class-map and policy-map question

Unanswered Question
Oct 8th, 2009

Hi,

I'm using Cisco 3825 router and trying to set reserved bandwidth for different priority ingress traffic from different interface. I have high priority traffic comming into interface fa2/14 at rate ~1Mbps and low priority traffic comming into interface g2/0 at rate ~7Mbps. I configured the following classes and policy-map to reverse 2Mbps for Fa2/14 and 7Mbps for G2/0 over the congested Ethernet port fa2/0 (i.e. Tunnel0), which is the output Ethernet interface to the WAN:

class-map match-any high

match input-interface FastEthernet2/14

class-map match-any low

match input-interface GigabitEthernet2/0

!

!

policy-map TRAFFIC

class high

bandwidth 2000

class low

bandwidth 7000

policy-map FQ

class class-default

fair-queue

!

interface Tunnel0

bandwidth 10000

ip address 10.1.1.1 255.255.255.0

load-interval 30

ipv6 enable

ospfv3 instance 64 network manet

ospfv3 1 area 0 address-family ipv4 instance 64

tunnel source FastEthernet2/0

tunnel destination 142.x.x.10

!

interface FastEthernet2/0

no switchport

bandwidth 10000

ip address 192.x.x.10 255.255.255.0

load-interval 30

service-policy output TRAFFIC

!

The class-map and policy-map don't seem to work. The "show policy-map int f2/0" showed that int f2/0 is still running on class-default:

Router6-w-AXP#show policy-map int f2/0

FastEthernet2/0

Service-policy output: TRAFFIC

Class-map: high (match-any)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: input-interface FastEthernet2/14

0 packets, 0 bytes

30 second rate 0 bps

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

bandwidth 2000 kbps

Class-map: low (match-any)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: input-interface GigabitEthernet2/0

0 packets, 0 bytes

30 second rate 0 bps

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

bandwidth 7000 kbps

Class-map: class-default (match-any)

11971181 packets, 8583659812 bytes

30 second offered rate 10602000 bps, drop rate 0 bps

Match: any

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 3165/620740

Would you please give me some advice on a proper way to configure reserved bandwidth over the congested tunnel. Attached are running-config file and show policy-map data.

Thanks!

Hugh

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
simontibbitts Thu, 10/08/2009 - 09:59

Hi Hugh.

Does all traffic go out of the tunnel and nothing goes out the physical interface? It might be that all the class-default traffic is actually GRE traffic sourced from f2/0 so none of it will match your other classes as the traffic is not coming from those interfaces.

You can see if this is right or not by adding between class 'low' and class-default a class which matches all GRE traffic. Then if you check your 'show policy-map' command you can see if it is getting hits.

Have you tried putting the service policy on the tunnel interface? Not sure if this is possible, can't test in a the lab at the mo.

Cheers

Simon

hugh2_nguyen Thu, 10/08/2009 - 11:24

Simon,

Thanks for the quick reply.

Interface Tunnel0 would not accept the "service-policy output TRAFFIC" and the error message was "Weighted Fair Queueing feature is not supported in user defined class of parent level policy." I don't know if a child level polity for the tunnel can work around the issue.

Yes, the traffic does seem like comming from GRE tunnel. I added a class "gre" to match protocol GRE traffic, not sure if that was what you suggested but here're the configuration:

class-map match-any high

match input-interface FastEthernet2/14

class-map match-any low

match input-interface GigabitEthernet2/0

class-map match-any gre

match protocol gre

!

!

policy-map TRAFFIC

class high

bandwidth 200

class low

bandwidth 700

class gre

bandwidth 9000

policy-map FQ

class class-default

fair-queue

The "show policy-map int f2/0" did show hit on class gre.

Would you please give me some advice on any other work around method. Thanks.

Hugh

simontibbitts Thu, 10/08/2009 - 12:27

Hi Hugh

looks like the only option supported on a gre tunnel is shaping

try adding PARENT to the tunnel interface

policy-map PARENT

class-default

shape average 100000000

service-policy TRAFFIC

hugh2_nguyen Thu, 10/08/2009 - 13:54

Simon,

Thanks for the input. I added the policy-map PARRENT but class high and class low still did not get any hit. Here's current interfaces and policy configuration along with "show policy-map int t0" data:

!

class-map match-any high

match input-interface FastEthernet2/14

class-map match-any low

match input-interface GigabitEthernet2/0

!

!

policy-map TRAFFIC

class high

bandwidth 2000

class low

bandwidth 7000

policy-map FQ

class class-default

fair-queue

policy-map PARENT

class class-default

shape average 10000000

service-policy TRAFFIC

!

!

