Policing 167
sections in this chapter cover rate and burst parameters in more detail. To attach the
aggregate policer, use the following policy map class clause configuration command:
police aggregate policer_name
Aggregate policers cannot be used across different policy maps or interfaces. Define
multiple aggregate policers to work around this limitation. Example 6-17 illustrates an
aggregate policer.
In Example 6-17, the switch subjects all traffic ingress from interface GigabitEthernet0/1 to the aggregate rate-limiting policer of 500 Mbps. However, the switch rewrites the IP precedence value differently based on which class map is matched, while the single aggregate policer of 500 Mbps applies to the combined traffic that matches either class map.
Use the following command to display the policy maps-to-policer configuration:
show mls qos aggregate-policer [aggregate-policer-name]
Example 6-17 Sample Configuration of an Aggregate Policer
Switch#show running-config
Building configuration…
!
(text deleted)
mls qos aggregate-policer RATE_500MBPS 500000000 64000 exceed-action drop
mls qos
!
class-map match-all MATCH_ACL_100
match access-group 100
class-map match-all MATCH_ACL_101
match access-group 101
!
policy-map AGGR_TRAFFIC_LIMITING
class MATCH_ACL_100
set ip precedence 0
police aggregate RATE_500MBPS
class MATCH_ACL_101
set ip precedence 5
police aggregate RATE_500MBPS
!
(text deleted)
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
service-policy input AGGR_TRAFFIC_LIMITING
!
access-list 101 permit ip any any
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
!
end
168 Chapter 6: QoS Features Available on the Catalyst 2950 and 3550 Family of Switches
Example 6-18 illustrates the use of the show mls qos aggregate-policer command.
Port-Based, VLAN-Based, and Per-Port Per-VLAN-Based Policing
Port-based policing entails binding policy maps to individual ports. VLAN-based policing involves attaching a policy map to a VLAN interface. The Catalyst 2950 Family of switches supports only port-based policing. The Catalyst 3550 Family of switches supports port-based policing and a variant of VLAN-based policing referred to as per-port per-VLAN policing. The Catalyst 3550 Family of switches does not support applying policers to VLAN interfaces. Per-port per-VLAN policing consists of the typical class map clauses nested in a second class map with a VLAN-class match clause. The switch is only able to bind per-port per-VLAN policing to trunk ports and VLAN access ports. Example 6-19 illustrates a sample configuration of per-port per-VLAN-based policing.
Example 6-18 Displaying Policy Map–to–Aggregate Policers Mapping
Switch#show mls qos aggregate-policer
aggregate-policer RATE_500MBPS 500000000 64000 exceed-action drop
Used by policy map AGGR_TRAFFIC_LIMITING
Example 6-19 Sample Configuration of Per-Port Per-VLAN Policing
Switch#show running-config
Building configuration...
(text deleted)
!
mls qos
!
class-map match-any MATCH_LIST
match access-group 100
match ip precedence 5
match ip dscp 35
class-map match-all MATCH_VLAN_LIST
match vlan 2 100-105
match class-map MATCH_LIST
!
!
policy-map RATE_LIMIT_VLAN_2_100-105
class MATCH_VLAN_LIST
set ip dscp 22
!
(text deleted)
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
service-policy input RATE_LIMIT_VLAN_2_100-105
!
(text deleted)
!
The only difference between Example 6-19 and Example 6-17 is that Example 6-19 applies the policy map only to packets ingress from VLANs 2 and 100 through 105. This per-port per-VLAN configuration requires the nested class map configuration to operate correctly. Furthermore, a per-port per-VLAN configuration requires that the class map that nests the match VLAN classification rule with the regular class map use the match-all configuration option. Also, a per-port per-VLAN class map requires the match VLAN clause before the match class-map clause.
Policing Actions
The Catalyst 2950 Family and 3550 Family of switches support the following class actions:
Trusting
Marking
Traffic-rate policing
Policing is similar to Cisco IOS rate limiting: both limit the rate of a traffic flow. However, policing uses the leaky token bucket algorithm, discussed in Chapter 2, to apply a burst parameter to the rate limit. Both the Catalyst 2950 Family and 3550 Family of switches support dropping or marking down traffic that exceeds the rate.
Trusting Action
The use of trusting as a policing action is identical to trusting based on an ACL. The
Catalyst 3550 Family of switches supports trusting as a policing action. The supported
trusting options include trusting CoS or DSCP.
Policy maps organize the trusting actions using the following policy map class clause
command:
trust [DSCP | CoS]
Example 6-20 illustrates a Catalyst 3550 configured to trust DSCP for packets that match
ACL 100.
Example 6-19 Sample Configuration of Per-Port Per-VLAN Policing (Continued)
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
!
(text deleted)
!
end
For configurations using trusting in class map clauses, there is no need for a trusting configuration on the interface. You must carefully consider whether to configure an interface for trusting and whether to configure a policing action of trusting, because the policing action takes precedence over the port configuration.
Marking Action
Both the Catalyst 2950 Family and 3550 Family of switches support marking as a policing action. Both switches support marking of DSCP using the following policy map class action command:
set ip dscp new-dscp
new-dscp indicates the DSCP value used to mark the frame in the policing action. The marking occurs on the internal DSCP value, and the internal DSCP determines the DSCP value in the frame on egress. The Catalyst 3550 Family of switches also supports marking of IP precedence. To configure marking of IP precedence in a policing action, use the following policy map class action command:
set ip precedence new-precedence
new-precedence indicates the IP precedence value used to mark the frame. The marking actually occurs on the internal DSCP value by marking the 3 MSBs of the DSCP. Example 6-21 illustrates a Catalyst 3550 switch configured to mark frames as a policing action.
Example 6-20 Sample Configuration of Trusting as a Policing Action
Switch#show running-config
Building configuration...
(text deleted)
!
mls qos
!
class-map match-all MATCH_ACL_100
match access-group 100
!
!
policy-map Classify_ACL
class MATCH_ACL_100
trust dscp
!
!
(text deleted)
!
interface FastEthernet0/1
switchport access vlan 2
switchport voice vlan 700
no ip address
duplex full
speed 100
service-policy input Classify_ACL
spanning-tree portfast
!
(text deleted)
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
!
(text deleted)
end
Traffic-Rate Policing
The Catalyst 2950 Family and 3550 Family of switches use the leaky token bucket algorithm to determine whether a packet is conforming or exceeding a specified policer rate. The leaky token bucket algorithm is transparent to the policing behavior of the switch. An understanding of the leaky token bucket is only necessary when refining the burst size parameter of a policer. For more information about the leaky token bucket algorithm, see Chapter 2.
Use the following command to configure the Catalyst 2950 Family of switches traffic-rate and burst parameters of a class map policer:
police rate-bps burst-byte [exceed-action {drop | dscp dscp-value}]
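The following is an added example, not part of the book or of Cisco IOS: a Python model of the token bucket policer behind the police command (rate in bps, burst in bytes, exceed-action drop or DSCP mark-down), run once with a single aggregate policer shared by the two class maps of Example 6-17 and once with a separate policer per class, so the effect of the shared bucket on the combined rate is visible. The packet trace, the microsecond timing and the integer-byte refill are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from collections import Counter

@dataclass
class TokenBucketPolicer:
    """Single-rate token bucket in the style of 'police rate-bps burst-byte exceed-action'."""
    rate_bps: int                # committed rate, bits per second
    burst_bytes: int             # bucket depth (normal burst), bytes
    exceed_action: str = "drop"  # "drop" or "dscp:<value>" to mark down instead of dropping
    tokens: int = field(init=False)
    last_us: int = field(init=False, default=0)

    def __post_init__(self):
        self.tokens = self.burst_bytes          # bucket starts full (assumption)

    def police(self, t_us, length, dscp):
        """Police one packet of `length` bytes arriving at t_us microseconds; returns (action, dscp)."""
        # Refill for the elapsed interval in whole bytes, never above the burst size.
        refill = (t_us - self.last_us) * self.rate_bps // 8_000_000
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_us = t_us
        if length <= self.tokens:               # conforming: consume tokens, forward unchanged
            self.tokens -= length
            return "conform", dscp
        if self.exceed_action == "drop":        # exceeding: drop, tokens untouched
            return "drop", dscp
        return "markdown", int(self.exceed_action.split(":")[1])

def make_trace(n=100, gap_us=10, length=1500):
    """Constructed trace: alternate packets from class maps MATCH_ACL_100 and MATCH_ACL_101
    every gap_us microseconds (1500 B / 10 us = 1.2 Gbps offered in total, 600 Mbps per class)."""
    classes = ("MATCH_ACL_100", "MATCH_ACL_101")
    return [(i * gap_us, classes[i % 2], length, 0) for i in range(n)]

def run(trace, policer_for_class):
    """Apply the policer bound to each class map and count the resulting actions."""
    counts = Counter()
    for t_us, cls, length, dscp in trace:
        action, _ = policer_for_class[cls].police(t_us, length, dscp)
        counts[action] += 1
    return dict(counts)

def aggregate_vs_per_class():
    """Same trace with (1) one aggregate policer shared by both classes, (2) one policer per class."""
    shared = TokenBucketPolicer(500_000_000, 64000)        # RATE_500MBPS from Example 6-17
    aggregate = run(make_trace(), {"MATCH_ACL_100": shared, "MATCH_ACL_101": shared})
    per_class = run(make_trace(), {"MATCH_ACL_100": TokenBucketPolicer(500_000_000, 64000),
                                   "MATCH_ACL_101": TokenBucketPolicer(500_000_000, 64000)})
    return aggregate, per_class

if __name__ == "__main__":
    print(aggregate_vs_per_class())
```

With the shared bucket the two classes together are held near 500 Mbps and the excess is dropped, whereas two independent 500 Mbps policers let every packet of the same trace through because each class alone stays under its own rate.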
Example 6-21 Sample Configuration of Marking as a Policing Action
Switch#show running-config
mls qos
!
class-map match-all MATCH_ACL_100
match access-group 100
!
!
policy-map Mark_Frames
class MATCH_ACL_100
set ip dscp 45
!
(text deleted)
!
interface FastEthernet0/1
switchport access vlan 2
switchport voice vlan 700
no ip address
duplex full
speed 100
service-policy input Mark_Frames
spanning-tree portfast
!
(text deleted)
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
!
(text deleted)
end