Monday, February 2, 2009

3560 QoS: Per-port per-vlan policing

I know the name is scary, but I do dig Catalyst QoS. This is the second of back-to-back posts on the subject. This is one is a little more complex than classification and decided on a Visio for it:

Per-van policing in the 3560s is different from the 3550s because there is no "match VLAN" clause available. Instead you create hierarchical policies and attach them to the SVI.

Here is the scenario:

VLAN100 will be policed to 64k (
VLAN200 Will be policed to 128k (

Because of bursts, I was not able to get these exact rates, but you will see how these policies are applied and the effect they have on traffic flow. Plus you can always play with the burst sizes on your own :)

Here is the tracker I created on R2:

access-list 1 permit
access-list 1 permit
access-list 2 permit
class-map match-any VLAN100
match access-group 1
class-map match-any VLAN200
match access-group 2
policy-map TRACKER
class VLAN100
class VLAN200
interface Ethernet0/0
no ip address
load-interval 30
interface Ethernet0/0.100
encapsulation dot1Q 100
ip address
service-policy input TRACKER
interface Ethernet0/0.200
encapsulation dot1Q 200
ip address
service-policy input TRACKER

All configuration is being done on SW2. There really is not an order of operations to follow, but basically you just need to make sure class-maps and policy-maps are created before you apply them. The logical flow is what you want to get used to. Otherwise you will be jumping into and out of classes and policies, reconfiguring them like I did :)

At our child (aka "second") level we have a class-map that matches the interface and we have our policer. The interface matching here is whats is referred into in the first clause of "per-port per-vlan" policing.

class-map match-all TRUNK
match input-interface FastEthernet0/13
policy-map VLAN100-POLICER
class TRUNK
police 64000 12000 exceed-action drop
policy-map VLAN200-POLICER
class TRUNK
police 128000 24000 exceed-action drop

As far as I know, this "bottom" or "second" level class-map can only match input-interface. And this second level policy must be a policer.

Now, at the parent level we create a new class to match IP traffic and then apply our child polices below that. This top-level class must match an ACL (match protocol ip gave me errors when applying the policy).

access-list 100 permit ip any any
class-map match-all IP
match access-group 100
policy-map VLAN100-PARENT
class IP
set ip precedence 1
service-policy VLAN100-POLICER
policy-map VLAN200-PARENT
class IP
set ip precedence 2
service-policy VLAN200-POLICER

Notice that I have the "set ip precedence" clause in our parent policies. These first level policies are required to have an action. You will get an error message stating this if you try to apply it to the SVI without an action:

SW2(config)#int vlan 100
SW2(config-if)#service-policy input VLAN100-PARENT
%QoS: No action is configured in the policymap VLAN100-PARENT classmap IP, or it is being modified.

So make sure you have set or trust clause in there. Now we can apply them to the SVIs:

mls qos
interface FastEthernet0/13

mls qos vlan-based
interface Vlan100
no ip address
service-policy input VLAN100-PARENT
interface Vlan200
no ip address
service-policy input VLAN200-PARENT

From R1, R3 and R5 I will send a bunch of pings to R2:

R1#ping re 1000000
R3#ping re 1000000
R5#ping re 1000000

Let's look at R2 after a few minutes.

R2#sho policy-map interface e0/0.100 | section VLAN100
Class-map: VLAN100 (match-any)
107819 packets, 12722642 bytes
30 second offered rate 50000 bps
Match: access-group 1
107819 packets, 12722642 bytes
30 second rate 50000 bps

R2#sho policy-map interface e0/0.200 | section VLAN200
Class-map: VLAN200 (match-any)
156873 packets, 18511014 bytes
30 second offered rate 107000 bps
Match: access-group 2
156873 packets, 18511014 bytes
30 second rate 107000 bps

We don't see the limits of 64k and 128k being reached, but the drops on the senders indicate that policing is working. And we can also tell VLAN 200 is getting roughly twice the bandwidth that VLAN 100 is getting. We could get closer to the limit by adjusting the burst sizes appropriately.

Key things to remember:
  • Child classes use match input-interface
  • Child policies use police
  • Parent classes match ACL (I think you can also match dscp, maybe others)
  • Parent policies must have an action (e.g. set or trust)
  • Apply parent policies to SVI
I strongly recommend getting your hands dirty with these configurations if you want to master them. I read a lot about switch qos, but it wasn't until I started playing around with scenarios like this that I got a better understanding of how to do it and what is required. If we truly understand what each QoS method does, then we should have no trouble deciphering what we are asked to do on the lab :)


  1. At first when l started reading this l was confused and l was wondering where you were heading to.However, as l read through your meticulous steps its a helpful explanation.And the summary at the end make it even simpler.Thanks

  2. thankx but can you added more details about configuration

  3. Beautiful Blog
    Visit My Blog::
    Online Mehndi Designs

  4. This is great. Everything laid out nice and clear sinc I'm looking to do this same scenario. Thanks!

  5. Superb explantn.....


Note: Only a member of this blog may post a comment.