I did try a policy-map and policing and it did not work. I believe I had it misconfigured since I read something last night that leads me to that conclusion.

Allen,

I forgot to put that in the question.  The ACL is as follows:

access-list 175 permit ip any any

I must be missing something... because it just isn't working!

Thanks,

Tim

I found this statement on this webpage:

"In order to enable CAR, you must enable Cisco Express Forwarding (CEF) on the box. In addition, you must configure a CEF-switched interface for CAR"

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a00800fb50a.shtml

I want to enable it on an VLAN, since the machines are downstream and not directly connected to this 6509. The VLAN interface is on the 6509.

Jim,

I tried that already. My policy is identical to yours, but I plugged yours in just in case I mistyped something. Your policy doesn't work either. I must be missing some other global command is all I can think.

Here's what I have below. I have a laptop on my desk on that vlan, IP is 10.128.254.152, and can hit the speed test site on the internet and has unrestricted downloads and uploads.

mls qos

!

class-map match-all identify_Guest_WLAN_Ratelimit

match access-group name Guest_WLAN_Ratelimit

class-map match-all RATELIMIT

match access-group name RATELIMIT

!

!

policy-map police-WLAN-Guest-traffic

class identify_Guest_WLAN_Ratelimit

police cir 64000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop

policy-map RATELIMIT

class RATELIMIT

police cir 64000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop

interface Vlan2099

description = Dilbert_Development

ip address 10.128.254.254 255.255.255.0

service-policy input RATELIMIT

service-policy output RATELIMIT

ip access-list extended Guest_WLAN_Ratelimit

permit ip any any

ip access-list extended RATELIMIT

permit ip any any

Thanks,

Tim

What's the output of sh policy-map interface vlan 2099?

CSFC6503#sh policy-map interface vlan 2099

Vlan2099

Service-policy input: RATELIMIT

class-map: RATELIMIT (match-all)

Match: access-group name RATELIMIT

police :

64000 bps 8000 limit 8000 extended limit

Earl in slot 5 :

0 bytes

5 minute offered rate 0 bps

aggregate-forwarded 0 bytes action: transmit

exceeded 0 bytes action: drop

aggregate-forward 0 bps exceed 0 bps

Class-map: class-default (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

Service-policy output: RATELIMIT

class-map: RATELIMIT (match-all)

Match: access-group name RATELIMIT

police :

64000 bps 8000 limit 8000 extended limit

Earl in slot 5 :

5190 bytes

5 minute offered rate 0 bps

aggregate-forwarded 5190 bytes action: transmit

exceeded 0 bytes action: drop

aggregate-forward 0 bps exceed 0 bps

Class-map: class-default (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

Hi Tim,

I suspect that object criteria is falling into the class-default which is specifically for traffic that is not specifically classified.  As you have all one class which consist of essentially everything could you try configuring the policy-map as follows so that you only have the class class-default within it, and then try testing again:-

policy-map RATELIMIT

  class class-default

   police cir  64000 bc 8000 be 8000 conform-action transmit exceed-action drop  violate-action drop

interface Vlan2099

description =  Dilbert_Development

ip address 10.128.254.254 255.255.255.0

service-policy input RATELIMIT

service-policy output RATELIMIT

Could you post the show policy-map, and show interface policy-map command.

Thanks

Allan.

Allen,

Here is what the config looks like now:

policy-map RATELIMIT

class class-default

police cir 64000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop

class-map match-all RATELIMIT

match access-group name RATELIMIT

ip access-list extended RATELIMIT

permit ip any any

interface Vlan2099

description = Dilbert_Development

ip address 10.128.254.254 255.255.255.0

service-policy input RATELIMIT

service-policy output RATELIMIT

CSFC6503#sho policy-map

Policy Map police-WLAN-Guest-traffic

Class identify_Guest_WLAN_Ratelimit

police cir 64000 bc 8000 be 8000 conform-action transmit exceed-action d

rop violate-action drop

Policy Map RATELIMIT

Class class-default

police cir 64000 bc 8000 be 8000 conform-action transmit exceed-action d

rop violate-action drop

CSFC6503#sh policy-map interface vlan 2099

Vlan2099

Service-policy input: RATELIMIT

class-map: class-default (match-any)

Match: any

police :

64000 bps 8000 limit 8000 extended limit

Earl in slot 5 :

0 bytes

5 minute offered rate 0 bps

aggregate-forwarded 0 bytes action: transmit

exceeded 0 bytes action: drop

aggregate-forward 0 bps exceed 0 bps

Service-policy output: RATELIMIT

class-map: class-default (match-any)

Match: any

police :

64000 bps 8000 limit 8000 extended limit

Earl in slot 5 :

602 bytes

5 minute offered rate 0 bps

aggregate-forwarded 602 bytes action: transmit

exceeded 0 bytes action: drop

aggregate-forward 0 bps exceed 0 bps

CSFC6503#

Hi Tim,

From the show policy-map interface vlan2099, the outbound service-policy appears to have bytes matched.  To specifically test whether the policed cir is working you could revise the policy so that the conform action is set to drop, this will ensure that any traffic matched which conforms within the CIR is dropped directly.

This would prove that the policy is working as desired and that the your testing is not exceeding the CIR.  I would also configure the access-list to be more explicit and configure it so initially only your testing IP host is configured to any, and any to your IP host.  The example I provided in my previous post simply negates the requirement to have a separate access-list to match-on as the class class-default provides the same catch-all.

Regards

Allan.

Allan,

I have another box that I use for testing, and I applied the config to it and it works. The main difference is the machine I'm hitting the bandwidth server is on copper, plugged into a copper port on the 6509.

The box that isn't working is a user that enters the box through a vlan trunk. What are the odds that traffic entering through a trunk isn't supported?

I'm going to go prove my theory in a few minutes.

Thanks,

Tim

Hi Tim,

That shouldn't be a problem, if that is the case, then I assume that you have not configured the physical trunk interface on the 6500 for vlan based QoS?  If you haven't could add this command 'mls qos vlan-based' to the appropriate interface and try your tests again?

Regards

Allan.