Re: Vlan-based or interface based service policy

Hi Henrique,

This is exactly what I was looking for. The last example descripes indeed
that I need to match on input interfaces and than perform policing in the
policy as Jorge told me earlier.
I completly understand this topic now

Thanks all

Kind regards,

Maarten Vervoorn

2010/7/29 Henrique Reis <reis.henrique_at_gmail.com>

> Have you tried this link?
>
> http://blog.ine.com/tag/vlan-based/
>
> Thanks
>
> On Thu, Jul 29, 2010 at 2:30 AM, Maarten Vervoorn <mr.vervoorn_at_gmail.com
> > wrote:
>
>> Thanks all,
>>
>> I think vlan-based it will be. I cheched the vlan match option and it is
>> indeed not possible (I think the anwser guide is wrong here)
>> I did not read anywhere that I can't use the default-class in the link you
>> gave me, as I did in the second scenario. My thoughts were if I only use
>> the
>> default class without any match options, all traffic will be limmited from
>> that vlan. Can you please explain this to me?
>>
>> Kind regards,
>>
>> Maarten vervoorn
>>
>> 2010/7/29 Narbik Kocharians <narbikk_at_gmail.com>
>>
>> > I agree with Sonu.
>> >
>> >
>> > On Wed, Jul 28, 2010 at 2:39 PM, Jorge Cortes <
>> jorge.cortes.cano_at_gmail.com
>> > > wrote:
>> >
>> >> Hi,
>> >>
>> >> I think neither of your configurations will work -assuming your switch
>> is
>> >> a
>> >> 3560, which are the only switches you will find in the actual lab since
>> >> 3550
>> >> are now long gone. The reasons are the following.
>> >>
>> >> For scenario 2, you cannot use "match vlan" in 3560. See here:
>> >>
>> >>
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/command/reference/cli1.html#wp1862439
>> >>
>> >> For scenario 1, the child class-map MUST have "match input interface",
>> and
>> >> you cannot use class-default, whether the parent class-map matches on
>> the
>> >> type of traffic you want to rate-limit. You cannot use class-default
>> >> either.
>> >> See here:
>> >>
>> >>
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swqos.html#wp1703903
>> >>
>> >> Also remember this is only works in the input direction.
>> >>
>> >> So in order to achieve your requirement (assuming it is ingress
>> direction)
>> >> you need to define the child class-map matching on all interfaces that
>> are
>> >> members of your VLANs, including the trunks. For the parent class-map
>> >> since
>> >> you cannot use class-default and sounds like you need to limit all
>> traffic
>> >> you need to create a user defined class-map and match an access-list
>> with
>> >> permit any statement.
>> >>
>> >> Also remember that the child policy-map can only police, but not mark,
>> >> while
>> >> the parent policy-map can only mark, but not police.
>> >>
>> >> Taking a closer look at your requirements seems to me like something is
>> >> missing. Usually they ask you to police certain type of traffic (HTTP,
>> >> email, etc).
>> >>
>> >> HTH,
>> >> Jorge
>> >>
>> >> On Wed, Jul 28, 2010 at 9:26 AM, David Bass <davidbass570_at_gmail.com>
>> >> wrote:
>> >>
>> >> > I think that if you apply it to the interfaces only then you will
>> limit
>> >> > each
>> >> > port to the required amount, but the aggregate on the VLAN would not
>> be
>> >> > limited to 64 or 2048 k. IMO, the only solution for the task is
>> having
>> >> it
>> >> > on the SVI...
>> >> >
>> >> > On Wed, Jul 28, 2010 at 8:39 AM, Maarten Vervoorn <
>> >> mr.vervoorn_at_gmail.com
>> >> > >wrote:
>> >> >
>> >> > > Well in both options you have to configure some-thing on those
>> >> > interfaces.
>> >> > > Configure mls qos vlan-based on the interface or service-policy out
