
Low Latency Priority Queue - Percentage based.

a.shaukat
Level 1

Hi,

E2(branch)E0-----(VPN tunnel)-----E0/0(HeadOffice)E0/1

I wanted to prioritize the mail server (residing at the head office), 192.168.0.35,

so I set up a Low Latency priority queue (percentage based) on the branch's Cisco 837 router. I found the method in Cisco's sample documents...

Can anyone check and tell me whether I did it right or wrong, and is there any way to tell whether this queue is really working?

One of my concerns is that the policy is implemented on the WAN-facing interface (e0) for outbound traffic. The policy states that the class "oracle" is given 50% and the rest is set to fair-queue.

The class "oracle" specifies an ACL stating that traffic from any source to the destination host 192.168.0.35 should be matched.

Now the traffic from the branch's LAN (192.168.2.0/24 network) to the head office's networks (192.168.0.0/24 and 172.16.0.0/24) is encapsulated in a VPN tunnel built with the pre-shared key method.

The peer address is the head office's loopback address.

Will this interface ever be able to prioritize the traffic, or is the packet (destined for 192.168.0.35) already encrypted for the VPN tunnel, so the router never identifies this traffic as falling under the class "oracle"?

Below is the running config of my branch's router.

bkup#sh run
version 12.4
service password-encryption
hostname bkup
username admin privilege 15 secret 5 $1
!
########################################
class-map match-all oracle
 match access-group 110
!
policy-map ocs_policy
 class oracle
  priority percent 50
 class class-default
  fair-queue
########################################
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key abcd address 192.168.9.24
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpntest esp-3des esp-md5-hmac
!
crypto map vpntest local-address Loopback0
crypto map vpntest 10 ipsec-isakmp
 set peer 192.168.9.24
 set transform-set vpntest
 match address 102
!
interface Loopback0
 ip address 192.168.8.25 255.255.255.255
!
interface Ethernet0
 ip address 192.168.9.15 255.255.255.248
 ip nbar protocol-discovery
 ip route-cache flow
 no cdp enable
 crypto map vpntest
########################################
 service-policy output orcale_policy
########################################
 hold-queue 100 out
!
interface Ethernet2
 ip address 192.168.2.254 255.255.255.0
 ip nbar protocol-discovery
 ip route-cache flow
 hold-queue 100 out
!
interface ATM0
 no ip address
 ip nbar protocol-discovery
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 load-interval 30
 dialer pool 1
 ppp pap sent-username dslbkup password xxx
 crypto map vpntest
!
router ospf 10
 router-id 192.168.9.15
 log-adjacency-changes
 network 192.168.8.25 0.0.0.0 area 12
 network 192.168.9.15 0.0.0.7 area 12
!
ip route 0.0.0.0 0.0.0.0 20.16.8.25
ip route 0.0.0.0 0.0.0.0 Dialer1 50 name backup
ip route 192.168.9.15 255.255.255.248 192.168.9.15
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip flow-export source Ethernet2
ip flow-export version 5
ip flow-export destination 192.168.2.22 9996
!
!
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 110 permit ip any host 192.168.0.35
access-list 110 permit ip any host 192.168.0.34
bkup#

4 Replies

a.shaik
Level 1

Hi,

It's not suggested to use LLQ for SMTP. LLQ is a better queue for real-time traffic such as voice, video, visio, telnet and ssh.

Anyway, I always classify traffic on the input interface, so a service policy marking on the incoming interface and another policy for the outgoing interface (one service-policy for classification and marking, and another service-policy for scheduling).

Also, please set DSCP values when you classify, even when you are point-to-point.

It will make things easier when your network mode changes. In this case don't forget to add the "qos pre-classify" command on the crypto map.

Also, for TCP applications (except real-time applications) don't use LLQ; use the "bandwidth" command instead.
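Added example (not code from the thread or from Cisco): a small Python model of what the output classifier on Ethernet0 can see once the crypto map has encapsulated a packet, which is the question in the original post and the reason for the "qos pre-classify" and DSCP advice in the reply above. It uses the addresses from the posted config. The encapsulation model is this example's assumption about IOS behaviour: tunnel-mode ESP puts a new outer header (Loopback0 to the peer, IP protocol 50) on the packet and copies the ToS byte to it, so DSCP survives encryption while the inner destination and ports do not. The traffic is constructed for the demo, mixing mail-server packets marked on ingress, other head-office traffic, and an internet-bound packet that ACL 102 leaves in the clear.

```python
"""Added example: what an output classifier on a crypto-map interface sees
before and after 'qos pre-classify'. Not code from the thread or from Cisco.
Addresses come from the posted config; the ESP tunnel-mode model (new outer
header Loopback0 -> peer, IP protocol 50, ToS byte copied to the outer header)
is this example's assumption about IOS behaviour."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

LOCAL_LOOPBACK = "192.168.8.25"   # crypto map vpntest local-address Loopback0
PEER = "192.168.9.24"             # set peer (head office loopback)
ESP = 50                          # IP protocol number of ESP

# access-list 102: the crypto ACL, i.e. what gets encrypted
CRYPTO_ACL_102 = [
    (ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("192.168.0.0/24")),
    (ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("172.16.0.0/20")),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dscp: int = 0
    inner: Optional["Packet"] = None   # pre-encryption header, if encapsulated


def needs_encryption(pkt: Packet) -> bool:
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(s in sn and d in dn for sn, dn in CRYPTO_ACL_102)


def esp_tunnel_encapsulate(pkt: Packet) -> Packet:
    """Tunnel mode: the whole original packet becomes encrypted payload behind a
    new outer IP header. Only the ToS/DSCP byte is copied to the outside."""
    return Packet(src=LOCAL_LOOPBACK, dst=PEER, proto=ESP, dscp=pkt.dscp, inner=pkt)


def egress(pkt: Packet) -> Packet:
    """What leaves Ethernet0: encrypted if ACL 102 matches, otherwise untouched."""
    return esp_tunnel_encapsulate(pkt) if needs_encryption(pkt) else pkt


def acl_110(pkt: Packet) -> bool:
    """access-list 110 permit ip any host 192.168.0.35 / host 192.168.0.34"""
    return pkt.dst in ("192.168.0.35", "192.168.0.34")


def match_dscp(value: int) -> Callable[[Packet], bool]:
    """class-map ... match dscp <value>"""
    return lambda pkt: pkt.dscp == value


def classify(pkt: Packet, matcher: Callable[[Packet], bool], pre_classify: bool) -> bool:
    """With qos pre-classify the class-map is evaluated against the header the
    packet had before encryption; without it, only the outer header is visible."""
    header = pkt.inner if (pre_classify and pkt.inner is not None) else pkt
    return matcher(header)


def sample_traffic():
    """Constructed traffic for the demo, not captured from the thread's network."""
    return [
        Packet("192.168.2.10", "192.168.0.35", 6, dscp=26),  # mail, marked AF31 on ingress
        Packet("192.168.2.11", "192.168.0.35", 6, dscp=26),
        Packet("192.168.2.12", "192.168.0.34", 6, dscp=26),
        Packet("192.168.2.13", "172.16.1.9", 6),            # other head-office traffic
        Packet("192.168.2.14", "8.8.8.8", 17),              # internet bound, not in ACL 102
    ]


def report(packets):
    """How many packets each class-map would match on the WAN interface."""
    out = [egress(p) for p in packets]
    return {
        "acl110_no_preclassify": sum(classify(p, acl_110, False) for p in out),
        "acl110_preclassify": sum(classify(p, acl_110, True) for p in out),
        "dscp26_no_preclassify": sum(classify(p, match_dscp(26), False) for p in out),
    }


if __name__ == "__main__":
    for name, count in report(sample_traffic()).items():
        print(f"{name}: {count}")
```

Without qos pre-classify the ACL-based class matches nothing, because every tunneled packet carries the peer address as its destination; with it, the three mail-server packets match. A class that matches DSCP works either way, which is the practical reason for marking on the ingress interface and scheduling on DSCP at the egress.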

OK..

I'm new to QoS so I would really like to know what I should or should not be doing.

You said use it for real-time applications. We don't use voice or video on our networks, but aside from the SMTP connection there are very critical TCP applications (like the centralized Oracle database and applications) located at the head office, and branch users use them via web-based forms.

What is DSCP? Can you please clarify?

So should I change the interface for applying the service policy? Apply it on the LAN interface for all incoming traffic that's destined for 192.168.0.35 or any other business-critical server?

You said don't use LLQ, instead use the bandwidth command? Do you mean to say that I shouldn't use priority percent and should use bandwidth percent instead?

Appreciate your help on this :-) Thanks,

OK, I made the following changes.

I took out the priority percent 50 command from the policy-map > class name

and I inserted bandwidth percent 50.

Next I entered the pre-classify command in the crypto map:

crypto map vpntest 10 ipsec-isakmp
 qos pre-classify

So my CBWFQ now looks like this ...

#############################################
class-map match-all oracle
 match access-group 110
!
!
policy-map orcale_policy
 class oracle
  bandwidth percent 50
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key hello address 192.168.93.254
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpntest esp-3des esp-md5-hmac
!
crypto map vpntest local-address Loopback0
crypto map vpntest 10 ipsec-isakmp
 set peer 192.168.93.254
 set transform-set vpntest
 match address 102
 qos pre-classify
interface Ethernet0
 ip address 192.168.97.156 255.255.255.248
 ip nbar protocol-discovery
 ip route-cache flow
 no cdp enable
 crypto map vpntest
 service-policy output orcale_policy
 hold-queue 100 out
#############################################

The output I get for the policy map is ...

HYD-bkup#sh policy-map orcale_policy
  Policy Map orcale_policy
    Class oracle
      Bandwidth 50 (%) Max Threshold 64 (packets)
    Class class-default
      Flow based Fair Queueing
      Bandwidth 0 (kbps) Max Threshold 64 (packets)
HYD-bkup#sh policy-map int
HYD-bkup#sh policy-map interface e0
 Ethernet0

  Service-policy output: orcale_policy

    Class-map: oracle (match-all)
      773 packets, 196481 bytes
      5 minute offered rate 2000 bps, drop rate 0 bps
      Match: access-group 110
      Queueing
        Output Queue: Conversation 265
        Bandwidth 50 (%)
        Bandwidth 5000 (kbps) Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: class-default (match-any)
      95216 packets, 17869627 bytes
      5 minute offered rate 24000 bps, drop rate 0 bps
      Match: any
      Queueing
        Flow Based Fair Queueing
        Maximum Number of Hashed Queues 256
        (total queued/total drops/no-buffer drops) 0/0/0
HYD-bkup#

I still don't get why I am not getting any 5 minute offered rate.

Hi,

Maybe there is a misunderstanding as to what the counters mean in "show policy-map interface". A detailed explanation of all counters can be found in "Understanding Packet Counters in show policy-map interface Output":

http://www.cisco.com/en/US/tech/tk543/tk760/technologies_tech_note09186a0080108e2d.shtml

In brief: the counter does not increase if you have no congestion and the packets are CEF switched. Basically it counts the number of packets in the L3 queueing system matching the specific class. No congestion means no packets in the L3 queueing system, thus (pkts matched/bytes matched) 0/0, and thus the bandwidth might not be what you expect to see. A second explanation can be that there simply was not that much traffic, as you are averaging since the last "clear counters". So if you, e.g., would fully use the bandwidth during two hours a day and not use it the rest of the day, the 24-hour average would show less than 10%.

Hope this helps!

Regards, Martin
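Added illustration of the counter behaviour described in the reply above (not Cisco code and not from the thread): a toy model of an output interface where packets bypass the L3 queue while the transmit ring has room and only enter the CBWFQ queue once the ring is full. The transmit-ring size, the per-tick link budget and the packet sizes are assumptions chosen for the simulation; the two load patterns are constructed, not measured.

```python
"""Toy model of the two packet counters in 'show policy-map interface'.
Added illustration, not Cisco code; the transmit-ring size, per-tick link
budget and packet sizes are assumptions chosen for the simulation."""
from collections import deque


def run(arrivals_per_tick, pkt_bytes=1000, link_bps=10_000_000, tick_ms=1, tx_ring_slots=4):
    """Feed packets into an interface one tick at a time and return the counters.

    Packets go straight to the transmit ring while it has free slots; only when it
    is full do they enter the L3 (CBWFQ) queue, and only those increment the
    '(pkts matched/bytes matched)' counter. The class-map's 'N packets' line
    counts every packet that was classified, queued or not."""
    budget = link_bps * tick_ms // 8000        # bytes the link can serialise per tick
    tx_ring, l3_queue = deque(), deque()
    packets = pkts_matched = 0
    for n in arrivals_per_tick:
        for _ in range(n):
            packets += 1                       # "N packets, M bytes": every classified packet
            if len(tx_ring) < tx_ring_slots:
                tx_ring.append(pkt_bytes)      # no congestion: CBWFQ never sees it
            else:
                pkts_matched += 1              # congested: handed to the scheduler
                l3_queue.append(pkt_bytes)
        credit = budget
        while tx_ring and tx_ring[0] <= credit:   # link drains the ring this tick
            credit -= tx_ring.popleft()
        while l3_queue and len(tx_ring) < tx_ring_slots:
            tx_ring.append(l3_queue.popleft())    # scheduler refills freed slots
    return {"packets": packets, "pkts_matched": pkts_matched, "queue_depth": len(l3_queue)}


def light_load(ticks=100):
    """About 800 kbps offered on a 10 Mbps link: one 1000-byte packet every 10 ms."""
    return run([1 if t % 10 == 0 else 0 for t in range(ticks)])


def heavy_load(ticks=100):
    """24 Mbps offered on a 10 Mbps link: three 1000-byte packets every ms."""
    return run([3] * ticks)


if __name__ == "__main__":
    print("light:", light_load())
    print("heavy:", heavy_load())
```

Under the light load the class counter climbs while "pkts matched" stays at 0, which is the pattern in the posted output; only the heavy load pushes packets through the scheduler, and only then do the matched counter and the queue depth move.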
