[nsp] Example code of how to "rate limit" a port on a 3550
Jon Lewis
jlewis at lewis.org
Thu Jul 1 17:03:53 EDT 2004
Part of why I posted was I wasn't 100% sure about this, so I wanted to see
if someone would suggest it was wrong. It worked 'in the lab', but I made
no effort to mess with DSCP. My understanding was that without
configuring interfaces to trust DSCP, DSCP is always 0.
http://www.cisco.com/en/US/customer/products/hw/switches/ps646/products_tech_note09186a00800feff5.shtml
When an interface is not trusted (this is the default state when QoS is
enabled), the internal DSCP will be derived from the configurable default
CoS for the corresponding interface. If no default CoS is configured, the
default value will be zero.
On Thu, 1 Jul 2004, Warren Kumari, PhD, CCIE#9190 wrote:
> Well, yeah, but only on dscp 0 traffic. Traffic with other DSCP bits
> wont get policed (and it seems that more and more virii and DoS are
> setting DSCP). You will need to match all of hte DSCP bits for police
> this way.
>
> Warren
> On Jul 1, 2004, at 3:57 PM, Jon Lewis wrote:
>
> > On Thu, 1 Jul 2004, Matthew Crocker wrote:
> >
> >> This is what I use, works pretty well for me.
> >> !
> >> class-map match-all allip
> >> match access-group 100
> >> !
> >> policy-map 2mbps
> >> class allip
> >> police 2000000 32000 exceed-action drop
> >> !
> >> int f0/1
> >> service-policy input 1mbps
> >> !
> >> access-list 100 permit ip any any
> >>
> >> This only works to police packets as they enter the switch port. You
> >> can't use 'match access-group' in a output service-policy on the 3550.
> >
> > If, in the class map, you match ip dscp 0, instead of an access-group,
> > you
> > can police in both directions.
> >
> > ----------------------------------------------------------------------
> > Jon Lewis | I route
> > Senior Network Engineer | therefore you are
> > Atlantic Net |
> > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
> --
> Outside of a dog, a book is your best friend, and inside of a dog, it's
> too dark to read
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
More information about the cisco-nsp
mailing list