RE: 3560 Hierarchical Policy-Maps for Traffic Policing

From: Ramy Sisy (ramysisy@ipknowledgenet.com)
Date: Thu Apr 03 2008 - 15:30:21 ART

• Next message: Victor Cappuccio: "Re: Phantom RP ?"
• Previous message: Jack Flash: "Re: IGP full reachability"
• Maybe in reply to: Nitro Drops: "3560 Hierarchical Policy-Maps for Traffic Policing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Nitro,
Would you please share this question ONLY if it will not break IE's WB usage
policy?
I was reading in Classifying, Policing, and Marking Traffic on Physical
Ports by Using Policy Maps and got this link. It may help you.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/1
2.2_25_see/configuration/guide/swqos.html#wp1552824

Feel free to unicast me if you like as I am interested in this example.

-----------------------------------------------
Thanks,
Ramy Sisy
CCIE#17321 (Security), CCSI#30417
Technical Instructor
http://www.linkedin.com/in/ramysisy
-----------------------------------------------

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Nitro Drops
Sent: Wednesday, April 02, 2008 3:31 PM
To: ccielab@groupstudy.com
Subject: 3560 Hierarchical Policy-Maps for Traffic Policing

Hi Folks,Was practising this last evening using the IE materials, a bit lost
in understanding the end results.

Setup :
SW1 F0/13 >> Trunk >> F0/13 SW2 F0/4 >> Trunk >> E0/0 R4

SW1 Vlan201 - 155.1.201.7/24
SW1 Vlan202 - 155.1.202.7/24
R4 E0/0.201 (encap dot1q vlan 201) - 155.1.201.4/24
R4 E0/0.202 (encap dot1q vlan 202) - 155.1.202.4/24

----------------------------------------------------------------------------
--------------------------------
SW2 is supposed to do Hierarchical Policy-Maps for Traffic Policing

SW2#
!
mls qos
!
interface F0/13
 mls qos vlan based
!
access-lisy 100 permit ip any any

!
class-map match-all IP_TRAFFIC
  match access-group 100
class-map match-all INPUT_INTERFACES
  match input-interface Fa0/13
!
policy-map POLICE_32K
  class INPUT_INTERFACES
    police 32000 16000 exceed-action drop
!
policy-map POLICE_64K
  class INPUT_INTERFACES
    police 64000 32000 exceed-action drop
!
policy-map VLAN201_POLICY
  class IP_TRAFFIC
   set ip precedence 5
   service-policy POLICE_64K
!
policy-map VLAN202_POLICY
  class IP_TRAFFIC
   set ip precedence 4
   service-policy POLICE_32K
!
interface vlan 201
 service input VLAN201_POLICY
!
interface vlan 202
 service input VLAN202_POLICY

----------------------------------------------------------------------------
------------------------------------
Verification results

SW1#ping 155.1.201.4 repeat 100 size 1490 timeout 1

Type escape sequence to abort.
Sending 100, 1490-byte ICMP Echos to 155.1.201.4, timeout is 1 seconds:
!!!!!!!!!!!!!!!!!!!!!!.!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!.!!!!!!.!!!!!.!!!!!!.
!!!!!!.!!!!!.!!!!!!.!!!!
Success rate is 88 percent (88/100), round-trip min/avg/max = 1/27/151 ms

SW1#ping 155.1.202.4 repeat 100 size 1490 timeout 1

Type escape sequence to abort.
Sending 100, 1490-byte ICMP Echos to 155.1.202.4, timeout is 1 seconds:
!!!!!!!!!!!.!!.!!.!!!.!!.!!.!!!.!!.!!.!!!.!!.!!.!!.!!!.!!.!!!.!!.!!.!!.!!!.!
!.!!!.!!.!!!.!!.!!.!!!.!
Success rate is 73 percent (73/100), round-trip min/avg/max = 1/56/160 ms

Qns 1.) Looking at the Ping results from SW1 to 155.1.201.4 & 155.1.202.4
How come when i ping a big packet size from SW1 to 155.1.201.4 &
155.1.202.4, packet losses are encountered? Based on the SW2 policing,
it is limiting 64k for vlan201 and 32k for vlan202.

Is it because when i ping a big packet of size 1490 bytes ( =
11920bits), when it hits 64kbps for vlan 201, the timeout happens. The
same goes for 32kbps for vlan202? Because the ratelimit for vlan 202
(32k)is smaller than vlan 201 (64k), timeouts happen more often when
tracing to 155.1.202.4.

----------------------------------------------------------------------------
-----------------------------------------------------

SW2#sh mls qos interface F0/13 statistics
FasttEthernet0/13
  dscp: incoming
-------------------------------
  0 - 4 : 200 0 0 0 0
  5 - 9 : 0 0 0 0 0

  dscp: outgoing
-------------------------------
  0 - 4 : 189 0 0 0 0
  5 - 9 : 0 0 0 0 0

Qns2.) Look at the mls qos statistics of SW2 F0/13. Since the traffic is
coming into SW2 F0/13 from SW1, how come there are values in the
"DSCP:outgoing (DSCP1)"? Shouldnt it just hit "DSCP:incoming(DSCP1)" only?

SW2#sh mls qos interface F0/4 statistics

FasttEthernet0/4

  dscp: incoming

-------------------------------
  30 - 34 : 0 0 85 0 0
  35 - 39 : 0 0 0 0 0

  40 - 44 : 87 0 0 0 0

  dscp: outgoing

-------------------------------
  30 - 34 : 0 0 85 0 0

  35 - 39 : 0 0 0 0 0

  40 - 44 : 87 0 0 0 0

Qns3.) Look at the mls qos statistics of SW2 F0/4. Since the traffic
is going out from SW2 F0/4 to R4 F0/0, how come there are values in the
"DSCP:incoming (DSCP32,40)"? Shouldnt it just hit "DSCP:outgoing(DSCP32,40)"
only?My understanding is SW1 f0/13 >> traffic >> (incoming) F0/13 SW2 F0/4
(Outgoing) >> traffic (incoming) R4Appreciate any kind replies.

• Next message: Victor Cappuccio: "Re: Phantom RP ?"
• Previous message: Jack Flash: "Re: IGP full reachability"
• Maybe in reply to: Nitro Drops: "3560 Hierarchical Policy-Maps for Traffic Policing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu May 01 2008 - 08:25:49 ART