I know traffic policing isn't something that you normally find in a LAN environment, and I wish I wouldn't be finding it in mine. That being said… I have no choice.
The device is a 3750X. The requirement is to POLICE (not shape) all traffic coming to/from the 10.0.0.0 and 10.0.1.0 networks to a MAXIMUM of ~48Mbps. Below is the configuration I've come up with. Whatd'ya reckon? Also, I know I should probably have this configured on the inbound interface, but that's a whole 'nother story…
ip access-list extended acl-police
 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
class-map police-san
 match access-group name acl-police
!
policy-map police-san-replication
 class police-san
  police 47000000 10000 20000 conform-action transmit exceed-action drop
interface <outbound>
 service-policy output police-san-replication
One other thing… Can anyone explain to me the "burst-normal" & "burst-max"? Is this allowing it to burst above the police limit (bps) that I defined? What are the timer thresholds for that? Should I configure these burst numbers smaller? Larger?
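On the burst question in the post above, as an added example that is not part of the original post and not Cisco's own algorithm: a generic single token-bucket model of a policer, using the post's 47000000 bps rate and 10000-byte burst-normal. The 1500-byte frames, the offered loads and the single-bucket behaviour (burst-max is not modelled) are assumptions.

```python
"""Single token-bucket policer model (added illustration, not Cisco's algorithm)."""

RATE_BPS = 47_000_000   # police rate from the post, bits per second
BURST_BYTES = 10_000    # burst-normal from the post, bytes
FRAME = 1500            # constructed frame size, bytes (assumption)


def police(arrivals, rate_bps=RATE_BPS, burst=BURST_BYTES):
    """arrivals: (time_s, size_bytes) pairs sorted by time.
    Returns (sent_bytes, dropped_bytes, longest run of back-to-back sends)."""
    tokens = float(burst)          # bucket starts full
    last = 0.0
    sent = dropped = run = best_run = 0
    for t, size in arrivals:
        # Refill at the policed rate, never above the bucket depth.
        tokens = min(burst, tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:         # conform-action transmit
            tokens -= size
            sent += size
            run += 1
            best_run = max(best_run, run)
        else:                      # exceed-action drop
            dropped += size
            run = 0
    return sent, dropped, best_run


def stream(offered_bps, seconds, frame=FRAME):
    """Constructed input: evenly spaced frames at offered_bps for `seconds`."""
    gap = frame * 8 / offered_bps
    return [(i * gap, frame) for i in range(int(seconds / gap))]


def ceiling_bytes(seconds, rate_bps=RATE_BPS, burst=BURST_BYTES):
    """Most bytes any arrival pattern can get through in `seconds`."""
    return rate_bps / 8 * seconds + burst


if __name__ == "__main__":
    for label, bps in (("40 Mbps", 40e6), ("1 Gbps", 1e9)):
        sent, dropped, run = police(stream(bps, 1.0))
        print(f"{label}: sent {sent * 8 / 1e6:.2f} Mbit, "
              f"dropped {dropped * 8 / 1e6:.2f} Mbit, longest run {run} frames")
```

In this model the burst value is the bucket depth: it sets how many back-to-back frames pass before drops begin, while the total let through over any interval stays at or below rate × time plus one bucket.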
Best Answer
I would use VLAN-based policing, which works better on these switches. This is an example matching a speed value of 48Mb
Under the parent policy you have to 'set' something in order for it to work. This could be anything, so in this example I'm simply setting the DSCP to 0.