!

interface FastEthernet2/14

description HIGH PRIORITY INGRESS TRAFFIC

no switchport

ip address 192.168.12.40 255.255.255.0

load-interval 30

ipv6 enable

ospfv3 1 area 0 address-family ipv4 instance 64

!

!

!

interface GigabitEthernet2/0

description LOW PRIORITY INGRESS TRAFFIC

no switchport

ip address 192.168.2.40 255.255.255.0

load-interval 30

ipv6 enable

ospfv3 1 area 0 address-family ipv4 instance 64

!

!

!

interface Tunnel0

bandwidth 10000

ip address 10.1.1.1 255.255.255.0

load-interval 30

ipv6 enable

ospfv3 instance 64 network manet

ospfv3 1 area 0 address-family ipv4 instance 64

tunnel source FastEthernet2/0

tunnel destination 142.x.x.10

service-policy output PARENT

!

!

!

interface FastEthernet2/0

description EGRESS TRAFFIC TO THE WAN

no switchport

bandwidth 10000

ip address 192.x.x.10 255.255.255.0

load-interval 30

Router6-w-AXP#show policy-map int t0

Tunnel0

Service-policy output: PARENT

Class-map: class-default (match-any)

1924994 packets, 1358517804 bytes

30 second offered rate 10065000 bps, drop rate 0 bps

Match: any

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

shape (average) cir 10000000, bc 40000, be 40000

target shape rate 10000000

Service-policy : TRAFFIC

Class-map: high (match-any)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: input-interface FastEthernet2/14

0 packets, 0 bytes

30 second rate 0 bps

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

bandwidth 2000 kbps

Class-map: low (match-any)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: input-interface GigabitEthernet2/0

0 packets, 0 bytes

30 second rate 0 bps

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

bandwidth 7000 kbps

Class-map: class-default (match-any)

1924994 packets, 1358517804 bytes

30 second offered rate 10066000 bps, drop rate 0 bps

Match: any

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

Joseph W. Doherty Thu, 10/08/2009 - 17:03

One reason your original policy map might not be working as expected because the traffic you're trying to match against is encapsulated within GRE packets. (Confirmed by your 3rd post?) What might correct this is usage of "qos pre-classify" on the tunnel interface. (The reason I write "might", I'm not positive about usage of matching against input interfaces within the class-maps. Which also might be the problem within your 4th post.)

What you might also try is using an input service policy to ToS mark (different markings) the traffic arriving on the two "special" interfaces and then on the outbound policy match against those markings. Unless you need to shape the tunnel slower, you can have the policy again on the outbound interface. You won't need the pre-classify since the ToS markings will be copied to the GRE header. The only issues are what ToS marking to use and whether you want to pass them along.

e.g. (NB: syntax might be incorrect)

policy-map high

class class-default

set dscp 2

policy-map low

class class-default

set dscp 1

class-map match-any high

match dscp 2

class-map match-any low

match dscp 1

policy-map TRAFFIC

class high

bandwidth 2000

set dscp be

class low

bandwidth 7000

set dscp be

policy-map FQ

class class-default

!btw, FQ on many platforms can skew the other class bandwidth reservations

fair-queue

interface GigabitEthernet2/0

service-policy input low

interface FastEthernet2/14

service-policy input high

interface FastEthernet2/0

service-policy output TRAFFIC

hugh2_nguyen Thu, 10/08/2009 - 17:17

Hi Joe,

It finally worked but not as expected. I don't know what I mucked around with that got it to work. I still see class low gets more than 7Mbps bandwidth and class high only get about 1Mbps. I changed bandwidth to priority and saw the same bandwidth ratio. I'll try your suggestion and let you know the result.

Here's show policy data with current configuration:

Router6-w-AXP#sh policy-map int t0

Tunnel0

Service-policy output: PARENT

Class-map: class-default (match-any)

6008931 packets, 4240298312 bytes

30 second offered rate 10498000 bps, drop rate 0 bps

Match: any

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

shape (average) cir 10000000, bc 40000, be 40000

target shape rate 10000000

Service-policy : TRAFFIC

queue stats for all priority classes:

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

Class-map: high (match-any)

303905 packets, 214533040 bytes

30 second offered rate 1061000 bps, drop rate 0 bps

Match: input-interface FastEthernet2/14

104215 packets, 73575172 bytes

30 second rate 1061000 bps

Priority: 2000 kbps, burst bytes 50000, b/w exceed drops: 0

Class-map: low (match-any)

1842540 packets, 1300348088 bytes

30 second offered rate 9436000 bps, drop rate 0 bps

Match: input-interface GigabitEthernet2/0

738719 packets, 521343420 bytes

30 second rate 9436000 bps

Priority: 7000 kbps, burst bytes 175000, b/w exceed drops: 0

Class-map: class-default (match-any)

3862466 packets, 2725403064 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

Router6-w-AXP#

Joseph W. Doherty Fri, 10/09/2009 - 03:11

Could you post the "working" policy?

