Solved: QoS Remarking of packets doesn't happen

andreas.plaul · ‎04-17-2008

Hello,

I have access-list, class-maps and a nested policy-map. Please below:

ip access-list extended VoIP-RTCP

permit udp any any range 16384 32767

permit ip host 10.10.10.10 any

class-map match-any real-time

match protocol rtp

match access-group name VoIP-RTCP

policy-map LEAVE

class real-time

priority 1920

set dscp ef

class mission-critical

set dscp af31

policy-map TO-WAN

class class-default

fair-queue

shape average 7808000

service-policy LEAVE

interface FastEthernet0/1

bandwidth 8192

ip address 10.10.20.1 255.255.255.0

service-policy output TO-WAN

My problem now is that the remarking of packets from 10.10.10.1 doesn't happen. So the packets arrive and they should be remarked with EF but they stay with CS0.

Any ideas what I am doing wrong?

Thanks in advance for your help,

Andreas

mheusing · ‎04-17-2008

Hi Andreas,

Sorry, that I missed the issue with the "set" not being supported in a child policy.

To solve your problem, you can mark traffic at the ingress interfaces of your router in a separate policy and then use the hierarchical policy to allocate resources on the outbound interface.

Regards, Martin

View solution in original post

mohammedmahmoud · ‎04-17-2008

Hi All,

I believe that the set under the child support issue was in the past, recent IOSs has no problem regarding this case, below is a very simple test using IOS version 12.3(22), i believe that the issue might be how did you validate the traffic being marked or not, and even more like Martin said, if the switches inbetween have mls qos enabled, then they will by default reset any marking.

As a side note, the ACL contains "permit ip host 10.10.10.10 any" and you are talking about 10.10.10.1, is this a typo ?

On R1:

!

policy-map child

class class-default

set dscp af41

policy-map parent

class class-default

service-policy child

!

interface Ethernet0/0

service-policy output parent

R1#sh policy-map interface e0/0

Ethernet0/0

Service-policy output: parent

Class-map: class-default (match-any)

337 packets, 36209 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

Service-policy : child

Class-map: class-default (match-any)

337 packets, 36209 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

QoS Set

dscp af41

Packets marked 231

On R2 i applied an incoming ACL matching DSCP AF41, and sent some ping traffic and here you go:

R2(config-subif)#do sh ip access 113

Extended IP access list 113

10 permit ip any any dscp af41 log (15 matches)

20 permit ip any any (2377 matches)

BR,

Mohammed Mahmoud.

View solution in original post

mheusing · ‎04-17-2008

Hi,

From what do you conclude that the packets from 10.10.10.10 are not marked? I am assuming the ACL is correct (source/destination) with respect to traffic direction.

Just an idea: if your Fa0/1 is connected to a switch, it might remark everything back to CS0 unless the switch port is configured to trust the settings from the router.

Second idea: the host 10.10.10.10 traffic matches another class?

To help judging the whole issue, could you please post "show policy-map interface FastEthernet0/1"?

Thank you, Martin

andreas.plaul · ‎04-17-2008

Please see below the show policy-map:

rt#sh policy-map interface fastEthernet 0/1

FastEthernet0/1

Service-policy output: TO-WAN

Class-map: class-default (match-any)

1816287930 packets, 709314473010 bytes

5 minute offered rate 362000 bps, drop rate 0 bps

Match: any

Queueing

Flow Based Fair Queueing

Maximum Number of Hashed Queues 256

(total queued/total drops/no-buffer drops) 0/37405/0

Traffic Shaping

Target/Average Byte Sustain Excess Interval Increment

Rate Limit bits/int bits/int (ms) (bytes)

7808000/7808000 48800 195200 195200 25 24400

Adapt Queue Packets Bytes Packets Bytes Shaping

Active Depth Delayed Delayed Active

- 13 1815053940 3266987569 118940394 2322912961 yes

Service-policy : LEAVE

Class-map: real-time (match-any)

3124853 packets, 595696712 bytes

5 minute offered rate 104000 bps, drop rate 0 bps

Match: protocol rtp

2914431 packets, 522859151 bytes

5 minute rate 29000 bps

Match: access-group name VoIP-RTCP

210422 packets, 72837561 bytes

5 minute rate 75000 bps

Queueing

Strict Priority

Output Queue: Conversation 136

Bandwidth 1920 (kbps) Burst 48000 (Bytes)

(pkts matched/bytes matched) 27332/5129111

(total drops/bytes drops) 0/0

QoS Set

dscp ef

Packets marked 3124895

Class-map: mission-critical (match-any)

455010 packets, 31882616 bytes

5 minute offered rate 5000 bps, drop rate 0 bps

Match: access-group name Voice-Control

418759 packets, 26935799 bytes

5 minute rate 5000 bps

Match: access-group 120

36251 packets, 4946817 bytes

5 minute rate 0 bps

QoS Set

dscp af31

Packets marked 455018

Class-map: class-default (match-any)

988084731 packets, 558921380717 bytes

5 minute offered rate 247000 bps, drop rate 0 bps

Match: any

Also I checked whether any other access-list match the 10.10.10.1, but there is nothing.

