Solved: SVI Policing

Lee Nickol · ‎09-24-2013

I have some communication across a LAN I would like to police before it leaves on a WAN interface. The device transmitting traffic across the LAN is connected to a trunked switchport of a switch connected to a "core" switch stack.

device ===TRUNK===Switch====TRUNK===Core Switch (Default Gateway)---WAN--->

The traffic I am trying to police is in VLAN1 and the default gateway of the transmitting device is the SVI of VLAN1 on the core switch. Because of a port channel spanning multiple stack members between the two switches it is not possible to configure a hierarchical policy-map on the SVI of the core switch with multiple match input-interface commands. I would like to configure a hierarchical policy-map on the SVI (VLAN1) of the directly connected switch. Whenever I configure this and apply I do not see any matched traffic in the policy map for the class I specified nor the default class. I have checked ACLS, class maps, etc and configured vlan based QoS on the physical port connected to the device.

Will the policy-map work on a switch that is not the default gateway of the endpoint I am trying to police?

Lei Tian · ‎09-26-2013

Hi,

That should work. Is the switch 3750? show policy-map doesn't work for 3750. Test the configure with policing down to the lowest CIR, see if you get packet drop.

HTH,

Lei Tian

View solution in original post

Lei Tian · ‎09-25-2013

Hi,

Would it work if you apply policy-map on the physical?

HTH,

Lei Tian

Lee Nickol · ‎09-25-2013

Yes, I believe this would work. However, the transmitting device is a virtual machine and could move from one physical port to another. I was hoping to get the policy-map working with one "match input-interface " command and then add additional "match input-interface " commands for each possible port this machine could reside on.

The scenario I am describing in this discussion is for one device with one IP address. Ultimately I have a range of IP addresses on a few different physical physical ports on this switch and I would like to have a maximum bandwidth policer applied to the group.

Lei Tian · ‎09-26-2013

Hi Lee,

I see your case. Would it work if you match IP address on the policy-map, and apply the policy to all possible ports? Alternatively, can you enforce the policy on VM level? So the policy can move with the VM?

HTH,

Lei Tian

Lee Nickol · ‎09-26-2013

I configured the ACL and policy-map to match the IP addressing of the communication. I also set the match input-interface to all applicable interfaces. I did this on the switch between the transmitting device and the core switch stack. When I applied this to the SVI I don't see any increments on the class-map I had hoped for or on the class-default class. Is it a valid design to configure this on this particular switch? Or does it need to be configured on the core switch stack because that is the default gateway and where the routing occurs?

I would prefer to police the traffic on the intermediate switch for two reasons: 1. This is as close to the source as possible, 2. The traffic comes into the core switch stack on a port-channel across multiple stack members and the SVI policy-map is not supported to match input interfaces on multiple stack members.

Lei Tian · ‎09-26-2013

Hi,

That should work. Is the switch 3750? show policy-map doesn't work for 3750. Test the configure with policing down to the lowest CIR, see if you get packet drop.

HTH,

Lei Tian