Policy-map on catalyst 3550

dear all,
how to configure policy-map on catalyst 3550 to shapping bandwidth. I've tried to setting that police-map in one of interface, but when I wrote sh policy-map interface fa0/1, in class-map field, the result are
class-map: policeIn (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
match: access-group 112qm_police_inform_feature: CLASS_SHOW
Could u give me a clue..??
thx.
..::rhiez::..

hi,
i've checked statistic of interface and there is traffic on that interface :
Hardware is Fast Ethernet, address is xxxx.xxxx.xxxx.xxxx(bia xxxx.xxxx.xxxx)
MTU 1500 bytes, BW 512 Kbit, DLY 100 usec,
reliability 255/255, txload 102/255, rxload 42/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:03:16
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 85000 bits/sec, 67 packets/sec
5 minute output rate 961000 bits/sec, 201 packets/sec
12965 packets input, 2137646 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
38564 packets output, 23504798 bytes, 0 underruns
0 output errors, 46 collisions, 0 interface resets
0 babbles, 0 late collision, 62 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
is there another way to shapping bandwidth per vlan or per port interface on catalyst 3550 with IOS 12.1(8).
thx.
..::rhiez::..

Similar Messages

Catalyst 4500x : Shaping traffic and appliying queuing (nested policy-maps)

Hi Everyone,
I got a question on how actually I could put kind of nested policy-maps under an interface on a 4500x switch.
This is needed because 100Mbps link connecting 2 head office locations. The 100Mpbs is a metro ethernet link and the provider is fixing port to 100Mbps speed.
Since 4500x is not supporting 100Mbps speed on interfaces, the provider's port is connected to an intermediary switch at 100Mbps. And the 4500x is connected to intermediary switch at 1Gbps.
Hence, I need to shape to 100Mpbs out to my 4500x port. But I also need do perform queuing for traffic. The thing is nested policy-maps doesn't seem to be implemented on 4500x as in routers.
Any idea on how to workaround this? In a router world I'd do something like this:
policy-map SHAPER
class class-default
shape average 100000000
service-policy QUEUING
policy-map QUEUING
class VOICE
priority
police 5000000 conform-action transmit exceed-action drop
class INTERACTIVE
bandwidth 20000
class BULK
bandwidth 20000
class class-default
dbl
interface TenGigabitEthernet2/1/9
description TO_REMOTE_HEADOFFICE
service-policy output SHAPER
Thank you.

I have the same problem. I wanted to do sub-interfaces with dot1q tags and nested shaper policies, but the 4500x doesn't appear to support either nested shapers or subifs. Really wish there was more consistency across platforms.
Instead of the subifs, I can simply create vlan interfaces (not my favorite method, but it works).
As far as shaping goes, the best I've been able to come up with is a custom policy that polices for the realtime traffic (i.e marked with EF or AF41, 42, 43) and everything else is matched by a custom class that matches any and sets the shape average % on the interface accordingly. (i.e. a 10g interface shaped to a 2G pipe would get 19% for all traffic and 100Mb for realtime apps like voice and video). Not perfect, but without nested policies it's hard to do a full 8 class policy and shape each class to a specific rate.
class-map match-any REALTIME
match dscp ef
match dscp af41 af42 af43
class-map match-any CATCH_ALL
match any
policy-map QOS_SHAPE_2G_OUT
class REALTIME
priority
police rate percent 1
class CATCH_ALL
shape average percent 19
int ten1/1/27
service-policy output QOS_SHAPE_2G_OUT
If you want queuing, then drop dbl in the catch all class and you're set. This is not ideal and doesn't do as well as a nested shaper policy. If anyone can come up with a better solution, please post it!

