A task that comes up often: rate-limit VLANs that pass in transit through a switch from one interface to another.
A Catalyst easily supports ingress policing on a physical interface, but if you want to restrict not all traffic from an interface but individual VLANs on a trunk port, things get harder. Especially if the rate should be limited not for the sum of all VLANs but for each VLAN independently (which is usually the case). Nevertheless, the problem is solvable both on the 3560 (3550, 3750, 3560-E, etc.) and on the 6500.
On the 3560: through hierarchical policy-maps.
Example config:
mls qos
no mls qos rewrite ip dscp
!
access-list 101 remark ANY
access-list 101 permit ip any any
!
class-map match-all INTERFACES-FOR-VLAN-10
 match input-interface GigabitEthernet0/8
class-map match-all ANY
 match access-group 101
!
! child policy: police <rate-bps> <burst-bytes>
policy-map POLICY-FOR-INTERFACES-FOR-VLAN-10
 class INTERFACES-FOR-VLAN-10
  police 10240000 1920000 exceed-action drop
!
! parent policy, attached to the SVI
policy-map POLICY-FOR-VLAN-10
 class ANY
  set dscp 7
  service-policy POLICY-FOR-INTERFACES-FOR-VLAN-10
!
interface Vlan10
 no ip address
 service-policy input POLICY-FOR-VLAN-10
Counters do not work, but the rate is limited. The seemingly pointless parts (matching an access-list that is just "permit ip any any", the unused "set dscp") are really needed; without them it stops working. As they say, hard to understand, but you have to remember it. Which DSCP value is set does not matter (the main thing is that it is not 0), but apparently different VLANs need different values.
The physical interface must have "mls qos vlan-based". The policy on the interface may contain several classes, for different input interfaces.
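As an added example (not the author's config), here is the same 3560 method extended to two VLANs (10 and 20) arriving on two trunk ports, with each VLAN/port pair policed independently and a different DSCP value per VLAN, as the text recommends. The port names GigabitEthernet0/8 and 0/9, VLAN 20, and the rates and burst sizes are assumed values.

```cisco
! Added example, not from the original post: 3560 hierarchical per-VLAN
! policing for VLANs 10 and 20 on two trunk ports (Gi0/8, Gi0/9 assumed).
! Rates and bursts are assumed values.
mls qos
no mls qos rewrite ip dscp
!
access-list 101 remark ANY
access-list 101 permit ip any any
!
class-map match-all ANY
 match access-group 101
!
! Child class-maps select the physical ingress port
class-map match-all FROM-GI0-8
 match input-interface GigabitEthernet0/8
class-map match-all FROM-GI0-9
 match input-interface GigabitEthernet0/9
!
! Child policies: one per VLAN, one class per ingress port
! (police <rate-bps> <burst-bytes> exceed-action drop)
policy-map POLICY-FOR-INTERFACES-FOR-VLAN-10
 class FROM-GI0-8
  police 10240000 1920000 exceed-action drop
 class FROM-GI0-9
  police 10240000 1920000 exceed-action drop
!
policy-map POLICY-FOR-INTERFACES-FOR-VLAN-20
 class FROM-GI0-8
  police 20480000 3840000 exceed-action drop
 class FROM-GI0-9
  police 20480000 3840000 exceed-action drop
!
! Parent policies: the "permit any" class and a non-zero set dscp are
! required, and each VLAN gets its own DSCP value
policy-map POLICY-FOR-VLAN-10
 class ANY
  set dscp 7
  service-policy POLICY-FOR-INTERFACES-FOR-VLAN-10
!
policy-map POLICY-FOR-VLAN-20
 class ANY
  set dscp 15
  service-policy POLICY-FOR-INTERFACES-FOR-VLAN-20
!
! Trunk ports must be in VLAN-based QoS mode for the SVI policy to apply
interface GigabitEthernet0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 mls qos vlan-based
!
interface GigabitEthernet0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 mls qos vlan-based
!
interface Vlan10
 no ip address
 service-policy input POLICY-FOR-VLAN-10
!
interface Vlan20
 no ip address
 service-policy input POLICY-FOR-VLAN-20
```

As the post notes, "show policy-map interface vlan 10" will not show matched packets on this platform, so verify the limit by measuring throughput through the trunk rather than by reading counters.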
On the 6500 it is different. The method above does not work there, and neither do "match input-interface", "match vlan" and other head-on methods (at least on the "cheap" cards such as WS-X6724-SFP or WS-X6748-GE-TX).
At first I tried bridging the VLAN through an SVI with the rate limit there and mapping the VLAN back (so that the VLAN number would not change). It works, but it is CPU-based: the route processor is immediately overwhelmed, and customers do not like the jitter. Therefore
a more acceptable solution was found (tested on Sup32, Sup720 and VS-S720 with various line cards).
mac packet-classify use vlan
!
mac access-list extended VLAN10
 permit any any vlan 10
!
class-map match-all vlan10-in
 match access-group name VLAN10
!
policy-map iface1
 class vlan10-in
  police cir 100000000 bc 1000000 be 2000000 conform-action transmit exceed-action drop
!
interface Vlan10
 no ip address
 mac packet-classify
On the physical (trunk) interface, apply "service-policy input iface1". There can be many classes, for different VLANs. And this physical interface must NOT have "mls qos vlan-based". That is the trouble: VLANs in the trunk that terminate locally can no longer be restricted on the SVI; everything has to be confined to this physical interface, per VLAN.
In this case CPU usage is reasonable (up to certain limits) and jitter practically does not grow, but control-plane applications in such a VLAN will still break (which prompts sad thoughts).
Incidentally, with this method we can not only limit the rate but also account for transit traffic per VLAN in each direction: the counters in the policy-map work properly.
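As an added example (not the author's config), here is the 6500 method with two VLANs on one trunk, each with its own class and policer, applied on the physical trunk port, and the command to read the per-VLAN counters. The trunk name GigabitEthernet1/1, VLAN 20, and the rates and burst sizes are assumed; the global "mls qos" is included because policing on the 6500 needs it, which the post does not state explicitly.

```cisco
! Added example, not from the original post: 6500 per-VLAN policing
! on a trunk port via MAC ACLs. Gi1/1, VLAN 20, rates and bursts are
! assumed values.
mls qos
mac packet-classify use vlan
!
! One MAC ACL per VLAN, matching purely on the 802.1Q tag
mac access-list extended VLAN10
 permit any any vlan 10
mac access-list extended VLAN20
 permit any any vlan 20
!
class-map match-all vlan10-in
 match access-group name VLAN10
class-map match-all vlan20-in
 match access-group name VLAN20
!
! One class per VLAN; cir in bps, bc/be in bytes
policy-map iface1
 class vlan10-in
  police cir 100000000 bc 1000000 be 2000000 conform-action transmit exceed-action drop
 class vlan20-in
  police cir 50000000 bc 500000 be 1000000 conform-action transmit exceed-action drop
!
! SVIs exist only to switch the VLAN to MAC-based classification
interface Vlan10
 no ip address
 mac packet-classify
interface Vlan20
 no ip address
 mac packet-classify
!
! The policy goes on the physical trunk, which stays in the default
! port-based QoS mode (no "mls qos vlan-based" here)
interface GigabitEthernet1/1
 description trunk carrying VLANs 10 and 20 in transit
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 no mls qos vlan-based
 service-policy input iface1
!
! Per-VLAN conformed/exceeded counters work with this method:
! show policy-map interface GigabitEthernet1/1 input
```

The "show policy-map interface GigabitEthernet1/1 input" output lists each class with its conformed and exceeded packet and byte counters, which is what makes this method usable for per-VLAN traffic accounting in addition to rate limiting.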