Re: service-policy IPV4 AND IPV6 for limiting bandwidth ?

sebastien3 · ‎06-22-2022

Hello,

On 3750G/3750X switches is it possible to use a service-policy to limit the bandwidth of an IPV4/IPV6 subnet ?

In IPV4 only I have no problem but with IPV4 AND IPV6 I does not work...

The SDM is dual-ipv4-and-ipv6 default whith mls qos activated.

ipv6 access-list V6_ACL_DOWN-10M
 permit ipv6 any 2001:DB8:1234:5678::/64
 deny ipv6 any any
!
ipv6 access-list V6_ACL_UP-10M
 permit ipv6 2001:DB8:1234:5678::/64 any
 deny ipv6 any any
!
ip access-list extended V4_ACL_DOWN-10M
 permit ip any host X.X.X.1
 deny   ip any any
ip access-list extended V4_ACL_UP-10M
 permit ip host X.X.X.1 any
 deny   ip any any
!
!
! match-any or match-all not work
class-map match-all LIMIT_UP-10M
 match access-group name V4_ACL_UP-10M,V6_ACL_UP-10M
class-map match-all LIMIT_DOWN-10M
 match access-group name V4_ACL_DOWN-10M,V6_ACL_DOWN-10M
!
!
policy-map LIMIT_UP
 class LIMIT_UP-10M
  police 10000000 1000000 exceed-action drop
policy-map LIMIT_DOWN
 class LIMIT_DOWN-10M
  police 10000000 1000000 exceed-action drop
!

!
interface GigabitEthernet1/0/12
 service-policy input LIMIT_DOWN
!
interface GigabitEthernet1/0/1
 service-policy input LIMIT_UP
!

Thanks !

balaji.bandi · ‎06-22-2022

as per the information should work i guess here.: (not tested myself ipv6)

is that interface you apply service policy layer 2 or layer3 ports ?

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swqos.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

sebastien3 · ‎06-22-2022

Hi @balaji.bandi

The switch ports are in L2.

G1/0/1 is switchport mode access and G1/0/12 is in Trunk mode.

David Ruess · ‎06-22-2022

Hello,

I see where you made the IPv6 ACLs but didnt reference them in a class map. You will need to reference them in the class map to use them.

This might help

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_classn/configuration/xe-3s/qos-classn-xe-3s-book/ip6-qos-mqc-pkt-cls-xe.html

-David

sebastien3 · ‎06-22-2022

Hello @David Ruess

I don't understand your answer ! Access-group name on Class-map refers to V4 and V6 ACLs.

David Ruess · ‎06-22-2022

Sorry I see it now. Is IPv6 enabled on the interface? Also you may need to use the match any and not match all statement.

Ex:

class-map match-any LIMIT_UP-10M
 match access-group name V4_ACL_UP-10M
Match access-group name V6_ACL_UP-10M

sebastien3 · ‎06-22-2022

policy-map LIMIT_UP
class LIMIT_UP-10M
police 10000000 1000000 exceed-action drop
class V6_LIMIT_UP-10M
police 10000000 1000000 exceed-action drop
policy-map LIMIT_DOWN
class LIMIT_DOWN-10M
police 10000000 1000000 exceed-action drop
class V6_LIMIT_DOWN-10M
police 10000000 1000000 exceed-action drop
!
3750G(config-if)# service-policy input LIMIT_UP
QoS: class(V6_LIMIT_UP-10M) IPv6 class not supported on interface GigabitEthernet1/0/1

I'm bad

sebastien3 · ‎06-22-2022

@David Ruess

I just saw your reply. I had also tried adding a class V6 but that didn't work either...

I have the impression that must be a limitation on the IPV6??

QoS: class(LIMIT_UP-10M) Unsupported classification [GigabitEthernet1/0/1]

QoS: class(V6_LIMIT_UP-10M) IPv6 class not supported on interface GigabitEthernet1/0/1

sebastien3 · ‎06-22-2022

Hello,

Do you know if it is possible to limit IPV4 and IPV6 bandwidth on a port with ACLs ?

Thanks

marce1000 · ‎06-22-2022

- FYI : https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/security/7x/b_Cisco_n3k_Security_Config_7x/b_Cisco_n3k_Security_Config_7x_chapter_01110.html

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

sebastien3 · ‎06-23-2022

@marce1000

I would like to know if such a configuration is possible :

ipv6 access-list V6_ACL_DOWN-10M
 permit ipv6 any 2001:DB8:1234:5678::/64
 deny ipv6 any any
!
ipv6 access-list V6_ACL_UP-10M
 permit ipv6 2001:DB8:1234:5678::/64 any
 deny ipv6 any any
!
ip access-list extended V4_ACL_DOWN-10M
 permit ip any host X.X.X.1
 deny   ip any any
ip access-list extended V4_ACL_UP-10M
 permit ip host X.X.X.1 any
 deny   ip any any
!
!
class-map match-any LIMIT_UP-10M
 match access-group name V4_ACL_UP-10M
 match access-group name V6_ACL_UP-10M
class-map match-any LIMIT_DOWN-10M
 match access-group name V4_ACL_DOWN-10M
 match access-group name V6_ACL_DOWN-10M
!
!
policy-map LIMIT_UP
 class LIMIT_UP-10M
  police 10000000 1000000 exceed-action drop
policy-map LIMIT_DOWN
 class LIMIT_DOWN-10M
  police 10000000 1000000 exceed-action drop
!

!
interface Ethernet1/1
 service-policy input LIMIT_DOWN
!
interface Ethernet1/2
 service-policy input LIMIT_UP
!