[c-nsp] Rate Limit On VLANs 3550

Per Carlson lists at ip4all.net
Tue Jun 27 11:24:55 EDT 2006


On Tue, Jun 27, 2006 at 12:39:41PM +0100, Alex Foster wrote:
> Trying to configure rate-limiting per VLAN on a 3550 dot1q interface
> (GigE port) - so that each VLAN using the trunk is allocated a
> percentage of the bandwidth.
>
> Can this be done ??  

Sure. The 3550 is a bit tricky though. When doing policing of
traffic, it handles IP-traffic and NonIP-traffic as two different
cases. So if you want to be sure *all* traffic is policed, you must
police both traffic types and use an aggregate-policer.

Here is a quite handy Cisco document that covers the 3550 and
what you can do with a 3550 regarding policing and marking:

http://www.cisco.com/warp/public/473/153.html

I would suggest the following config in your case:



! First some access-list which matches all IP-traffic and all
! NonIP-traffic
ip access-list standard All_IP 
  permit any
!
mac access-list extended All_L2
  permit any any
!
!
! Create some general class-maps
class-map All_IP
  match access-group name All_IP
!
class-map All_L2
  match access-group name All_L2
!
!
! Each Vlan must have an own class-map for IP resp. NonIP-traffic
! Note: 'match Vlan' MUST be configured ahead of 'match class...',
! if you do it the other way around, it won't work!!! Doh...
class-map match-all Vlan100_IP
  match vlan 100
  match class-map All_IP
!
class-map match-all Vlan100_L2
  match vlan 100
  match class-map All_L2
!  
class-map match-all Vlan110_IP
  match vlan 110
  match class-map All_IP
!
class-map match-all Vlan110_L2
  match vlan 110
  match class-map All_L2
!  
class-map match-all Vlan20_IP
  match vlan 20
  match class-map All_IP
!
class-map match-all Vlan20_L2
  match vlan 20
  match class-map All_L2
!
!  
! For each Vlan that should be policed, you need an
! aggregate-policer
mls qos aggregate-policer Vlan100  10000000  10000 exceed-action drop
mls qos aggregate-policer Vlan110  20000000  10000 exceed-action drop
mls qos aggregate-policer Vlan20  100000000 100000 exceed-action drop
!
!
! Wrap up all classes and policers into a policy-map
! 
policy-map rate_limit 
  class Vlan100_IP
    police aggregate Vlan100
  class Vlan100_L2
    police aggregate Vlan100

  class Vlan110_IP
    police aggregate Vlan110
  class Vlan110_L2
    police aggregate Vlan110

  class Vlan20_IP
    police aggregate Vlan20
  class Vlan20_L2
    police aggregate Vlan20
!
!
! And apply it on the interface
interface GigabitEthernet0/2
  service-policy input rate_limit


Yes, this is A LOT of config, but it works :)

As you figured out by yourself, 'mls qos' is required and
'flowcontrol' must be turned off.

The 3550 isn't my favorite platform when speaking of "QoS", it's
so picky about everything, and there are plenty of deep pits to
fall into.

-- 
Per Carlson, Sr. Network Developer
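
An added example, not part of the original post: a Python check that reads a pasted 3550 config and reports the pitfalls described above ('match vlan' placed after 'match class-map', a VLAN whose IP or non-IP traffic is left unpoliced, or the two types using different policers). The function name and the sample config are constructed for illustration, and the parser only understands the statement forms used in the post's config.

```python
from collections import defaultdict

def lint_3550_policing(config):
    """Check a 3550 policing config for the pitfalls named in the post."""
    acl_kind, cmaps, policed, cur, cls = {}, defaultdict(list), {}, None, None
    for w in filter(None, map(str.split, config.splitlines())):
        if w[0] in ("ip", "mac") and w[1:2] == ["access-list"]:
            acl_kind[w[-1]] = w[0]            # ACL name -> "ip" or "mac"
        elif w[0] == "class-map":
            cur = cmaps[w[-1]]                # match statements, in order
        elif w[0] == "match" and cur is not None:
            cur.append(w[1:])
        elif w[0] == "class":
            cls = w[1]
        elif w[:2] == ["police", "aggregate"]:
            policed[cls] = w[2]               # class -> aggregate policer
    findings, per_vlan = [], defaultdict(dict)
    for name, stmts in cmaps.items():
        vlan = next((s[1] for s in stmts if s[0] == "vlan"), None)
        if vlan is None:
            continue
        if stmts[0][0] != "vlan":
            findings.append(f"{name}: 'match vlan' must precede 'match class-map'")
        for s in (s for s in stmts if s[0] == "class-map"):
            for inner in cmaps.get(s[1], []):  # nested class-map -> ACL type
                if inner[0] == "access-group":
                    per_vlan[vlan][acl_kind.get(inner[-1])] = policed.get(name)
    for vlan, seen in per_vlan.items():
        for kind, label in (("ip", "IP"), ("mac", "non-IP")):
            if not seen.get(kind):
                findings.append(f"vlan {vlan}: {label} traffic is not policed")
        if seen.get("ip") and seen.get("mac") and seen["ip"] != seen["mac"]:
            findings.append(f"vlan {vlan}: IP and non-IP use different policers")
    return findings

SAMPLE = """
ip access-list standard All_IP
mac access-list extended All_L2
class-map All_IP
  match access-group name All_IP
class-map All_L2
  match access-group name All_L2
class-map match-all Vlan110_IP
  match class-map All_IP
  match vlan 110
policy-map rate_limit
  class Vlan110_IP
    police aggregate Vlan110
"""  # constructed: the post's VLAN 110 with match order reversed and no L2 class
```

Run over the config in the post itself, the check returns an empty list.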

