Solved

VLAN-Based QoS on Trunk Ports not working

Posted on 2013-12-18
Last Modified: 2014-01-25
Hi,

My network is as follows:


Network Layout
So VLANs are spanned across the switches with an 802.1q trunk link.

I need to limit all vlan 1 traffic to 50mbps. It does not need to be shaped, but when congestion occurs the traffic above 50mbps must be dropped. The other vlan can take the whole bandwidth and does not need to be policed.

I cannot classify according to IP addresses because I have various customers on different VLANs but they may be using the same IP address range so the only thing that keeps each customer unique is the VLAN.

Below is my config but it does not seem to work. My output shows no traffic hitting that QoS policy.

Can anyone help?

Config:

SWITCH A

mls qos
!
class-map match-all cmap-TN_DC_Interconnect
 match input-interface GigabitEthernet1/0/37
!
policy-map pmap-Qos_Policer-DC_Spanned_VLANs
 class cmap-TN_DC_Interconnect
  police 50000000 25000 exceed-action drop
policy-map pmap-Qos_Parent-DC_Spanned_VLANs
 class class-default
  set ip dscp default
   service-policy pmap-Qos_Policer-DC_Spanned_VLANs
!
!
interface GigabitEthernet1/0/37
 description MetroE link to TN Hosting
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-989,991-999
 switchport mode trunk
 speed 100
 mls qos vlan-based
!
interface Vlan1
 no ip route-cache
 service-policy input pmap-Qos_Parent-DC_Spanned_VLANs



SWITCH B

mls qos
!
!
class-map match-all cmap-TN_DC_Interconnect
 match input-interface GigabitEthernet1/0/1
!
policy-map pmap-Qos_Policer-DC_Spanned_VLANs
 class cmap-TN_DC_Interconnect
  police 50000000 25000 exceed-action drop
policy-map pmap-Qos_Parent-DC_Spanned_VLANs
 class class-default
  set ip dscp default
   service-policy pmap-Qos_Policer-DC_Spanned_VLANs
!
!
interface GigabitEthernet1/0/1
 description MetroE to Logical
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-989,991-999
 switchport mode trunk
 speed 100
 mls qos vlan-based
!
!
interface Vlan1
 service-policy input pmap-Qos_Parent-DC_Spanned_VLANs
!



The Policy-Map output on both switches is:

#sh policy-map int vlan 1
 Vlan1

  Service-policy input: pmap-Qos_Parent-DC_Spanned_VLANs

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any

      Service-policy : pmap-Qos_Policer-DC_Spanned_VLANs

        Class-map: cmap-TN_DC_Interconnect (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: input-interface GigabitEthernet1/0/1

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: any
Question by:salt-eit
5 Comments
 
LVL 13

Expert Comment

by:Quori
ID: 39730482
Layer 2 limiting on a multitenant trunk is a pain in the neck on the 3750.

Try removing the match interface statement and instead match VLAN ID then apply the service policy to the physical interface.
 

Author Comment

by:salt-eit
ID: 39730558
Hi Quori.
The switch has no option for match vlan. I think the 3650s had that but not the 3750.

Any other ideas?
 
LVL 13

Assisted Solution

by:Quori
Quori earned 1500 total points
ID: 39730621
Okay, I couldn't remember if the 3750X had that feature or not, but was really hoping to make this easier.

We're going to have to go back to the original plan of a two-level QoS to make this work.

For your VLAN level policy-map configure a class-map matching an access-list with "permit ip any any" and use this class instead of class-default.
 

Accepted Solution

by:
salt-eit earned 0 total points
ID: 39793806
Hi Quori, even though the "show policy-map interface" command is visible on the 3750, it is not supported according to Cisco:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/command/reference/cli2.html#wp1948343

So that command cannot be used to verify the config. One will have to use packet capturing or something to verify the config.

Also, to be safe I changed the config to use an ACL with "permit ip any any" instead of class-default. This is similar to the config that was done here:

http://ccietobe.blogspot.com/2009/02/3560-qos-per-port-per-vlan-policing.html

Thanks for your assistance.
 

Author Closing Comment

by:salt-eit
ID: 39808390
Did my own research as per comment.
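
The accepted solution above says the policer has to be verified from a packet capture rather than from the show command. The following is an added example, not part of the original thread: it computes the peak per-VLAN rate from a classic pcap file and compares VLAN 1 against the 50 Mbps rate and 25000-byte burst from the posted config. Assumptions: the capture is taken downstream of the policer and keeps 802.1Q tags, untagged frames belong to the trunk's native VLAN (1 unless the trunk is configured otherwise), and the function names and sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

POLICE_BPS = 50_000_000    # rate from the page's "police 50000000 25000 ..."
BURST_BYTES = 25_000       # burst size from the same line

def vlan_peak_bps(pcap: bytes, native_vlan: int = 1) -> dict:
    """Peak bits/s per VLAN over 1-second buckets of a classic pcap."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic (microsecond) pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("capture link type is not Ethernet")
    buckets = defaultdict(int)             # (vlan, second) -> bytes on the wire
    off = 24                               # skip the 24-byte global header
    while off + 16 <= len(pcap):
        sec, _usec, incl, orig = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 14:
            continue                       # too short for an Ethernet header
        vlan = native_vlan                 # untagged frames ride the native VLAN
        if frame[12:14] == b"\x81\x00" and len(frame) >= 16:
            vlan = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF  # drop PCP/DEI
        buckets[(vlan, sec)] += orig       # original length, even if snapped
    peaks = defaultdict(int)
    for (vlan, _sec), nbytes in buckets.items():
        peaks[vlan] = max(peaks[vlan], nbytes * 8)
    return dict(peaks)

def over_limit(pcap: bytes, vlan: int = 1, native_vlan: int = 1) -> bool:
    """True if any second carried more than the policed rate plus one burst."""
    allowed = POLICE_BPS + BURST_BYTES * 8
    return vlan_peak_bps(pcap, native_vlan).get(vlan, 0) > allowed

def sample_pcap() -> bytes:
    """Constructed capture: untagged (native) frames plus tagged VLAN 20."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
    untagged = bytes(12) + b"\x08\x00" + bytes(4)
    tagged = bytes(12) + b"\x81\x00" + struct.pack("!H", (5 << 13) | 20) + b"\x08\x00"
    rec = lambda sec, f, wire: struct.pack("<IIII", sec, 0, len(f), wire) + f
    return b"".join([hdr] + [rec(100, untagged, 1500)] * 5000
                    + [rec(100, tagged, 1000)] * 3000
                    + [rec(101, untagged, 1500)] * 4000)

if __name__ == "__main__":
    print(vlan_peak_bps(sample_pcap()), over_limit(sample_pcap()))
```

In the constructed capture VLAN 1 peaks at 60 Mbps in one second, so the check reports that the 50 Mbps policer is not taking effect.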