[nsp] Example code of how to "rate limit" a port on a 3550
Jon Lewis
jlewis at lewis.org
Sat Jul 3 11:42:48 EDT 2004
I was hoping someone from cisco might comment on this...or should I just
open a TAC case? I've looked some more, and on the 3550 I've been looking
at, I see some ports using service-policies built like what's below are
working (policing both ingress and egress, at least show mls qos int stat
says packets in both directions have been dropped) while others are not
policing ingress and allowing data to flow at full wire speed.

class-map match-any all
 match ip dscp 0
!
policy-map 1mbit
 class all
  police 1000000 16000 exceed-action drop
interface f...
 service-policy input 1mbit
 service-policy output 1mbit

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
---------- Forwarded message ----------
Date: Fri, 2 Jul 2004 11:23:06 -0400 (EDT)
From: Jon Lewis <jlewis at lewis.org>
To: Matthew Crocker <matthew at crocker.com>
Cc: Cisco Nsp <cisco-nsp at puck.nether.net>
Subject: Re: [nsp] Example code of how to "rate limit" a port on a 3550
On Fri, 2 Jul 2004, Matthew Crocker wrote:
> My new config which appears to be working for inbound (customer to me,
> customer to Internet) and outbound (me to customer, Internet to
> customer) uses dscp on both ingress and egress.
>
> class-map match-any everything
>  match ip dscp 0
>
> policy-map 1mbps
>  class everything
>   police 1000000 8000 exceed-action drop
>
>
> int f0/5
>  service-policy input 1mbps
>  service-policy output 1mbps
Are you sure this is working? I just copied this verbatim (other than the
interface number) and I find it polices egress (to the box on the
configured port) but not ingress.

#sh mls qos interface fastEthernet 0/14 statistics
FastEthernet0/14
Ingress
  dscp: incoming   no_change  classified  policed  dropped (in bytes)
Others: 22186896   385        22186511    0        0
Egress
  dscp: incoming   no_change  classified  policed  dropped (in bytes)
Others: 1014364    n/a        n/a         0        138138

It does classify the ingress packets, but doesn't drop any.
> I'll beat on the server a bit to test it out some more.
>
> 3550-48# show mls qos interface f0/5
> FastEthernet0/5
> Attached policy-map for Ingress: 1mbps
> trust state: not trusted
> trust mode: not trusted
> COS override: dis
> Attached policy-map for Egress: 1mbps
> default COS: 0
> DSCP Mutation Map: Default DSCP Mutation Map
> trust device: none
#show mls qos interface f0/14
FastEthernet0/14
Attached policy-map for Ingress: 1mbps
trust state: not trusted
trust mode: not trusted
COS override: dis
Attached policy-map for Egress: 1mbps
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
trust device: none
> 3550-48# show mls qos interface f0/5 statistics
> FastEthernet0/5
> Ingress
>   dscp: incoming    no_change  classified  policed  dropped (in bytes)
> Others: 38984265    38123202   861063      0        1252177044
> Egress
>   dscp: incoming    no_change  classified  policed  dropped (in bytes)
> Others: 2227787239  n/a        n/a         0        0
Did you clear mls qos interface f0/5 statistics before testing this new
config? Those numbers look kind of big...so I'm guessing maybe not.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
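
The check both posters do by eye on "show mls qos interface ... statistics", as an added example that is not part of the original thread: it parses the output format shown above (quoted or unquoted) and lists directions that carried traffic but dropped nothing. The function names are hypothetical, and the sample is the FastEthernet0/14 output from the message; zero drops only proves the policer is idle if the counters were cleared and the test traffic exceeded the policed rate.

```python
import re

COLUMNS = ("incoming", "no_change", "classified", "policed", "dropped")
# "<label>: v1 v2 v3 v4 v5", tolerating leading '>' e-mail quoting
ROW = re.compile(r"^\s*(?:>\s*)*([\w-]+):\s+(.*)$")

def parse_mls_qos_stats(text):
    """Return {direction: {column: byte total}} summed over all DSCP rows."""
    stats, direction = {}, None
    for line in text.splitlines():
        bare = line.lstrip("> \t").strip()
        if bare in ("Ingress", "Egress"):
            direction = bare.lower()
            stats[direction] = dict.fromkeys(COLUMNS, 0)
            continue
        m = ROW.match(line)
        if not m or direction is None or m.group(1) == "dscp":
            continue  # interface name, column header, or unrelated line
        fields = m.group(2).split()
        if len(fields) != len(COLUMNS):
            continue  # not a counter row in the format shown in the thread
        for col, val in zip(COLUMNS, fields):
            if val.isdigit():  # 'n/a' columns contribute nothing
                stats[direction][col] += int(val)
    return stats

def directions_without_drops(stats):
    """Directions that saw traffic but show zero dropped bytes."""
    return [d for d, c in stats.items()
            if c["incoming"] > 0 and c["dropped"] == 0]

# Sample: the FastEthernet0/14 counters posted in the message above.
SAMPLE = """\
FastEthernet0/14
Ingress
dscp: incoming no_change classified policed dropped (in bytes)
Others: 22186896 385 22186511 0 0
Egress
dscp: incoming no_change classified policed dropped (in bytes)
Others: 1014364 n/a n/a 0 138138
"""

if __name__ == "__main__":
    result = parse_mls_qos_stats(SAMPLE)
    print(result)
    print("no drops seen on:", directions_without_drops(result))
```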