As to seeing a class obtain more bandwidth then the defined bandwidth statement, that's normal for non-LLQ classes. Their bandwidth statements defined a minimum, not maximum. Even with your LLQ, the implicit policer only engages if there's congestion and the defined rate is exceeded. (Also note that policing can be "rough" on traffic; something you might not want. Shaping is often a better approach.)

Depending on your requirements, physical interfaces QoS generally behaves better than a shaper (which QoS on the tunnel appears to require).

hugh2_nguyen Fri, 10/09/2009 - 11:24

Here's the policy:

class-map match-any high

match input-interface FastEthernet2/14

class-map match-any low

match input-interface GigabitEthernet2/0

!

!

policy-map DATA

class high

priority 8000

class low

priority 1000

policy-map FQ

class class-default

fair-queue

policy-map PARENT

class class-default

shape average 10000000

service-policy DATA

!

!

With or without the command line "qos pre-classify" the policy worked the same. Class low still competed with class high for bandwidth during congestion:

!

!

interface Tunnel0

bandwidth 10000

ip address 10.1.1.1 255.255.255.0

load-interval 30

ipv6 enable

ospfv3 instance 64 network manet

ospfv3 1 area 0 address-family ipv4 instance 64

tunnel source FastEthernet2/0

tunnel destination 142.x.x.10

service-policy output PARENT

!

!

Router6-w-AXP#sh policy-map int t0

Tunnel0

Service-policy output: PARENT

Class-map: class-default (match-any)

6008931 packets, 4240298312 bytes

30 second offered rate 10498000 bps, drop rate 0 bps

Match: any

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

shape (average) cir 10000000, bc 40000, be 40000

target shape rate 10000000

Service-policy : TRAFFIC

queue stats for all priority classes:

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

Class-map: high (match-any)

303905 packets, 214533040 bytes

30 second offered rate 1061000 bps, drop rate 0 bps

Match: input-interface FastEthernet2/14

104215 packets, 73575172 bytes

30 second rate 1061000 bps

Priority: 2000 kbps, burst bytes 50000, b/w exceed drops: 0

Class-map: low (match-any)

1842540 packets, 1300348088 bytes

30 second offered rate 9436000 bps, drop rate 0 bps

Match: input-interface GigabitEthernet2/0

738719 packets, 521343420 bytes

30 second rate 9436000 bps

Priority: 7000 kbps, burst bytes 175000, b/w exceed drops: 0

Class-map: class-default (match-any)

3862466 packets, 2725403064 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

Router6-w-AXP#

Joseph W. Doherty Sat, 10/10/2009 - 04:58

"With or without the command line "qos pre-classify" the policy worked the same."

That's because your policy is configured on the tunnel. The purpose of the command is to allow QoS to "see" pre-tunnel traffic packet headers on the interface that's sending the tunnel traffic.

"Class low still competed with class high for bandwidth during congestion:"

Unclear what you mean. Results look alright for this configuration altough the policy itself, with the two LLQ classes may not. Then again, you haven't described what you want to accomplish.

hugh2_nguyen Mon, 10/12/2009 - 07:52

Hi Joe,

I want to reserve a minimum tunnel bandwidth of 2Mbps for class high (i.e. traffic from interface fa2/14). I tried either "bandwidth" or "priority" but did not acchieved the minimum reserved bandwidth of 2Mbps for class high. I would like to limit class low bandwidth (i.e. traffic from g2/0) to below 8Mbps over the tunnel. Thanks.

Hugh

Joseph W. Doherty Mon, 10/12/2009 - 09:03

You might need to "define" what you consider reserving bandwidth. The priority or bandwidth commands do reserve bandwidth but perhaps not as you expect.

What might be a cause of confusion, such bandwidth reservations don't normally preclude other traffic from using that bandwidth if the traffic for that class isn't using all of it. (Normally this is a good thing).

If you really wanted to limit your other class to not exceed 8 Mbps, you would use a shaper or policer. (However, if you can priorize and/or guarantee bandwidth for other classes, this, restricting bandwidth, I suggest, isn't often the optimal approach for taking advanage of WAN bandwidth.)

e.g.

policy-map sample

class high

bandwidth 2000

class low

bandwidth 8000

shape average 8000000

hugh2_nguyen Mon, 10/12/2009 - 09:45

Joe,

I have a highly congested WAN; that is if I let class low goes freely then it would clog up the whole 10Mbps WAN. I really need to throttle class low bandwidth down to no higher than 8Mbps.

Here's the DSCP policy map per your suggestion. The router wouldn't accept command "set dscp be":

class-map match-any high

match dscp 2

class-map match-any low

match dscp 1

!