Catalyst 3550 & 3560/3750 command 'show mls qos interface statistics'

On the Catalyst 3550 the command 'show mls qos interface statistics' will show ingress packet (or byte) counts with DSCP values. If you have policers configured then it also shows a count of packets that have been marked down to another DSCP value due to policing or any that have been dropped (obviously 'mls qos monitor dscp x' needs configuring). The same command on the 3560/3750 only shows the ingress & egress DSCP values, there is no column that shows packets (or bytes) that have been policed or dropped. Is there any command to display the same information with the 3560/3750?
Neither platform show counters when the command 'show policy-map interface x/x' is used so this won't work.
Thanks
Andy

Hi, I believe there is a command on the 3560 'sh mls qos interface policers' may be what you are looking for.
Here is what the command says it outputs:
To display QoS information at the interface level. This information includes:
The configuration of the egress queues and the CoS3-to-egress-queue map
Which interfaces have configured policers
Ingress and egress statistics, which includes the number of bytes that have been dropped

POLICY-MAP counters

I have configured policy-maps and class-maps on 3550 and 3560 switches.
The following is excerpt....
class-map match-any voip_class
match access-group 100
policy-map voip_policy
class voip_class
trust dscp
interface GigabitEthernet0/12
service-policy input voip_policy
priority-queue out
access-list 100 permit udp any any
I have the access-list 'open' for testing purposes.
However when I run the command 'sh policy-map int gi0/12' I get no counters increasing.
Should I?
Also if I run the 'sh access-list 100' command, should I get increasing counters?
Thanks for any help
Nik Mihelioudakis

Sh policy map is not supported on this platform
http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdy50035
Use "show mls qos interface gig0/12 statistics" instead.

Need help - Catalyst 3550 on CCM4.1 Voip

Guys.
We had a Catalyst 3550 switch fail last week, and the guy who really knows this system has left the company.
The switch has a non-free molecules error, which i believe is terminal.
I've sourced a replacement switch and need help configuring it.
I copied the running config from it's sister switch (there are only 2 switches on this ccm), however, the sister switch is a 3560.
I changed the I.P address and switch name before uploading it to the 3550 on the off chance it might just work.
Show run on the 3550 shows that it might be configured, but when i connected it, it took the gateway down.
I'm really up the creek at the moment unless i can get someone to either look at it, find an old config or get this guy back in for a few hours.
Any advice would be greatly received.
Looking at show run, i see two refernces to VLAN's
interface Vlan1
ip address 170.205.238.3 255.255.255.0
interface Vlan10
ip address 10.10.0.254 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 170.205.238.1
no ip http server
The I.P address 170.205.238.1 is alien to me.. i don't know what this is. However, what i do know is that i never changed this. This IP address is the same in the 3560.
Could this cause an issue ?. I'm not aware of anything on a 170.X.X.X subnet, this could have been some legacy from the previous owners of the building.
The first 3 ports in the switch are connected to the publisher, subscriber and gateway router.
Does it matter which port is connected to which component. ?
I believe that i can't be too far away from configuring this, but without any help, i'm a bit stuck.
LEE-SW-CC_VOIP-01#show run
Building configuration...
Current configuration : 6147 bytes
version 12.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname LEE-SW-CC_VOIP-01
enable secret 5 $1$2BRP$UtiYkRMAsp7roykkfRDo3/
username cisco privilege 15 secret 5 $1$mh3w$w8H5ygAfDUOBdiE2UftB8.
ip subnet-zero
ip routing
vtp domain LEE
vtp mode transparent
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
vlan 10
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/6
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/7
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/8
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/9
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/10
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/11
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/12
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/13
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/14
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/15
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/16
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/17
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/18
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/19
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/20
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/21
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/22
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/23
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface FastEthernet0/24
switchport mode access
switchport voice vlan 10
no ip address
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
mls qos trust cos
udld port aggressive
auto qos voip trust
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
mls qos trust cos
udld port aggressive
auto qos voip trust
priority-queue out
interface Vlan1
ip address 170.205.238.3 255.255.255.0
interface Vlan10
ip address 10.10.0.254 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 170.205.238.1
no ip http server
logging trap debugging
line con 0
exec-timeout 0 0
privilege level 15
login local
line vty 0 4
privilege level 15
login local
length 0
line vty 5 15
privilege level 15
login local
length 0
end
LEE-SW-CC_VOIP-01#

