Here are the main points to keep in mind:
- The configuration requires a nested policy-map
- The policy-map applied to the SVI references another policy map that actually does the policing
- Do not forget to enable vlan-based QoS on the appropriate range of ports
- In the parent policy-map, you must perform some action (besides calling another policy map)
Here is a sample configuration for policing on a Switched Virtual Interface (SVI or VLAN interface):
CAT2(config)#int range fa0/1 - 5
CAT2(config-if-range)#mls qos vlan-based
CAT2(config-if-range)#exit
!
CAT2(config)#access-list 100 permit udp any any range 16384 32767
!
CAT2(config)#class-map RTP
CAT2(config-cmap)#match access-group 100
CAT2(config-cmap)#exit
!
CAT2(config)#class-map PORTS
CAT2(config-cmap)#match input-interface fa0/1 - fa0/5
CAT2(config-cmap)#exit
!
CAT2(config)#policy-map PORT
CAT2(config-pmap)#class PORTS
CAT2(config-pmap-c)#police 256000 8000 exceed-action drop
CAT2(config-pmap-c)#exit
CAT2(config-pmap)#exit
!
CAT2(config)#policy-map VLAN
CAT2(config-pmap)#class RTP
CAT2(config-pmap-c)#set dscp 46
CAT2(config-pmap-c)#service-policy PORT
CAT2(config-pmap-c)#exit
CAT2(config-pmap)#exit
!
CAT2(config)#int vlan 100
CAT2(config-if)#service-policy input VLAN
CAT2(config-if)#end
Notice that we set the DSCP value in the parent policy map in order to meet the requirement of “performing some action!” Also remember that both of the sample configurations above require mls qos to be configured globally on the device.
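The points listed above can be checked mechanically before a change window. The following is an added example, not part of the original page: it assumes the configuration is available as running-config style text (one command per line, indented sub-commands), and the function names and the sample text are constructed for illustration.

```python
# Constructed running-config excerpt modelled on the sample above (one port shown).
SAMPLE = """mls qos
policy-map PORT
 class PORTS
  police 256000 8000 exceed-action drop
policy-map VLAN
 class RTP
  set dscp 46
  service-policy PORT
interface FastEthernet0/1
 mls qos vlan-based
interface Vlan100
 service-policy input VLAN
"""

def blocks(cfg):  # top-level command (or class inside a policy-map) -> body lines
    out, top, cur = {}, "", []
    for raw in cfg.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            continue
        if not raw.startswith(" "):            # unindented line opens a new section
            top, cur = line, out.setdefault(line, [])
        elif top.startswith("policy-map ") and line.startswith("class "):
            cur = out.setdefault(f"{top} {line}", [])
        else:
            cur.append(line)
    return out

def lint(cfg, svi, ports):  # returns a list of problems, empty when all checks pass
    b = blocks(cfg)
    issues = [] if "mls qos" in b else ["mls qos not enabled globally"]
    issues += [f"{p}: mls qos vlan-based missing" for p in ports
               if "mls qos vlan-based" not in b.get(f"interface {p}", [])]
    parent = next((l.split()[-1] for l in b.get(f"interface {svi}", [])
                   if l.startswith("service-policy input ")), None)
    if f"policy-map {parent}" not in b:
        return issues + [f"{svi}: no input service-policy bound to a defined policy-map"]
    for key in [k for k in b if k.startswith(f"policy-map {parent} class ")]:
        kids = [a.split()[-1] for a in b[key] if a.startswith("service-policy ")]
        if not kids:
            issues.append(f"{key}: no nested policy-map")
        elif len(kids) == len(b[key]):         # the only action is the child call
            issues.append(f"{key}: no action besides service-policy")
        for kid in kids:
            body = sum((v for k, v in b.items() if k.startswith(f"policy-map {kid} class ")), [])
            if not any(a.startswith("police ") for a in body):
                issues.append(f"policy-map {kid}: no police action")
    return issues
```

Calling `lint(SAMPLE, "Vlan100", ["FastEthernet0/1"])` returns an empty list; removing `set dscp 46` from the parent class makes it report that the class has no action besides the nested `service-policy`.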