>> >> LIMIT
>> >> > > Both access and trunks are used but I don't think its an issue
>> here.
>> >> > >
>> >> > > In this practice lab I configured it vlan-based. The anwser guide
>> >> > > configured
>> >> > > it with a service-policy attached to the interfaces (access and
>> trunk
>> >> > > ports)
>> >> > >
>> >> > > Kind regards,
>> >> > >
>> >> > > Maarten Vervoorn
>> >> > >
>> >> > > 2010/7/28 Hash <hashng_at_gmail.com>
>> >> > >
>> >> > > > It depends if the interfaces are trunks or access and the number
>> of
>> >> > > > interfaces you have plus how much time you have in the lab to go
>> >> over
>> >> > > > interface by interface (task consuming)
>> >> > > >
>> >> > > > Hash
>> >> > > >
>> >> > > > Sent from my BlackBerry. wireless device from STC
>> >> > > > ------------------------------
>> >> > > > *From: *Maarten Vervoorn <mr.vervoorn_at_gmail.com>
>> >> > > > *Date: *Wed, 28 Jul 2010 15:26:31 +0200
>> >> > > > *To: *<hashng_at_gmail.com>
>> >> > > > *Cc: *Cisco certification<ccielab_at_groupstudy.com>
>> >> > > > *Subject: *Re: Vlan-based or interface based service policy
>> >> > > >
>> >> > > > In the class-maps I match on the vlans. So I think both anwser
>> will
>> >> do.
>> >> > > If
>> >> > > > you configure the service policy on all interfaces of vlan 12 and
>> 16
>> >> > > >
>> >> > > > 2010/7/28 Hash <hashng_at_gmail.com>
>> >> > > >
>> >> > > >> Apply it under the svi
>> >> > > >> Hash
>> >> > > >> Sent from my BlackBerry. wireless device from STC
>> >> > > >>
>> >> > > >> -----Original Message-----
>> >> > > >> From: Mirco Orlandi <mirco.orlandi_at_gmail.com>
>> >> > > >> Sender: nobody_at_groupstudy.com
>> >> > > >> Date: Wed, 28 Jul 2010 11:58:05
>> >> > > >> To: Maarten Vervoorn<mr.vervoorn_at_gmail.com>
>> >> > > >> Reply-To: Mirco Orlandi <mirco.orlandi_at_gmail.com>
>> >> > > >> Cc: Cisco certification<ccielab_at_groupstudy.com>
>> >> > > >> Subject: Re: Vlan-based or interface based service policy
>> >> > > >>
>> >> > > >> Hi Maarten,
>> >> > > >>
>> >> > > >> this task is asking you to configure a policer for vlan12 and a
>> >> > policer
>> >> > > >> for
>> >> > > >> vlan16.
>> >> > > >>
>> >> > > >> At this point of my preparation path I'm not a guru on this
>> staff,
>> >> but
>> >> > > it
>> >> > > >> seems your second option doesn't match task requirements,
>> because
>> >> it
>> >> > > >> creates
>> >> > > >> per-port per-vlan policer.
>> >> > > >> So, you will have a lot of policer without a single point of
>> entire
>> >> > vlan
>> >> > > >> traffic metering.
>> >> > > >>
>> >> > > >> I have not labbed this up.
>> >> > > >> -mirco.
>> >> > > >>
>> >> > > >>
>> >> > > >> On Wed, Jul 28, 2010 at 7:41 AM, Maarten Vervoorn <
>> >> > > mr.vervoorn_at_gmail.com
>> >> > > >> >wrote:
>> >> > > >>
>> >> > > >> > Hi All,
>> >> > > >> >
>> >> > > >> > I just received a quetsion from the workbook lab with the
>> >> following
>> >> > > >> > question:
>> >> > > >> > Configure VLAN 12 to allow a maximum bandwidth of 64 Kb
>> >> > > >> > Configure VLAN 16 to allow a maximum bandwidth of 2048 Kbit
>> >> > > >> >
>> >> > > >> > I think there are two option to do this. I can create a
>> service
>> >> > policy
>> >> > > >> and
>> >> > > >> > put it on alle vlan 12 and 16 interfaces or I could you
>> >> vlan-based
>> >> > to
>> >> > > >> just
>> >> > > >> > apply the policy to the vlan interface. Can anyone tell me if
>> I'm
>> >> > > >> correct.
>> >> > > >> > In the real lab I could ask the proctor that I could do this
>> >> > question
>> >> > > >> two
>> >> > > >> > ways
>> >> > > >> > *SW1*
>> >> > > >> > mls qos
