[c-nsp] Rate Limit On VLANs 3550
Per Carlson
lists at ip4all.net
Wed Jun 28 05:32:59 EDT 2006
On Wed, Jun 28, 2006 at 10:12:45AM +0100, Alex Foster wrote:
> From what I can determine from the link you gave and other documents I
> have read - it doesn't appear possible to apply the policy-map to the
> output of the interface - the restrictions are imposed because we are
> using ACLs to classify traffic, would this be correct?
As the document describes, the 'match' options are _very_ limited in
the output direction; only 'match ip dscp' can be used. So yes,
you are correct.
> In my scenario I want to police the traffic (per VLAN) before it
> traverses the dot1q trunk, but if it can only be applied on the
> input of the interface this would mean the traffic had already
> traversed the trunk.
>
> I guess if this is the case - I would have to place the
> policy-map on the access-ports where the traffic entered the
> switch (before it was trunked).
Yes.
There is a vital restriction on aggregate-policers that I didn't
state. You can't apply the same policer to more than one
interface. So if you have 5 interfaces where e.g. Vlan100 enters,
you can't police the total traffic, just the traffic per port
(using 5 different policers). In this case the policing must be
done on the upstream switch (if there is one).
> Ideally I would prefer my original concept - so if this can be
> done please let me know.
There are no workarounds around it as far as I know.
--
Per Carlson, Sr. Network Developer
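
The per-port ingress policing discussed in this message, as an added configuration example that is not part of the original post: each access port where the VLAN enters gets its own policy-map and policer, because one policer cannot be shared across interfaces. The port numbers, subnet, ACL number, class and policy names, and the rates (a 4 Mbit/s budget split statically as 2 Mbit/s per port) are constructed assumptions.

```cisco
! Added example with constructed values, not from the original thread.
! Assumptions: VLAN 100 enters on Fa0/1 and Fa0/2, its hosts sit in
! 10.100.0.0/24, and the intended total of 4 Mbit/s is divided
! statically into 2 Mbit/s per ingress port.
mls qos
!
! Classification by ACL is only possible in the input direction.
access-list 100 permit ip 10.100.0.0 0.0.0.255 any
!
class-map match-all VLAN100-IN
 match access-group 100
!
! One policy-map, and therefore one policer, per ingress port.
! Traffic above the rate is dropped on that port only; unused
! allowance on one port is not available to the other.
policy-map POLICE-FA0-1
 class VLAN100-IN
  police 2000000 16000 exceed-action drop
!
policy-map POLICE-FA0-2
 class VLAN100-IN
  police 2000000 16000 exceed-action drop
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 100
 service-policy input POLICE-FA0-1
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 100
 service-policy input POLICE-FA0-2
```

A static split like this caps each port separately and does not enforce a true per-VLAN total; that still has to be done on the upstream switch, as the message says.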