Edouard,
with the 3560, you cannot apply a per-VLAN policy to a physical
interface, the policy needs to be applied to the SVI interface (even
if the particular VLAN is only L2 switched). Also, the use of
class-default in the policy-map is needed to preserve marking for all
other traffic on VLAN120 - by default, the marking is not trusted.
Configuring this might not be required in the particular scenario,
especially if all traffic on VLAN120 is IP-based.
HTH,
--
Petr Lapukhov, petr_at_INE.com
CCIE #16379 (R&S/Security/SP/Voice)

Internetwork Expert, Inc.
http://www.INE.com
Toll Free: 877-224-8987
Outside US: 775-826-4344

2009/12/29 Edouard Zorrilla <ezorrilla_at_tsf.com.pe>:
> You were right :
>
> SW-REPLICACION-MON(config-if)#service-policy out VLAN120
> police command is not supported for this interface
> The interface does not support the specified policy configuration and/or
> parameter values.
> Warning: Assigning a policy map to the output side of an interface not
> supported
> SW-REPLICACION-MON(config-if)#
>
> My Bad, I am so sorry,
>
> Regards
>
> ----- Original Message ----- From: "Bryan Bartik" <bbartik_at_ipexpert.com>
> To: "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>
> Cc: "Petr Lapukhov" <petr_at_internetworkexpert.com>; <ccielab_at_groupstudy.com>
> Sent: Wednesday, December 30, 2009 12:25 AM
> Subject: Re: Two switches in truking 802.1q with QoS
>
>
>> Try to attach a policy and see what happens :)
>>
>> On Tue, Dec 29, 2009 at 10:13 PM, Edouard Zorrilla
>> <ezorrilla_at_tsf.com.pe>wrote:
>>
>>> Thanks for answering Petr,
>>>
>>> My switch is : 3560,
>>>
>>> SW-REPLICACION-MON(config-if)#do sh ver | in WS
>>> cisco WS-C3560G-24TS (PowerPC405) processor (revision D0) with 131072K
>>> bytes of memory.
>>> Model number : WS-C3560G-24TS-S
>>> * 1 28 WS-C3560G-24TS 12.2(53)SE C3560-IPBASEK9-M
>>>
>>> And It support ingress and egress policy :
>>>
>>> SW-REPLICACION-MON(config)#int vlan 750
>>> SW-REPLICACION-MON(config-if)#service-policy ?
>>> input Assign policy-map to the input of an interface
>>> output Assign policy-map to the output of an interface
>>>
>>> SW-REPLICACION-MON(config-if)#int gi0/24
>>> SW-REPLICACION-MON(config-if)#service-policy ?
>>> input Assign policy-map to the input of an interface
>>> output Assign policy-map to the output of an interface
>>> SW-REPLICACION-MON(config-if)#
>>>
>>> So, what do you mean, when you said "3560 model does not support egress
>>> policing" ?,
>>>
>>> Thanks a lot,
>>>
>>> Regards
>>>
>>> ----- Original Message ----- From: "Petr Lapukhov" <
>>> petr_at_internetworkexpert.com>
>>> To: "Bryan Bartik" <bbartik_at_ipexpert.com>
>>> Cc: "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>; <ccielab_at_groupstudy.com>
>>> Sent: Tuesday, December 29, 2009 11:49 PM
>>> Subject: Re: Two switches in truking 802.1q with QoS
>>>
>>>
>>> Hi All,
>>>
>>> Unfortunately, the 3560 model does not support egress policing.
>>> However, it does support a rudimentary form of traffic shaping via the
>>> SRR queueing strategy (shaped mode). Specifically, any given egress
>>> queue (there are 4 of them) on any port could be limited in its
>>> transmission rate. The limiting is actually based on the SRR, and
>>> resembles traffic shaping in the way that it does not drop "exceeding"
>>> packets but queues them.
>>>
>>> Let's say you need to limit SWA VLAN120's egress traffic on the trunk
>>> link. You need to do the following:
>>>
>>> 1) Enable VLAN based QoS on all ingress links that may potentially
>>> carry VLAN 120
>>> 2) Attach a service policy that marks all ingress packets with DSCP
>>> value of X to VLAN120's SVI
>>> 3) Configure the switch to map the DSCP value of X to, say, queue 4
>>> 4) Configure the trunk port to shape queue 4's bandwidth to 1/N of the
>>> interface rate so that the resulting sending rate is close to 150Mbps.
>>> In case of 1000 Mbps link, N is 1000/150 = approx 7
>>>
>>> Here is a sample configuration:
>>>
>>> mls qos
>>> !
>>> interface FastEthernet 0/13
>>>  mls qos vlan-based
>>> !
>>> interface FastEthernet 0/15
>>>  mls qos vlan-based
>>> !
>>> .. enable the above on all ingress ports with VLAN 120
>>>
>>> !
>>> ! All IP Traffic
>>> !
>>> ip access-list extended IP_ACL
>>>  permit ip any any
>>> !
>>> class-map IP_TRAFFIC
>>>  match access-group name IP_ACL
>>> !
>>> ! Mark IP traffic with DSCP 16 (DSCP X)
>>> !
>>> policy-map VLAN120_MARK
>>>  class IP_TRAFFIC
>>>   set dscp 16
>>>  class class-default
>>>   trust dscp
>>> !
>>> interface vlan 120
>>>  service-policy input VLAN120_MARK
>>>
>>> !
>>> ! Map all VLAN120's IP traffic to (DSCP 16=CS2) to queue 4
>>> !
>>> mls qos srr-queue output dscp-map queue 4 16
>>>
>>> !
>>> ! Set queue 4's shaping weight to 7 to limit the egress rate to 1/7 of 1000 (port speed)
>>> !
>>> interface FastEthernet 0/6
>>>  speed 1000
>>>  srr-queue bandwidth shape 0 0 0 7
>>>
>>> The obvious drawback is that you need to reserve a special queue just
>>> for this particular purpose, plus use a dedicated DSCP value which
>>> might not be used by any other traffic. If the link bandwidth is not
>>> heavily oversubscribed you may use the ingress policing method that
>>> Bryan has demonstrated. It is much more scalable in terms of resources
>>> used, though allows for egress port overutilization.
>>>
>>> HTH,
>>> --
>>> Petr Lapukhov, petr_at_INE.com
>>> CCIE #16379 (R&S/Security/SP/Voice)
>>>
>>> Internetwork Expert, Inc.
>>> http://www.INE.com
>>> Toll Free: 877-224-8987
>>> Outside US: 775-826-4344
>>>
>>> 2009/12/29 Bryan Bartik <bbartik_at_ipexpert.com>:
>>>
>>>> Hi, Edouard,
>>>>
>>>> I am not sure how to do this outbound, but inbound can be done using a
>>>> hierarchical policy. The following example matches the trunk interface
>>>> and limits it to 150m.
>>>>
>>>> mls qos
>>>> access-list 100 permit ip any any
>>>>
>>>> class-map match-all IP
>>>>  match access-group 100
>>>> ! this is the input trunk interface
>>>> class-map match-all TRUNK
>>>>  match input-interface g0/1
>>>>
>>>> ! this is the child policy
>>>> policy-map VLAN120-POLICER
>>>>  class TRUNK
>>>>   police 150m 187500 exceed-action drop
>>>> ! this is the parent policy with child nested below
>>>> policy-map VLAN120-PARENT
>>>>  class IP
>>>>   trust
>>>>   service-policy VLAN120-POLICER
>>>>
>>>> interface g0/1
>>>>  mls qos vlan-based
>>>> interface Vlan120
>>>>  no ip address
>>>>  service-policy input VLAN120-PARENT
>>>>
>>>> You could also use similar policies for the access ports, policing them
>>>> individually or as a range I believe. It would be nice if you could use
>>>> an aggregate police action in a class that matches all access ports but
>>>> it is not supported (in the IOS I tried).
>>>>
>>>> Perhaps someone knows a better way to do outbound policing if
>>>> possible...
>>>>
>>>> On Tue, Dec 29, 2009 at 8:03 PM, Edouard Zorrilla
>>>> <ezorrilla_at_tsf.com.pe>wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I have two switches 3560 in trunk 802.1q with 1000Mbps (1GEth.), there
>>>>> I have many vlans, one of them is vlan120.
>>>>>
>>>>> SWA ------------[802.1q at 1000Mbps]-------------------------SWB
>>>>>
>>>>> Do any one know how can I set up QoS there so that I limit the bandwidth
>>>>> for vlan120 to 150Mbps ?. What I want is that vlan120 just go up to
>>>>> 150Mbps instead of taking all traffic in the trunk link (1000Mbps.) =
>>>>> Limit the amount of traffic entering the SW and limiting the amount of
>>>>> traffic leaving the SW at the same time.
>>>>>
>>>>> I am reading this configurations guide :
>>>>>
>>>>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swqos.html
>>>>>
>>>>> But I do not figure out yet how can I accomplish it,
>>>>>
>>>>> Any help will be appreciated.
>>>>>
>>>>> Best Regards
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>> --
>>>> Bryan Bartik
>>>> CCIE #23707 (R&S, SP), CCNP
>>>> Sr. Support Engineer - IPexpert, Inc.
>>>> URL: http://www.IPexpert.com
>>
>> --
>> Bryan Bartik
>> CCIE #23707 (R&S, SP), CCNP
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com

Received on Tue Dec 29 2009 - 22:00:36 ART
This archive was generated by hypermail 2.2.0 : Sat Jan 02 2010 - 11:11:08 ART
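
Added example, not written by any poster in this thread: a Python sketch of the sizing arithmetic behind the two limits discussed above. It shows that SRR shaping can only reach rates of port/N (so a 150 Mbps cap on a 1000 Mbps port lands on 142.86 or 166.67 Mbps), and that the 187500-byte burst in the policer is 10 ms of traffic at 150 Mbps. The function names and the 10 ms default interval are assumptions; the command strings follow the forms quoted in the thread.

```python
import math


def shape_weight(port_mbps, cap_mbps):
    """Smallest SRR shaped weight N whose rate (port / N) does not exceed the cap."""
    if not 0 < cap_mbps <= port_mbps:
        raise ValueError("cap must be positive and no larger than the port speed")
    return math.ceil(port_mbps / cap_mbps)


def shaped_rate(port_mbps, weight):
    """Rate a shaped queue is held to: 1/weight of the port speed."""
    return port_mbps / weight


def shape_command(queue, weight, queues=4):
    """Interface command shaping one queue; weight 0 leaves a queue in shared mode."""
    weights = [weight if q == queue else 0 for q in range(1, queues + 1)]
    return "srr-queue bandwidth shape " + " ".join(str(w) for w in weights)


def policer_burst_bytes(rate_bps, interval_ms):
    """Bytes that arrive in interval_ms at rate_bps (bits -> bytes, ms -> s)."""
    return rate_bps * interval_ms // 8000


def plan(port_mbps, cap_mbps, queue=4, interval_ms=10):
    """Size both approaches from the thread for one port speed and one cap."""
    n = shape_weight(port_mbps, cap_mbps)
    rate_bps = cap_mbps * 1_000_000
    burst = policer_burst_bytes(rate_bps, interval_ms)
    return {
        "weight": n,
        # Rate actually enforced by the shaper, always at or below the cap.
        "shaped_mbps": round(shaped_rate(port_mbps, n), 2),
        # Next reachable rate above the cap (weight N-1), for comparison.
        "next_looser_mbps": round(shaped_rate(port_mbps, n - 1), 2) if n > 1 else None,
        "shape_cmd": shape_command(queue, n),
        "police_cmd": f"police {rate_bps} {burst} exceed-action drop",
    }


if __name__ == "__main__":
    # The thread's scenario: 1000 Mbps trunk, VLAN 120 capped at 150 Mbps, queue 4.
    for key, value in plan(1000, 150).items():
        print(f"{key}: {value}")
```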