Saturday, July 12, 2014

A Nexus 3548 traffic policer howto

In NX-OS 6.0 on a Nexus 3548 switch, crafting a traffic "policer" to rate-limit traffic inbound on an interface is a little different from Cisco IOS.

Here are a few quick methods for rate-limiting traffic. Each requires applying the policer under the class-default class or under a class-map.

1: e.g. (rate-limit traffic on 1-gig interfaces eth 1/1 to 1/3 so it does not exceed 10 Mbps)

config t
   policy-map type qos 10mbps-RATE_limter
        description rate-limit of 10mbps 
        class class-default
           police cir percent 1 bc 200 ms conform transmit violate drop

interface Ethernet1/1-3
  description 1GIGE access to my server
  switchport access vlan 1001
  spanning-tree port type edge
  spanning-tree bpduguard enable
  speed 1000
  storm-control broadcast level 1.50
  storm-control multicast level 5.00 

  service-policy type qos input 10mbps-RATE_limter

copy running start

Another option is to match traffic with a class-map, using the match dscp option.

2: e.g. (define a class-map and a rate limiter of 50 Mbps)

class-map type qos match-any QOS_class
  match dscp 0-7

policy-map type qos SOCPUP01
  description rate-limit of 50mbps
  class QOS_class
    police cir percent 5 bc 200 ms conform transmit violate drop

For the bc value, you need to decide what burst-commit value you want and the time measurement it is expressed in.
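To show what `bc 200 ms` works out to in bytes and how `conform transmit violate drop` treats excess traffic, here is an added example (not part of the original post, and not Cisco's implementation) that models both policies above as a generic single-rate token bucket. It assumes a 1 Gbps link, a bucket that starts full, and constructed constant-rate test traffic; all function names are hypothetical.

```python
# Added illustration: generic single-rate, two-color token-bucket policer.
# Models "police cir percent P bc T ms conform transmit violate drop".
# Assumption: bucket starts full and refills continuously at CIR.

def policer_params(link_bps, cir_percent, bc_ms):
    """Translate 'cir percent' and 'bc <n> ms' into bits/s and bucket bytes."""
    cir_bps = link_bps * cir_percent // 100
    bc_bytes = cir_bps * bc_ms // 1000 // 8
    return cir_bps, bc_bytes

def police(packets, cir_bps, bc_bytes):
    """packets: (arrival_seconds, size_bytes) tuples sorted by time.
    Returns one 'transmit' or 'drop' decision per packet."""
    tokens = float(bc_bytes)
    last = 0.0
    decisions = []
    for t, size in packets:
        # Refill at CIR (bytes per second) for the elapsed time, capped at Bc.
        tokens = min(bc_bytes, tokens + (t - last) * cir_bps / 8)
        last = t
        if size <= tokens:            # conform
            tokens -= size
            decisions.append("transmit")
        else:                         # violate
            decisions.append("drop")
    return decisions

def offered_load(rate_bps, pkt_bytes, seconds):
    """Constructed test traffic: evenly spaced packets at a constant rate."""
    interval = pkt_bytes * 8 / rate_bps
    return [(i * interval, pkt_bytes) for i in range(round(seconds / interval))]

def passed_bytes(link_bps, cir_percent, bc_ms, rate_bps, seconds=2.0, pkt=1250):
    """Bytes the policer lets through when rate_bps is offered for 'seconds'."""
    cir_bps, bc_bytes = policer_params(link_bps, cir_percent, bc_ms)
    verdicts = police(offered_load(rate_bps, pkt, seconds), cir_bps, bc_bytes)
    return sum(pkt for v in verdicts if v == "transmit")

if __name__ == "__main__":
    link = 1_000_000_000              # 'speed 1000' from the interface config
    for name, pct in (("10mbps-RATE_limter", 1), ("SOCPUP01", 5)):
        cir, bc = policer_params(link, pct, 200)
        sent = passed_bytes(link, pct, 200, rate_bps=100_000_000)
        print(f"{name}: cir={cir} bps, bc={bc} bytes, passed {sent} bytes in 2 s")
```

In this model a sender offering 100 Mbps gets the initial burst through and is then held to the committed rate, which is why the burst window matters as much as the percentage.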

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

   ^    ^
=( # # )=
     /  \


  1. Hi Ken, I came across this article, but it seems it's not policing my ingress traffic on N3548 as expected. I also opened a TAC case with Cisco, and they claim it's not available on this platform. Are you sure you were able to implement it? Thanks -Baolong

  2. I am also having this issue and currently have a TAC case, as the below quote is from the Cisco document:
    Guidelines and Limitations
    Policing has the following configuration guidelines and limitations:

    Starting with Release 7.0(3)I2(1), ingress and egress policing is supported only on the Cisco Nexus 3100 Series platforms and it is not supported on the Cisco Nexus 3000 Series platforms.

    But there must be a workaround.

    I will post if I get anywhere.