Solved

VLAN-Based QoS on Trunk Ports not working

Posted on 2013-12-18
960 Views
Last Modified: 2014-01-25
Hi,

My network is as follows:

[Image: Network Layout]
So VLANs are spanned across the switches with an 802.1q trunk link.

I need to limit all vlan 1 traffic to 50 Mbps. It does not need to be shaped, but when congestion occurs the traffic above 50 Mbps must be dropped. The other vlan can take the whole bandwidth and does not need to be policed.

I cannot classify according to IP addresses because I have various customers on different VLANs but they may be using the same IP address range so the only thing that keeps each customer unique is the VLAN.

Below is my config but it does not seem to work. My output shows no traffic hitting that QoS policy.

Can anyone help?

Config:

SWITCH A

mls qos
!
class-map match-all cmap-TN_DC_Interconnect
 match input-interface GigabitEthernet1/0/37
!
policy-map pmap-Qos_Policer-DC_Spanned_VLANs
 class cmap-TN_DC_Interconnect
  police 50000000 25000 exceed-action drop
policy-map pmap-Qos_Parent-DC_Spanned_VLANs
 class class-default
  set ip dscp default
   service-policy pmap-Qos_Policer-DC_Spanned_VLANs
!
!
interface GigabitEthernet1/0/37
 description MetroE link to TN Hosting
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-989,991-999
 switchport mode trunk
 speed 100
 mls qos vlan-based
!
interface Vlan1
 no ip route-cache
 service-policy input pmap-Qos_Parent-DC_Spanned_VLANs



SWITCH B

mls qos
!
!
class-map match-all cmap-TN_DC_Interconnect
 match input-interface GigabitEthernet1/0/1
!
policy-map pmap-Qos_Policer-DC_Spanned_VLANs
 class cmap-TN_DC_Interconnect
  police 50000000 25000 exceed-action drop
policy-map pmap-Qos_Parent-DC_Spanned_VLANs
 class class-default
  set ip dscp default
   service-policy pmap-Qos_Policer-DC_Spanned_VLANs
!
!
interface GigabitEthernet1/0/1
 description MetroE to Logical
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-989,991-999
 switchport mode trunk
 speed 100
 mls qos vlan-based
!
!
interface Vlan1
 service-policy input pmap-Qos_Parent-DC_Spanned_VLANs
!



The policy-map output on both switches is:

#sh policy-map int vlan 1
 Vlan1

  Service-policy input: pmap-Qos_Parent-DC_Spanned_VLANs

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any

      Service-policy : pmap-Qos_Policer-DC_Spanned_VLANs

        Class-map: cmap-TN_DC_Interconnect (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: input-interface GigabitEthernet1/0/1

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: any
Question by:salt-eit
5 Comments
 

Expert Comment

by:Quori
ID: 39730482
Layer 2 limiting on a multitenant trunk is a pain in the neck on the 3750.

Try removing the match interface statement and instead match VLAN ID then apply the service policy to the physical interface.
 

Author Comment

by:salt-eit
ID: 39730558
Hi Quori.
The switch has no option for match vlan. I think the 3650s had that but not the 3750.

Any other ideas?
 

Assisted Solution

by:Quori
Quori earned 500 total points
ID: 39730621
Okay, I couldn't remember if the 3750X had that feature or not, but was really hoping to make this easier.

We're going to have to go back to the original plan of a two-level QoS to make this work.

For your VLAN level policy-map configure a class-map matching an access-list with "permit ip any any" and use this class instead of class-default.
 

Accepted Solution

by:
salt-eit earned 0 total points
ID: 39793806
Hi Quori, even though the "show policy-map interface" command is visible on the 3750, it is not supported according to Cisco:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/command/reference/cli2.html#wp1948343

So that command cannot be used to verify the config. One will have to use packet capturing or something to verify the config.

Also, to be safe I changed the config to use an ACL with "permit ip any any" instead of class-default. This is similar to the config that was done here:

http://ccietobe.blogspot.com/2009/02/3560-qos-per-port-per-vlan-policing.html

Thanks for your assistance.
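The ACL-based variant that the accepted solution describes, written out as an added example for Switch B. This is not the poster's final configuration and not taken from the linked blog: the interface name, policy-map names and the police values come from the thread above; the ACL name acl-ANY and the class-map name cmap-VLAN1_ANY are assumed.

```cisco
! Added example (reconstruction, not the poster's config): the VLAN-level
! class matches an explicit "permit ip any any" ACL instead of class-default,
! which is what the thread found necessary for the hierarchical policer to
! see traffic on the 3750.
mls qos
!
! Assumed ACL name. It matches every IP packet on the VLAN.
ip access-list extended acl-ANY
 permit ip any any
!
! Assumed class-map name: VLAN-level class keyed on the ACL.
class-map match-all cmap-VLAN1_ANY
 match access-group name acl-ANY
!
! Interface-level class from the thread: keyed on the trunk port.
class-map match-all cmap-TN_DC_Interconnect
 match input-interface GigabitEthernet1/0/1
!
! Interface-level (child) policy: the 50 Mbps policer with 25000-byte burst,
! excess dropped rather than marked down.
policy-map pmap-Qos_Policer-DC_Spanned_VLANs
 class cmap-TN_DC_Interconnect
  police 50000000 25000 exceed-action drop
!
! VLAN-level (parent) policy: ACL-matched class instead of class-default.
policy-map pmap-Qos_Parent-DC_Spanned_VLANs
 class cmap-VLAN1_ANY
  set ip dscp default
  service-policy pmap-Qos_Policer-DC_Spanned_VLANs
!
interface GigabitEthernet1/0/1
 description MetroE to Logical
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-989,991-999
 switchport mode trunk
 speed 100
 mls qos vlan-based
!
interface Vlan1
 service-policy input pmap-Qos_Parent-DC_Spanned_VLANs
```

Two practitioner notes on this shape. First, "permit ip any any" matches IP traffic only, so non-IP frames carried on VLAN 1 fall outside the policed class; if the 50 Mbps cap is meant to be a hard per-tenant limit, that gap should be accounted for (the 3750 also supports MAC ACLs in class-maps, which is an option to evaluate, not something the thread tested). Second, since the accepted answer states that "show policy-map interface" is not a supported verification on this platform, the counters to look at are the port-level policer statistics; on the 3560/3750 family my understanding is that "show mls qos interface gigabitethernet1/0/1 statistics" reports in-profile and out-of-profile policer counts, but confirm the exact output against the release notes for the IOS version in use, or verify with a capture as the poster suggests.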
 

Author Closing Comment

by:salt-eit
ID: 39808390
Did my own research as per comment.
