From: Victor Cappuccio (vcappuccio@gmail.com)
Date: Fri Oct 05 2007 - 17:20:40 ART
Maybe this link could help
http://vcappuccio.wordpress.com/catalyst-qos-notes/
*Cat Policing *
You configure the bucket depth (the maximum burst that is tolerated before
the bucket overflows) by using the burst-byte option
You configure how fast (the average rate) that the tokens are removed from
the bucket by using the rate-bps option
*Rules of Policing:*
Only the average rate and committed burst parameters are configurable.
Policing can occur on ingress and egress physical interfaces on 3550.
You cannot police at the switch virtual interface level on a 3550.
The switch does not support per-VLAN QoS or VLAN QoS policing across the
entire switch.
*Build a class map:*
Only one ACL per class map. (u)
Only one match class-map configuration command per class map is supported.
(u)
(u) You cannot use the service-policy interface configuration command to
attach policy maps that contain these elements to an egress interface:
set or trust policy-map class configuration commands. Instead, you can use
the police policy-map class configuration command to mark down (reduce) the
DSCP value at the egress interface.
Access control list (ACL) classification.
Per-port per-VLAN classification.
3560 difference:
In Cisco IOS Release 12.2(25)SE or later, you can configure QoS on physical
ports and on switch virtual interfaces (SVIs). Other than to apply policy
maps, you configure the QoS settings, such as classification, queueing, and
scheduling, the same way on physical ports and SVIs. When configuring QoS on
a physical port, you apply a nonhierarchical policy map. When configuring
QoS on an SVI, you apply a nonhierarchical or a hierarchical policy map.(u)
*Comparison of 3550 and 3560 Policing Techniques:*
Individual
Hierarchical
Supported on 3560 SVI
Non-hierarchical
Physical port
SVI supported on 3560
Per-port Per-Vlan on 3550
Aggregate
3550 and 3560 supported
*Individual Policing *
Policers can be configured only on a physical port or on a per-port
per-VLAN basis (specifies the bandwidth limits for the traffic on a per-VLAN
basis, for a given port). Per-port per-VLAN policing is not supported on
routed ports or on virtual (logical) interfaces. It is supported only on an
ingress port configured as a trunk or as a static-access port. (univercd)
Switch(config)# mls qos cos policy-map ???
*Physical Port *
QoS applies the bandwidth limits specified in the policer separately to
each matched traffic class. You configure this type of policer within a
policy map by using the police policy-map configuration command.
*Per-Port Per-VLAN *
Per-port Per-VLAN policing supported on 3550.
Rules:
Per-port per-VLAN policing is supported only on ingress interfaces.
Must use the match-any keyword with the class-map (Bob)
Must put match vlan first in class-map (Bob)
Classify traffic:
class-map match-any [name_x]
match [ access-group | ip prec | ip dscp ]
class-map match-all [name_y]
match vlan
match class name_x
When to use per-port per-vlan policing instead of physical port policing?
Per-port per-VLAN basis specifies the bandwidth limits for the traffic on a
per-VLAN basis, for a given port. Per-port per-VLAN policing is not
supported on routed ports or on virtual (logical) interfaces. It is
supported only on an ingress port configured as a trunk or as a
static-access port. (u)
*SVI Policing *
Policing on SVIs is a 3560 supported feature.
Configure classification, queueing, and scheduling, the same way on physical
ports and SVIs. Applying policy map is different. (u)
*Policing*
*hierarchical aka single-level policy maps*
Apply on SVI
hierarchical policy map contains two levels.
First level - the VLAN level, specifies the actions to be taken against a
traffic flow on the SVI.
Second level - the interface level, specifies the actions to be taken
against the traffic on the physical ports that belong to the SVI.
*nonhierarchical dual-level policy maps*
Applied on physical port or SVI
All traffic, regardless of whether it is bridged or routed, is subjected to
a policer, if one is configured. As a result, bridged packets might be
dropped or might have their DSCP or CoS fields modified when they are
policed and marked.
Police->Mark->Ingress Queues->SRR->Internal Ring->Egress Queues->SRR
Only 1 policy per ingress.
Policy-map trust and port trust are mutually exclusive. Last one configured
wins.
What's the difference between a hierarchical map on svi and a map that
references a vlan and IP acl?
*Hierarchical Maps*
trust cos, dscp or ip prec
set cos, dscp or ip prec
*Policing on SVIs*
Enable VLAN-based QoS on the physical ports that belong to the SVI -Physical
Level. (u)
Configure class maps that specify port trust state or set a new QoS tag in
packet. Policers not supported here - VLAN level.
*Checklist for hierarchical policy-maps for classification on 3560:*
1. Enable mls qos vlan-based on physical interface
2. Build ACL and class-map to match IP traffic
3. Build policy-map using class-map for IP traffic
4. Apply policy-map to SVI
*Checklist for hierarchical policy-maps for policing on 3560:*
Enable mls qos vlan-based on physical interface
Build ACL and class-map to match IP traffic
Build class-map to match interface range
Build policy-map using interface range class-map and rate-limit the class
Build another policy-map using IP traffic class-map. Optionally, change QoS
here. Nest first policy-map.
Apply policy-map to SVI.
Checklist for hierarchical policy-maps for policing markdown on 3560:
Same steps as above except police statement has exceed policed added
Add global mls qos map policed-dscp x to y
interface int-id
mls qos vlan-based
class-map *vlan-map*
match [acl | dscp | prec ]
! Can only use 1 match per class map in this case. Therefore it doesn't
! matter whether I use match-all or match-any in class-map name.
class-map *interface-map*
match input-interface(s)
! Can only use 1. Same rules apply.
policy-map *interface-policy-map*
class *interface-map*
police
policy-map *vlan-based-policy-map*
class *vlan-map*
trust [cos | dscp | prec ] OR set [dscp | prec]
service-policy *interface-policy-map*
int vlan 123
service-policy input *vlan-based-policy-map*
*Is exceed policed-dscp-transmit's default action to downgrade the DSCP to
0?*
*Differ between policing on SVI and other forms of policing?*
*Aggregate Policing *
mls qos aggregate-policer
The aggregate policer is shared by multiple classes of traffic within a
policy map. (univercd) you cannot use the aggregate policer across different
policy maps or interfaces.
HTH
Victor Cappuccio.-
On 10/5/07, Derek Pocoroba <dpocoroba@gmail.com> wrote:
>
> Nice to see you spell Derek properly :-)
>
> As for the difference, the second example would be useful if you have more
> than 1x port in a VLAN. When you use "mls qos vlan-based" it will basically
> bind the policy on the SVI to that port in question.
>
> I guess it would depend on how the question is asked or stated.
>
> HTH
>
> On 10/4/07, Derek Chan <derekc@mad.scientist.com> wrote:
> >
> > Can someone tell me the difference of the following two configurations on
> > CAT3560:
> >
> > * Task police the all IP traffic from VLAN 10 to 64 kbps with burst of
> > 2 Kb and drop the exceed packets.
> > * Vlan 10 is on interface FA0/10 of the CAT 3560.
> >
> > Configuration 1:
> >
> > Interface FastEthernet 0/10
> > Switchport access vlan 10
> > Switchport mode access
> > Service-policy input VLAN10-LIMIT
> > !
> > Access-list 100 permit ip any any
> > !
> > Class-map match-all ALL-TRAFFIC
> > Match access-group 100
> > !
> > Policy-map VLAN10-LIMIT
> > Class ALL-TRAFFIC
> > Police 64000 2000 exceed-action drop
> > !
> >
> > Configuration 2:
> >
> > Interface FastEthernet 0/10
> > Switchport access vlan 10
> > Switchport mode access
> > Mls qos vlan-based
> > Access-list 100 permit ip any any
> > !
> > Class-map match-all ALL-TRAFFIC
> > Match access-group 100
> > !
> > Policy-map VLAN10-LIMIT
> > Class ALL-TRAFFIC
> > Police 64000 2000 exceed-action drop
> > !
> > Interface VLAN 10
> > No ip address
> > Service-policy input VLAN10-LIMIT
> > !
> >
> > To me, those two configurations do the same job and conform with the task
> > requirement. Why would one use one configuration over the other?
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
>
> --
> Derek Pocoroba
> CCIE #18559
>
>
-- Victor Cappuccio www.vcappuccio.wordpress.com
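
Added example, not part of the original thread: a small Python model of the policer as the notes above describe it (frames fill a bucket of depth burst-byte, which drains at rate-bps), run with the 64000 bps / 2000 byte values from the task in the question. The names `Policer`, `offer`, `run` and `constant_stream` are hypothetical and the traffic is constructed; it models the arithmetic only, not the switch hardware.

```python
from dataclasses import dataclass


@dataclass
class Policer:
    """Single-rate policer with exceed-action drop (assumed model, see lead-in)."""
    rate_bps: int        # rate-bps: how fast the bucket drains, in bits per second
    burst_bytes: int     # burst-byte: bucket depth, in bytes
    level: float = 0.0   # bytes currently held in the bucket
    last: float = 0.0    # time of the previous frame, in seconds

    def offer(self, now: float, size: int) -> bool:
        """Return True if the frame is in profile, False if it exceeds."""
        # Drain the bucket for the time elapsed since the previous frame.
        drained = (now - self.last) * self.rate_bps / 8
        self.level = max(0.0, self.level - drained)
        self.last = now
        # A frame that would overflow the bucket is out of profile and dropped;
        # it does not consume any bucket space.
        if self.level + size > self.burst_bytes:
            return False
        self.level += size
        return True


def run(policer, frames):
    """frames: iterable of (time_s, size_bytes). Returns (passed, dropped) bytes."""
    passed = dropped = 0
    for t, size in frames:
        if policer.offer(t, size):
            passed += size
        else:
            dropped += size
    return passed, dropped


def constant_stream(rate_bps, size, seconds):
    """Constructed sample traffic: equal-sized frames evenly spaced at rate_bps."""
    gap = size * 8 / rate_bps
    return [(i * gap, size) for i in range(int(seconds / gap))]


if __name__ == "__main__":
    # Values from the task in the thread: 64000 bps, burst 2000, exceed drop.
    print("back-to-back burst:", run(Policer(64000, 2000), [(0.0, 500)] * 5))
    print("128 kbps for 10 s :", run(Policer(64000, 2000),
                                     constant_stream(128000, 500, 10)))
    print("64 kbps for 10 s  :", run(Policer(64000, 2000),
                                     constant_stream(64000, 500, 10)))
```

Over a sustained overload the passed volume settles at the average rate plus roughly one bucket of burst, which is the relationship between rate-bps and burst-byte that the notes describe.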
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:12 ART