Always wanting to learn more, I re-instated the test config and ran those commands.
LEE-SW-CC_VOIP-01#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
LEE-SW-CC_VOIP-01#show ip int brief
Interface IP-Address OK? Method Status Prot
ocol
Vlan1 170.205.238.2 YES NVRAM up down
Vlan10 10.10.0.254 YES NVRAM up down
FastEthernet0/1 unassigned YES unset down down
FastEthernet0/2 unassigned YES unset down down
FastEthernet0/3 unassigned YES unset down down
FastEthernet0/4 unassigned YES unset down down
FastEthernet0/5 unassigned YES unset down down
FastEthernet0/6 unassigned YES unset down down
FastEthernet0/7 unassigned YES unset down down
FastEthernet0/8 unassigned YES unset down down
FastEthernet0/9 unassigned YES unset down down
FastEthernet0/10 unassigned YES unset down down
FastEthernet0/11 unassigned YES unset down down
FastEthernet0/12 unassigned YES unset down down
FastEthernet0/13 unassigned YES unset down down
FastEthernet0/14 unassigned YES unset down down
FastEthernet0/15 unassigned YES unset down down
FastEthernet0/16 unassigned YES unset down down
FastEthernet0/17 unassigned YES unset down down
FastEthernet0/18 unassigned YES unset down down
FastEthernet0/19 unassigned YES unset down down
FastEthernet0/20 unassigned YES unset down down
FastEthernet0/21 unassigned YES unset down down
FastEthernet0/22 unassigned YES unset down down
FastEthernet0/23 unassigned YES unset down down
FastEthernet0/24 unassigned YES unset down down
GigabitEthernet0/1 unassigned YES unset down down
GigabitEthernet0/2 unassigned YES unset down down
LEE-SW-CC_VOIP-01#

Policer with IPv6 class-map on Catalyst 3750

Hi,
I've the following problem.
It's my goal to ratelimit incoming IPv6 traffic dependent on the destination IP address range.
On a Catalyst 3750 (Image: c3750-ipservicesk9-mz.122-55.SE1.bin) I've set up the configuration as follows:
mls qos
ipv6 access-list DESTINATION-RANGE-A
permit ipv6 any 2007::/16
ipv6 access-list DESTINATION-RANGE-B
permit ipv6 any 2B03::/16
class-map match-all A
match access-group name DESTINATION-RANGE-A
class-map match-all B
match access-group name DESTINATION-RANGE-B
policy-map RL-POLICY
class A
police 2000000 8000 exceed-action drop
class B
police 6000000 8000 exceed-action drop
interface GigabitEthernet1/0/7
switchport access vlan 90
load-interval 30
service-policy input RL-POLICY
The last CLI command which should bind the policy to the specific interface, leads to the following error message
QoS: class(A) IPv6 class not supported on interface GigabitEthernet1/0/7
Are hardware/software limitations the reason for this behavior or is there any misconfiguration?
Thanks in advance for your help!
Regards,
Jens

If you are thinking of IPv6 prefix I tried everything. From /128 for single host to /64, nothing works.

Ratelimiter with IPv6 class-map on Catalyst 3750

Hi,
I've the following problem.
It's my goal to ratelimit incoming IPv6 traffic dependent on the destination IP address range.
On a Catalyst 3750 (Image: c3750-ipservicesk9-mz.122-55.SE1.bin) I've set up the configuration as follows:
mls qos
ipv6 access-list DESTINATION-RANGE-A
permit ipv6 any 2007::/16
ipv6 access-list DESTINATION-RANGE-B
permit ipv6 any 2B03::/16
class-map match-all A
match access-group name DESTINATION-RANGE-A
class-map match-all B
match access-group name DESTINATION-RANGE-B
policy-map RL-POLICY
class A
police 2000000 8000 exceed-action drop
class B
police 6000000 8000 exceed-action drop
interface GigabitEthernet1/0/7
switchport access vlan 90
load-interval 30
service-policy input RL-POLICY
The last CLI command which should bind the policy to the specific interface, leads to the following error message
QoS: class(A) IPv6 class not supported on interface GigabitEthernet1/0/7
Are hardware/software limitations the reason for this behavior or is there any misconfiguration?
Thanks in advance for your help!
Regards,
Jens

