[c-nsp] Policing individual vlans per port on 3750 (non metro)

Jose lobo at allstream.net
Mon Jul 28 23:47:52 EDT 2008


Thanks for the tips Stig/Arie.

So it appears that I've managed to get it to work but not before 
upgrading the IOS to 12.2(44)SE2 as it wasn't working properly before 
that.  Here's the config that I ended up going with in case anyone else 
is looking to get this working.  This example polices one vlan to 5Mbps 
and the other to 1Mbps:

mac access-list extended mac
 permit any any
!
access-list 129 permit ip any any
!
class-map match-any cm-1
  match access-group name mac
class-map match-any cm-1-ip
  match access-group 129
class-map match-all cm-interface-1
  match input-interface  FastEthernet1/0/1 - FastEthernet1/0/2
!
!
policy-map port-plcmap-667
  class cm-interface-1
    police 1000000 8000 exceed-action drop
policy-map vlan-plcmap2
  class cm-1
    trust dscp
    service-policy port-plcmap-667
  class cm-1-ip
    trust dscp
    service-policy port-plcmap-667
policy-map port-plcmap
  class cm-interface-1
    police 5000000 8000 exceed-action drop
policy-map vlan-plcmap
  class cm-1
    trust dscp
    service-policy port-plcmap
  class cm-1-ip
    trust dscp
    service-policy port-plcmap
!
interface FastEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 666,667
 switchport mode trunk
 mls qos vlan-based
!
interface FastEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 666,667
 switchport mode trunk
 mls qos vlan-based
!
interface Vlan666
 description test policing vlan
 no ip address
 service-policy input vlan-plcmap
!
interface Vlan667
 no ip address
 service-policy input vlan-plcmap2
!

It's important to re-iterate that mls qos vlan-based be enabled on the 
interfaces you will be using as without this command all of the above is 
useless.

Thanks.

Jose


Stig Johansen wrote:
> Hi there,
>
> Just remember that the 3750 non-metro platform has several limitations,
> especially for egress QoS, which I would think you would be interested
> in using.
>
> The short story is: The 3750-platform does only queueing and scheduling
> on egress-interfaces. Any policing or prioritization you want to be
> done on an egress-interface would have to be done by manipulating
> CoS/DSCP-values and configuring the output-queues accordingly.
>
> For inbound QoS in your case, you'll have to enable VLAN-based QoS as
> suggested by Arie. Follow this link:
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swqos.html#wp1703591
>
> Best regards,
> Stig Meireles Johansen
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jose
> Sent: 26. juli 2008 15:00
> To: Cisco
> Subject: [c-nsp] Policing individual vlans per port on 3750 (non metro)
>
> Hi everyone.  Ran into a little snag this afternoon when I needed to
> police layer 2 customers on a single port in a similar fashion to the
> way we do it on the 3550-24s.  Normally we would create the aggregate
> policer, use a class map that matches on vlan id and another one that
> matches any ip per customer...we combine these under a single policy-map
> and apply it to the interface.
>
>
> When trying this similar process on the 3750, we noticed that we aren't 
> able to match on vlan:
>
> copsw01(config)#class-map match-all ARPI3-IP-Trunk
> copsw01(config-cmap)#match ?
>  access-group     Access group
>  input-interface  Select one or more input interfaces to match
>  ip               IP specific values
>
>
> So now we're left wondering how can we have a trunk port police
> individual vlans if the option is not there to choose?  BTW, the version
> of IOS we're using is c3750-ipbasek9-mz.122-25.SEE2.
>
> Thanks.
>
> Jose
>   
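The point made in the message above, that the SVI policers only take effect on ports carrying mls qos vlan-based, can be checked offline against a saved running-config. The following is an added example, not part of the original post: the helper names stanzas, ports and audit are hypothetical, the sample config is constructed from the posted one, and interface ranges are assumed to stay within one module.

```python
# Constructed sample: trimmed from the posted config; Fa1/0/2 lacks "mls qos vlan-based".
SAMPLE = """\
class-map match-all cm-interface-1
  match input-interface  FastEthernet1/0/1 - FastEthernet1/0/2
policy-map port-plcmap
  class cm-interface-1
    police 5000000 8000 exceed-action drop
policy-map vlan-plcmap
  class cm-1
    service-policy port-plcmap
interface FastEthernet1/0/1
 mls qos vlan-based
interface FastEthernet1/0/2
 switchport mode trunk
interface Vlan666
 service-policy input vlan-plcmap
"""

def stanzas(cfg):
    """Map each top-level line to the list of its indented child lines."""
    out, cur = {}, []
    for line in cfg.splitlines():
        if line[:1].isspace():
            cur.append(line.strip())
        elif line:
            cur = out.setdefault(line.strip(), [])
    return out

def ports(match_line):
    """Expand 'match input-interface X/1 - X/2' (same module assumed) into port names."""
    first, _, last = match_line.split(None, 2)[2].partition(" - ")
    base, lo = first.strip().rsplit("/", 1)
    return [f"{base}/{n}" for n in range(int(lo), int((last or first).rsplit("/", 1)[1]) + 1)]

def audit(cfg):
    """Return {(svi, port): (police_rate_bps, vlan_based_enabled)} for each policed port."""
    s, res = stanzas(cfg), {}
    cmaps = {h.split()[-1]: b for h, b in s.items() if h.startswith("class-map ")}
    for svi in [h for h in s if h.startswith("interface Vlan")]:
        for parent in [l.split()[-1] for l in s[svi] if l.startswith("service-policy input")]:
            for child in {l.split()[-1] for l in s.get("policy-map " + parent, []) if l.startswith("service-policy")}:
                cls = None  # class the next "police" line belongs to
                for l in s.get("policy-map " + child, []):
                    if l.startswith("class "):
                        cls = l.split()[1]
                    elif l.startswith("police ") and cls:
                        for p in [p for m in cmaps.get(cls, []) if m.startswith("match input-interface") for p in ports(m)]:
                            res[(svi.split()[1], p)] = (int(l.split()[1]), "mls qos vlan-based" in s.get("interface " + p, []))
    return res
```

Any entry whose second value is False is a port where traffic for that VLAN would pass unpoliced despite the service-policy on the SVI.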