10-20-2011 11:49 PM - edited 03-07-2019 02:57 AM
Hey all,
I am using a Cisco 3560 as a distribution switch and want to limit port 445 traffic to 1 MB. I applied a rate-limit statement on the Gi0/1 port, but the switch is unable to limit said traffic.
Here below is my scenario.
access-list 120 permit tcp any any eq 445 log
access-list 120 permit tcp any eq 445 any log
Gi0/1
rate-limit output access-group 120 1024000 128000 128000 conform-action transmit exceed-action drop
But it's not working. Kindly guide me on this issue as it is very critical to me.
10-25-2011 04:20 AM
Hi Arshad,
"service-policy output" is not supported on physical interfaces in the 3560/3750 due to an ASIC limitation. You can use it under a VLAN using hierarchical QoS maps. However, it might be a bit of an admin task here as you have 64 VLANs. It would mean that you need to apply it to each VLAN and use "mls qos vlan-based" on the trunk interface as well.
access-list 120 permit tcp any any eq 445 log
access-list 120 permit tcp any eq 445 any log
Gi0/1
rate-limit output access-group 120 1024000 128000 128000 conform-action transmit exceed-action drop
What happens when you change that to rate-limit input?
Also, can you please paste in the output of "sh interface gi0/1 rate-limit"? I would like to see what actually happens.
There are some restrictions with these classic switches 3560/3750.
If push comes to shove, then apply it to all the VLANs. You can write a script to do that, or go for a Metro E switch. Also, what's connected to this port on the other side? Maybe you can police the traffic on that device for incoming traffic.
Edit: you can also downgrade to a 3550 if you like.
HTH
Regards,
Kishore
10-29-2011 01:13 AM
Now I have applied the configuration mentioned below on the distribution switch and the core switch, which are connected to each other via the G0/1 and G0/2 ports, and found no error this time; however, the configuration is working fine on the distribution switch but not working on the core switch.
Distribution Switch Configuration
access-list 140 permit tcp any any eq 445 log
access-list 140 permit tcp any eq 445 any log
class-map test
match access-group 140
policy-map test
class test
police 1024000 128000 exceed-action drop
int range gi0/1-2
service-policy input test
Core Switch Configuration
access-list 140 permit tcp any any eq 445 log
access-list 140 permit tcp any eq 445 any log
class-map test
match access-group 140
policy-map test
class test
police 1024000 128000 exceed-action drop
int range gi1/0/1-2
service-policy input test
Regards,
Arshad Ahmed
10-29-2011 04:08 AM
Hi Kishore,
The traffic originating on the core is policed fine on the input queue of the distribution switch, meaning the policy is working fine on the distribution switch, but traffic originating from the distribution switch needs to be policed on the input queue of the core switch, which is not working.
I'm attaching a diagram for your understanding.
Regards,
Arshad Ahmed
10-29-2011 06:38 AM
Sorry Arshad, I was reading another post and got mixed up. I see what you mean. Policing on the core is not working, right? What does sh ip access-lists show? Does it show any hits? What model switch are you using?
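A small parser for the "sh ip access-lists" check Kishore asks for, added here as an example and not code from any poster. It reads the IOS output, returns the per-entry match counters for ACL 140 from the thread, and lists the entries that have never matched; the sample output and its counter values are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of "show ip access-lists 140" output (not from the thread);
# the two entries mirror the ACL posted above, the match counter is made up.
SAMPLE_OUTPUT = """\
Extended IP access list 140
    10 permit tcp any any eq 445 log (15234 matches)
    20 permit tcp any eq 445 any log
"""

HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (?P<name>\S+)\s*$")
# An ACE line: sequence number, the entry text, and an optional "(N matches)" suffix.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<ace>.*?)(?:\s+\((?P<hits>\d+) matches?\))?\s*$"
)


def parse_ip_access_lists(text: str) -> Dict[str, List[dict]]:
    """Parse 'show ip access-lists' output into {acl_name: [ace, ...]}.

    Each ACE is {'seq': int, 'ace': str, 'hits': int}. IOS prints no
    "(N matches)" suffix for an entry that has never matched, so that
    case is reported as hits=0.
    """
    acls: Dict[str, List[dict]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name")
            acls[current] = []
            continue
        entry = ACE_RE.match(line)
        if entry and current is not None:
            acls[current].append({
                "seq": int(entry.group("seq")),
                "ace": entry.group("ace"),
                "hits": int(entry.group("hits") or 0),
            })
    return acls


def zero_hit_entries(acls: Dict[str, List[dict]], name: str) -> List[dict]:
    """Return the ACEs of ACL `name` that show no matches.

    If every entry of the policing ACL stays at zero on the core switch,
    the class-map never classifies port 445 traffic and the policer has
    nothing to act on, which is the first thing to rule out here.
    """
    return [e for e in acls.get(name, []) if e["hits"] == 0]
```

Paste the real "show ip access-lists 140" output from the core switch in place of the constructed sample.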