!

policy-map high

class class-default

set dscp 2

policy-map TRAFFIC

class high

bandwidth 2000

class low

bandwidth 7000

shape average 7000000

policy-map low

class class-default

set dscp 1

!

!

interface FastEthernet2/14

description HIGH PRIORITY INGRESS TRAFFIC

no switchport

bandwidth 1544

ip address 192.168.12.40 255.255.255.0

load-interval 30

ipv6 enable

ospfv3 1 area 0 address-family ipv4 instance 64

service-policy input high

!

!

interface GigabitEthernet2/0

description LOW PRIORITY INGRESS TRAFFIC

no switchport

ip address 192.168.2.40 255.255.255.0

load-interval 30

ipv6 enable

ospfv3 1 area 0 address-family ipv4 instance 64

service-policy input low

!

!

interface FastEthernet2/0

description WAN INTERFACE

no switchport

bandwidth 10000

ip address 192.x.x.10 255.255.255.0

load-interval 30

service-policy output TRAFFIC

!

!

interface Tunnel0

bandwidth 10000

ip address 10.1.1.1 255.255.255.0

load-interval 30

ipv6 enable

ospfv3 instance 64 network manet

ospfv3 1 area 0 address-family ipv4 instance 64

tunnel source FastEthernet2/0

tunnel destination 142.x.x.10

!

hugh2_nguyen Mon, 10/12/2009 - 09:47

And here's the show policy-map:

Router6-w-AXP#sh policy-map int f2/0

FastEthernet2/0

Service-policy output: TRAFFIC

Class-map: high (match-any)

474505 packets, 341640510 bytes

30 second offered rate 1148000 bps, drop rate 0 bps

Match: dscp 2

474505 packets, 341640510 bytes

30 second rate 1148000 bps

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

bandwidth 2000 kbps

Class-map: low (match-any)

3320165 packets, 2388688270 bytes

30 second offered rate 9477000 bps, drop rate 0 bps

Match: dscp 1

3320165 packets, 2388688270 bytes

30 second rate 9477000 bps

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

bandwidth 7000 kbps

shape (average) cir 7000000, bc 28000, be 28000

target shape rate 7000000

Class-map: class-default (match-any)

184 packets, 35258 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 125/25060

Router6-w-AXP#

hugh2_nguyen Mon, 10/12/2009 - 10:17

Joe,

"police" seemed to work for my situation. I was able to keep class low not to exceed 8Mbps. Here the policy-map and show data:

!

class-map match-any high

match dscp 2

class-map match-any low

match dscp 1

!

!

policy-map high

class class-default

set dscp 2

policy-map TRAFFIC

class high

bandwidth 2000

class low

police rate 8000000 bps

conform-action transmit

exceed-action drop

policy-map low

class class-default

set dscp 1

!

!

Router6-w-AXP#sh policy-map int f2/0

FastEthernet2/0

Service-policy output: TRAFFIC

Class-map: high (match-any)

780244 packets, 561761736 bytes

30 second offered rate 1164000 bps, drop rate 0 bps

Match: dscp 2

780244 packets, 561761736 bytes

30 second rate 1164000 bps

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

bandwidth 2000 kbps

Class-map: low (match-any)

706010 packets, 508024908 bytes

30 second offered rate 9514000 bps, drop rate 1568000 bps

Match: dscp 1

706010 packets, 508024908 bytes

30 second rate 9514000 bps

police:

rate 8000000 bps, burst 250000 bytes, peak-burst 1500 bytes

conformed 631608 packets, 433410268 bytes; actions:

transmit

exceeded 74368 packets, 74611308 bytes; actions:

drop

violated 0 packets, 0 bytes; actions:

drop

drop

conformed 7946000 bps, exceed 1568000 bps, violate 0 bps

Class-map: class-default (match-any)

323 packets, 58720 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 231/46268

Router6-w-AXP#

Joseph W. Doherty Mon, 10/12/2009 - 17:15

Policier works but shaper doesn't?! What IOS are you running?

Also rather interesting that your one set of stats show 10+ Mbps on an 10 Mbps Ethernet.(?)

"The router wouldn't accept command "set dscp be": "

Just use a value of zero.

hugh2_nguyen Tue, 10/13/2009 - 08:02

I'm running IOS 12.4(24)GC1. I think there's 1024 bits per 1Mb perhaps 10Mbps equal 10240000 bits !!??

I'll try shaper again but I really don't want class low bursts above 8Mbps which shaper usually allows.

Joseph W. Doherty Tue, 10/13/2009 - 09:04

I've not worked with that IOS variant. Shaper should also restrict rate, if it doesn't, perhaps an issue within that IOS variant.

Actions

This Discussion