Hi Tim,

I think essentially as you are concerned with limiting traffic from the WiSM coming in on interface GigabitEthernet 5/2 within VLAN 3099, then this should be the inferace where you apply the 'mls qos vlan-based'.

Regards

Allan.

Hope this help, pls rate helpful posts.

Allen,

The gig port 5/2 is a copper port that I plugged my laptop in and placed it in vlan 3099 to test. The policy didn't work when I was hard wired in. Gig port 5/2 is a user port, not a trunk port. The WiSM creates a dynamic trunk that cannot be modified, so I don't know how I would place a command on a trunk port that is created automagically.

The problem still exists - I can't even get the laptop on gig5/2 to get policed. I placed the port in vlan 3099 and it is not restricted at all. There must be some other global command that I'm missing, I guess.

Thanks,

Tim

Hi Tim,

As Allen suggested, apply vlan-based under the physical interfaces. For testing purpose, you can lower the policer's cir, so that is easier to see the result.  Also vlan-based might not work on intra-vlan traffic; if you want restrict traffic within the vlan you might need to use user based or microflow policing.

HTH,

Lei Tian

My brain is full, so I'm going to have to pick this up on Monday.

Thanks for all your help so far.  You guys rock!

How do I rate helpful posts, by the way?

And thanks for all your help today.  I'm sure I'll get it figured out on Monday thanks to you!

Hi Tim,

Hmmm this is rather strange behaviour, I would expect service-policy on the SVI to be applicable to traffic on ingress from VLAN3099?  I assume the SVI 3099 is the default-gateway for VLAN3099 traffic from the WiSM?  If the PC was connected to this Gigabit5/2 interface as an access, then the ACLs applied on the SVI would take precedent and police the traffic accordingly with vlan-base qos applied to the interface?

As I'm not familiar with how the WiSM trunk interface is negotiated, an alternative would be to match the input-interface instead of a given as access-group as shown below.  However this requires mls qos vlan-based applied to interface as stipulate previously, whether the object match criteria is an access-group or particualr interface/trunk the behaviour or outcome should still be the same.

class-map match-all RATELIMIT
match input-interface GigabitEthernet5/2
!
policy-map RATELIMIT
class RATELIMIT
  police cir 64000000 bc 32000 be 32000 conform-action transmit exceed-action drop violate-action drop
!
interface vlan3099
service-policy input RATELIMIT
!

Rating posts is simply a case of clicking on the appropriate star to merit the level of helpfulness provided.

Regards

Allan

Allen,

I just put the following commands into the 6509, and plugged a laptop into gig7/11. Speed test indicates the policy is working one way... I can download at about 1.5 mb/s, but uploading to our bandwidth server is unrestricted. I figured I would fix it first going through the copper, then after I get it working, to look at the WiSM end.

Do you know if this is only supported one way? Sure looks that way...

Thanks,

Tim

policy-map RATELIMIT

class RATELIMIT

police 4000000 32000 32000 conform-action transmit exceed-action drop

!

class-map match-all RATELIMIT

match access-group name RATELIMIT

interface GigabitEthernet7/11

switchport

switchport access vlan 3099

switchport mode access

no ip address

load-interval 30

interface Vlan3099

description = Dilbert_Development

ip address 10.130.254.254 255.255.255.0

service-policy input RATELIMIT

service-policy output RATELIMIT

ip access-list extended RATELIMIT

permit ip any any

What version of code?

IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-VM), Version

12.2(18)

System image file is

"sup-bootdisk:s72033-ipservicesk9_wan-vz.122-18.SXF11.bin"

Here's what I ended up with for a solution below. Basically, I could

not put "mls qos vlan-based" on the trunk port because it is a WiSM and

it is a dynamic trunk that is not configurable. So I ended up deploying

the policies on the vlans, 3099 is in the trunk to a wlan, and vlan 30

is the vlan that is the gateway to the FWSM - and eventually the

Internet. So it works. A wlan user on the SSID mapped to vlan 3099

gets policed to about 2mb/s, not 4mb/s as the policy is written.

Another thing I noticed is that when I plug my laptop into a copper port

on the 6509, I can only get a 1 mb/s connection to our bandwidth server.

Strange, but good enough for me.

I was thinking of taking an 8 port 3560 and trunking it to the 6509 and

placing the "mls qos vlan-based" command on that switch just to see if

it works. If not, I'll stick with what I have configured right now.

!

class-map match-all Identify_WLAN_Guest_outbound

match access-group name Guest_WLAN_UBRL_Outbound

class-map match-all Identify_WLAN_Guest_inbound

match access-group name Guest_WLAN_UBRL_Inbound

!

policy-map police_WLAN_Guest_traffic_outbound

class Identify_WLAN_Guest_outbound

police 4000000 32000 32000 conform-action transmit exceed-action

drop

policy-map police_WLAN_Guest_traffic_inbound

class Identify_WLAN_Guest_inbound

police 4000000 32000 32000 conform-action transmit exceed-action

drop

ip access-list extended Guest_WLAN_UBRL_Outbound

permit ip 10.130.254.0 0.0.0.255 any

!

ip access-list extended Guest_WLAN_UBRL_Inbound

permit ip any 10.130.254.0 0.0.0.255

interface Vlan3099

description = Dilbert_Development

ip address 10.130.254.254 255.255.255.0

service-policy output police_WLAN_Guest_traffic_inbound (dnld police)

!

interface Vlan30

service-policy output police_WLAN_Guest_traffic_outbound (upld police)

If I understand your config statements correctly, you are defining the acl for the entire subnet and then policing per flow?   Not sure why it is capping at 2 instead of 4.

We are looking to do something similar, but for a larger address space.  I would love to get away with a single acl for the whole subnet.

Yes, I am doing the entire subnet.  It is working fine, actually

.

I did get different bandwidth results from what was configured, so I just bumped it up a bit until I got the desired bandwidth limitation and left it there.