Basically Netflow shows me the marked packets for specific IP addresses and it only shows CS0 for 10.10.10.1 on both source interface router 1 and destination interface router 2 (both running Netflow and both show the traffic of 10.10.10.1 as marked with CS0). The switches are always located behind the routers.

Regards,

Andreas

mibrahim81 · ‎04-17-2008

Dear Andreas,

Kindly be informed that the set command is not supported in the child policy ( LEAVE )

so its useless to use "set dscp ef"

Thanks

Mohammed Ibrahim

Cairo

andreas.plaul · ‎04-17-2008

Hello,

thanks for the information of the unspported feature. What could I do to work around it?

Regards,

Andreas

mibrahim81 · ‎04-17-2008

Hello,

Ok. i'll try to find a good solution to be suitable for your requirments

Mohamed Ibrahim

Cairo

andreas.plaul · ‎04-17-2008

Hello Mohamed,

could I use the same class real-time under two policys. So in the child policy I use the priority command, and then in the parent policy I use the set dscp ef?

By the way also the set dscp af31 doesn't work?

Regards,

Andreas

mibrahim81 · ‎04-17-2008

Hello,

could you provide me with the IOS version of your router

Mohamed Ibrahim

andreas.plaul · ‎04-17-2008

IOS Version is 12.3(7)T

mheusing · ‎04-17-2008

Hi Andreas,

Sorry, that I missed the issue with the "set" not being supported in a child policy.

To solve your problem, you can mark traffic at the ingress interfaces of your router in a separate policy and then use the hierarchical policy to allocate resources on the outbound interface.

Regards, Martin

mibrahim81 · ‎04-17-2008

Hi Andreas,

Could you please provide me with the Image name via " sh flash command "

Mohammed Ibrahim

mohammedmahmoud · ‎04-17-2008

Hi All,

I believe that the set under the child support issue was in the past, recent IOSs has no problem regarding this case, below is a very simple test using IOS version 12.3(22), i believe that the issue might be how did you validate the traffic being marked or not, and even more like Martin said, if the switches inbetween have mls qos enabled, then they will by default reset any marking.

As a side note, the ACL contains "permit ip host 10.10.10.10 any" and you are talking about 10.10.10.1, is this a typo ?

On R1:

!

policy-map child

class class-default

set dscp af41

policy-map parent

class class-default

service-policy child

!

interface Ethernet0/0

service-policy output parent

R1#sh policy-map interface e0/0

Ethernet0/0

Service-policy output: parent

Class-map: class-default (match-any)

337 packets, 36209 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

Service-policy : child

Class-map: class-default (match-any)

337 packets, 36209 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

QoS Set

dscp af41

Packets marked 231

On R2 i applied an incoming ACL matching DSCP AF41, and sent some ping traffic and here you go:

R2(config-subif)#do sh ip access 113

Extended IP access list 113

10 permit ip any any dscp af41 log (15 matches)

20 permit ip any any (2377 matches)

BR,

Mohammed Mahmoud.

andreas.plaul · ‎04-17-2008

Hello,

the IOS is c3725-spservicesk9-mz.123-7.T.bin

The 10.10.10.10 and 10.10.10.1 was a typo, I always meant the same IP (just an example anyway).

Regarding the implementation, marking the packets on the ingress sounds good to me, and I think it also complies with Cisco best practice to mark traffic on the ingress and police/shape on the egress.

I am planning to do this:

policy-map out

class antivirus

police 3072000

class wsus

police 2048000

class SAP

police 1024000

class real-time

priority 3468

policy-map TO-WAN

class class-default

fair-queue

shape average 7808000

service-policy out

attached in output direction to fastethernet 0/1

policy-map from-LAN

class real-time

set dscp ef

class mission-critical

set dscp af41

attached in input direction to fastethernet 0/0

Do I need a class class-default in the policy-map from-LAN or will it work as shown?

Regards,

Andreas

andreas.plaul · ‎04-17-2008

Hello all,

thank you for your great help abd effort, I finally got it working!!!!

Regards,

Andreas