Re: Two switches in trunking 802.1q with QoS

From: Petr Lapukhov <petr_at_internetworkexpert.com>
Date: Tue, 29 Dec 2009 20:49:14 -0800

Hi All,

Unfortunately, the 3560 model does not support egress policing.
However, it does support a rudimentary form of traffic shaping via the
SRR queueing strategy (shaped mode). Specifically, any given egress
queue (there are 4 of them) on any port could be limited in its
transmission rate. The limiting is actually based on the SRR, and
resembles traffic shaping in the way that it does not drop "exceeding"
packets but queues them.

Let's say you need to limit SWA VLAN120's egress traffic on the trunk
link. You need to do the following:

1) Enable VLAN based QoS on all ingress links that may potentially
carry VLAN 120
2) Attach a service policy that marks all ingress packets with DSCP
value of X to VLAN120's SVI
3) Configure the switch to map the DSCP value of X to, say, queue 4
4) Configure the trunk port to shape queue 4's bandwidth to 1/N of the
interface rate so that the resulting sending rate is close to 150Mbps.
In the case of a 1000 Mbps link, N is 1000/150 = approx. 7

Here is a sample configuration:

mls qos
!
interface FastEthernet 0/13
 mls qos vlan-based
!
interface FastEthernet 0/15
 mls qos vlan-based
!
! ... enable the above on all ingress ports with VLAN 120

!
! All IP Traffic
!
ip access-list extended IP_ACL
 permit ip any any
!
class-map IP_TRAFFIC
 match access-group name IP_ACL
!
! Mark IP traffic with DSCP 16 (DSCP X)
!
policy-map VLAN120_MARK
 class IP_TRAFFIC
  set dscp 16
 class class-default
  trust dscp
!
interface vlan 120
 service-policy input VLAN120_MARK

!
! Map all VLAN120's IP traffic (DSCP 16 = CS2) to queue 4
!
mls qos srr-queue output dscp-map queue 4 16

!
! Set queue 4's shaping weight to 7 to limit the egress rate to 1/7 of
! 1000 (port speed)
!
interface FastEthernet 0/6
 speed 1000
 srr-queue bandwidth shape 0 0 0 7

The obvious drawback is that you need to reserve a special queue just
for this particular purpose, plus use a dedicated DSCP value which
might not be used by any other traffic. If the link bandwidth is not
heavily oversubscribed you may use the ingress policing method that
Bryan has demonstrated. It is much more scalable in terms of resources
used, though it allows for egress port overutilization.

HTH,

-- 
Petr Lapukhov, petr_at_INE.com
CCIE #16379 (R&S/Security/SP/Voice)
Internetwork Expert, Inc.
http://www.INE.com
Toll Free: 877-224-8987
Outside US: 775-826-4344

2009/12/29 Bryan Bartik <bbartik_at_ipexpert.com>:
> Hi, Edouard,
>
> I am not sure how to do this outbound, but inbound can be done using a
> hierarchical policy. The following example matches the trunk interface and
> limits it to 150m.
>
> mls qos
> access-list 100 permit ip any any
>
> class-map match-all IP
>  match access-group 100
> ! this is the input trunk interface
> class-map match-all TRUNK
>  match input-interface g0/1
>
> ! this is the child policy
> policy-map VLAN120-POLICER
>  class TRUNK
>    police 150m 187500 exceed-action drop
> ! this is the parent policy with child nested below
> policy-map VLAN120-PARENT
>  class IP
>   trust
>   service-policy VLAN120-POLICER
>
> interface g0/1
>  mls qos vlan-based
> interface Vlan120
>  no ip address
>  service-policy input VLAN120-PARENT
>
> You could also use similar policies for the access ports, policing them
> individually or as a range I believe. It would be nice if you could use an
> aggregate police action in a class that matches all access ports but it is
> not supported (in the IOS I tried).
>
> Perhaps someone knows a better way to do outbound policing if possible...
>
> On Tue, Dec 29, 2009 at 8:03 PM, Edouard Zorrilla <ezorrilla_at_tsf.com.pe> wrote:
>
>> Hello,
>>
>> I have two switches 3560 in trunk 802.1q with 1000Mbps (1GEth.), there I have
>> many vlans, one of them is vlan120.
>>
>> SWA ------------[802.1q at 1000Mbps]-------------------------SWB
>>
>> Does anyone know how I can set up QoS there so that I limit the bandwidth for
>> vlan120 to 150Mbps? What I want is that vlan120 just goes up to 150Mbps
>> instead of taking all traffic in the trunk link (1000Mbps) = Limit the amount
>> of traffic entering the SW and limiting the amount of traffic leaving the SW
>> at the same time.
>>
>> I am reading this configuration guide:
>>
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swqos.html
>>
>> But I have not figured out yet how I can accomplish it,
>>
>> Any help will be appreciated.
>>
>> Best Regards
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
> --
> Bryan Bartik
> CCIE #23707 (R&S, SP), CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
Received on Tue Dec 29 2009 - 20:49:14 ART

This archive was generated by hypermail 2.2.0 : Sat Jan 02 2010 - 11:11:08 ART
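
Steps 2 to 4 of the shaped-SRR method only limit VLAN 120 if the DSCP set on the SVI, the dscp-map entry and the shaped queue on the trunk all agree. The following check is an added example, not part of the original thread: `shaped_rate` and its helpers are hypothetical names, and it assumes a numeric `set dscp`, a fixed `speed` on the trunk, and interface names typed exactly as they appear in the configuration.

```python
import re

# Constructed sample: the lines of the posted configuration that matter here.
SAMPLE = """\
policy-map VLAN120_MARK
 class IP_TRAFFIC
  set dscp 16
interface vlan 120
 service-policy input VLAN120_MARK
mls qos srr-queue output dscp-map queue 4 16
interface FastEthernet 0/6
 speed 1000
 srr-queue bandwidth shape 0 0 0 7
"""

def sections(config):
    """Map each top-level command (lower-cased) to its indented sub-commands."""
    out, current = {}, None
    for line in config.lower().splitlines():
        if line[:1] not in ("", " ", "!"):
            current = out.setdefault(line.strip(), [])
        elif line.strip() and current is not None and not line.strip().startswith("!"):
            current.append(line.strip())
    return out

def first(lines, pattern, what):  # first regex match, or name the missing step
    for m in filter(None, (re.fullmatch(pattern, l) for l in lines)):
        return m
    raise ValueError("missing: " + what)

def shaped_rate(config, svi, trunk):
    """Follow SVI policy -> DSCP -> egress queue -> shape weight on the trunk.
    Returns (dscp, queue, rate_mbps); raises ValueError where the chain breaks."""
    sec = sections(config)
    policy = first(sec.get("interface " + svi.lower(), []),
                   r"service-policy input (\S+)", "input policy on SVI").group(1)
    dscp = first(sec.get("policy-map " + policy, []),
                 r"set dscp (\d+)", "numeric 'set dscp'").group(1)
    dmap = r"mls qos srr-queue output dscp-map queue ([1-4])(?: threshold \d)?((?: \d+)+)"
    hits = [m for m in (re.fullmatch(dmap, k) for k in sec) if m and dscp in m.group(2).split()]
    if not hits:
        raise ValueError(f"DSCP {dscp} is not in any dscp-map entry")
    queue = int(hits[-1].group(1))  # a later entry overrides an earlier one
    port = sec.get("interface " + trunk.lower(), [])
    speed = int(first(port, r"speed (\d+)", "fixed speed on trunk").group(1))
    weight = int(first(port, r"srr-queue bandwidth shape (\d+) (\d+) (\d+) (\d+)",
                       "shape weights on trunk").group(queue))
    if weight == 0:
        raise ValueError(f"queue {queue} has shape weight 0 (not shaped)")
    return int(dscp), queue, speed / weight  # shaped rate = port speed / weight
```

For the posted configuration the chain resolves to DSCP 16, queue 4 and 1000/7 Mbps, which is slightly under the 150 Mbps target because the weight is an integer.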