04-17-2008 12:35 AM - edited 03-03-2019 09:35 PM
Hello,
I have an access-list, class-maps and a nested policy-map. Please see below:
ip access-list extended VoIP-RTCP
permit udp any any range 16384 32767
permit ip host 10.10.10.10 any
class-map match-any real-time
match protocol rtp
match access-group name VoIP-RTCP
policy-map LEAVE
class real-time
priority 1920
set dscp ef
class mission-critical
set dscp af31
policy-map TO-WAN
class class-default
fair-queue
shape average 7808000
service-policy LEAVE
interface FastEthernet0/1
bandwidth 8192
ip address 10.10.20.1 255.255.255.0
service-policy output TO-WAN
My problem now is that the remarking of packets from 10.10.10.1 doesn't happen. So the packets arrive and they should be remarked with EF but they stay with CS0.
Any ideas what I am doing wrong?
Thanks in advance for your help,
Andreas
04-17-2008 01:51 AM
Hi,
From what do you conclude that the packets from 10.10.10.10 are not marked? I am assuming the ACL is correct (source/destination) with respect to traffic direction.
Just an idea: if your Fa0/1 is connected to a switch, it might remark everything back to CS0 unless the switch port is configured to trust the settings from the router.
Second idea: the host 10.10.10.10 traffic matches another class?
To help judging the whole issue, could you please post "show policy-map interface FastEthernet0/1"?
Thank you, Martin
04-17-2008 01:58 AM
Please see below the show policy-map:
rt#sh policy-map interface fastEthernet 0/1
FastEthernet0/1
Service-policy output: TO-WAN
Class-map: class-default (match-any)
1816287930 packets, 709314473010 bytes
5 minute offered rate 362000 bps, drop rate 0 bps
Match: any
Queueing
Flow Based Fair Queueing
Maximum Number of Hashed Queues 256
(total queued/total drops/no-buffer drops) 0/37405/0
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
7808000/7808000 48800 195200 195200 25 24400
Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 13 1815053940 3266987569 118940394 2322912961 yes
Service-policy : LEAVE
Class-map: real-time (match-any)
3124853 packets, 595696712 bytes
5 minute offered rate 104000 bps, drop rate 0 bps
Match: protocol rtp
2914431 packets, 522859151 bytes
5 minute rate 29000 bps
Match: access-group name VoIP-RTCP
210422 packets, 72837561 bytes
5 minute rate 75000 bps
Queueing
Strict Priority
Output Queue: Conversation 136
Bandwidth 1920 (kbps) Burst 48000 (Bytes)
(pkts matched/bytes matched) 27332/5129111
(total drops/bytes drops) 0/0
QoS Set
dscp ef
Packets marked 3124895
Class-map: mission-critical (match-any)
455010 packets, 31882616 bytes
5 minute offered rate 5000 bps, drop rate 0 bps
Match: access-group name Voice-Control
418759 packets, 26935799 bytes
5 minute rate 5000 bps
Match: access-group 120
36251 packets, 4946817 bytes
5 minute rate 0 bps
QoS Set
dscp af31
Packets marked 455018
Class-map: class-default (match-any)
988084731 packets, 558921380717 bytes
5 minute offered rate 247000 bps, drop rate 0 bps
Match: any
Also I checked whether any other access-list matches the 10.10.10.1, but there is nothing.
Basically Netflow shows me the marked packets for specific IP addresses and it only shows CS0 for 10.10.10.1 on both source interface router 1 and destination interface router 2 (both running Netflow and both show the traffic of 10.10.10.1 as marked with CS0). The switches are always located behind the routers.
Regards,
Andreas
04-17-2008 02:17 AM
Dear Andreas,
Kindly be informed that the set command is not supported in the child policy (LEAVE),
so it's useless to use "set dscp ef"
Thanks
Mohammed Ibrahim
Cairo
04-17-2008 02:39 AM
Hello,
thanks for the information about the unsupported feature. What could I do to work around it?
Regards,
Andreas
04-17-2008 02:52 AM
Hello,
OK, I'll try to find a good solution suitable for your requirements.
Mohamed Ibrahim
Cairo
04-17-2008 02:56 AM
Hello Mohamed,
could I use the same class real-time under two policies? So in the child policy I use the priority command, and then in the parent policy I use the set dscp ef?
By the way also the set dscp af31 doesn't work?
Regards,
Andreas
04-17-2008 03:02 AM
Hello,
Could you provide me with the IOS version of your router?
Mohamed Ibrahim
04-17-2008 03:06 AM
IOS Version is 12.3(7)T
04-17-2008 03:10 AM
Hi Andreas,
Sorry, that I missed the issue with the "set" not being supported in a child policy.
To solve your problem, you can mark traffic at the ingress interfaces of your router in a separate policy and then use the hierarchical policy to allocate resources on the outbound interface.
Regards, Martin
04-17-2008 03:40 AM
Hi Andreas,
Could you please provide me with the image name via the "sh flash" command?
Mohammed Ibrahim
04-17-2008 05:01 AM
Hi All,
I believe that the issue of set support under the child was in the past; recent IOSs have no problem regarding this case. Below is a very simple test using IOS version 12.3(22). I believe that the issue might be how you validated whether the traffic is being marked or not, and even more, like Martin said, if the switches in between have mls qos enabled, then they will by default reset any marking.
As a side note, the ACL contains "permit ip host 10.10.10.10 any" and you are talking about 10.10.10.1, is this a typo?
On R1:
!
policy-map child
class class-default
set dscp af41
policy-map parent
class class-default
service-policy child
!
interface Ethernet0/0
service-policy output parent
R1#sh policy-map interface e0/0
Ethernet0/0
Service-policy output: parent
Class-map: class-default (match-any)
337 packets, 36209 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Service-policy : child
Class-map: class-default (match-any)
337 packets, 36209 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
QoS Set
dscp af41
Packets marked 231
On R2 I applied an incoming ACL matching DSCP AF41, and sent some ping traffic and here you go:
R2(config-subif)#do sh ip access 113
Extended IP access list 113
10 permit ip any any dscp af41 log (15 matches)
20 permit ip any any (2377 matches)
BR,
Mohammed Mahmoud.
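An added example, not part of the thread and not Cisco tooling: a small Python parser for the kind of validation described above. It reads "show policy-map interface" text and reports, per class, how many packets were classified, which DSCP is set, and how many packets were marked, plus the ToS byte that a NetFlow export would show for that DSCP. The function names marking_report and dscp_value are made up for this example; the sample input is the R1 output quoted in the post.

```python
import re

# "sh policy-map interface e0/0" output from R1 as posted above (indentation already lost).
R1_OUTPUT = """Ethernet0/0
Service-policy output: parent
Class-map: class-default (match-any)
337 packets, 36209 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Service-policy : child
Class-map: class-default (match-any)
337 packets, 36209 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
QoS Set
dscp af41
Packets marked 231
"""

def dscp_value(name):
    """Numeric DSCP for a name: EF=46, AFxy=8x+2y, CSn=8n, or a plain number."""
    name = name.lower()
    if name in ("ef", "default"):
        return 46 if name == "ef" else 0
    if m := re.fullmatch(r"af([1-4])([1-3])", name):
        return 8 * int(m[1]) + 2 * int(m[2])
    if m := re.fullmatch(r"cs([0-7])", name):
        return 8 * int(m[1])
    return int(name)

def marking_report(text):
    """One dict per class; 'tos' is the DSCP shifted left 2 bits (the full ToS byte)."""
    rows, policy, cur = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Service-policy\s*\w*\s*:\s*(\S+)", line):
            policy = m[1]  # "output: parent" and the nested ": child" form
        elif m := re.match(r"Class-map: (\S+)", line):
            cur = {"policy": policy, "class": m[1], "packets": None,
                   "dscp": None, "tos": None, "marked": 0}
            rows.append(cur)
        elif cur is None:
            continue
        elif (m := re.match(r"(\d+) packets, \d+ bytes", line)) and cur["packets"] is None:
            cur["packets"] = int(m[1])  # first counter is the class total, later ones are per-match
        elif m := re.match(r"dscp (\S+)", line):
            cur["dscp"], cur["tos"] = m[1], dscp_value(m[1]) << 2
        elif m := re.match(r"Packets marked (\d+)", line):
            cur["marked"] = int(m[1])
    return rows
```

A class that shows a DSCP with a non-zero "marked" count, while the collector still reports ToS 0 for the same flows, points the investigation at where the measurement is taken or at a device in between rather than at the policy itself.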
04-17-2008 04:21 PM
Hello,
the IOS is c3725-spservicesk9-mz.123-7.T.bin
The 10.10.10.10 and 10.10.10.1 was a typo, I always meant the same IP (just an example anyway).
Regarding the implementation, marking the packets on the ingress sounds good to me, and I think it also complies with Cisco best practice to mark traffic on the ingress and police/shape on the egress.
I am planning to do this:
policy-map out
class antivirus
police 3072000
class wsus
police 2048000
class SAP
police 1024000
class real-time
priority 3468
policy-map TO-WAN
class class-default
fair-queue
shape average 7808000
service-policy out
attached in output direction to fastethernet 0/1
policy-map from-LAN
class real-time
set dscp ef
class mission-critical
set dscp af41
attached in input direction to fastethernet 0/0
Do I need a class class-default in the policy-map from-LAN or will it work as shown?
Regards,
Andreas
04-17-2008 07:19 PM
Hello all,
thank you for your great help and effort, I finally got it working!!!!
Regards,
Andreas