If you are thinking of IPv6 prefix I tried everything. From /128 for single host to /64, nothing works.

Policy map not show results in Cat6500

                   I have configured QoS in Catalyst 6513 for telepresence service and when I do "show policy interface gix/y" don't show the traffic is being marked.
I think that the QoS is marked the traffic correctly because I am sawing packets marked with AF41 in the next hop for that suspect that the problem is in the "show comand".
It´s normal this behaviour or it could be a IOS bug?
This is the configuration:
ip access-list extended ACLtelepresencia_in
permit ip any any
class-map match-any telepresencia
match access-group name ACLtelepresencia_in
policy-map telepresencia_in
class telepresencia
   set dscp af41
D08MNSSRS0#sh policy-map interface GigabitEthernet3/13
GigabitEthernet3/13
Service-policy input: telepresencia_in
    Class-map: telepresencia (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group name ACLtelepresencia_in
        0 packets, 0 bytes
        30 second rate 0 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
Regards
Alberto

Try the query as
select sum(t.total) from
SELECT T0.DocNum, T0.DocTotal,T0.DocTotal - T0.VatSum, T0.DocDate, Sum(T0.DocTotal) as Total,Sum(T0.DocTotal - T0.VatSum) as withoutTax FROM ORDR T0 INNER JOIN OSLP T1 ON T0.SlpCode = T1.SlpCode
WHERE T1.SlpName ='Rajesh Nair' and T1.SlpCode -1
GROUP BY T0.DocNum, T0.DocDate, T0.VatSum, T0.DocTotal
) t
or in one query at the end as sum as
SELECT T0.DocNum, T0.DocTotal,T0.DocTotal - T0.VatSum, T0.DocDate, Sum(T0.DocTotal) as Total,Sum(T0.DocTotal - T0.VatSum) as withoutTax FROM ORDR T0 INNER JOIN OSLP T1 ON T0.SlpCode = T1.SlpCode
WHERE T1.SlpName ='Rajesh Nair' and T1.SlpCode -1
GROUP BY T0.DocNum, T0.DocDate, T0.VatSum, T0.DocTotal
UNION
select null, null, null, null, sum(t.total), null from
SELECT T0.DocNum, T0.DocTotal,T0.DocTotal - T0.VatSum, T0.DocDate, Sum(T0.DocTotal) as Total,Sum(T0.DocTotal - T0.VatSum) as withoutTax FROM ORDR T0 INNER JOIN OSLP T1 ON T0.SlpCode = T1.SlpCode
WHERE T1.SlpName ='Rajesh Nair' and T1.SlpCode -1
GROUP BY T0.DocNum, T0.DocDate, T0.VatSum, T0.DocTotal
) t

Is there a policy map difference from 8.0 to 9.0?

We have been testing blocking a few select websites (no web filtering yet) with some of our smaller location ASA's. Following the document at:
https://supportforums.cisco.com/docs/DOC-1268
I have been successful at sites which run ASA's with version 8.0 of the IOS on them, but not with 9.0. With 9.0 (2) it appears that when you institute the policy map to make it take effect, it blocks all web traffic, not just the ones specified.
So, I guess I'm asking, is there that large of a difference between 8.0 and 9.0 that would cause this to no longer work properly?

