Re: Vlan-based or interface based service policy

From: Jorge Cortes <jorge.cortes.cano_at_gmail.com>
Date: Wed, 28 Jul 2010 16:39:20 -0500

Hi,

I think neither of your configurations will work, assuming your switch is a
3560, which is the only switch you will find in the actual lab since the 3550s
are now long gone. The reasons are the following.

For scenario 2, you cannot use "match vlan" on the 3560. See here:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/command/reference/cli1.html#wp1862439

For scenario 1, the child class-map MUST have "match input interface", and
you cannot use class-default, whether the parent class-map matches on the
type of traffic you want to rate-limit. You cannot use class-default either.
See here:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swqos.html#wp1703903

Also remember this only works in the input direction.

So in order to achieve your requirement (assuming it is ingress direction),
you need to define the child class-map matching on all interfaces that are
members of your VLANs, including the trunks. For the parent class-map, since
you cannot use class-default and it sounds like you need to limit all traffic,
you need to create a user-defined class-map and match an access-list with a
permit any statement.

Also remember that the child policy-map can only police, but not mark, while
the parent policy-map can only mark, but not police.

Taking a closer look at your requirements, it seems to me like something is
missing. Usually they ask you to police a certain type of traffic (HTTP,
email, etc.).

HTH,
Jorge

On Wed, Jul 28, 2010 at 9:26 AM, David Bass <davidbass570_at_gmail.com> wrote:

> I think that if you apply it to the interfaces only then you will limit each
> port to the required amount, but the aggregate on the VLAN would not be
> limited to 64 or 2048 k. IMO, the only solution for the task is having it
> on the SVI...
>
> On Wed, Jul 28, 2010 at 8:39 AM, Maarten Vervoorn <mr.vervoorn_at_gmail.com> wrote:
>
> > Well, in both options you have to configure something on those interfaces.
> > Configure mls qos vlan-based on the interface or service-policy out LIMIT
> > Both access and trunks are used but I don't think it's an issue here.
> >
> > In this practice lab I configured it vlan-based. The answer guide configured
> > it with a service-policy attached to the interfaces (access and trunk ports)
> >
> > Kind regards,
> >
> > Maarten Vervoorn
> >
> > 2010/7/28 Hash <hashng_at_gmail.com>
> >
> > > It depends if the interfaces are trunks or access and the number of
> > > interfaces you have plus how much time you have in the lab to go over
> > > interface by interface (task consuming)
> > >
> > > Hash
> > >
> > > Sent from my BlackBerry. wireless device from STC
> > > ------------------------------
> > > *From: *Maarten Vervoorn <mr.vervoorn_at_gmail.com>
> > > *Date: *Wed, 28 Jul 2010 15:26:31 +0200
> > > *To: *<hashng_at_gmail.com>
> > > *Cc: *Cisco certification<ccielab_at_groupstudy.com>
> > > *Subject: *Re: Vlan-based or interface based service policy
> > >
> > > In the class-maps I match on the vlans. So I think both answers will do if
> > > you configure the service policy on all interfaces of vlan 12 and 16
> > >
> > > 2010/7/28 Hash <hashng_at_gmail.com>
> > >
> > >> Apply it under the svi
> > >> Hash
> > >> Sent from my BlackBerry. wireless device from STC
> > >>
> > >> -----Original Message-----
> > >> From: Mirco Orlandi <mirco.orlandi_at_gmail.com>
> > >> Sender: nobody_at_groupstudy.com
> > >> Date: Wed, 28 Jul 2010 11:58:05
> > >> To: Maarten Vervoorn<mr.vervoorn_at_gmail.com>
> > >> Reply-To: Mirco Orlandi <mirco.orlandi_at_gmail.com>
> > >> Cc: Cisco certification<ccielab_at_groupstudy.com>
> > >> Subject: Re: Vlan-based or interface based service policy
> > >>
> > >> Hi Maarten,
> > >>
> > >> this task is asking you to configure a policer for vlan12 and a policer for
> > >> vlan16.
> > >>
> > >> At this point of my preparation path I'm not a guru on this stuff, but it
> > >> seems your second option doesn't match task requirements, because it creates
> > >> a per-port per-vlan policer.
> > >> So, you will have a lot of policers without a single point of entire vlan
> > >> traffic metering.
> > >>
> > >> I have not labbed this up.
> > >> -mirco.
> > >>
> > >>
> > >> On Wed, Jul 28, 2010 at 7:41 AM, Maarten Vervoorn <mr.vervoorn_at_gmail.com> wrote:
> > >>
> > >> > Hi All,
> > >> >
> > >> > I just received a question from the workbook lab with the following
> > >> > question:
> > >> > Configure VLAN 12 to allow a maximum bandwidth of 64 Kb
> > >> > Configure VLAN 16 to allow a maximum bandwidth of 2048 Kbit
> > >> >
> > >> > I think there are two options to do this. I can create a service policy and
> > >> > put it on all vlan 12 and 16 interfaces or I could use vlan-based to just
> > >> > apply the policy to the vlan interface. Can anyone tell me if I'm correct?
> > >> > In the real lab I could ask the proctor that I could do this question two
> > >> > ways
> > >> > *SW1*
> > >> > mls qos
> > >> > !
> > >> > policy-map POLICE-16
> > >> > class class-default
> > >> > police 2048000 8000 exceed-action drop
> > >> > policy-map VLAN16
> > >> > class class-default
> > >> > service-policy POLICE-16
> > >> > policy-map POLICE-12
> > >> > class class-default
> > >> > police 64000 8000 exceed-action drop
> > >> > policy-map VLAN12
> > >> > class class-default
> > >> > service-policy POLICE-12
> > >> > !
> > >> > int fa0/1
> > >> > sw access vl 12
> > >> > sw mo access
> > >> > mls qos vlan-based
> > >> > int fa0/3
> > >> > sw access vl 16
> > >> > sw mo access
> > >> > mls qos vlan-based
> > >> > int fa0/4
> > >> > sw tr en isl
> > >> > sw mo tr
> > >> > sw tr all vl 12,16
> > >> > mls qos vlan-based
> > >> > int vlan 12
> > >> > service-policy in VLAN12
> > >> > int vlan 16
> > >> > service-policy in VLAN16
> > >> > !
> > >> > **
> > >> > *OR
> > >> > SW1*
> > >> > class-map ALL
> > >> > match access-group 100
> > >> > class VLAN12
> > >> > match vlan 12
> > >> > match class-map ALL
> > >> > class VLAN16
> > >> > match vlan 16
> > >> > match class-map ALL
> > >> > !
> > >> > policy-map LIMIT
> > >> > class VLAN12
> > >> > police 64000 8000 exceed-action drop
> > >> > class VLAN16
> > >> > police 2048000 8000 exceed-action drop
> > >> > !
> > >> > int fa0/1
> > >> > sw access vl 12
> > >> > sw mo access
> > >> > service-policy in LIMIT
> > >> > int fa0/3
> > >> > sw access vl 16
> > >> > sw mo access
> > >> > service-policy in LIMIT
> > >> > int fa0/4
> > >> > sw tr en isl
> > >> > sw mo tr
> > >> > sw tr all vl 12,16
> > >> > service-policy in LIMIT
> > >> > !
> > >> >
> > >> >
> > >> > Blogs and organic groups at http://www.ccie.net
> > >> >
> > >>
> >_______________________________________________________________________
> > >> > Subscription information may be found at:
> > >> > http://www.groupstudy.com/list/CCIELab.html

Received on Wed Jul 28 2010 - 16:39:20 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART