Rate-limiting/policing VLAN traffic (ingress and egress) on Cisco access switch

A customer is looking for a Cisco switch where they can rate-limit/police both ingress and egress traffic on a particular VLAN. They’re an ISP, and need to limit traffic to X-Mbps in/out on specific VLANs for their colo customers. Is there a way to accomplish this within an access switch, such as the Cisco 3560-X series?  Their core switch apparently isn’t capable of any of this, so trunking the VLAN to the core isn’t an option.

Looking at the QoS chapter of the 3560-X configuration guide (http://tinyurl.com/69jdhow), I see some examples of where you can implement policing through service policies, but this appears only to be for ingress traffic (not egress). Plus, the examples all reference physical interfaces vs. VLANs. Again, the goal is to rate-limit traffic arriving from, or exiting to, a particular customer VLAN. (I saw that the “mls qos vlan-based” command “enables VLAN-based QoS on the port” – not clear what that does, or if it would apply here.)

Thank you – looking for design options to accomplish what the customer is looking for here, as well as configuration examples.

jmeggers (Sr. Network and Security Engineer) commented:
Rate-limiting and policing are typically done on ingress, which is most likely why those functions are not supported as egress functions on the 3560.  Maybe I'm missing something but I'm not sure why this won't work for your customer.  If you rate limit on the inbound side, you've inherently limited the amount of traffic that can be sent out on the other side of the switch.  Then the only concern becomes the order in which packets or frames are sent, which is the queueing and scheduling part of QoS, and which is supported on egress from the 3560.  What am I missing?

dslam24 commented:
From my experience with the 3550/3560/3750 models, what you mentioned is about the only rate-limiting that you are able to do.  I am not so sure about the 4500 or 6500 series, although these are not really 'access' switches.

You may look at a different vendor such as Brocade/Foundry, I know that some ISPs use them heavily.

cfan73 (Author) commented:
Sorry for the extreme delay in responding here...  after much back and forth, the customer/we settled on a 4500-series switch.  The customer is an ISP, and was needing to regulate/police traffic on shared physical interfaces, based on the VLAN/subnet of each individual customer, and for both ingress/egress.

I'll share points equally to close out the thread.

cfan73 (Author) commented:
A solution wasn't really provided through the thread.