3550 policing

Policing and Marking Features Supported by the Catalyst 3550 (cisco.com)


Ingress/egress port-based policing.
Create a class map that matches all ip traffic. Dscp matching is the only suitable option I seem.

class-map match-all dscp0-7
 match ip dscp default  1  2  3  4  5  6  7 
class-map match-all dscp8-15
 match ip dscp cs1  9  af11  11  af12  13  af13  15 
class-map match-all dscp16-23
 match ip dscp cs2  17  af21  19  af22  21  af23  23 
class-map match-all dscp24-31
 match ip dscp cs3  25  af31  27  af32  29  af33  31 
class-map match-all dscp32-39
 match ip dscp cs4  33  af41  35  af42  37  af43  39 
class-map match-all dscp40-47
 match ip dscp cs5  41  42  43  44  45  ef  47 
class-map match-all dscp48-55
 match ip dscp cs6  49  50  51  52  53  54  55 
class-map match-all dscp56-63
 match ip dscp cs7  57  58  59  60  61  62  63 

Create aggregate policer

mls qos aggregate-policer 10M 10000000 250000 exceed-action drop

Create a policy map that polices traffic which matches class maps

policy-map 10M
 class dscp0-7
    police aggregate 10M
 class dscp8-15
    police aggregate 10M
 class dscp16-23
    police aggregate 10M
 class dscp24-31
    police aggregate 10M
 class dscp32-39
    police aggregate 10M
 class dscp40-47
    police aggregate 10M
 class dscp48-55
    police aggregate 10M
 class dscp56-63
    police aggregate 10M

apply policy map to interface

interface GigabitEthernet0/10
 service-policy input 10M
 service-policy output 10M

And of course you should enable qos

mls qos

Ingress policing based on source ip
ACL matches source IPs:

ip access-list extended ucs
 permit ip 1.1.1.1 0.0.0.7 any

Class map matches ACL:

class-map match-all ucs-src-ip
 match access-group name ucs

Policy map applies policy to class map:

policy-map ucs-shape
 class ucs-src-ip
    police 500000000 2000000 exceed-action drop

Apply policy to an interface:

interface GigabitEthernet0/1
 service-policy input ucs-shape

Remember to enable and configure qos:

mls qos

Troubleshooting
Unfortuantely counters sh policy-map interface g0/1 does not work at all.
Policing/marking and other statistics:

sh mls qos interface g0/1 statistics 

It is also possible to see statistics on certaing dscp fields. You should enable it on interface first:

int g0/1
 mls qos monitor dscp 33
Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s