Cisco – Traffic Policing

ciscocisco-catalystpolicingqos

I know traffic policing isn't something that you normally find in a LAN environment, and I wish I wouldn't be finding it in mine. That being said… I have no choice.

The device is a 3750X. The requirement is to POLICE (not shape) all traffic coming to/from the 10.0.0.0 and 10.0.1.0 networks to a MAXIMUM of ~48Mbps. Below is the configuration I've come up with. Whatd'ya reckon? Also, I know I should probably have this configured on the inbound interface, but that's a whole 'nother story…

ip access-list extended acl-police
 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
class-map police-san
 match access-group name acl-police
!
policy-map police-san-replication
 class police-san
  police 47000000 10000 20000 conform-action transmit exceed-action drop

interface <outbound>
service-policy output police-san-replication

One other thing… Can anyone explain to me the "burst-normal" & "burst-max"? Is this allowing it to burst above the police limit (bps) that I defined? What are the timer thresholds for that? Should I configure these burst numbers smaller? Larger?

Best Answer

I would use vlan-based policing which works better on these switches. This is an example matching a speed value of 48Mb

mls qos
!
interface GigabitEthernet1/0/2
 switchport access vlan 500
 switchport mode access
 mls qos vlan-based
!
class-map match-all CUSTOMER_1
 match input-interface  GigabitEthernet1/0/2
!
policy-map VLAN500_POLICE
 class CUSTOMER_1
  police 48000000 18000000 exceed-action drop
!
policy-map VLAN500_PARENT
 class class-default
  set dscp default
  service-policy VLAN500_POLICE
!
interface Vlan500
 service-policy input VLAN500_PARENT

Under the parent policy you have to 'set' something in order for it to work. This could be anything so in this example I'm simply setting the dscp to 0

Related Solutions

Cisco – How to reasonably verify the QoS configuration is working

Your question's pretty broad. There's a lot of different commands you can use to troubleshoot and monitor QoS, so I'll focus on the primary question you have, which is how to reasonably verify your QoS configuration is working and how to read the policy-map interface output.

The only true way to verify that QoS is working is to hook up a traffic generator and monitor your drop rate in various queues. Since that isn't typically feasible, particularly in a production environment, all you can really do is verify that the traffic is being marked and classified properly.

What you're really looking for, when it comes to verifying if your QoS configuration is working, is for the counters in the policy-map interface command to increment.

So, for example, in the output your provided:

Class-map: VOICE (match-any)
  3860628 packets, 1070196895 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: protocol sip
    97348 packets, 49867304 bytes
    5 minute rate 0 bps
  Match: protocol rtp
    3763280 packets, 1020329591 bytes
    5 minute rate 0 bps
  Match: access-group name NEC-PBX
    0 packets, 0 bytes
    5 minute rate 0 bps
  Priority: 40% (340 kbps), burst bytes 8500, b/w exceed drops: 5

You can see that you're seeing packets under SIP and RTP, but not NEC-PBX. If you know you're getting SIP and RTP traffic across a link, you should see the packet counts increment and that's a reasonable way to know that your configuration is basically working.

Cisco – Traffic policing on 3750-x Lan base

You're configuring it wrong. In order to get policing working on these switches you need to configure the following (I've taken this from a working switch of mine)

mls qos
!
interface GigabitEthernet1/0/2
 switchport access vlan 500
 switchport mode access
 mls qos vlan-based
!
class-map match-all CUSTOMER_2
 match input-interface  GigabitEthernet1/0/2
!
policy-map VLAN500_POLICE
 class CUSTOMER_2
  police 10000000 1000000 exceed-action drop
!
policy-map VLAN500_PARENT
 class class-default
  set dscp default
  service-policy VLAN500_POLICE
!
interface Vlan500
 ip address 192.168.203.1 255.255.255.248
 ip ospf 1 area 0
 service-policy input VLAN500_PARENT

This is the only way I've ever got policing to work on a 3750

Related Topic