03-26-2025 07:46 AM
Hello,
I have multiple Cisco C9300s that I also use as gateways with SVIs and BGP routing. The switches are interconnected in a kind of ring topology with FortyGigabitEthernet interfaces. The setup itself works.
See topology image attached.
Some of these C9300s that act as gateways also do NAT with their public IP address (they all have their own VLAN and subnet).
My goal is to limit the bandwidth of the customer by doing shaping and policing.
Shaping at the outbound, policing at the inbound.
I cannot simply limit the Fo1/1/1 and Fo1/1/2 interfaces because all traffic would then be slowed down. The goal is to limit the bandwidth by using an ACL and limiting the NAT outside IP.
For policing it works without any problem.
When I try to use shaping combined with an ACL, it gives me this error:
Invalid queuing class-map!!! Queuing actions supported only with dscp/cos/qos-group/precedence/exp based classification!!!
Here is the configuration that I am trying to do:
! Define the access lists
ip access-list extended NAT_DOWNLOAD
 10 permit ip any host 123.123.123.123
!
ip access-list extended NAT_UPLOAD
 10 permit ip host 123.123.123.123 any
!
! Define the class maps
class-map match-any NAT_DOWNLOAD_CLASS
 match access-group name NAT_DOWNLOAD
!
class-map match-any NAT_UPLOAD_CLASS
 match access-group name NAT_UPLOAD
!
! Define the policy maps
policy-map LIMIT_UPLOAD
 class NAT_UPLOAD_CLASS
  shape average 50000000
 class class-default
!
policy-map LIMIT_DOWNLOAD
 class NAT_DOWNLOAD_CLASS
  police cir 301000000
   conform-action transmit
   exceed-action drop
 class class-default
!
! Apply the policies on the interfaces
interface FortyGigabitEthernet1/1/1
 service-policy input LIMIT_DOWNLOAD
 service-policy output LIMIT_UPLOAD
!
interface FortyGigabitEthernet1/1/2
 service-policy input LIMIT_DOWNLOAD
 service-policy output LIMIT_UPLOAD
When doing "service-policy output LIMIT_UPLOAD", I get this error:
Invalid queuing class-map!!! Queuing actions supported only with dscp/cos/qos-group/precedence/exp based classification!!!
How can I do shaping only for the public IP address, so that everything else that goes over the FortyGigabit interfaces does not get limited? Or am I doing this completely wrong?
Version is 17.15.
Thanks for your help.
03-26-2025 08:19 AM
The basic issue is that the platform cannot match on an ACL at egress for an output policy. However, it can match at egress to a qos-group. This kind of limitation is fairly common across a number of platforms that forward in hardware.
Use your NAT_UPLOAD ACL on interfaces where traffic sourced from 123.123.123.123 ingresses as a match condition for an ingress class. The input policy-map for those interfaces would set a qos-group for matching in an egress class. At egress, your class-map will match on the qos-group rather than the ACL.
03-26-2025 02:16 PM
NB: I didn't see Jim's reply until after I posted my reply. Basically, we're both saying the same, although Jim's reply explains in more detail.
03-26-2025 08:25 AM
I haven't dived into the depths of C9300 QoS, but it's not totally surprising that a switch has QoS limitations compared to a software-based router.
From the error message, I would believe you cannot use the ACL for egress matching. I.e. you're limited to matching on dscp/cos/qos-group/precedence/exp.
So, what might you do?
Have an ingress policy use the ACL to match the desired traffic and assign the matched traffic to a qos-group. Then match the qos-group in your egress policy.
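The approach Jim and Joseph both describe, written out as a configuration. This is an added example, not config posted in the thread or Cisco reference material. The qos-group number (10), the customer-facing port (GigabitEthernet1/0/1) and the inside subnet (10.10.10.0/24) are placeholders: in IOS order of operations, inside-to-outside NAT happens after ingress classification, so on the switch that performs the NAT the upload traffic still carries its private source address when the ingress policy sees it, and the ingress ACL has to match that inside network rather than 123.123.123.123. Which interface the marking policy belongs on depends on where the customer's traffic actually enters each gateway. The existing LIMIT_DOWNLOAD input policer is unchanged and omitted here.

```cisco
! Added example, not from the original thread. Interface names, the qos-group
! value and the inside subnet are assumptions.
!
! Ingress: classify the customer's upload traffic by ACL and tag it with a
! qos-group. Match the traffic as it arrives (pre-NAT inside source), because
! the 123.123.123.123 source only exists after translation.
ip access-list extended NAT_UPLOAD_INSIDE
 10 permit ip 10.10.10.0 0.0.0.255 any
!
class-map match-any NAT_UPLOAD_INGRESS
 match access-group name NAT_UPLOAD_INSIDE
!
policy-map MARK_UPLOAD
 class NAT_UPLOAD_INGRESS
  set qos-group 10
 class class-default
!
! Egress: the shaping class matches the qos-group, which the platform accepts
! for queuing actions, instead of the ACL, which triggers the
! "Invalid queuing class-map" error.
class-map match-any NAT_UPLOAD_EGRESS
 match qos-group 10
!
policy-map LIMIT_UPLOAD
 class NAT_UPLOAD_EGRESS
  shape average 50000000
 class class-default
!
! Apply the marking policy where the customer traffic enters the switch
! (placeholder port) and the shaper on the ring uplinks as before.
interface GigabitEthernet1/0/1
 description customer-facing port (assumed)
 service-policy input MARK_UPLOAD
!
interface FortyGigabitEthernet1/1/1
 service-policy output LIMIT_UPLOAD
!
interface FortyGigabitEthernet1/1/2
 service-policy output LIMIT_UPLOAD
```

Two points worth checking after applying this. First, a qos-group is an internal label that exists only inside the switch that set it, so every gateway that shapes this traffic must also mark it on its own ingress; it is not carried across the ring links. Second, `show policy-map interface FortyGigabitEthernet1/1/1` shows per-class packet counters on both the marking and the shaping policy; if the NAT_UPLOAD_EGRESS counters stay at zero while the customer is sending, the ingress ACL is not matching the traffic as it really arrives (wrong interface or wrong pre-NAT source), and the shaper never sees it. The same per-interface reasoning applies to the existing download policer: two independent input policers on the two ring links each admit 301 Mbps, so the aggregate can reach twice that if traffic arrives over both links.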
03-26-2025 02:12 PM
BTW, possibly (?) your egress policy would work (using an ACL) if it too used a policer rather than a shaper.
Whether an egress policer would work, using an ACL, or not, two questions come to my mind. First, why use a shaper for egress? Second, why do the policer and shaper use different CIR values? (Both questions are just based on curiosity.)
Also, BTW, you could combine the two ACLs into one ACL (with two ACEs). Further, if ingress and egress policies used policers, with same CIR, you could use just one policy (assuming egress, using a policer, can function with an ACL).