[c-nsp] QoS on 6500

Corneliu Tanasa ctanasa at i-net.ro
Wed Jun 27 14:23:56 EDT 2007


I have the following scenario on 6000 with Sup2/PFC2/MSFC2, Native IOS
(ipservices), version 12.2.18 SXF9

 

For one customer, I have multiple interfaces for ingress traffic and
multiple interfaces for egress traffic.

I want to use NBAR to classify the traffic and then to police the traffic.
Because I have multiple incoming interfaces, I choose to use police
aggregate.  So, I have for example one physical interface where the customer
is directly connected.  I have also one defined VLAN attached to that
interface:

 

interface fastethernet 3/1
 switchport
 switchport mode access
 switchport access vlan 100
!
interface vlan 100
 ip address 10.10.10.1 255.255.255.0

 

Now, I have the policy

 

mls qos
mls qos aggregate-policer TEST-aggregate 1024000 1024000 conform-action transmit exceed-action drop
!
ip access-list extended TEST-acl
 permit ip 10.10.10.0 0.0.0.255 any
!
class-map match-all TEST-class
 match access-group name TEST-acl
!
policy-map TEST-policy
 class TEST-class
  police aggregate TEST-aggregate
!

 

Please note there is no match protocol statement.

 

Now, I'm going to apply the TEST-policy to the interface.

 

interface fastethernet 3/1

 service-policy input TEST-policy

 

With this configuration, all the ingress traffic is policed to 1024000 bps
and works fine.  Now, without any other change, if I go to the vlan
interface and activate ip nbar protocol-discovery, then the police remains
attached to this interface, but the traffic is flowing through this interface
as if there is no policy.  At the same time, I'm seeing that the counters are
increasing when looking at the output of:

 

# show mls qos ip fastEthernet 3/1

 

and this makes me think the policy is applied and is doing the job, but
still, the traffic is not policed at all.  What happens is that without NBAR
protocol discovery the policy is working, but with NBAR it is not, even if
there is no change to the policy (no match protocol statement added).

 

Could somebody help me understand what I am missing?  Are there any
limitations with aggregate-policer?

 

Thank you,

Corneliu

 


