cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6600
Views
0
Helpful
25
Replies

Rate Limit traffic in Cisco 3560

Arshad Khan
Level 1
Level 1

Hey all,

I am using Cisco 3560 as distrubution switch and want to limit port 445 traffic on 1 MB and applied rate limit statment on Gi0/1 port but switch unable to limit said traffic.

Here bellow is my scanrio.

access-list 120 permit tcp any any eq 445 log

access-list 120 permit tcp any eq 445 any log

Gi0/1

rate-limit output access-group 120 1024000 128000 128000 conform-action transmit exceed-action drop

But its not working. Kindly guide me on this issue as it is very critical to me.

25 Replies 25

Hi Arshad,

"service-policy output" is not supported on physical interfaces in 3560/3750 due to ASIC  limitation. You can use it under a vlan using hierachical qos maps. However it might be a bit of admin task here as you have 64 vlans. It would mean that you need to apply to each vlan and use "mls qos vlan-based" on the trunk interface as well.   


access-list 120 permit tcp any any eq 445 log

access-list 120 permit tcp any eq 445 any log

Gi0/1

rate-limit output access-group 120 1024000 128000 128000 conform-action transmit exceed-action drop

what happens when you change that to rate-limit input?

Also can you please paste in the output of " sh interface gi0/1 rate-limit" I would like to see what actually happens?

There are some restrictions with these classic switches 3560/3750..

if push comes to shove then apply it to all the vlans. you can write a script to do that or go for a Metro E switch. Also whats connected to this port on the other side. maybe you can police the traffic on that device for incoming traffic

Edit: you can also downgrade to a 3550 if you like.

HTH

Regards,

Kishore

Now i have applied mention bellow configuration on distribution switch and core switch connected via G0/1 and G0/2 ports with each other and found no error this time however configuration working fine on distribution switch but now working on core switch.

Distribution Switch Configuration


access-list 140 permit tcp any any eq 445 log

access-list 140 permit tcp any eq 445 any log

class-map test

match access-group 140

policy-map test

class test

police 1024000 128000 exceed-action drop

int range gi0/1-2

service-policy input test


Core Switch Configuration

access-list 140 permit tcp any any eq 445 log

access-list 140 permit tcp any eq 445 any log

class-map test

match access-group 140

policy-map test

class test

police 1024000 128000 exceed-action drop

int range gi1/0/1-2

service-policy input test


Regards,

Arshad Ahmed

Hi Kishore,

The traffic originating on core is finely police on input queue of distribution switch mean policy working fine on distribution switch but traffic originating from distribution switch need to be police on input queue of core switch which is not working.

I m attaching a diagram for your under standing.

Regards,

Arshad Ahmed

sory arshad I was reading another post and got mixed up. . I see what you mean. Policing on core is not working right?what does sh ip access-lists show . Does it show any hits? what model switch are using?

Hi Kishorr,

There is no hits on access list and model # of core switch is as under.

Model and IOS version of core switch is as under

Model number                    : WS-C3750G-24T-E

Sw Image                          : C3750-IPSERVICESK9-M

SW version                        :12.2(50)SE3

Regards,

Arshad Ahmed


Hi Arshad,

Interesting. How about this? can I suggest you to add the following to the existing ACL

access-list 140 permit icmp < ipaddress on distrobution switch> log

send some ping across frmo distributino switch to the core switch and see if you get any hits

What I am trying to see if the ACL's are working and traffic is indeed being matched. Because if the traffic doesn't get matched then your policy-map won't work

HTH

Kishore

Hi Kishore,

I also applied rate limit on vlan interface in both incoming and outgoing direction as follow.

Extended IP access list 140

    10 permit tcp any any eq 445 time-range SSH-Data-Transfer (active)

    20 permit tcp any eq 445 any time-range SSH-Data-Transfer (active)

    30 permit tcp any any eq 139 time-range SSH-Data-Transfer (active)

    40 permit tcp any eq 139 any time-range SSH-Data-Transfer (active)

    50 permit tcp any any eq 22 time-range SSH-Data-Transfer (active)

    60 permit tcp any eq 22 any time-range SSH-Data-Transfer (active)

interface Vlan300

ip address 172.18.1.1 255.255.255.0

rate-limit output access-group 140 2048000 256000 256000 conform-action transmit exceed-action drop

sh interfaces vlan 300 rate-limit

Vlan300

  Output

    matches: access-group 140

      params:  2048000 bps, 256000 limit, 256000 extended limit

     conformed 0 packets, 0 bytes; action: transmit

      exceeded 0 packets, 0 bytes; action: drop

      last packet: 4013622527ms ago, current burst: 0 bytes

      last cleared 00:11:20 ago, conformed 0 bps, exceeded 0 bps

But as showen in bold section that packets are not match.

Hi Arshad,

What is the model and IOS of your core switch where the policy is not working?

Best regards,

Alex

Dear Alexandar,

Model and IOS version of core switch is as under

Model number                    : WS-C3750G-24T-E

Sw Image                          : C3750-IPSERVICESK9-M

SW version                        :12.2(50)SE3

Regards,

Arshad Ahmed

Hi Arshad,

It will not work on vlan unless you use "mls qos vlan-based" for the vlan based qos.

QoS should work the same way as on 3560. If you have used used "mls qos vlan-based" remove it and just make config the same way as you did on 3560. If it is not working there is something else in the config which is preventing it to do so.

Best regards,

Alex

Dear Alexander,

if i use "mls qos"  on cisco 3750 and cisco 3560 then its showing mention bellow options

switch_3750(config)mls qos ?

aggregate-policer

map

queue-set

rewrite

srr-queue

so which option i will slect for QoS ?

if i am apply police based QoS on SVI den it will generate error.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco