Solved: Re: Hi,

tedauction · ‎12-06-2016

Hello, I have a WS-C3850-48T with a Port channel comprised of four physical interfaces.

If I want to apply a service-policy to this (which detects and marks certain traffic as 'EF'),.

Do I simply put it on the Port Channel interface and would I put it on each of the individual physical interfaces that comprise the Port Channel ?

Also, will this cause any brief outage ?

Thank you kindly for any help.

Reza Sharifi · ‎12-06-2016

Hi,

On the 3850s, you have to apply the policy to individual interfaces that belong to that Portchannel. Even though the Portchannel takes the command, but it does not appear under the Po interface.

Also, applying it to physical interfaces does not cause any outage.

From the qos doc:

The following are restrictions and considerations for applying QoS features on EtherChannel and channel member interfaces:

QoS is not supported on an EtherChannel interface.
QoS is supported on EtherChannel member interfaces in both ingress and egression directions. All EtherChannel members must have the same QoS policy applied. If the QoS policy is not the same, each individual policy on the different link acts independently.
On attaching a service policy to channel members, the following warning message appears to remind the user to make sure the same policy is attached to all ports in the EtherChannel: ' Warning: add service policy will cause inconsistency with port xxx in ether channel xxx. '.

Link:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/qos/configuration_guide/b_qos_3se_3850_cg/b_qos_3se_3850_cg_chapter_011.html

HTH

View solution in original post

Joseph W. Doherty · ‎12-07-2016

I haven't worked with the 3850, but from what Reza has posted, and in general, applying QoS on a L3 switch, I believe, may "bang up" some inflight frames/packets. Usually, the impact is so small, most network applications aren't adversely impacted.

As to the situation with the 3850, which allows, but doesn't recommend, different policies per port-channel interface, the issue would appear to be, different traffic treatment depending on what particular channel link a flow transits. For example, in your case, as you apply the policies to each member link, the one link might mark traffic with EF while other links yet do not.

When applying a service policy to multiple channel members, using an interface range command, with just one policy statement, would likely be the fasted method to change all the member ports. I.e. if you have both an ingress and egress policy, again to minimize the time port members are configured differently, use one interface range to apply the the ingress or egress policy, and another interface range command to apply the other policy.

View solution in original post

Reza Sharifi · ‎12-06-2016

Hi,

On the 3850s, you have to apply the policy to individual interfaces that belong to that Portchannel. Even though the Portchannel takes the command, but it does not appear under the Po interface.

Also, applying it to physical interfaces does not cause any outage.

From the qos doc:

The following are restrictions and considerations for applying QoS features on EtherChannel and channel member interfaces:

QoS is not supported on an EtherChannel interface.
QoS is supported on EtherChannel member interfaces in both ingress and egression directions. All EtherChannel members must have the same QoS policy applied. If the QoS policy is not the same, each individual policy on the different link acts independently.
On attaching a service policy to channel members, the following warning message appears to remind the user to make sure the same policy is attached to all ports in the EtherChannel: ' Warning: add service policy will cause inconsistency with port xxx in ether channel xxx. '.

Link:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/qos/configuration_guide/b_qos_3se_3850_cg/b_qos_3se_3850_cg_chapter_011.html

HTH

tedauction · ‎12-06-2016

Thank you kindly, however when I read the section:

" On attaching a service policy to channel members, the following warning message appears to remind the user to make sure the same policy is attached to all ports in the EtherChannel: ' Warning: add service policy will cause inconsistency with port xxx in ether channel xxx. '.'."

My question is, when you are actually adding the service-policy to each individual interface of the Port Channel, would that cause any disturbance i.e. do you have to 'instantaneously' add the 'service-policy' command to each Port Channel member interface or can you do it incrementally without causing network disturbance ?

Thank you kindly.

Joseph W. Doherty · ‎12-07-2016

I haven't worked with the 3850, but from what Reza has posted, and in general, applying QoS on a L3 switch, I believe, may "bang up" some inflight frames/packets. Usually, the impact is so small, most network applications aren't adversely impacted.

As to the situation with the 3850, which allows, but doesn't recommend, different policies per port-channel interface, the issue would appear to be, different traffic treatment depending on what particular channel link a flow transits. For example, in your case, as you apply the policies to each member link, the one link might mark traffic with EF while other links yet do not.

When applying a service policy to multiple channel members, using an interface range command, with just one policy statement, would likely be the fasted method to change all the member ports. I.e. if you have both an ingress and egress policy, again to minimize the time port members are configured differently, use one interface range to apply the the ingress or egress policy, and another interface range command to apply the other policy.

Reza Sharifi · ‎12-07-2016

When I did the test on a 3850, it did not give this message saying "Warning: add service policy will cause inconsistency with port xxx in ether channel xxx. '.'."

As a matter of fact, no message was shown. It just took the command and I did not see any packet drops.

I am not sure why the software allows you to add it to the PO, but it does not show it under the PO interface. If the command is not supposed to be there, than I should see a message saying something like "Portchannel does not support qos policy, apply it to psychical interface" or something like that. It is a strange behavior.

My question is, when you are actually adding the service-policy to each individual interface of the Port Channel, would that cause any disturbance i.e. do you have to 'instantaneously' add the 'service-policy' command to each Port Channel member interface or can you do it incrementally without causing network disturbance ?

I did it one interface at a time and did not see any issues. I just turned on a continues ping from my laptop to the management IP address of the 3850 and did not see any drops.

If you don't feel this test is good enough, than I suggest doing it after hours or during a maintenance window.

HTH

sepideh.ta · ‎12-30-2020

Hello ,

I wanted to restrict the send traffic by a server, and server gateway is on firewall, I preferred to do it on access switch (switch 3850) and I applied service policy on physical interfaces that they are layer 2 interface mode trunk. But it did not work properly. Do you have an idea ?

Thank you.

Configuration:

ip access-list extended Police

permit tcp host Source IP eq port host Destination Port eq Port

class-map match-all Polie

match access-group name Police

policy-map Police

class Polie

police 30000000

interface TenGigabitEthernet1/0/18

switchport trunk allowed vlan 14-22

switchport mode trunk

load-interval 30

channel-group 24 mode active

spanning-tree portfast trunk

spanning-tree bpduguard enable

service-policy input Police

interface TenGigabitEthernet2/0/18

switchport trunk allowed vlan 14-22

switchport mode trunk

load-interval 30

channel-group 24 mode active

spanning-tree portfast trunk

spanning-tree bpduguard enable

service-policy input Police

Georg Pauwen · ‎12-30-2020

Hello,

what exactly is not working ?

Basedon what you have posted, try the changes marked in bold:

ip access-list extended Police
--> permit tcp host Source IP host Destination Port eq Port
!
class-map match-all Polie
match access-group name Police
!
policy-map Police
class Polie
--> police 30000000 conform-action transmit exceed-action drop
!
interface TenGigabitEthernet1/0/18
switchport trunk allowed vlan 14-22
switchport mode trunk
load-interval 30
channel-group 24 mode active
spanning-tree portfast trunk
spanning-tree bpduguard enable
--> service-policy output Police
!
interface TenGigabitEthernet2/0/18
switchport trunk allowed vlan 14-22
switchport mode trunk
load-interval 30
channel-group 24 mode active
spanning-tree portfast trunk
spanning-tree bpduguard enable
-> service-policy output Police

sepideh.ta · ‎12-31-2020

Hi,
After applying service-policy , I changed the police rate several times
(30m, 60 m 15 m) but I didn't see any change in server traffic .

I think that policy-map does not work!

Thanks

service-policy on Port Channel