>> >> > > >> > !
>> >> > > >> > policy-map POLICE-16
>> >> > > >> > class class-default
>> >> > > >> > police 2048000 8000 exceed-action drop
>> >> > > >> > policy-map VLAN16
>> >> > > >> > class class-default
>> >> > > >> > service-policy POLICE-16
>> >> > > >> > policy-map POLICE-12
>> >> > > >> > class class-default
>> >> > > >> > police 64000 8000 exceed-action drop
>> >> > > >> > policy-map VLAN12
>> >> > > >> > class class-default
>> >> > > >> > service-policy POLICE-12
>> >> > > >> > !
>> >> > > >> > int fa0/1
>> >> > > >> > sw access vl 12
>> >> > > >> > sw mo access
>> >> > > >> > mls qos vlan-based
>> >> > > >> > int fa0/3
>> >> > > >> > sw access vl 16
>> >> > > >> > sw mo access
>> >> > > >> > mls qos vlan-based
>> >> > > >> > int fa0/4
>> >> > > >> > sw tr en isl
>> >> > > >> > sw mo tr
>> >> > > >> > sw tr all vl 12,16
>> >> > > >> > mls qos vlan-based
>> >> > > >> > int vlan 12
>> >> > > >> > service-policy in VLAN12
>> >> > > >> > int vlan 16
>> >> > > >> > service-policy in VLAN16
>> >> > > >> > !
>> >> > > >> > **
>> >> > > >> > *OR
>> >> > > >> > SW1*
>> >> > > >> > class-map ALL
>> >> > > >> > match access-group 100
>> >> > > >> > class VLAN12
>> >> > > >> > match vlan 12
>> >> > > >> > match class-map ALL
>> >> > > >> > class VLAN16
>> >> > > >> > match vlan 16
>> >> > > >> > match class-map ALL
>> >> > > >> > !
>> >> > > >> > policy-map LIMIT
>> >> > > >> > class VLAN12
>> >> > > >> > police 64000 8000 exceed-action drop
>> >> > > >> > class VLAN16
>> >> > > >> > police 2048000 8000 exceed-action drop
>> >> > > >> > !
>> >> > > >> > int fa0/1
>> >> > > >> > sw access vl 12
>> >> > > >> > sw mo access
>> >> > > >> > service-policy in LIMIT
>> >> > > >> > int fa0/3
>> >> > > >> > sw access vl 16
>> >> > > >> > sw mo access
>> >> > > >> > service-policy in LIMIT
>> >> > > >> > int fa0/4
>> >> > > >> > sw tr en isl
>> >> > > >> > sw mo tr
>> >> > > >> > sw tr all vl 12,16
>> >> > > >> > service-policy in LIMIT
>> >> > > >> > !
>> >> > > >> >
>> >> > > >> >
>> >> > > >> > Blogs and organic groups at http://www.ccie.net
>> >> > > >> >
>> >> > > >>
>> >> >
>> >_______________________________________________________________________
>> >> > > >> > Subscription information may be found at:
>> >> > > >> > http://www.groupstudy.com/list/CCIELab.html
>> >> > > >>
>> >> > > >>
>> >> > > >> Blogs and organic groups at http://www.ccie.net
>> >> > > >>
>> >> > > >>
>> >> >
>> _______________________________________________________________________
>> >> > > >> Subscription information may be found at:
>> >> > > >> http://www.groupstudy.com/list/CCIELab.html
>> >> > >
>> >> > >
>> >> > > Blogs and organic groups at http://www.ccie.net
>> >> > >
>> >> > >
>> >> _______________________________________________________________________
>> >> > > Subscription information may be found at:
>> >> > > http://www.groupstudy.com/list/CCIELab.html
>> >> >
>> >> >
>> >> > Blogs and organic groups at http://www.ccie.net
>> >> >
>> >> >
>> _______________________________________________________________________
>> >> > Subscription information may be found at:
>> >> > http://www.groupstudy.com/list/CCIELab.html
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> > --
>> > Narbik Kocharians
>> > CCSI#30832, CCIE# 12410 (R&S, SP, Security)
>> > www.MicronicsTraining.com <http://www.micronicstraining.com/> <
>> http://www.micronicstraining.com/>
>>
>> > Sr. Technical Instructor
>> > YES! We take Cisco Learning Credits!
>> > Training And Remote Racks available
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Thu Jul 29 2010 - 16:04:42 ART