Rate Limit A Cisco 3560, 3570, 3560E Port
I sometimes use 3560Es as edge routers. This means that I no switchport the interfaces and put IPs on them to connect to customers.
Here on the edge is where I rate-limit a user’s connection speed. On a 3550 this is pretty straightforward, but on a 3560, or a variation of it, this is a little trickier.
One thing of interest is the rate-limit interface subcommand itself. This would appear to allow you to limit ingress and egress traffic. It will even allow you to configure the commands… however, these commands do absolutely nothing. 😛
Due to the change in interface queueing you will need to use two methods: SRR and service policies.
SRR
srr-queue bandwidth limit %
You have to set the bandwidth as a percentage of the link speed. The options are 10-99 percent. This means that if you want a limit less than 10Mb you must set the port’s physical speed to 10 and the duplex to full. You will then have to statically configure the client to 10/full. This, however, only limits the egress traffic.
    int fa0/1
     srr-queue bandwidth limit 10
Service Policy
We use this to match and limit our ingress traffic.
First, you must enable mls qos on your switch, otherwise your matching won’t work.
    mls qos
Next we define our class map. We have it set to match ip traffic with DSCP set to 0.
    class-map match-all rate-limit
     description Bandwidth Control
     match ip dscp default
We then create policy maps that have our desired speeds:
    policy-map 8meg
     class rate-limit
      police 8192000 192000 exceed-action drop
Last we apply this to the interface:
    int fa0/1
     service-policy input 8meg
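The SRR and service-policy steps combined, as an added example that is not part of the original post: a Python helper that picks the physical port speed and SRR percentage for a target rate and emits the matching IOS lines. The function name, the `port_max_mbps` parameter, the generated policy-map name, rounding the percentage down, and extending the speed/duplex step to any forced speed are assumptions of this example; the 10-99 range is the one stated in the post.

```python
SPEEDS_MBPS = (1000, 100, 10)   # physical speeds, tried fastest first
PCT_MIN, PCT_MAX = 10, 99       # srr-queue limit range as stated in the post


def plan_rate_limit(iface, rate_bps, burst_bytes, port_max_mbps=100):
    """Return IOS config lines limiting iface to rate_bps in both directions.

    Hypothetical helper: egress uses srr-queue (percent of link speed),
    ingress uses a policer, as the post describes.
    """
    for speed in SPEEDS_MBPS:
        if speed > port_max_mbps:
            continue
        # Round down so the egress limit never exceeds the requested rate.
        pct = rate_bps * 100 // (speed * 1_000_000)
        if PCT_MIN <= pct <= PCT_MAX:
            break
    else:
        raise ValueError(
            f"{rate_bps} bps is not {PCT_MIN}-{PCT_MAX}% of any speed "
            f"up to {port_max_mbps} Mb"
        )

    policy = f"limit-{rate_bps}"          # constructed policy-map name
    lines = [
        "mls qos",
        "class-map match-all rate-limit",
        " description Bandwidth Control",
        " match ip dscp default",
        f"policy-map {policy}",
        " class rate-limit",
        f"  police {rate_bps} {burst_bytes} exceed-action drop",
        f"int {iface}",
    ]
    if speed < port_max_mbps:
        # Link must be hard-set, and the client configured to match.
        lines += [f" speed {speed}", " duplex full"]
    lines += [
        f" srr-queue bandwidth limit {pct}",
        f" service-policy input {policy}",
    ]
    return lines


if __name__ == "__main__":
    # The post's 8 Mb policer values on a FastEthernet port.
    print("\n".join(plan_rate_limit("fa0/1", 8192000, 192000)))
```

A rate below 10 percent of a 10Mb link raises `ValueError`, since the SRR percentage cannot express it at any port speed.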
Wondering why you didn’t just skip the srr-queue command and just apply the Service Policy to both input and output?
It is a function of the queueing mechanism on these switches…you can’t simply apply a service policy in both directions.
Thanks for the follow-up. I realized a few hours after posting my last message that on these switches you can only apply a service policy in one direction. Felt a bit foolish when I realized that. I should have tried it first before posting….
BTW, I love your blog. Keep up the great work!