[c-nsp] Police or shape switched traffic in Cisco Catalyst 3750 series switches

Martin T m4rtntns at gmail.com
Tue Jan 13 11:51:00 EST 2015 

Hi,

I tried few options to police or shape traffic in Cisco Catalyst 3750
series switches:

1) Storm-control for unicast, multicast and broadcast traffic. As
expected, this basically does not work in case of UDP traffic as all
the traffic is allowed up to a point where storm-control rising
threshold is reached and after that all the unicast traffic is
blocked. In case of TCP, congestion control would kick in and traffic
would reduce to a level where unicast traffic is no longer blocked,
i.e. port would flap between forward and block states. However, as UDP
has no congestion control, this does not work.
For TCP I also got bit unexpected results. In case of topology:

Iperf_client <-> [Gi1/0/1]switch1 <-> switch2[Gi1/0/1] <-> Iperf_server

..where ports Gi1/0/1 in both switches had "storm-control unicast
level bps 20m" configured, I received bandwidth well over 100Mbps:


root at localhost:~# iperf -c 10.10.10.2 -fm -d -t 60
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 0.08 MByte (default)
------------------------------------------------------------
------------------------------------------------------------
Client connecting to 10.10.10.2, TCP port 5001
TCP window size: 0.09 MByte (default)
------------------------------------------------------------
[  5] local 10.10.10.1 port 40496 connected with 10.10.10.2 port 5001
[  4] local 10.10.10.1 port 5001 connected with 10.10.10.2 port 37359
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-60.4 sec  1286 MBytes   178 Mbits/sec
[  5]  0.0-60.6 sec  1014 MBytes   140 Mbits/sec
root at localhost:~#

As expected, Gi1/0/1 in both switches was blocking and forwarding
unicast traffic with few seconds intervals, but I'm bit surprised by
high bandwidth results. How to explain this?


2) "srr-queue bandwidth limit" under interface configuration seems to
work fine. However, it allows only egress policing.


3) I configured a policy-map which I applied to a switch-port in
"input" direction, but for some reason it had no affect:

WS-C3750G-24TS#sh policy-map POLICED-TRAFFIC
  Policy Map POLICED-TRAFFIC
      Description: 100Mbps policer
    Class class-default
      police 100000000 8000 exceed-action drop
WS-C3750G-24TS#sh policy-map interface Gi1/0/1
 GigabitEthernet1/0/1

  Service-policy input: POLICED-TRAFFIC

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        30 second rate 0 bps
WS-C3750G-24TS#

Are policy-maps supported for switched traffic?


Last but not least, are there any additional possibilities to
police/shape traffic in Cisco Catalyst 3750 series switches?


thanks,
Martin

More information about the cisco-nsp mailing list