162 Chapter 6: QoS Features Available on the Catalyst 2950 and 3550 Family of Switches
Policing
Both the Catalyst 2950 Family and 3550 Family of switches support policing with trusting,
marking, and DSCP markdown actions. Both switches use the modular command-line
interface (CLI) as discussed in Chapter 5 for configuring class maps and policy maps used
for policing.
The Catalyst 2950 Family of switches supports only ingress policing on a per-port basis,
whereas the Catalyst 3550 Family of switches supports per-port and aggregate policing in
both ingress and egress configurations. Table 6-4 summarizes the policing options available
to each switch. This section discusses each of the following policing topics as it relates to
the Catalyst 2950 and Catalyst 3550 Family of switches:
Policing Resources and Guidelines
Class Maps and Policy Maps
Ingress and Egress Policing
Individual and Aggregate Policing
Port-Based, VLAN-Based, and Per-Port Per-VLAN-Based Policing
Policing Actions
Example 6-14 Displaying QoS DSCP Mutation Mappings (Continued)
3 : 30 31 32 33 34 35 36 37 38 39
4 : 30 30 30 30 30 30 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 60 61 62 63
Dscp-dscp mutation map:
Default DSCP Mutation Map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 01 02 03 04 05 06 07 08 09
1 : 10 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 24 25 26 27 28 29
3 : 30 31 32 33 34 35 36 37 38 39
4 : 40 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 60 61 62 63

Table 6-4 QoS Policing Feature Available Per Platform
QoS Policing Feature            Catalyst 2950 EI              Catalyst 3550
Port-based policing             Supported on all interfaces   Supported on all physical interfaces
Aggregate port-based policing   Not supported                 Supported on all physical interfaces
Per-port VLAN-based policing    Not supported                 Supported on ingress only
Policing Resources and Guidelines
Table 6-4 summarizes the QoS policing resource restrictions and guidelines for software
version 12.1(11)EA1. As indicated in Table 6-4, the Catalyst 3550 Family of switches
provides for additional QoS features over the Catalyst 2950 Family of switches. These
features include per-port VLAN-based policing and egress policing. Furthermore, the
Catalyst 3550 Family of switches supports additional policing resources that provide for a
larger number of policers.
Class Maps and Policy Maps
As with mainline Cisco IOS Software, class maps group ACLs and match statements for
application on policy maps. The class maps in effect define the classification criteria for policy
maps that define actions. Example 6-15 illustrates a sample configuration of a policy map.
Table 6-4 QoS Policing Feature Available Per Platform (Continued)
QoS Policing Feature                                      Catalyst 2950 EI      Catalyst 3550
Policing rate parameters                                  Rate and burst only   Rate and burst only
No. of ingress policers per Gigabit Ethernet interfaces   60                    128
No. of ingress policers per Fast Ethernet interfaces      6                     8
No. of egress policers per Gigabit Ethernet interfaces    Not supported         8
No. of egress policers per Fast Ethernet interfaces       Not supported         8
Egress policers                                           Not supported         Supported

Example 6-15 Sample Class Map and Policy Map Configuration
Switch#show running-config
Building configuration...
!
(text deleted)
mls qos
!
class-map match-any MATCH_LIST
 match access-group 100
 match ip precedence 5
 match ip dscp 35
!
!
policy-map RATE_MARK
 class MATCH_LIST
continues
The class map MATCH_LIST defines a class map with several classification matching
rules. Because the class map uses the match-any option, matching any of the three match
statements results in the policy map executing the class actions. The other matching option,
match-all, requires a packet to match all the match statements before the switch
enacts the policy map class actions.
Furthermore, the class map defines three matching rules. For the switch to execute the class
actions in the policy map, a packet must match ACL 100, have an IP precedence value of 5,
or have an IP DSCP value of 35. Otherwise, the switch does not execute the class actions
for the packet. Because the switch applies the policy map on ingress, the switch performs
the matching operation on all ingress frames on GigabitEthernet0/1.
For packets that match the classification rules in the class map, the switch executes the class
actions defined in the policy map. In Example 6-15, the switch rate limits this traffic by
dropping frames above the defined rate of 1.0 Mbps and sets the internal DSCP value to 55.
Chapter 5 provides additional configuration information on class maps and policy maps.
The “Traffic-Rate Policing” section later in this chapter discusses the rate policer in
Example 6-15.
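The matching behavior of MATCH_LIST, as an added example that is not from the book: it evaluates the three match statements of Example 6-15 under match-any and match-all. It also shows one point beyond the text: DSCP 35 carries IP precedence 4, so no packet can satisfy "ip precedence 5" and "ip dscp 35" together. The packets and the function names are constructed for illustration.

```python
import ipaddress

def acl_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard mask are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_100(pkt):
    # access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
    return (acl_match(pkt["src"], "10.1.1.0", "0.0.0.255")
            and acl_match(pkt["dst"], "10.2.1.0", "0.0.0.255"))

def precedence(dscp):
    # IP precedence is the top three bits of the six-bit DSCP value.
    return dscp >> 3

# The three match statements of class-map MATCH_LIST.
MATCH_LIST = [
    ("access-group 100", acl_100),
    ("ip precedence 5", lambda p: precedence(p["dscp"]) == 5),
    ("ip dscp 35", lambda p: p["dscp"] == 35),
]

def classify(pkt, mode="match-any"):
    """Return (matched, names of the statements that hit) for one packet."""
    hits = [name for name, test in MATCH_LIST if test(pkt)]
    if mode == "match-any":
        return bool(hits), hits
    return len(hits) == len(MATCH_LIST), hits

def match_all_reachable():
    """DSCP values that satisfy both the precedence and the DSCP statement."""
    return [d for d in range(64) if precedence(d) == 5 and d == 35]

# Constructed sample packets (not from the book).
PACKETS = [
    {"src": "10.1.1.20", "dst": "10.2.1.9", "dscp": 0},       # ACL 100 only
    {"src": "192.0.2.1", "dst": "10.2.1.9", "dscp": 46},      # precedence 5 only
    {"src": "192.0.2.1", "dst": "198.51.100.7", "dscp": 35},  # DSCP 35 only
    {"src": "10.1.2.20", "dst": "10.2.1.9", "dscp": 8},       # no statement hits
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, classify(pkt, "match-any"), classify(pkt, "match-all"))
    print("DSCP values satisfying both markings:", match_all_reachable())
```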
Ingress and Egress Policing
Ingress policing logically refers to applying a set of class actions such as trusting, marking,
or rate policing to specific packets as the switch receives packets inbound. Ingress policing
logically occurs when a switch receives a packet, but actually occurs later in packet
processing on Catalyst switches. Nevertheless, the logical concept of ingress policing is
applying class actions to received packets. Egress policing applies a set of class actions on
transmit; however, this feature is not found on all Catalyst switches. At the time of
publication, only the Catalyst 3550 Family and 4000 IOS Family of switches support egress
policing, and the Catalyst 3550 Family of switches supports only traffic-rate policers for
egress policing.
Example 6-15 Sample Class Map and Policy Map Configuration (Continued)
  police 1000000 8000 exceed-action drop
  set ip dscp 55
!
(text deleted)
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 service-policy input RATE_MARK
(text deleted)
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
(text deleted)
!
end
Applying a policy on ingress versus egress may result in significant behavioral differences
in packet flow. In Figure 6-9, for example, an ingress policer is rate limiting the traffic to
100 Mbps ingress on interface GigabitEthernet0/1. As shown in the diagram, ingress
traffic from Switch-1 is at 1.0 Gbps. Based on the rate limiting, the switch restricts ingress
traffic collectively to 100 Mbps. Assuming all ingress traffic into Switch-2 is unicast, only
100 Mbps of total traffic is sent out interfaces GigabitEthernet0/2 and 0/3. In Figure 6-10,
the switch applies the same policer outbound, and the switch only limits the traffic
transmitted out interfaces GigabitEthernet0/2 and 0/3 to 100 Mbps individually. Traffic from
interface GigabitEthernet0/4 to other interfaces flows without any restriction on rate.
Figure 6-9 Ingress Policing
[Figure labels: Switch-1, Switch-2 (Catalyst 3550 EMI), Switch-3, Switch-4; 1.0 Gbps; Gig0/1, Gig0/2, Gig0/3; Ingress Rate Policer; Cumulative Rate Is 100 Mbps]
Figure 6-10 Egress Policing
[Figure labels: Switch-1, Switch-2 (Catalyst 3550 EMI), Switch-3, Switch-4, Switch-5; 1.0 Gbps; Gig0/1, Gig0/2, Gig0/3, Gig0/4; Egress Rate Policers; 100 Mbps, 100 Mbps; Cumulative Rate Is 100 Mbps; No Rate Restriction]
Individual and Aggregate Policing
Individual policers apply bandwidth limits discretely to each interface for defined policy
maps. The Catalyst 2950 Family of switches supports only individual policers; however, the
Catalyst 3550 Family of switches supports aggregate policers.
Class maps define traffic classes within a policy map. Use the following policy map class
clause configuration command to configure individual policers:
police rate burst [exceed-action {transmit | drop | policed-DSCP-transmit}]
Example 6-16 illustrates a sample configuration for individual policing. The policy map in
Example 6-16 drops packets exceeding the 100-Mbps rate defined in the policer for all
packets ingress on interface GigabitEthernet0/1.
Aggregate policers apply rate-limiting constraints collectively among multiple class maps
within the same policy map. This behavior is unique compared to other switch platforms such
as the Catalyst 4000 IOS Family and Catalyst 6000 Family of switches. These switches use
aggregate policers to apply rate-limiting constraints among multiple ports or VLANs.
Use the following global configuration command to configure an aggregate policer:
mls qos aggregate-police aggregate-policer-name rate-bps burst-byte exceed-action {drop | policed-dscp-transmit}
aggregate-policer-name defines the name to represent the aggregate policer. Aggregate
policers support dropping or marking down packets that exceed the defined rate. Later
Example 6-16 Sample Configuration of Individual Policer
Switch#show running-config
Building configuration...
!
(text deleted)
mls qos
!
class-map match-all MATCH_ALL_PCKTS
 match any
!
!
policy-map RATE_RESTRICT
 class MATCH_ALL_PCKTS
  police 100000000 16000 exceed-action drop
!
(text deleted)
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 service-policy input RATE_RESTRICT
!
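The difference between individual and aggregate policers described above, as an added example that is not from the book: the same offered load is run through one policer per class and through one policer shared by both classes. It assumes a simplified single-rate token bucket (the page gives only the rate in bps and the burst in bytes) and reuses the 1000000 bps and 8000-byte values from Example 6-15; the class names and traffic are constructed.

```python
class Policer:
    """Single-rate token bucket: rate in bits per second, burst in bytes."""

    def __init__(self, rate_bps, burst_bytes, exceed_action="drop"):
        self.rate_bps = rate_bps
        self.burst = burst_bytes
        self.exceed_action = exceed_action
        self.tokens = float(burst_bytes)   # assumption: bucket starts full
        self.last_ms = 0

    def offer(self, now_ms, size):
        """Return 'transmit' for a conforming packet, else the exceed action."""
        refill = (now_ms - self.last_ms) * self.rate_bps / 8000  # bytes earned
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"
        return self.exceed_action


def run(traffic, policer_for):
    """Bytes transmitted per class for (time_ms, class, size) tuples."""
    passed = {cls: 0 for cls in policer_for}
    for now_ms, cls, size in traffic:
        if policer_for[cls].offer(now_ms, size) == "transmit":
            passed[cls] += size
    return passed


def constructed_traffic(duration_ms=1000, size=750):
    """Two classes alternating every 2 ms: 750 bytes per 4 ms = 1.5 Mbps each."""
    return [(t, "CLASS_A" if t % 4 == 0 else "CLASS_B", size)
            for t in range(0, duration_ms, 2)]


def compare(rate_bps=1_000_000, burst=8000):
    """Same offered load through individual and aggregate policing."""
    traffic = constructed_traffic()
    individual = {c: Policer(rate_bps, burst) for c in ("CLASS_A", "CLASS_B")}
    shared = Policer(rate_bps, burst)       # one bucket for both classes
    aggregate = {"CLASS_A": shared, "CLASS_B": shared}
    return run(traffic, individual), run(traffic, aggregate)


if __name__ == "__main__":
    ind, agg = compare()
    print("individual:", ind, "total", sum(ind.values()))
    print("aggregate: ", agg, "total", sum(agg.values()))
```

With individual policers each class passes about 1 Mbps plus its burst; with the shared policer the two classes together pass that amount.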