I have a Cisco 3550 and want to apply a rate limit on the interfaces for both ingress and egress.
The policing action can be either drop the packet or change the DSCP of the packet (markdown). In order to markdown the packet, a policed DSCP map must be modified. A default policed DSCP map remarks the packet to the same DSCP. Therefore, no markdown occurs.
As per the Cisco documentation in "Understanding QoS Policing and Marking on the Catalyst 3550":
"Policing is not to be confused with traffic shaping, although both make sure the traffic stays within the profile or contract.
Policing does not buffer the traffic, so policing does not affect the transmission delay. Instead of buffering out-of-profile packets, policing drops them or marks them with different QoS levels (DSCP markdown).
Traffic shaping buffers out-of-profile traffic and smoothes the traffic bursts, but affects the delay and delay variation. Shaping can only be applied on the outgoing interface, while policing can be applied on both the incoming and outgoing interface.
The Catalyst 3550 supports policing for both incoming and outgoing directions. Traffic shaping is not supported."
The policer is defined by a rate, a burst size, and the action taken on excess traffic.
Two types of policers are supported: a) aggregate and b) individual.
An aggregate policer acts upon the combined traffic across all instances where it is applied.
An individual policer acts separately upon the traffic of each instance where it is applied.
Referring to the Cisco documentation again, the table listing the Policing and Marking Features Supported by the Catalyst 3550 shows many options for ingress traffic but only two for egress (policer markdown and match dscp).
So one option is to use individual port-based QoS policing to limit the traffic: the ingress policy uses match access-group to match any IP address, and the egress policy uses match ip dscp.
Configure QoS Policing
1) Globally enable QoS (mls qos).
2) Define the criteria that select traffic for policing. For ingress traffic, suppose we want to include all TCP/IP traffic.
3) Define a class-map that selects traffic using the defined criteria. We create an access list that matches TCP traffic between any IP addresses. For egress traffic we select (match) all IP packets with DSCP 0 (0 means best-effort delivery).
Note that traffic with other DSCP values will not be policed. For match ip dscp to work as intended, all of the DSCP bits to be policed must be matched. (Mind that this works if the default settings are used and there is no default value for CoS.)
4) Define a service-policy (policy-map) that uses the class and applies a policer to it. I defined rate limits of 2, 4 or 8 Mbps for ingress and 2 or 4 Mbps for egress.
5) Apply a service-policy to a port. The resulting configuration follows; it was then tested with a bidirectional iperf run from the client (output shown further below):
$ iperf -c 192.168.0.10 -r
mls qos
!
! ACL_IN matches the TCP traffic permitted by access-list 110 (defined below);
! ALL_OUT matches IP packets carrying DSCP 0
class-map match-any ACL_IN
 match access-group 110
class-map match-any ALL_OUT
 match ip dscp 0
!
! police <rate in bits/s> <burst in bytes> exceed-action drop
policy-map 4MBps_OUT
 class ALL_OUT
  police 4000000 256000 exceed-action drop
policy-map 2MBps_OUT
 class ALL_OUT
  police 2000000 128000 exceed-action drop
policy-map 4Mbps_IN
 class ACL_IN
  police 4000000 256000 exceed-action drop
policy-map 2Mbps_IN
 class ACL_IN
  police 2000000 128000 exceed-action drop
policy-map 8Mbps_IN
 class ACL_IN
  police 8000000 512000 exceed-action drop
!
interface FastEthernet0/1
 description --Notebook--
 switchport access vlan 30
 switchport mode access
 no ip address
 service-policy input 8Mbps_IN
 service-policy output 4MBps_OUT
end
!
access-list 110 permit tcp any any
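The police lines above describe a single-rate token bucket: tokens refill at the configured rate and the bucket holds at most the burst size in bytes, and anything arriving without enough tokens is dropped. The following is an added example, not code from the post, that models that behaviour in Python on a constructed packet stream (the 1500-byte packet size and the 10 Mb/s offered rate are assumptions) so the effect of the rate and burst values can be checked before touching a switch.

```python
def police(packet_sizes, interarrival_s, rate_bps, burst_bytes):
    """Single-rate token bucket with exceed-action drop.

    rate_bps and burst_bytes use the units of the 3550 police command
    (bits per second, bytes). Returns (conformed_bytes, dropped_bytes).
    """
    refill = rate_bps / 8.0        # tokens (bytes) added per second
    tokens = float(burst_bytes)    # the bucket starts full
    conformed = dropped = 0
    for size in packet_sizes:
        if size <= tokens:         # enough tokens: the packet conforms
            tokens -= size
            conformed += size
        else:                      # exceed-action drop: not queued, no debt
            dropped += size
        # refill during the gap before the next packet, capped at the burst
        tokens = min(float(burst_bytes), tokens + interarrival_s * refill)
    return conformed, dropped


def offered_stream(offered_bps, packet_bytes, seconds):
    """Constructed input: equal-sized packets at a constant offered rate."""
    gap = packet_bytes * 8 / offered_bps      # seconds between packets
    return [packet_bytes] * int(seconds / gap), gap


def conformed_rate_bps(conformed_bytes, seconds):
    """Average rate that passed the policer over the whole run."""
    return conformed_bytes * 8 / seconds


if __name__ == "__main__":
    secs = 10
    pkts, gap = offered_stream(10_000_000, 1500, secs)   # 10 Mb/s offered
    ok, drop = police(pkts, gap, 4_000_000, 256_000)     # police 4000000 256000
    print(f"{conformed_rate_bps(ok, secs) / 1e6:.2f} Mb/s passed, {drop} bytes dropped")
    # a burst smaller than one packet lets nothing through at all
    print(police(pkts, gap, 4_000_000, 1_000))
```

The passed rate comes out slightly above 4 Mb/s because the initial full bucket (256000 bytes) is spent in the first quarter second; the second call shows why a burst below the packet size drops every packet regardless of rate.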
 cat3550#show mls qos interface fa0/1   
 FastEthernet0/1  
 Attached policy-map for Ingress: 8Mbps_IN  
 trust state: not trusted  
 trust mode: not trusted  
 COS override: dis  
 Attached policy-map for Egress: 4MBps_OUT  
 default COS: 0  
 DSCP Mutation Map: Default DSCP Mutation Map  
 trust device: none  
 cat3550#show mls qos interface fastEthernet 0/1 statistics   
 FastEthernet0/1  
 Ingress  
  dscp: incoming  no_change classified policed  dropped (in bytes)  
 Others: 39452756  39451429  1327    0     5179416    
 Egress  
  dscp: incoming  no_change classified policed  dropped (in bytes)  
 Others: 19647439   n/a    n/a   0     2231427    
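As an added example (not the post's own code), here is a small Python parser for the policer lines and the show mls qos interface statistics output shown above. It reports how many seconds of full rate each burst can absorb and the share of bytes each direction dropped; the sample text is constructed from the post's own configuration and output.

```python
import re

# Constructed from the post above: the policer definitions and the
# "show mls qos interface ... statistics" output for fa0/1.
POLICY_CONFIG = """\
policy-map 4MBps_OUT
 class ALL_OUT
  police 4000000 256000 exceed-action drop
policy-map 8Mbps_IN
 class ACL_IN
  police 8000000 512000 exceed-action drop
"""
QOS_STATS = """\
FastEthernet0/1
Ingress
 dscp: incoming  no_change classified policed  dropped (in bytes)
 Others: 39452756  39451429  1327    0     5179416
Egress
 dscp: incoming  no_change classified policed  dropped (in bytes)
 Others: 19647439   n/a    n/a   0     2231427
"""
POLICE_RE = re.compile(r"police\s+(\d+)\s+(\d+)\s+exceed-action")


def burst_windows(config):
    """Map policy-map name -> (rate_bps, burst_bytes, seconds of full rate the
    burst absorbs); a burst worth only a few ms of rate starves TCP flows."""
    out, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("policy-map "):
            current = s.split()[1]
        m = POLICE_RE.search(s)
        if m and current:
            rate, burst = int(m.group(1)), int(m.group(2))
            out[current] = (rate, burst, burst * 8 / rate)
    return out


def drop_ratios(stats):
    """Map direction -> dropped_bytes / incoming_bytes from the 'Others:' rows."""
    out, direction = {}, None
    for line in stats.splitlines():
        s = line.strip()
        if s in ("Ingress", "Egress"):
            direction = s
        elif s.startswith("Others:") and direction:
            fields = s.split()[1:]   # incoming no_change classified policed dropped
            out[direction] = int(fields[-1]) / int(fields[0])
    return out
```

For the post's policers every burst is 0.512 s of rate, and the fa0/1 counters show roughly 13% of ingress and 11% of egress bytes dropped by the policers during the test.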
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
------------------------------------------------------------
Client connecting to 192.168.0.10, TCP port 5001
TCP window size: 71.3 KByte (default)
------------------------------------------------------------
[ 5] local 192.168.0.99 port 34618 connected with 192.168.0.10 port 5001
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-10.3 sec 9.75 MBytes 7.92 Mbits/sec
[ 4] local 192.168.0.99 port 5001 connected with 192.168.0.10 port 35625
[ 4] 0.0-10.7 sec 5.00 MBytes 3.94 Mbits/sec
The following command does not seem to be supported, because it shows zeros everywhere:
#show policy-map interface fa0/1
Verifying with live traffic from the computer Ethernet port.
eth0
Kbps in    Kbps out
234.29 10017.46
190.57 8115.54
238.25 10135.44
191.25 8121.17
237.55 10135.51
189.62 8115.55
238.57 10147.34
190.16 8103.76
237.99 10135.48
189.44 8115.36
4777.87 2782.34
3130.43 93.91
4607.09 128.80
3791.94 109.87
3768.86 110.51
3591.16 124.03
3650.30 102.92
3933.61 112.59
4063.73 115.92
3627.09 104.68
3908.13 141.13
Reference:
Understanding QoS Policing and Marking on the Catalyst 3550
Hello, I have a Catalyst 3550 and this config works great for ingress, but the egress is still wide open. Do you have any ideas why?
Hi Mike,
I'm using model number WS-C3550-24-SMI (upgraded to EMI).
System image file is "flash:c3550-i5q3l2-mz.121-19.EA1a/c3550-i5q3l2-mz.121-19.EA1a.bin"
Check your burst limits, because if they are lower they will not allow the throughput.
Check the mls qos interface statistics.
If there are still problems, send me the configuration by email.
I followed the same configuration and repeated the bidirectional test with iperf, and it works fine for me.
I use the same policers as described in the post, with port fa0/14 going to a notebook and fa0/15 going to a server.
interface FastEthernet0/14
description --Notebook--
switchport access vlan 30
switchport mode access
no ip address
service-policy input 8Mbps_IN
service-policy output 4MBps_OUT
end
interface FastEthernet0/15
description --Server--
switchport access vlan 30
switchport mode access
no ip address
end
#show mls qos interface fa0/14 statistics
FastEthernet0/14
Ingress
dscp: incoming no_change classified policed dropped (in bytes)
Others: 26530 26530 0 0 0
Egress
dscp: incoming no_change classified policed dropped (in bytes)
Others: 23060 n/a n/a 0 0
@notebook ~ $ iperf -s
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-10.7 sec 5.00 MBytes 3.94 Mbits/sec
@server $ iperf -c 192.168.3.99
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.2 sec 5.00 MBytes 4.10 Mbits/sec
Repeated the bidirectional test but this time sending traffic from the other side.
@server $ iperf -s
[ 4] 0.0-10.3 sec 9.75 MBytes 7.92 Mbits/sec
@notebook ~ $ iperf -c 192.168.3.10
[ 3] 0.0-10.3 sec 9.75 MBytes 7.93 Mbits/sec
Also changed the policers on fa0/14 to other limits to reconfirm that it is actually working:
service-policy input 2Mbps_IN
service-policy output 4MBps_OUT
@server ~ $ iperf -s
[ 4] 0.0-11.0 sec 2.62 MBytes 1.99 Mbits/sec
@notebook ~ $ iperf -c 192.168.3.10
[ 3] 0.0-11.0 sec 2.62 MBytes 2.00 Mbits/sec
Repeated the bidirectional test but this time sending traffic from the other side.
@notebook ~ $ iperf -s
[ 4] 0.0-10.7 sec 5.00 MBytes 3.94 Mbits/sec
@server ~ $ iperf -c 192.168.3.99
[ 3] 0.0-10.4 sec 5.00 MBytes 4.03 Mbits/sec
DLS1#show mls qos interface fa0/14 statistics
FastEthernet0/14
Ingress
dscp: incoming no_change classified policed dropped (in bytes)
Others: 16210235 16210235 0 0 2193374
Egress
dscp: incoming no_change classified policed dropped (in bytes)
Others: 13548636 n/a n/a 0 1967000