[c-nsp] Cisco 3750G-24TS Bandwidth Limiting
Nick Shah
Nick.Shah at aapt.com.au
Tue Nov 9 19:23:18 EST 2004
Steve
3750 supports shaping on egress (aggregate & individual), and policing
on ingress. The steps to do it are
- Enable QOS globally (mls qos)
- Classify packets
  - This can be done in many ways, including port trust, trust COS, DSCP etc.
  - Standard way of doing it is match on MAC & IP on ingress (and match on DSCP for egress bound traffic)
- Create aggregate policers
- Create class maps
- Bind them in a policy map
- Apply policy map according to direction
Eg.
mls qos
! Create aggregate policers to police @ 75mbits
! (egress aggregate policer)
mls qos aggregate-policer 75M-epolicer#1 75000000 937500 exceed-action drop
! (ingress aggregate policer)
mls qos aggregate-policer 75M-ipolicer#1 75000000 937500 exceed-action drop
!
! ACL for matching on MAC
mac access-list extended L2
 permit any any
! ACL for matching on IP
access-list 100 permit ip any any
! Class maps
!
class-map match-all L2-traffic
 match access-group name L2
class-map match-all DSCPOLICE
 match ip dscp 0 63
class-map match-all IP-traffic
 match access-group 100
!
! Bind everything to the policy maps
policy-map 75M-egress#1
 class DSCPOLICE
  police aggregate 75M-epolicer#1
policy-map 75M-igress#1
 class IP-traffic
  police aggregate 75M-ipolicer#1
 class L2-traffic
  police aggregate 75M-ipolicer#1
! Apply to interface
! (service-policy names must match the policy-map names defined above)
interface FastEthernet0/4
 switchport access vlan xxx
 no ip address
 duplex full
 speed 100
 service-policy input 75M-igress#1
 service-policy output 75M-egress#1
 no cdp enable
 spanning-tree bpdufilter enable
end
!
!
Verify QOS
!
!
Xxxx#sh mls qos interface fa0/4 statistics
FastEthernet0/4
Ingress
dscp: incoming no_change classified policed dropped (in bytes)
Others: 186570420 3424803869 1056733847 0 0
Egress
dscp: incoming no_change classified policed dropped (in bytes)
Others: 2323178989 n/a n/a 0 150440940
There is also provision for 4 SRR queues (on egress, I think), along
with WTD... But for most policing requirements the above should be
sufficient.
Hth
Nick
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steve Wright
Sent: Wednesday, 10 November 2004 1:38 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 3750G-24TS Bandwidth Limiting
Hi all,
I am currently checking out what I can and can't do with the Cisco
3750G's, and am looking at methods of placing a quick limit on a port
should it start to use up excessive amounts of bandwidth on the network/
be under attack then obviously investigating further...
From what I have read, I have a few ways of doing this... using rate-limit
under a vlan/ layer3 switch port, or my preferred thought, by use of an
ACL, class-map and policy-map as below, as I could setup a number of
different policy maps with different police settings:
access-list 101 permit ip any any
class-map match-all ip-traffic
 description Match IP Traffic
 match access-group 101
policy-map 1mb-limit
 class ip-traffic
  police 8000000 1000000 exceed-action drop
Then on the interface I wish to limit
service-policy input 1mb-limit
Please can anyone confirm whether this would work, or share their
experiences of doing such limiting?
Thank you,
Steve Wright
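Added example, not part of either message in this thread: a Python parser for the "sh mls qos interface ... statistics" output quoted above, which compares two polls to show whether a policer is currently dropping traffic on the port. The second poll is constructed sample data, and the function names and the counter-reset handling are assumptions of this example.

```python
# Column names as printed in the header row of the output quoted in the thread.
COLUMNS = ("incoming", "no_change", "classified", "policed", "dropped")

# First poll: the counters quoted in the thread.
FIRST_POLL = """FastEthernet0/4
Ingress
dscp: incoming no_change classified policed dropped (in bytes)
Others: 186570420 3424803869 1056733847 0 0
Egress
dscp: incoming no_change classified policed dropped (in bytes)
Others: 2323178989 n/a n/a 0 150440940
"""

# Second poll: constructed values for illustration only.
SECOND_POLL = """FastEthernet0/4
Ingress
dscp: incoming no_change classified policed dropped (in bytes)
Others: 186970420 3425203869 1057133847 0 0
Egress
dscp: incoming no_change classified policed dropped (in bytes)
Others: 2330178989 n/a n/a 0 150940940
"""

def parse_mls_qos_stats(text):
    """Return {direction: {column: int or None}} from the statistics output."""
    stats, direction = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Ingress", "Egress"):
            direction = line.lower()
        elif direction and line.startswith("Others:"):
            fields = line.split()[1:]
            if len(fields) != len(COLUMNS):
                raise ValueError(f"unexpected counter row: {line!r}")
            # 'n/a' (as on the egress row) is kept as None, not silently turned into 0
            stats[direction] = {c: None if f == "n/a" else int(f)
                                for c, f in zip(COLUMNS, fields)}
    return stats

def newly_dropped(before, after):
    """Bytes dropped per direction between two polls (counters are cumulative)."""
    delta = {}
    for direction, counters in after.items():
        new, old = counters["dropped"], before.get(direction, {}).get("dropped")
        if new is None or old is None:
            continue
        # Assumption: a smaller value means the counter was cleared, so count from zero
        delta[direction] = new - old if new >= old else new
    return delta
```

A non-zero egress or ingress delta between polls means the policer dropped traffic in that interval, which is the signal to investigate the port further.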