Policy won't apply

marsss

Programmer
Sep 24, 2004
116
US
Hello, usually, my policy map was working to cut traffic to a specific value, but I'm having some problem using it with vlan. I show some part of the config I have atm, and traffic won't cut at 640kb with this.

Any idea how to make it work?

Just to be sure, is it possible to set a max speed per IP address in this vlan? Well, that is what I would do.

Code:
vlan 2

class-map match-all client_640
  match access-group 110

policy-map client
  class client_640
    police 640000 80000 exceed-action drop

interface FastEthernet0/13
 switchport access vlan 2
 no ip address
 service-policy input client


interface Vlan2
 ip address 172.16.4.1 255.255.252.0 secondary
 ip address w.x.y.z 255.255.255.192
 ip access-group 101 in
 ip access-group 102 out
 ip accounting access-violations

access-list 101 deny   tcp any any eq 135
access-list 101 deny   tcp any any eq 136
access-list 101 deny   tcp any any eq 137
access-list 101 deny   tcp any any eq 138
access-list 101 deny   tcp any any eq 139
access-list 101 deny   udp any any eq 135
access-list 101 deny   udp any any eq 136
access-list 101 deny   udp any any eq netbios-ns
access-list 101 deny   udp any any eq netbios-dgm
access-list 101 deny   udp any any eq netbios-ss
access-list 101 deny   tcp any any eq 445
access-list 101 deny   udp any any eq 445
access-list 101 permit ip any any
access-list 102 deny   tcp any any eq 135
access-list 102 deny   tcp any any eq 136
access-list 102 deny   tcp any any eq 137
access-list 102 deny   tcp any any eq 138
access-list 102 deny   tcp any any eq 139
access-list 102 deny   udp any any eq 135
access-list 102 deny   udp any any eq 136
access-list 102 deny   udp any any eq netbios-ns
access-list 102 deny   udp any any eq netbios-dgm
access-list 102 deny   udp any any eq netbios-ss
access-list 102 deny   tcp any any eq 445
access-list 102 deny   udp any any eq 445
access-list 102 permit ip any any
access-list 110 permit ip any any
 
What if you apply the "service-policy input client" inside the "interface vlan 2"? Also, with this "input" command you're only policing the inbound traffic.

If you want to perform traffic policing per IP address, I think you can try to set another class like this:

class-map match-all Peter_640
  match access-group 110
class-map match-all Mary_1280
  match access-group 111

policy-map client
  class Peter_640
    police 640000 80000 exceed-action drop
  class Mary_1280
    police 1280000 160000 exceed-action drop

access-list 110 permit ip host 1.1.1.1 any
access-list 111 permit ip host 1.1.1.2 any
 
what if you apply the "service-policy input client" inside the "interface vlan 2"?

Not sure how to do that, if it's possible.

I figure only this specific 3550 isn't working. I tried the exact same programming on another 3550 and it did work.

I verified both IOS

The one that isn't working runs:
IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(11)EA1, RELEASE SOFTWARE

The one that is working runs:
IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(13)EA1a, RELEASE SOFTWARE


Any idea if police-map is not supposed to work on version 12.1(11)EA1?
 
hmm the feature you're using is actually called "Modular QoS CLI (MQC) Unconditional Packet Discard" and it's not available for Cat3550 lol. I've even used "CAR" to check and still it's not available for Cat3550.

If you do think it really works on your 2nd 3550 using SMI 12.1(13)EA1a, then try to upgrade the first switch with this image and see if this helps or not.
 
Ok then the feature search has misleading information.

But again if you do think it really works on your 2nd 3550 using SMI 12.1(13)EA1a, then try to upgrade the first switch with this image and see if this helps or not.
 
Well, I ordered and received another Cisco Catalyst 3550.

And I figured something out today. My traffic policy works only on interfaces that aren't using a VLAN.

Example:

{Client} --- Interface 15 --- {switch3550} --- Interface 3 --- Internet

class-map match-all cl_640Kb
  match access-group 106

class-map match-all cl_1.5Mb
  match access-group 107

policy-map po_ip207
  class cl_640Kb
    police 640000 80000 exceed-action drop
  class cl_1.5Mb
    police 1496000 80000 exceed-action drop

interface FastEthernet0/3
 no ip address
 service-policy input po_ip207

interface FastEthernet0/15
 switchport access vlan 2
 no ip address
 service-policy input po_ip207

interface Vlan2
 ip address w.x.y.z 255.255.255.192
 ip access-group 101 in
 ip access-group 102 out
 ip accounting access-violations

access-list 106 deny ip any host {Insert here people without bandwidth limit + people at 1.5mbps}
access-list 106 permit ip any any
access-list 107 deny ip any host {Insert here people without bandwidth limit}
access-list 107 permit ip any any



With this config, download is limited through interface 3, but upload isn't working on interface 15. I figure it's because I have some vlan setting, but can't figure out how to set it up. Any clue?

thx for help
 
Can you show me the output of "sh policy-map int f0/3" and "sh policy-map int f0/15"?

btw your access-list 106 and 107 only provide exceptions for downstream traffic using "any host x.x.x.x". If you also want to provide exceptions for upstream traffic, you'll probably need to use "host x.x.x.x any" instead.
 
Interface 3
Code:
 FastEthernet0/3

  service-policy input: po_ip207

    class-map: cl_640Kb (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      match: access-group 106qm_police_inform_feature: CLASS_SHOW


    class-map: cl_1.5Mb (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      match: access-group 107qm_police_inform_feature: CLASS_SHOW


    class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      match: any
        0 packets, 0 bytes
        5 minute rate 0 bps

Interface 15
Code:
 FastEthernet0/15

  service-policy input: po_ip207

    class-map: cl_640Kb (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      match: access-group 106qm_police_inform_feature: CLASS_SHOW


    class-map: cl_1.5Mb (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      match: access-group 107qm_police_inform_feature: CLASS_SHOW


    class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      match: any
        0 packets, 0 bytes
        5 minute rate 0 bps

not sure about result I should get here...

btw your access-list 106 and 107 only provide exceptions for downstream traffic using "any host x.x.x.x". If you also want to provide exceptions for upstream traffic, you'll probably need to use "host x.x.x.x any" instead.

Yeah, you're right, but still with "permit ip any any" at the end, it should apply to the others...
 
Well, dunno why but it's looking to work now; current config looks like this:

Code:
mls qos

class-map match-all cl_640_down
  match access-group 110
class-map match-all cl_640_up
  match access-group 120

policy-map po_up
  class cl_640_up
    police 8000 8000 exceed-action drop
policy-map po_down
  class cl_640_down
    police 8000 8000 exceed-action drop

interface FastEthernet0/3
 switchport mode dynamic desirable
 service-policy input po_down

interface FastEthernet0/15
 switchport access vlan 2
 switchport mode dynamic desirable
 speed 100
 duplex full
 service-policy input po_up

access-list 110 deny   ip any host x.x.x.x
access-list 110 permit ip any any
access-list 120 deny   ip host x.x.x.x any
access-list 120 permit ip any any

Not really sure what made the policy work, but well... it does work in both directions.
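
Added example, not part of the original thread: a simplified Python model of the two mechanisms the final configuration relies on, first-match ACL classification (a `deny` entry keeps a packet out of the class-map, so direction matters) and a single-rate policer whose rate is in bits per second and burst in bytes. The addresses 192.0.2.10 and 198.51.100.5 are constructed stand-ins for the thread's x.x.x.x and an outside host, and the function names are hypothetical; this is not the switch's hardware behaviour.

```python
import ipaddress

def _addr(tok):
    """Consume 'any' or 'host A.B.C.D' from the front of tok; return (address or None, rest)."""
    if tok[:1] == ["any"]:
        return None, tok[1:]
    if tok[:1] == ["host"] and len(tok) > 1:
        return ipaddress.ip_address(tok[1]), tok[2:]
    raise ValueError(f"unsupported address spec: {tok!r}")

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines as used in the thread."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        if rest:
            raise ValueError(f"unexpected trailing tokens in: {line!r}")
        rules.append((tok[2], src, dst))
    return rules

def in_class(rules, src, dst):
    """First matching entry wins; only 'permit' puts the packet in the policed class."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_src, r_dst in rules:
        if r_src in (None, src) and r_dst in (None, dst):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def police(packets, rate_bps, burst_bytes):
    """Single-rate token bucket over [(time_s, size_bytes)]; exceeding packets are dropped."""
    tokens, last, verdicts = float(burst_bytes), 0.0, []
    for t, size in packets:
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last, ok = t, size <= tokens
        tokens -= size if ok else 0
        verdicts.append("conform" if ok else "drop")
    return verdicts

# Constructed sample: 192.0.2.10 plays the unlimited host, 198.51.100.5 an outside host.
ACL_110 = parse_acl("access-list 110 deny ip any host 192.0.2.10\naccess-list 110 permit ip any any")
ACL_120 = parse_acl("access-list 120 deny ip host 192.0.2.10 any\naccess-list 120 permit ip any any")
UPSTREAM = ("192.0.2.10", "198.51.100.5")  # packet sent by the unlimited host

if __name__ == "__main__":
    print(in_class(ACL_110, *UPSTREAM), in_class(ACL_120, *UPSTREAM), police([(0, 1000)] * 10, 8000, 8000))
```

An upstream packet from the exempt host still lands in the policed class under the destination-based ACL 110 and is only exempted by the source-based ACL 120, which is why the working configuration needs one ACL per direction.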
 