You went to the same page I did 7 hours ago. Use the "FILES TYPE EDIT" solution and follow almost all of the instructions...Edit FIREFOX URL, HYPERTEXT TRANSFER PROTOCOL and HYPERTEXT TRANSFER PROTOCOL WITH PRIVACY....It isn't necessary to take the step of "unchecking the "DDE BOX", just follow the instructions to delete the characters in the "DDE Message Box" and the problem is fixed. If you uncheck the "DDE BOX", as instructed, it may come back to bite you.
Thank you for helping,
Sel Warren

Using Catalyst 3550 Switch with Linksys Home Router and Cable Internet

I've about pulled what little hair I have out of my head on this one, and need some configuration help.
I have a Cisco Catalyst 3550 switch with five Windows 7 desktops, an Avaya PBX and five Avaya IP phones attached. All of these devices are on a 192.168.0.0/24 subnet, and are communicating properly. I will refer to this as network # 1. I also have SEPARATE network, we'll call network # 2, using AT&T ADSL service and a Netgear 4-port/wireless router/ADSL modem combo device, which is functioning properly with a couple of other Windows 7 desktops over its own wired Ethernet network, using DHCP, and also on a 192.168.0.0/24 subnet. I thought it would be a simple integration, just plugging one of the 3550's ports to one of the DSL router's ports, in order to give the five Windows 7 desktop computers on network # 1 internet access via the DSL modem. Guess I was wrong. When I connect the two switches together, although I get a good connectivity (green lights on both ports) and am able to ping the DSL router's gateway address (192.168.0.252) from network # 1's computers, the computers on network # 1 cannot access the internet. Also, the working computers on network # 2 lose their internet access as long as the two switches are connected together. I am not a Cisco guru, but there's got to be a way to make this scenario work. Can someone provide me with a 3550 configuration that will allow me to extend my internet service from network # 2 on the DSL router to my 3550 switch and their computers? Here's what I am looking for:
INTERNET ---> ADSL MODEM ---> NETGEAR ROUTER ---> CISCO 3550 SWITCH ---> NETWORK DEVICES WITH INTERNET ACCESS

The Netgear router is probably what's doing the natting. Is the 3550 configured for routing or is it straight L2? If you have the 3550 configured as L3, then it's going to be easy to do what you want. Just add a static route on the Netgear to point the subnet that it doesn't know about to the 3550. For example, if the Netgear is addressed at 192.168.1.1 and the Cisco 3550 is addressed at 192.168.1.2, but it also knows about the 192.168.0.0/24 (separate vlan), then you would put a static route on your Netgear for 192.168.0.0/24 to go to 192.168.1.2.
The way that I would do it is to create a separate vlan on the 3550 and assign an address to it. Once you do that, make the port that the other switch connects to an access port of that vlan. (It would need to be on the same subnet as the existing equipment.) All of your devices would use it as a default gateway and then you would do the rest as above. You could also use RIP between the Netgear and Cisco if you can't do static routing.
HTH,
John

Policy MAP Issue on ASA

Hi i have configured following Policy MAp to restrict 12.203 to use 5mb bandwidth.
Issue is that i dont recieve any hits when i apply this on outside interface like that
service-policy PM-RATELIMIT interface outside
But when i add permit ip any any in ACL then i receive hits.
Else This map work fine in inside interface but i want to apply it on outside .
Conf are as follows
access-list vlan10_rate_limit extended permit ip host 192.168.12.203 any
class-map CM-RATELIMIT
match access-list vlan10_rate_limit
policy-map PM-RATELIMIT
class CM-RATELIMIT
police input 5000000

the ACL that you have configured is sourcing from the internal host to any on the outside. So you would need to apply that on the inside interface.
If you would like to limit the return traffic towards that host, then you would need to configure ACL with source any and destination the NATed ip address of that internal host.

