Re: Vlan-based or interface based service policy

From: Maarten Vervoorn <mr.vervoorn_at_gmail.com>
Date: Sat, 31 Jul 2010 11:42:33 +0200

Hi Jorge,

The last example (6) in this blog describes how to do that.
Match on input interfaces and police that traffic. The policy map is then
applied to an SVI interface. On the port you use mls qos vlan-based.
It's called per-port per-VLAN policing. So I believe if you configure it as
below you will police all traffic from a specific VLAN

ip access-list standard IP-ANY
 permit ip any any
!
class-map IP-ANY
 match access-group name IP-ANY
!
class-map ALL-PORTS
 match input-interface fa0/1 - fa0/24
!
policy-map POLICER-12
 class ALL-PORTS
   police 64000 8000 exceed-action drop
!
policy-map POLICER-16
 class ALL-PORTS
   police 2048000 8000 exceed-action drop
!
policy-map VLAN12
 class IP-ANY
  service-policy POLICER-12
!
policy-map VLAN16
 class IP-ANY
  service-policy POLICER-16
!
interface vlan 12
 service-policy input VLAN12
!
interface vlan 16
 service-policy input VLAN16
!
interface range fa0/1 - 24
 mls qos vlan-based

Kind regards,

Maarten Vervoorn
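As an added example (not code from the thread, the workbook or Cisco), here is a small Python linter that parses class-map/policy-map blocks and flags a configuration that breaks the 3560 rules Jorge cites further down the thread: no "match vlan", the child class must use "match input-interface", class-default at neither level, the child policy-map only polices and the parent only marks. Function names and the constructed scenario-1 snippet in the main block are my own.

```python
import re  # added example for this thread, not code from the list or from Cisco

def parse_qos(config):
    """Return ({class-map: [match lines]}, {policy-map: {class: [actions]}})."""
    cmaps, pmaps, cmap, pmap, cls = {}, {}, None, None, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not line or line == "!": continue
        if line.startswith(("interface", "int ", "ip access-list", "mls qos")):
            cmap = pmap = cls = None  # leaving the QoS blocks ends the context
        elif m := re.match(r"class-map(?: match-(?:all|any))?\s+(\S+)$", line):
            cmap, pmap, cls = m.group(1), None, None
            cmaps[cmap] = []
        elif m := re.match(r"policy-map\s+(\S+)$", line):
            pmap, cmap, cls = m.group(1), None, None
            pmaps[pmap] = {}
        elif pmap and line.startswith("class "):
            cls = line.split(None, 1)[1]
            pmaps[pmap][cls] = []
        elif pmap and cls:
            pmaps[pmap][cls].append(line)
        elif cmap and line.startswith("match "):
            cmaps[cmap].append(line)
    return cmaps, pmaps

def check_3560_vlan_policy(config):
    """Return violations of the 3560 hierarchical-policing rules; [] means OK."""
    cmaps, pmaps = parse_qos(config)
    bad = [f"class-map {n}: 'match vlan' is not supported on the 3560"
           for n, ms in cmaps.items() if any(m.startswith("match vlan") for m in ms)]
    for pname, classes in pmaps.items():
        for cls, actions in classes.items():
            kids = [a.split()[-1] for a in actions if a.startswith("service-policy")]  # nested = parent
            if kids and cls == "class-default":
                bad.append(f"policy-map {pname}: parent class cannot be class-default")
            if kids and any(a.startswith("police") for a in actions):
                bad.append(f"policy-map {pname}: parent may mark but not police")
            for kid in kids:  # the child must match physical ports and only police
                for kcls, kacts in pmaps.get(kid, {}).items():
                    if not any(m.startswith("match input-interface") for m in cmaps.get(kcls, [])):
                        bad.append(f"policy-map {kid}: class {kcls} needs 'match input-interface'")
                    if any(a.startswith("set ") for a in kacts):
                        bad.append(f"policy-map {kid}: child may police but not mark")
    return bad

if __name__ == "__main__":  # scenario 1 from the thread, typed inline (constructed)
    print(check_3560_vlan_policy("policy-map POLICE-16\n class class-default\n"
                                 "  police 2048000 8000 exceed-action drop\n"
                                 "policy-map VLAN16\n class class-default\n"
                                 "  service-policy POLICE-16\n"))
```

Paste either scenario from the thread into the function as a string; the corrected per-port per-VLAN config above comes back clean, while both original scenarios are reported.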

Hi Guys,

I hadn't read that post at INE blog before, but now that I took a look this
paragraph has been brought to my attention:

The police action applies individually to every port in the range.

This, to me, reads that the policer is per port and not per VLAN, which
would mean that you cannot limit the aggregate traffic entering the VLAN,
but rather apply the policer to all ports, individually, in a given VLAN
with a single command, rather than going into each port and applying it
individually.

Having said that, is there a way to limit the aggregate traffic entering a
VLAN in the 3560?

Thanks,
Jorge

On Thu, Jul 29, 2010 at 8:51 AM, Henrique Reis <reis.henrique_at_gmail.com>
wrote:
Have you tried this link? http://blog.ine.com/tag/vlan-based/ Thanks

On Thu, Jul 29, 2010 at 2:30 AM, Maarten Vervoorn <mr.vervoorn_at_gmail.com>
wrote:
Thanks all,

I think vlan-based it will be. I checked the vlan match option and it is
indeed not possible (I think the answer guide is wrong here).
I did not read anywhere that I can't use the default-class in the link you
gave me, as I did in the second scenario. My thoughts were if I only use the
default class without any match options, all traffic will be limited from
that vlan. Can you please explain this to me?

Kind regards,

Maarten Vervoorn

2010/7/29 Narbik Kocharians <narbikk_at_gmail.com>

> I agree with Sonu.
>
>
> On Wed, Jul 28, 2010 at 2:39 PM, Jorge Cortes <jorge.cortes.cano_at_gmail.com>
> wrote:
>
>> Hi,
>>
>> I think neither of your configurations will work, assuming your switch is
>> a 3560, which are the only switches you will find in the actual lab since
>> 3550 are now long gone. The reasons are the following.
>>
>> For scenario 2, you cannot use "match vlan" in 3560. See here:
>>
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/command/reference/cli1.html#wp1862439
>>
>> For scenario 1, the child class-map MUST have "match input interface", and
>> you cannot use class-default, whether the parent class-map matches on the
>> type of traffic you want to rate-limit. You cannot use class-default
>> either. See here:
>>
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swqos.html#wp1703903
>>
>> Also remember this only works in the input direction.
>>
>> So in order to achieve your requirement (assuming it is ingress direction)
>> you need to define the child class-map matching on all interfaces that are
>> members of your VLANs, including the trunks. For the parent class-map, since
>> you cannot use class-default and it sounds like you need to limit all
>> traffic, you need to create a user-defined class-map and match an
>> access-list with a permit any statement.
>>
>> Also remember that the child policy-map can only police, but not mark,
>> while the parent policy-map can only mark, but not police.
>>
>> Taking a closer look at your requirements, it seems to me like something is
>> missing. Usually they ask you to police certain types of traffic (HTTP,
>> email, etc).
>>
>> HTH,
>> Jorge
>>
>> On Wed, Jul 28, 2010 at 9:26 AM, David Bass <davidbass570_at_gmail.com>
>> wrote:
>>
>> > I think that if you apply it to the interfaces only then you will limit
>> > each port to the required amount, but the aggregate on the VLAN would
>> > not be limited to 64 or 2048 k. IMO, the only solution for the task is
>> > having it on the SVI...
>> >
>> > On Wed, Jul 28, 2010 at 8:39 AM, Maarten Vervoorn <mr.vervoorn_at_gmail.com>
>> > wrote:
>> >
>> > > Well in both options you have to configure something on those
>> > > interfaces.
>> > > Configure mls qos vlan-based on the interface or service-policy out
>> > > LIMIT
>> > > Both access and trunks are used but I don't think it's an issue here.
>> > >
>> > > In this practice lab I configured it vlan-based. The answer guide
>> > > configured it with a service-policy attached to the interfaces (access
>> > > and trunk ports)
>> > >
>> > > Kind regards,
>> > >
>> > > Maarten Vervoorn
>> > >
>> > > 2010/7/28 Hash <hashng_at_gmail.com>
>> > >
>> > > > It depends if the interfaces are trunks or access and the number of
>> > > > interfaces you have plus how much time you have in the lab to go
>> > > > over interface by interface (task consuming)
>> > > >
>> > > > Hash
>> > > >
>> > > > Sent from my BlackBerry. wireless device from STC
>> > > > ------------------------------
>> > > > *From: *Maarten Vervoorn <mr.vervoorn_at_gmail.com>
>> > > > *Date: *Wed, 28 Jul 2010 15:26:31 +0200
>> > > > *To: *<hashng_at_gmail.com>
>> > > > *Cc: *Cisco certification<ccielab_at_groupstudy.com>
>> > > > *Subject: *Re: Vlan-based or interface based service policy
>> > > >
>> > > > In the class-maps I match on the vlans. So I think both answers will
>> > > > do. If you configure the service policy on all interfaces of vlan 12
>> > > > and 16
>> > > >
>> > > > 2010/7/28 Hash <hashng_at_gmail.com>
>> > > >
>> > > >> Apply it under the svi
>> > > >> Hash
>> > > >> Sent from my BlackBerry. wireless device from STC
>> > > >>
>> > > >> -----Original Message-----
>> > > >> From: Mirco Orlandi <mirco.orlandi_at_gmail.com>
>> > > >> Sender: nobody_at_groupstudy.com
>> > > >> Date: Wed, 28 Jul 2010 11:58:05
>> > > >> To: Maarten Vervoorn<mr.vervoorn_at_gmail.com>
>> > > >> Reply-To: Mirco Orlandi <mirco.orlandi_at_gmail.com>
>> > > >> Cc: Cisco certification<ccielab_at_groupstudy.com>
>> > > >> Subject: Re: Vlan-based or interface based service policy
>> > > >>
>> > > >> Hi Maarten,
>> > > >>
>> > > >> this task is asking you to configure a policer for vlan12 and a
>> > > >> policer for vlan16.
>> > > >>
>> > > >> At this point of my preparation path I'm not a guru on this stuff,
>> > > >> but it seems your second option doesn't match the task requirements,
>> > > >> because it creates a per-port per-vlan policer.
>> > > >> So, you will have a lot of policers without a single point of entire
>> > > >> vlan traffic metering.
>> > > >>
>> > > >> I have not labbed this up.
>> > > >> -mirco.
>> > > >>
>> > > >>
>> > > >> On Wed, Jul 28, 2010 at 7:41 AM, Maarten Vervoorn <mr.vervoorn_at_gmail.com>
>> > > >> wrote:
>> > > >>
>> > > >> > Hi All,
>> > > >> >
>> > > >> > I just received a question from the workbook lab with the
>> > > >> > following question:
>> > > >> > Configure VLAN 12 to allow a maximum bandwidth of 64 Kb
>> > > >> > Configure VLAN 16 to allow a maximum bandwidth of 2048 Kbit
>> > > >> >
>> > > >> > I think there are two options to do this. I can create a service
>> > > >> > policy and put it on all vlan 12 and 16 interfaces or I could use
>> > > >> > vlan-based to just apply the policy to the vlan interface. Can
>> > > >> > anyone tell me if I'm correct.
>> > > >> > In the real lab I could ask the proctor if I could do this
>> > > >> > question two ways
>> > > >> > SW1
>> > > >> > mls qos
>> > > >> > !
>> > > >> > policy-map POLICE-16
>> > > >> > class class-default
>> > > >> > police 2048000 8000 exceed-action drop
>> > > >> > policy-map VLAN16
>> > > >> > class class-default
>> > > >> > service-policy POLICE-16
>> > > >> > policy-map POLICE-12
>> > > >> > class class-default
>> > > >> > police 64000 8000 exceed-action drop
>> > > >> > policy-map VLAN12
>> > > >> > class class-default
>> > > >> > service-policy POLICE-12
>> > > >> > !
>> > > >> > int fa0/1
>> > > >> > sw access vl 12
>> > > >> > sw mo access
>> > > >> > mls qos vlan-based
>> > > >> > int fa0/3
>> > > >> > sw access vl 16
>> > > >> > sw mo access
>> > > >> > mls qos vlan-based
>> > > >> > int fa0/4
>> > > >> > sw tr en isl
>> > > >> > sw mo tr
>> > > >> > sw tr all vl 12,16
>> > > >> > mls qos vlan-based
>> > > >> > int vlan 12
>> > > >> > service-policy in VLAN12
>> > > >> > int vlan 16
>> > > >> > service-policy in VLAN16
>> > > >> > !
>> > > >> > OR
>> > > >> > SW1
>> > > >> > class-map ALL
>> > > >> > match access-group 100
>> > > >> > class-map VLAN12
>> > > >> > match vlan 12
>> > > >> > match class-map ALL
>> > > >> > class-map VLAN16
>> > > >> > match vlan 16
>> > > >> > match class-map ALL
>> > > >> > !
>> > > >> > policy-map LIMIT
>> > > >> > class VLAN12
>> > > >> > police 64000 8000 exceed-action drop
>> > > >> > class VLAN16
>> > > >> > police 2048000 8000 exceed-action drop
>> > > >> > !
>> > > >> > int fa0/1
>> > > >> > sw access vl 12
>> > > >> > sw mo access
>> > > >> > service-policy in LIMIT
>> > > >> > int fa0/3
>> > > >> > sw access vl 16
>> > > >> > sw mo access
>> > > >> > service-policy in LIMIT
>> > > >> > int fa0/4
>> > > >> > sw tr en isl
>> > > >> > sw mo tr
>> > > >> > sw tr all vl 12,16
>> > > >> > service-policy in LIMIT
>> > > >> > !
>> > > >> >
>> > > >> >
>> > > >> > Blogs and organic groups at http://www.ccie.net
>> > > >> >
>> > > >> > _______________________________________________________________________
>> > > >> > Subscription information may be found at:
>> > > >> > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Narbik Kocharians
> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> www.MicronicsTraining.com <http://www.micronicstraining.com/>
> Sr. Technical Instructor
> YES! We take Cisco Learning Credits!
> Training And Remote Racks available

Received on Sat Jul 31 2010 - 11:42:33 ART