[nsp] 3550 Traffic marking and Policing

Dan Salekin dan.salekin at terago.ca
Thu Feb 5 17:04:49 EST 2004


I'm trying to implement rate-limiting on both the 3550 and 2950.

This email is more specific to the 3550; if there are fundamental differences regarding marking and policing between the two boxes, I'd appreciate any comments.

Our initial configurations produced positive results in a lab environment. The traffic was IPv4 and was generated via Ixia test sets.

During field testing and client acceptance testing we noticed both positive and negative test results. It seems that both non-IP traffic and FTP traffic are not marked by our current configuration. It was also noted that once FTP traffic flows through the switch, any traffic type that flows after is no longer marked and rate-limited.

We have read the 3550 docs posted on CCO but, after seeing mixed test results, we do not have a complete understanding of how the switch works regarding marking traffic for QoS purposes.

I would appreciate it if someone could explain how the various traffic types flow through the switch and how the available software knobs can be applied for marking and rate-limiting. I'm also very curious to better understand why a basic MAC filter will mark non-IP traffic, but not IP traffic!

I'm providing one sample of a VLAN filter that has had both positive and negative test results in the field depending on traffic types.

My example relates to marking and rate-limiting all traffic on a specific VLAN.
WS-C3550-12T
IOS version: 12.1(13)EA1a

! Sample VLAN rate-limiting config: Purpose, rate limit all Ethernet traffic on VLAN 704
!
! MAC Address Filter
!
mac access-list extended AnyMAC
 permit any any
!
! Classify VLAN specific traffic.
!
class-map match-all 1A
  match access-group name AnyMAC
!
class-map match-all 1B
  match access-group name AnyMAC
!
class-map match-all 1B-T
  match vlan  704
  match class-map 1B
!
! Define the maximum rate (bandwidth) of the service
!
policy-map Ingress-Policy1
  class 1A
    police 3000000 188000 exceed-action drop
!
! Define the maximum rate (bandwidth) of the service
!
policy-map Ingress-Policy2
  class 1B-T
    police 3000000 188000 exceed-action drop
!
! Apply policy to physical interface
!
interface GigabitEthernet0/1
 description >>> Access Port <<<
 switchport access vlan 704
 switchport mode access
 flowcontrol send off
 service-policy input Ingress-Policy1
!
! Apply policy to physical interface
!
interface GigabitEthernet0/2
 description >>> 802.1Q Trunk <<<
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,704,1002-1005
 switchport mode trunk
 flowcontrol send off
 service-policy input Ingress-Policy2
!

Comments would be much appreciated,
Dan