Policy map/ class map/ service policy for IOS xr

Hi,
I need to create a policy map and class map/service policy to limit the amount of bandwidth that can be used on one interface both in and out.
I need the cap for the bandwidth to traverse this circuit to ne 10 Meg.
the IOS xr version we are using is 4.3.4
I was hoping someone could help me out by giving me a configuration example I could follow.
Thank you.

for instance like this:
policy-map police-in
class class-default
police rate 10 mpbs <optionally set burst>
policy-map shape-out-parent
class class-default
shape 10 mpbs <optional burst config>
service-policy shape-out-child
policy-map shape-out-child
class class-default
queue-limit 10 packets
int g 0/0/0/0
service-policy police-in in
service-policy shape-out-parent out
also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
and the support forum article of "asr9000 quality of service architecture"
xander

Class-Map and Policy-Map Configuration in CM Confusion

Hi,
I'm implementing a green field WAAS deployment for a customer. We currently have a Proof-of-Concept up and running.
I've got some questions regarding custom class-map and policy-map configuration in the CM. I'd like to nail-down the custom class-map and policy-map configuration (and understanding) in the PoC before cutting over the PoC branches to the production WAAS environment.
Assuming a typical WAAS Deployment using WCCP for off-path interception, branch to DC.
==> 61 in LAN (BRANCH ROUTER) <== 62 in WAN (WAN CLOUD) ==> 61 in WAN (DC ROUTER) <== 62 in LAN
We are using two distinct device groups, BRANCH and DATA CENTER.
If the customer has traffic that we need to classify in order to provide TFO only optimisation, should the single class-map include the traffic in both directions? Ie., (assume the SERVER is 10.1.1.1 TCP Port 443). Should the class-map be configured as:
Class-Map
Line 1: DST IP 10.1.1.1 DST Port 443
Line 2: SRC IP 10.1.1.1 SRC Port 443
Or in this case is only the DST line required? And in which Device Group should the custom policy be applied? Or should it be applied to both Device Groups? If it should be applied to both Device Groups, then would it make more sense to have the policy-map in the Branch DG configured to match the DST traffic, and on the Data Center DG have a different class-map match the SRC traffic?
My confusion is how to classify the traffic (SRC or DST or Both - Separate classes for each or different lines within the same class-map), and where to apply the appropriate policy (both Device Groups, just Branch, just DC) and why...
I tried to apply a custom policy and the impact in the PoC was that the TCP Summary report stopped reporting the individual traffic classes showed 'other traffic' only. Can anyone explain why this may have occurred?
I hope this makes sense.

for instance like this:
policy-map police-in
class class-default
police rate 10 mpbs <optionally set burst>
policy-map shape-out-parent
class class-default
shape 10 mpbs <optional burst config>
service-policy shape-out-child
policy-map shape-out-child
class class-default
queue-limit 10 packets
int g 0/0/0/0
service-policy police-in in
service-policy shape-out-parent out
also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
and the support forum article of "asr9000 quality of service architecture"
xander

1 policy-map for more than 1 physical interface

Hi,
the situation I want to achieve is, that 2 physical interfaces (here 2 TP GigbitEthernet Ports of a 3750) are limited together from one 'service-policy'/'policy-map'.
In the example below I have 2 Ports on one switch and the traffic coming in on both ports in total (traffic port #1 + traffic port #2) should be limited to the 'policy-map 5MBits'.
Right now I have configured a 3750 with:
class-map match-all EveryMAC
match access-group name everythingL2
policy-map 5MBits
class EveryMAC
police 5000000 32768 exceed-action drop
policy-map TEST
class EveryMAC
set dscp default
mac access-list extended everythingL2
permit any any
interface GigabitEthernet1/0/1
description port #1
switchport access vlan 123
switchport mode access
speed 10
duplex auto
interface GigabitEthernet1/0/2
description port #2
switchport access vlan 123
switchport mode access
speed 10
duplex auto
interface Vlan123
service-policy input TEST
And at the 'other side' a 2950 works with the following config:
class-map match-all EveryMAC
match access-group name everythingL2
policy-map 5MBits
class EveryMAC
police 5000000 32768 exceed-action drop
mac access-list extended everythingL2
permit any any
interface FastEthernet0/1
description port #A
switchport access vlan 123
switchport mode access
speed 10
duplex auto
As far as I can see this seems to work. But it would be nice if someone can confirm this or provide an other suggestion.
thanks in advance
Mark

Only thing i can think of is instead of using a MAC ACL , u cud jus use the default class
Policy Map Test
class class-default
police 56000 8000 exceed-action drop
Class Map match-any class-default (id 0)
Match any
You would be saving a MAC-ACL ;-).

