Example: VLAN Rate Limit Hierarchical Policy for Interface Groups Configuration
In this example, three users from a small business
office are connected to an E Series router through the same VLAN
interface. The contracted maximum for the business is 1 Mbps in the
upstream direction. The downstream direction is served through QoS
profiles and therefore is not shown here.
Figure 1 shows the following:
- User user_pol1 is attached to the first user’s IP
interface and does not have a rate limit.
- User user_pol2 is attached to the second user’s interface
and has an individual rate limit of 300 Kbps and preferred voice traffic
at 64 Kbps.
- User user_pol3 is attached to the third user’s interface
and has some traffic marked with a low delay (Dsfield = 4), but there
are no rate limitations applied.
- Policer instance VLAN_RATE is shared across all three
instances of EPG1 and limits the total upstream traffic from three
users to 1 Mbps.
Figure 1: VLAN Rate-Limit Configuration
- Create a rate limit to enforce the contracted maximum
for the small business. Create an external parent group to hold this
rate limit.
host1(config)#rate-limit-profile VLAN_RATE two-rate hierarchical
host1(config-rate-limit-profile)#committed-rate 1000000
host1(config-rate-limit-profile)#committed-action transmit final
host1(config-rate-limit-profile)#exit
host1(config)#parent-group EPG1
host1(config-parent-group)#rate-limit-profile VLAN_RATE
host1(config-parent-group)#exit
Verify the parent group configuration.
host1#show parent-group EPG1
Parent Group Table
------ ----- ------
Parent Group EPG1
Reference count: 0
Rate limit profile: VLAN_RATE
- Create a policy list to attach to user 1.
host1(config)#policy-parameter A hierarchical
host1(config-policy-parameter)#exit
host1(config)#ip policy-list USER_POL1
host1(config-policy-list)#classifier-group * external parent-group EPG1 parameter A
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
Verify the policy list configuration.
host1#show policy-list USER_POL1
Policy Table
------ -----
IP Policy USER_POL1
Administrative state: enable
Reference count: 0
Classifier control list: *, precedence 100, external parent-group EPG1 parameter A
forward
- Create a policy list to attach to user 2. Also, create
a rate limit to police voice traffic and another rate limit to police
all traffic for user 2. Because voice traffic is preferred, it borrows
the tokens unconditionally from all aggregate policers in the hierarchy.
host1(config)#rate-limit-profile VOICE_RATE two-rate hierarchical
host1(config-rate-limit-profile)#committed-rate 64000
host1(config-rate-limit-profile)#committed-action transmit unconditional
host1(config-rate-limit-profile)#exit
host1(config)#rate-limit-profile USER_RATE two-rate hierarchical
host1(config-rate-limit-profile)#committed-rate 300000
host1(config-rate-limit-profile)#committed-action transmit conditional
host1(config-rate-limit-profile)#exit
host1(config)#ip classifier-list VOICE_CLACL udp any any eq 10000
host1(config)#ip policy-list USER_POL2
host1(config-policy-list)#classifier-group VOICE_CLACL parent-group IPG1
host1(config-policy-list-classifier-group)#rate-limit-profile VOICE_RATE
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group * parent-group IPG1
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#parent-group IPG1 external parent-group EPG1 parameter A
host1(config-policy-list-parent-group)#rate-limit-profile USER_RATE
host1(config-policy-list-parent-group)#exit
host1(config-policy-list)#exit
Verify the policy list configuration.
host1#show policy-list USER_POL2
Policy Table
------ -----
IP Policy USER_POL2
Administrative state: enable
Reference count: 0
Classifier control list: VOICE_CLACL, precedence 100, parent-group IPG1
rate-limit-profile VOICE_RATE
Classifier control list: *, precedence 100, parent-group IPG1
forward
Parent group: IPG1, external parent-group EPG1 parameter A
rate-limit-profile USER_RATE
- Create a policy list to attach to user 3 and mark Dsfield=4
traffic with a special traffic class.
host1(config)#ip classifier-list DSFIELD4_CLACL ip any any dsfield 4
host1(config)#ip policy-list USER_POL3
host1(config-policy-list)#classifier-group DSFIELD4_CLACL external parent-group EPG1 parameter A
host1(config-policy-list-classifier-group)#traffic-class LOW_DROP
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group * external parent-group EPG1 parameter A
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#exit
The policies created earlier are attached statically
to the user's corresponding entry interface in the E Series router.
In this case, fast3/0.1 connects to user 1, fast3/0.2 connects to
user 2, and fast3/0.3 connects to user 3.
- Create the major interface.
host1(config)#interface fastEthernet 3/0
host1(config-interface)#encapsulation vlan
host1(config-interface)#exit
- Create an interface for user 1, attach USER_POL1, and
map parameter A to the VLAN interface stacked below the shared IP
interface.
host1(config)#interface fastEthernet 3/0.1
host1(config-interface)#vlan id 1
host1(config-interface)#exit
host1(config)#interface ip 3/0.1.1
host1(config-interface)#ip policy-parameter hierarchical A vlan
host1(config-interface)#ip policy input USER_POL1 statistics enabled
host1(config-interface)#exit
- Create the interface for user 2, attach USER_POL2, and
map parameter A to the VLAN interface.
host1(config)#interface ip 3/0.1.2
host1(config-interface)#ip policy-parameter hierarchical A vlan
host1(config-interface)#ip policy input USER_POL2 statistics enabled
host1(config-interface)#exit
- Create the interface for user 3, attach USER_POL3, and
map parameter A to the VLAN interface.
host1(config)#interface ip 3/0.1.3
host1(config-interface)#ip policy-parameter hierarchical A vlan
host1(config-interface)#ip policy input USER_POL3 statistics enabled
host1(config-interface)#exit
- For dynamic users, under each user's record in RADIUS,
you can specify the ingress policy name. However, you can only specify
the policy parameter through the profile.
host1(config)#profile PPPOE_PROF1
host1(config-profile)#ip policy-parameter hierarchical A vlan
host1(config-profile)#exit
host1(config)#interface fastEthernet 3/0.1
host1(config-interface)#vlan id 1
host1(config-interface)#encapsulation pppoe
host1(config-interface)#profile PPPOE_PROF1
host1(config-interface)#pppoe auto-configure
host1(config-interface)#exit
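The following Python sketch is an added illustration, not Juniper code or the router's algorithm. It models the VOICE_RATE, USER_RATE and VLAN_RATE hierarchy configured above for one congested second, to show what the unconditional committed action on VOICE_RATE changes compared with a conditional one, and that all users draw on the single shared VLAN_RATE instance. Assumptions: one token bucket per profile starting with one second of credit, out-of-profile packets dropped without any debit, forced debits allowed to push an ancestor below zero, and a constructed offered load.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policer:
    name: str
    rate_bps: int                      # committed-rate value from the page
    action: str                        # committed-action: final | conditional | unconditional
    parent: Optional["Policer"] = None
    tokens: int = 0

    def __post_init__(self):
        self.tokens = self.rate_bps    # assumption: bucket starts with one second of credit


def offer(entry: Policer, bits: int) -> bool:
    """Walk from the entry policer towards the root; True means the packet is sent."""
    debit, forced, node = [], False, entry
    while node is not None:
        if not forced and node.tokens < bits:
            return False               # assumption: out-of-profile packet dropped, no debit
        debit.append(node)
        if not forced and node.action == "final":
            break                      # traversal ends at this policer
        forced = forced or node.action == "unconditional"
        node = node.parent
    for p in debit:
        p.tokens -= bits               # a forced debit may push an ancestor below zero
    return True


def run_second(voice_action: str) -> dict:
    """One congested second of constructed load, 1000-bit packets, voice offered last."""
    vlan = Policer("VLAN_RATE", 1_000_000, "final")           # shared by all three users
    user = Policer("USER_RATE", 300_000, "conditional", vlan)
    voice = Policer("VOICE_RATE", 64_000, voice_action, user)
    load = [("user2_data", user, 400),    # user 2 bulk traffic enters at IPG1
            ("users1_3", vlan, 900),      # users 1 and 3 enter directly at EPG1
            ("user2_voice", voice, 64)]   # user 2 voice enters at VOICE_RATE
    sent = {flow: 0 for flow, _, _ in load}
    for flow, entry, packets in load:
        for _ in range(packets):
            if offer(entry, 1000):
                sent[flow] += 1000
    return {"sent": sent, "user_tokens": user.tokens, "vlan_tokens": vlan.tokens}
```

In this model, run_second("unconditional") sends all 64,000 bits of voice and leaves USER_RATE and VLAN_RATE 64,000 bits in debt, while run_second("conditional") drops the voice packets because USER_RATE is already exhausted.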
Published: 2012-06-21