Cisco 3750 switch throttling and prioritizing traffic
My company has run of 100 Mbps private between two locations. On either end is a 3750 switch. I believe there is finally enough traffic between the locations that I need to do some throttling and prioritizing so critical applications can still talk during the time our backups run.
I realize this would be better served by plugging both ends into routers but I'd like to try and make it work with the switches as I'd need to change my network architecture around.
Below is my code. My two questions are: 1) The policy is applied to the interface connecting to the fiber, yet when I run sh policy-map int gig 4/0/47 I get 0's for everything like nothing's being processed. 2) How do I prioritize Class A traffic?
ip access-list extended priority_list
permit ip host 15.5.5.31 any
permit ip host 15.5.5.39 any
permit ip host 15.5.5.10 any
ip access-list extended non_priority
permit ip any any
class-map Class-A
match access-group name priority_list
class-map Class-B
match access-group name non_priority
policy-map priority-policy
class Class-A
police 95000000 8000 exceed-action drop
*prioritize this traffic*
class Class-B
police 40000000 8000 exceed-action drop
*do not prioritize this traffic*
int Gig 4/0/47
service-policy input priority-policy
I realize this would be better served by plugging both ends into routers but I'd like to try and make it work with the switches as I'd need to change my network architecture around.
Below is my code. My two questions are: 1) The policy is applied to the interface connecting to the fiber, yet when I run sh policy-map int gig 4/0/47 I get 0's for everything like nothing's being processed. 2) How do I prioritize Class A traffic?
ip access-list extended priority_list
permit ip host 15.5.5.31 any
permit ip host 15.5.5.39 any
permit ip host 15.5.5.10 any
ip access-list extended non_priority
permit ip any any
class-map Class-A
match access-group name priority_list
class-map Class-B
match access-group name non_priority
policy-map priority-policy
class Class-A
police 95000000 8000 exceed-action drop
*prioritize this traffic*
class Class-B
police 40000000 8000 exceed-action drop
*do not prioritize this traffic*
int Gig 4/0/47
service-policy input priority-policy
Network Engineer
CERTIFIED EXPERT
First of all, you need a policy to classify traffic. You have most of it, but not all of it. My classification policies actually mark traffic with DSCP tags. I don't know if what I have will work.
policy-map classify-policy
class Class-A
class Class-B
! on all interfaces where traffic can arrive on, you need to classify the traffic on ingress
interface range g4/0/1-48
service-policy input classify-policy
! on the egress interface where you want to control the traffic, apply your output policy
int g4/0/47
desc fiber connection to mpls
service-policy output priority-policy
Kevin, I'm not sure I follow. I have an access list, a class map, a policy map, then I apply that policy to an interface with these lines:
int gig 4/0/47
service-policy input priority-policy
What else am I missing?
int gig 4/0/47
service-policy input priority-policy
What else am I missing?
These are the guides I used to help me out:
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/91862-cat3750-qos-config.html
https://supportforums.cisco.com/discussion/10795966/bandwidth-restrict-port-cisco-ws-3750g-12s-12
https://supportforums.cisco.com/discussion/10944941/how-do-i-limit-bandwidth-cisco-3550-switch
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/91862-cat3750-qos-config.html
https://supportforums.cisco.com/discussion/10795966/bandwidth-restrict-port-cisco-ws-3750g-12s-12
https://supportforums.cisco.com/discussion/10944941/how-do-i-limit-bandwidth-cisco-3550-switch
Kevin, on a switch (at least the 3750) you can't put an egress policy on an interface:
LocationASwitch(config-if)
police command is not supported for this interface
Configuration failed!
Warning: Assigning a policy map to the output side of an interface not supported
LocationASwitch(config-if)
police command is not supported for this interface
Configuration failed!
Warning: Assigning a policy map to the output side of an interface not supported
Let me also add that from some of my bandwidth monitoring it looks like the policy is in effect eventhough when I run "sh policy-map int gig 4/0/47" it's showing "0 packets, 0 bytes" & "5 minute offered rate 0 bps, drop rate 0 bps" which makes me even more confused.
I applied a policy to the other end of our fiber connection between locations thinking this was a directional problem, but that didn't change anything. Also, running a "sh policy-map" on this interface showed the same "0 packets, 0 bytes" results as the other policy. Below is that configuration. Any help is appreciated.
ip access-list extended LocationB_priority_list
permit ip any host 10.1.1.31
permit ip any host 10.1.1.39
permit ip any host 10.1.1.10
ip access-list extended LocationB_non_priority
permit ip any any
class-map LocationB-Class-A
match access-group name LocationB_priority_list
class-map LocationB-Class-B
match access-group name LocationB_non_priority
policy-map LocationB-priority-policy
class LocationB-Class-A
police 95000000 8000 exceed-action drop
*prioritize this traffic*
class LocationB-Class-B
police 40000000 8000 exceed-action drop
*do not prioritize this traffic*
int Gig 1/0/47
service-policy input LocationB-priority-policy
ip access-list extended LocationB_priority_list
permit ip any host 10.1.1.31
permit ip any host 10.1.1.39
permit ip any host 10.1.1.10
ip access-list extended LocationB_non_priority
permit ip any any
class-map LocationB-Class-A
match access-group name LocationB_priority_list
class-map LocationB-Class-B
match access-group name LocationB_non_priority
policy-map LocationB-priority-policy
class LocationB-Class-A
police 95000000 8000 exceed-action drop
*prioritize this traffic*
class LocationB-Class-B
police 40000000 8000 exceed-action drop
*do not prioritize this traffic*
int Gig 1/0/47
service-policy input LocationB-priority-policy
Since I'm not familiar with any part of the process I'm breaking it down into it's parts. I tried a simple:
ip access-list extended test
permit ip host *computer a* any
deny ip host *computer b* any
conf t
int gig 1/0/40
ip access-group test in
And that works, so I know I've got my ip access list section configured correctly so it has to be something down the line.
ip access-list extended test
permit ip host *computer a* any
deny ip host *computer b* any
conf t
int gig 1/0/40
ip access-group test in
And that works, so I know I've got my ip access list section configured correctly so it has to be something down the line.
Gain unlimited access to on-demand training courses with an Experts Exchange subscription.
Get AccessWhy Experts Exchange?
Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.
Jim Murphy
Programmer at Smart IT Solutions
When asked, what has been your best career decision?
Deciding to stick with EE.
Mohamed Asif
Technical Department Head
Being involved with EE helped me to grow personally and professionally.
Carl Webster
CTP, Sr Infrastructure Consultant
Did You Know?
We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE
Ask ANY Question
Connect with Certified Experts to gain insight and support on specific technology challenges including:
- Troubleshooting
- Research
- Professional Opinions