Catalyst 3550: Loading IOS via TFTP from ROMmon?

Hi everybody,
I need to load an IOS from ROMmon-mode to a Catalyst 3550.
Of cause I could do that via xmodem but I thought it should also be possible via TFTP.
What I did:
switch: IP_ADDRESS=192.168.1.1
switch: IP_SUBNET_MASK=255.255.255.0
switch: TFTP_SERVER=192.168.1.2
switch: TFTP_FILE=c3550-ipservicesk9-mz.122-35.SE5.bin
switch: DEFAULT_GATEWAY=192.168.1.1
switch: set
BOOT=tftp://192.168.1.2/c3550-ipservicesk9-mz.122-35.SE5.bin
DEFAULT_GATEWAY=192.168.1.1
IP_ADDRESS=192.168.1.1
IP_SUBNET_MASK=255.255.255.0
MAC_ADDR=00:0F:90:7F:B1:00
MODEL_NUM=WS-C3550-48-SMI
MODEL_REVISION_NUM=L0
MOTHERBOARD_ASSEMBLY_NUM=73-5701-09
MOTHERBOARD_REVISION_NUM=A0
MOTHERBOARD_SERIAL_NUM=CAT08130PUT
POWER_SUPPLY_PART_NUM=34-0967-02
POWER_SUPPLY_SERIAL_NUM=DTH08094HH7
SYSTEM_SERIAL_NUM=CAT0813Z29A
TFTP_FILE=c3550-ipservicesk9-mz.122-35.SE5.bin
TFTP_SERVER=192.168.1.2
switch: boot tftp://192.168.1.2/c3550-ipservicesk9-mz.122-35.SE5.bin
Loading "tftp://192.168.1.2/c3550-ipservicesk9-mz.122-35.SE5.bin"...tftp://192.168.1.2/c35 50-ipservicesk9-mz.122-35.SE5.bin: permission denied
Error loading "tftp://192.168.1.2/c3550-ipservicesk9-mz.122-35.SE5.bin"
Interrupt within 5 seconds to abort boot process.
Boot process failed...
switch: boot
Loading "tftp://192.168.1.2/c3550-ipservicesk9-mz.122-35.SE5.bin"...tftp://192.168.1.2/c35 50-ipservicesk9-mz.122-35.SE5.bin: permission denied
Error loading "tftp://192.168.1.2/c3550-ipservicesk9-mz.122-35.SE5.bin"
Interrupt within 5 seconds to abort boot process.
Boot process failed...
Am I doing something wrong or is it generally impossible to load an IOS via TFTP to a 3550?
Thanks in advance
Rolf

I am pretty sure you can't boot from a TFTP server with the Catalyst 3550 (or any of the other standalone access switches - 2950, 3550, 3560 3750 etc). If you want to recover one you need to recover it using XModem via the console:
http://www.cisco.com/en/US/products/hw/switches/ps628/products_tech_note09186a0080169696.shtml
I used to think you had to do this at 9600-baud, however you can increase the baudrate and it only takes 10-20 minutes (I couldn't get 115200 to work but 57600 worked OK and took about 20-minutes).
You need to remember to put the baud rate back to 9600 when the image is back on as it gets stored in NVRAM and reboots etc are at the stored speed (i.e. changing it after it has booted under the line con 0 doesn't get saved to NVRAM).
HTH
Andy

Policy-map on catalyst 3550

Similar Messages

Maybe you are looking for