[c-nsp] 3750: Hierarchical qos/police issue
Paul van der Zel
paul at is.co.za
Tue Sep 19 07:23:35 EDT 2006
Hi all,
I am having an issue with deploying a police or rate-limit
functionality on Vlan SVIs on a Catalyst 3750 (WS-C3750G-24TS)
switch. I've followed Cisco's documentation for this device and IOS
version (12.2[25]SEA) on configuring QoS in a hierarchical service
policy and enabled vlan-based qos on the relevant physical ports.
The scenario is that this switch connects to a firewall, which is
shared by multiple clients, on port G1/0/25, which is a trunk port, and
uplinks to the rest of the network via G1/0/28, an access port in
Vlan 617. Clients configured on the firewall are separated by vlan id and
are routed to the rest of the network via L3 SVIs on a per-client
basis.
I need to configure a police / rate-limit on one customer, and have
configured 2 separate hierarchical service policies to do this, one
bound as input to Vlan 209, which is my test "client" interface from
the firewall, and one bound as input to Vlan 617, the shared L3
uplink to the rest of the network. The issue is that while the first
service policy does work, limiting traffic from the "client" into the
network, the second one (bound to Vlan 617) has no effect at all.
My configuration looks as follows:
mls qos
!
vlan 209
 name Paul_test
!
vlan 617
 name Uplink
!
class-map match-any ACCESS-INTERFACE-INPUT
  match input-interface GigabitEthernet1/0/28
class-map match-any PAUL-TEST
  match access-group name PAUL-TEST
class-map match-any FIREWALL-INTERFACE-INPUT
  match input-interface GigabitEthernet1/0/25
!
policy-map ACCESS-INTERFACE-INPUT
  class ACCESS-INTERFACE-INPUT
    police 64000 12000 exceed-action drop
policy-map FIREWALL-INTERFACE-INPUT
  class FIREWALL-INTERFACE-INPUT
    police 64000 12000 exceed-action drop
policy-map PAUL-TEST
  class PAUL-TEST
    set dscp af12
    service-policy FIREWALL-INTERFACE-INPUT
policy-map ACCESS-TEST
  class PAUL-TEST
    set dscp af12
    service-policy ACCESS-INTERFACE-INPUT
!
interface GigabitEthernet1/0/25
 description FIREWALL outside
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-616,618-4094
 switchport mode trunk
 mls qos vlan-based
!
interface GigabitEthernet1/0/28
 description Uplink to Access
 switchport access vlan 617
 switchport mode access
 mls qos vlan-based
!
interface Vlan209
 description Paul test
 ip address W.X.Y.Z 255.255.255.240
 no ip redirects
 no ip unreachables
 service-policy input PAUL-TEST
 no ip mroute-cache
!
interface Vlan617
 ip address A.B.C.D 255.255.252.0
 ip flow ingress
 service-policy input ACCESS-TEST
!
ip access-list standard PAUL-TEST
 permit W.X.Y.Z 0.0.0.15
Can anyone assist on what might be incorrect with this configuration?
Thank you
--
Paul van der Zel
Internet Solutions, South Africa
Tel: +27 (11) 575-0818
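Added illustration, not part of Paul's post or of any Cisco code: a small Python model of how the two hierarchical policies in the configuration above classify a flow entering each SVI. It encodes the posted class-maps, policy-maps and ACL, and assumes only what IOS does with them (a standard ACL tests the source address, `match input-interface` compares the physical ingress port, and the child policy is only consulted for traffic the parent class already matched). The addresses 192.0.2.0/28 and 198.51.100.10 are constructed stand-ins for the W.X.Y.Z subnet and a host behind the Vlan 617 uplink. Running it over a client-to-network packet on Vlan 209 and the return packet on Vlan 617 shows which parent and child classes each packet hits, and therefore whether the policer is reached.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges) standing in
# for the W.X.Y.Z / A.B.C.D placeholders in the post.
CLIENT_NET = ipaddress.ip_network("192.0.2.0/28")   # Vlan209 subnet (wildcard 0.0.0.15 == /28)
NETWORK_HOST = "198.51.100.10"                       # a host reached via the Vlan617 uplink

# ip access-list standard PAUL-TEST: a standard ACL tests the SOURCE address only.
ACLS = {"PAUL-TEST": [("permit", CLIENT_NET)]}


def acl_permits(name, src):
    """First-match evaluation of a standard ACL with the implicit deny at the end."""
    addr = ipaddress.ip_address(src)
    for action, net in ACLS[name]:
        if addr in net:
            return action == "permit"
    return False


# class-maps from the post (each match-any class has a single criterion)
CLASS_MAPS = {
    "PAUL-TEST": ("access-group", "PAUL-TEST"),
    "FIREWALL-INTERFACE-INPUT": ("input-interface", "GigabitEthernet1/0/25"),
    "ACCESS-INTERFACE-INPUT": ("input-interface", "GigabitEthernet1/0/28"),
}

# policy-maps from the post: the two parents mark DSCP and hand off to a child
# policy; the two children carry the policer (rate, burst, exceed-action drop).
POLICY_MAPS = {
    "PAUL-TEST": {"class": "PAUL-TEST", "dscp": "af12", "child": "FIREWALL-INTERFACE-INPUT"},
    "ACCESS-TEST": {"class": "PAUL-TEST", "dscp": "af12", "child": "ACCESS-INTERFACE-INPUT"},
    "FIREWALL-INTERFACE-INPUT": {"class": "FIREWALL-INTERFACE-INPUT", "police": (64000, 12000)},
    "ACCESS-INTERFACE-INPUT": {"class": "ACCESS-INTERFACE-INPUT", "police": (64000, 12000)},
}

# service-policy input bindings on the SVIs
SVI_POLICY = {209: "PAUL-TEST", 617: "ACCESS-TEST"}


@dataclass
class Packet:
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    vlan: int      # VLAN (SVI) the packet is routed in on
    ingress: str   # physical port the frame arrived on


def class_matches(cmap, pkt):
    kind, arg = CLASS_MAPS[cmap]
    if kind == "access-group":
        return acl_permits(arg, pkt.src)
    if kind == "input-interface":
        return pkt.ingress == arg
    return False


def classify(pkt):
    """Return (parent_class, child_class, policed) for a packet entering an SVI.

    The child policy is only evaluated for packets the parent class matched;
    anything else falls into class-default and is neither marked nor policed.
    """
    parent = POLICY_MAPS[SVI_POLICY[pkt.vlan]]
    if not class_matches(parent["class"], pkt):
        return (None, None, False)
    child = POLICY_MAPS[parent["child"]]
    if class_matches(child["class"], pkt):
        return (parent["class"], child["class"], True)
    return (parent["class"], None, False)


if __name__ == "__main__":
    # Client -> network: arrives from the firewall trunk, routed in Vlan 209.
    outbound = Packet("192.0.2.5", NETWORK_HOST, 209, "GigabitEthernet1/0/25")
    # Network -> client: arrives on the access uplink, routed in Vlan 617.
    inbound = Packet(NETWORK_HOST, "192.0.2.5", 617, "GigabitEthernet1/0/28")
    for label, pkt in (("Vlan209 outbound", outbound), ("Vlan617 inbound", inbound)):
        print(label, classify(pkt))
```

The two packets in the `__main__` block are the two directions of a single client conversation; comparing their results shows, for this configuration, which direction reaches a child policer and which stops at the parent class check.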