[c-nsp] Cisco 3750G-24TS Bandwidth Limiting

Joe Shen sj_hznm at yahoo.com.cn
Wed Nov 10 21:11:18 EST 2004


My question:

If we need to share uplink bandwidth dynamically
between different access ports, how could we do it
with 3750? 

thanks

Joe


--- Nick Shah <Nick.Shah at aapt.com.au> wrote:
> Steve
> 
> 3750 supports shaping on egress (aggregate &
> individual), and policing
> on ingress. The steps to do it are
> 
> - Enable QOS globally (mls qos)
> - Classify packets
> 	- This can be done in many ways, including port trust, trust COS, DSCP etc.
> 	- Standard way of doing it is match on MAC & IP on ingress (and match on DSCP for egress bound traffic)
> - Create aggregate policers
> - Create class maps 
> - Bind them in a policy map
> - Apply policy map according to direction
> 
> Eg.
> 
> mls qos
>
> ! Create aggregate policers to police @ 75mbits
>
> ! egress aggregate policer
> mls qos aggregate-policer 75M-epolicer#1 75000000 937500 exceed-action drop
> ! ingress aggregate policer
> mls qos aggregate-policer 75M-ipolicer#1 75000000 937500 exceed-action drop
> !
> ! ACL for matching on MAC
> 
> mac access-list extended L2
>  permit any any
> 
> ! ACL for matching on IP
> 
> access-list 100 permit ip any any
> 
> ! Class maps
> !
> class-map match-all L2-traffic
>   match access-group name L2
> class-map match-all DSCPOLICE
>   match ip dscp 0 63
> class-map match-all IP-traffic
>   match access-group 100
> !
> ! Bind everything to the policy maps
> policy-map 75M-egress#1
>   class DSCPOLICE
>     police aggregate 75M-epolicer#1
> policy-map 75M-igress#1
>   class IP-traffic
>     police aggregate 75M-ipolicer#1
>   class L2-traffic
>     police aggregate 75M-ipolicer#1
> 
> ! Apply to interface
> 
> interface FastEthernet0/4
>  switchport access vlan xxx
>  no ip address
>  duplex full
>  speed 100
>  service-policy input 75M-igress#1
>  service-policy output 75M-egress#1
>  no cdp enable
>  spanning-tree bpdufilter enable
> end
> !
> !
> Verify QOS
> !
> !
> Xxxx#sh mls qos interface fa0/4 statistics
> FastEthernet0/4
> Ingress
>   dscp: incoming   no_change  classified policed    dropped (in bytes)
> Others: 186570420  3424803869 1056733847 0          0
> Egress
>   dscp: incoming   no_change  classified policed    dropped (in bytes)
> Others: 2323178989    n/a       n/a      0          150440940
> 
> There is also provision for 4 SRR queues (on egress,
> I think), along
> with WTD... But for most of policing requirements
> the above should be
> sufficient. 
> 
> Hth
> 
> Nick
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf
> Of Steve Wright
> Sent: Wednesday, 10 November 2004 1:38 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco 3750G-24TS Bandwidth Limiting
> 
> 
> Hi all,
> 
> I am currently checking out what I can and can't do
> with the Cisco
> 3750G's, and am looking at methods of placing a
> quick limit on a port
> should it start to use up excessive amounts of
> bandwidth on the network/
> be under attack then obviously investigating
> further...
> 
> From what I have read, I have a few ways of doing
> this... using rate-limit
> under a vlan/ layer3 switch port, or my preferred
> thought, by use of an
> ACL, class-map and policy-map as below, as I could
> setup a number of
> different policy maps with different police
> settings:
> 
> access-list 101 permit ip any any
> 
> class-map match-all ip-traffic
>  description Match IP Traffic
>  match access-group 101
> 
> policy-map 1mb-limit
>  class ip-traffic
>   police 8000000 1000000 exceed-action drop
> 
> Then on the interface I wish to limit
> service-policy input 1mb-limit
> 
> Please can anyone confirm whether this would work,
> or share their
> experiences of doing such limiting?
> 
> Thank you,
> Steve Wright 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at
> http://puck.nether.net/pipermail/cisco-nsp/



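A consistency check for the chain the quoted steps build (aggregate policer -> class map -> policy map -> interface), as an added example that is not part of the original thread: it reports every name that is used but never defined. The function name `lint_qos` and the sample config are constructed for illustration, and only the command forms quoted in the thread are recognised.

```python
# Added example: reference check for a 3750-style QoS config (not Cisco tooling).

def lint_qos(config: str) -> list[str]:
    """Return one message per name that is used but never defined."""
    defined = {"policer": set(), "acl": set(), "policy-map": set(),
               "class-map": {"class-default"}}   # class-default is built in
    used = []        # (kind, name, context line the reference appeared under)
    ctx = "global"
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue                              # blank line or comment
        if w[:3] == ["mls", "qos", "aggregate-policer"] and len(w) > 3:
            defined["policer"].add(w[3])
        elif w[0] == "access-list" and len(w) > 1:
            defined["acl"].add(w[1])
        elif w[:3] == ["mac", "access-list", "extended"] and len(w) > 3:
            defined["acl"].add(w[3])
        elif w[0] in ("class-map", "policy-map") and len(w) > 1:
            defined[w[0]].add(w[-1])
            ctx = " ".join(w)
        elif w[0] == "interface":
            ctx = " ".join(w)
        elif w[:2] == ["match", "access-group"] and len(w) > 2:
            used.append(("acl", w[-1], ctx))      # covers "name L2" and "100"
        elif w[0] == "class" and len(w) > 1:
            used.append(("class-map", w[1], ctx))
        elif w[:2] == ["police", "aggregate"] and len(w) > 2:
            used.append(("policer", w[2], ctx))
        elif w[0] == "service-policy" and len(w) > 2:
            used.append(("policy-map", w[2], ctx))
    # Resolve only after the whole file is read, so definition order is free.
    return [f"{c}: {kind} '{name}' is not defined"
            for kind, name, c in used if name not in defined[kind]]

# Constructed sample: the interface names the policy map without its "#1" suffix.
SAMPLE = """\
mls qos
mls qos aggregate-policer 75M-ipolicer#1 75000000 937500 exceed-action drop
access-list 100 permit ip any any
class-map match-all IP-traffic
  match access-group 100
policy-map 75M-igress#1
  class IP-traffic
    police aggregate 75M-ipolicer#1
interface FastEthernet0/4
 service-policy input 75M-igress
"""

if __name__ == "__main__":
    for problem in lint_qos(SAMPLE):
        print(problem)
```
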