10-25-2011 03:47 AM
hi Kishore, yes.
this is the output i am getting now.
3560(config)#interface vlan 5
3560(config-if)#service-policy input p1
%QoS: policy-map vlan_5-limit with MATCH INPUT-INTERFACE matching non-physical interfaces or other unsupported
Service Policy attachment failed
3560(config-if)#
3560(config-if)#service-policy input p1
%QoS: policy-map vlan_5-limit with MATCH INPUT-INTERFACE matching non-physical interfaces or other unsupported
Service Policy attachment failed
3560(config-if)#
thanks for your help guys.
10-25-2011 05:39 AM
Ah, the reason is that the match statement under the class-map is not correct.
match vlan 5 is only available on 6500s, 4500s and Metro Ethernet switches, not on a 3560.
Please remember the following points while using child policies
Key things to remember:
Child classes use match input-interface
Child policies use police
Parent classes match ACL (I think you can also match dscp, maybe others)
Parent policies must have an action (e.g. set or trust)
Apply parent policies to SVI
So you need to use match input-interface and match all the interfaces where vlan 50 is configured.
For example, let's assume that you have vlan 50 configured on interface fa1/0/1; then the class-map will be like this
access-list 100 permit ip any any
class-map match-any cm-1
 match access-group 100
class-map vlan50
 match input-interface fa1/0/1
policy-map vlan50-limit
 class vlan50
  police 2000000 250000 exceed-action drop
policy-map vlan-50-limit-2Mbps
 class cm-1
  trust dscp
  service-policy vlan50-limit
int vlan50
 service-policy input vlan-50-limit-2Mbps
int fa1/0/1
 mls qos vlan-based
Please apply the above and let me know how you go
HTH
Regards,
Kishore
Please rate if helps
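Added example (not part of the thread and not Cisco's code): a small Python check that walks a configuration shaped like the one in the post above and reports which of its listed rules are unmet, so a policer that attaches cleanly but never matches traffic can be traced to the missing piece. The second port gi0/1, match-any on the child class, and identical interface spelling in the class-map and interface stanzas are assumptions of this example.

```python
# Constructed sample: the post's config plus a hypothetical second port, gi0/1.
SAMPLE = """\
class-map match-any cm-1
 match access-group 100
class-map match-any vlan50
 match input-interface fa1/0/1
 match input-interface gi0/1
policy-map vlan50-limit
 class vlan50
  police 2000000 250000 exceed-action drop
policy-map vlan-50-limit-2Mbps
 class cm-1
  trust dscp
  service-policy vlan50-limit
interface Vlan50
 service-policy input vlan-50-limit-2Mbps
interface fa1/0/1
 mls qos vlan-based
interface gi0/1
"""

def sections(cfg):  # top-level line -> list of its indented child lines, lowercased
    out, cur = {}, None
    for line in filter(str.strip, cfg.splitlines()):
        if not line[0].isspace():
            cur = out.setdefault(line.strip().lower(), [])
        elif cur is not None:
            cur.append(line.strip().lower())
    return out

def lint(cfg):
    sec, found = sections(cfg), []
    named = lambda kw: {h.split()[-1]: b for h, b in sec.items() if h.startswith(kw)}
    pmaps, cmaps, ifs = named("policy-map "), named("class-map "), named("interface ")
    args = lambda body, kw: [l[len(kw):].split() for l in body if l.startswith(kw)]
    svis = [b for i, b in ifs.items() if i.startswith("vlan")]  # parent goes on the SVI
    for pol in (a[0] for b in svis for a in args(b, "service-policy input ")):
        parent = pmaps.get(pol, [])
        if not args(parent, "trust") and not args(parent, "set "):
            found.append(f"{pol}: parent policy has no action (set/trust)")
        for child in (a[0] for a in args(parent, "service-policy ")):
            if not args(pmaps.get(child, []), "police "):
                found.append(f"{child}: child policy has no police statement")
            for cls in (a[0] for a in args(pmaps.get(child, []), "class ")):
                ports = sum(args(cmaps.get(cls, []), "match input-interface"), [])
                found += [f"{p}: mls qos vlan-based missing" for p in ports
                          if "mls qos vlan-based" not in ifs.get(p, [])]
                if not ports:
                    found.append(f"{cls}: child class has no match input-interface")
    return found
```

Calling lint(SAMPLE) returns a single finding for gi0/1; names in the findings are lowercased because the parser normalises case.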
10-25-2011 06:35 AM
thanks Kishore,
the configuration is successfully applied, but alas no traffic is dropped. I have three trunk interfaces on my core switch where I need to apply this. I guess I can only apply it on physical interfaces? Thanks a bunch anyway. I am still awaiting new ideas.
10-25-2011 01:30 PM
Hi,
You can apply this to trunk interfaces as well. You just need to put the trunk interface in the "match input-interface"
class-map vlan50
 match input-interface
and just put the mls qos vlan-based under the trunk interfaces and it will work.
abukuru95 wrote:
thanks Kishore,
the configuration is successfully applied, but alas no traffic is dropped. I have three trunk interfaces on my core switch where I need to apply this. I guess I can only apply it on physical interfaces? Thanks a bunch anyway. I am still awaiting new ideas.
You cannot apply service-policy output to physical interfaces on 3560 due to ASIC limitations
HTH
Kishore