Marking FE traffic for QOS process

Nov 25th, 2009

Hello,

I need to mark traffic from a specific FE switch port on a C1802 so that, when it goes through the Dialer, some QoS processing is done on it.

How can I do this on FE 8 if all ports are in BVI1?

I tried IP-based marking, which is of course not good in the case of DHCP clients.

!

interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
!

!
interface Vlan1
  no ip address
  bridge-group 1
  !

interface BVI1
  description $ES_LAN$$FW_INSIDE$
  ip address 192.168.X.X 255.255.255.0
  no ip redirects
  no ip unreachables
  ip nbar protocol-discovery
  ip flow ingress
  ip flow egress
  ip nat inside
  ip virtual-reassembly
  zone-member security in-zone
  ip tcp adjust-mss 1452
!

!
bridge 1 protocol ieee
bridge 1 route ip
!

Thanks,

Urbanek

Correct Answer
Giuseppe Larosa Wed, 11/25/2009 - 09:45

Hello Mark,

You may only approximate this with an extended ACL that matches the source IP address of the device connected to Fas8, and then apply a policy-map inbound on the BVI interface.

Hope to help

Giuseppe

locus2007 Wed, 11/25/2009 - 09:59

Thanks, I have in mind to mark all traffic from FE8 -> DSCP er, and then, after NAT on the Dialer, I will make a policy-map to search for DSCP er and give bulk.

locus2007 Thu, 11/26/2009 - 07:59

Yes, there is no possibility to mark the Ethernet port as the origin of traffic. So it must be done on IP address or protocol.

Edison Ortiz Thu, 11/26/2009 - 08:09

You can create a policy-map and attach this policy-map to the FE 8 interface.

policy-map DSCP-EF
  class class-default
    set dscp ef

interface fastethernet 8
  service-policy input DSCP-EF

You can change the DSCP marking to the intended one in your configuration.

Regards

Edison

locus2007 Thu, 11/26/2009 - 08:31

Thanks, I tried this.

Look - I have it on FE6 now, I know; it is for testing only. On FE6 is my testing notebook that generates traffic.

class-map match-any Dialer1_out
match  dscp ef

class-map match-any class_local_FE8_mark
match access-group name Rule_local_FE8_mark

policy-map CCP-QoS-Policy-1
class Dialer1_out
    priority percent 33

policy-map policy_local_FE8_mark
class class_local_FE8_mark
  set dscp ef

!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
service-policy input policy_local_FE8_mark
!
interface FastEthernet7
!
!
interface FastEthernet8
!

interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
ip mtu 1492
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname X
ppp chap password 0 X
ppp pap sent-username X password 0 X
no cdp enable
!
service-policy output CCP-QoS-Policy-1

!

ip access-list extended Rule_local_FE8_mark
remark CCP_ACL Category=256
permit ip any any

But all traffic is in class-default and not in the Dialer1_out class.

Edison Ortiz Thu, 11/26/2009 - 08:36

If I understand you correctly, you want to mark all traffic entering switchport FE 8 to a certain DSCP value.

I recommended to use the class class-default on a policy-map but I don't see that in your configuration.

You are matching on ip protocol, this won't work.

Please try the config I posted before and once you do, generate traffic that enters FE 8 and post the show policy-map interface output.


Regards

Edison.

locus2007 Thu, 11/26/2009 - 09:09

Yes, based on your recommendation I now have

policy-map DSCP_EF
class class-default
  set dscp ef

interface FastEthernet6
!
service-policy input DSCP_EF
service-policy output DSCP_EF
!

Router#show policy-map interface output
FastEthernet6

  Service-policy output: DSCP_EF

    Class-map: class-default (match-any)
      232 packets, 13920 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      QoS Set
        dscp ef
          Packets marked 0

Now I get those packets in class-default on port FE6; there is a ping command running.

Are the packets now marked with EF?

So can I make another policy on the Dialer to look for EF and then do QoS?

Edison Ortiz Thu, 11/26/2009 - 09:21

I recommend to mark on input, yet you applied the service-policy on input and output direction.

Your 'show policy-map interface' only includes the output from the 'service-policy output', I need to see the 'service-policy input' as well - that's where packets must be marked.

If you noticed in the output

QoS Set
        dscp ef
          Packets marked 0

No packets were marked while leaving the port, the intention is to mark packets as they enter the port.

What I need from you is to remove the 'service-policy output' from FE6 and post back with the 'show policy-map interface' with only the input policy-map applied.

Regards

Edison.

locus2007 Thu, 11/26/2009 - 09:32

Thank you for spending time on this.

policy-map DSCP_EF
class class-default
  set dscp ef

interface FastEthernet6
!
service-policy input DSCP_EF
!

The ping command is still running and I also tried some TCP traffic (WWW browsing).

Router#show policy-map interface
FastEthernet6

  Service-policy input: DSCP_EF

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      QoS Set
        dscp ef
          Packets marked 0

I noticed packets marked 0 after sending the last reply.

Edison Ortiz Thu, 11/26/2009 - 10:14

And you are sure traffic is entering FE 6?

Clear the counters and post the output from typing 'show interface f6' and 'show policy-map interface'

Regards

Edison

locus2007 Thu, 11/26/2009 - 10:23

I looked at http://www.cisco.com/en/US/partner/docs/ios/qos/configuration/guide/mrkg_netwk_traffic_ps10591_TSD_Products_Configuration_Guide_Chapter.html

and didn't find anything wrong.

IOS 15.0.1M

Router#clear counters fastEthernet 6
Clear "show interface" counters on this interface [confirm]
Router#show interfaces fastEthernet 6
FastEthernet6 is up, line protocol is up
  Hardware is FastEthernet, address is 0021.5556.35d5 (bia 0021.5556.35d5)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:00:37
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 2 packets/sec
  5 minute output rate 2000 bits/sec, 3 packets/sec
     75 packets input, 5836 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     111 packets output, 8830 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

And it increases.


Router#show interfaces fastEthernet 6
FastEthernet6 is up, line protocol is up
  Hardware is FastEthernet, address is 0021.5556.35d5 (bia 0021.5556.35d5)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:00:39
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 2 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
     79 packets input, 6148 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     116 packets output, 9206 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Router#

And still the same.

Router#show policy-map interface
FastEthernet6

  Service-policy input: DSCP_EF

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      QoS Set
        dscp ef
          Packets marked 0

Giuseppe Larosa Thu, 11/26/2009 - 12:59

Hello,

I think the problem is that Fas6 is a port of an etherswitch module in an ISR router.

Probably QoS features are not supported on Etherswitch ports.

Let's see the restrictions section of the link you have provided:

Traffic marking can be configured on an interface, a subinterface, or an ATM permanent virtual circuit (PVC). Marking network traffic is not supported on the following interfaces:

Any interface that does not support CEF

ATM switched virtual circuit (SVC)

Fast EtherChannel

PRI

Tunnel

Fas6 should be an L2-only port that does not support CEF.

Hope to help

Giuseppe

locus2007 Thu, 11/26/2009 - 14:38

It looks real, all I can find is

10/100 LAN Switch

Eight 10/100BASE-T fully managed switch ports with 802.1Q VLAN and 802.3af PoE support

Edison Ortiz Fri, 11/27/2009 - 10:05

giuslar wrote:

Hello,

I think the problem is that Fas6 is a port of an etherswitch module in an ISR router.

Probably QoS features are not supported on Etherswitch ports.


According to the documentation:

http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_enet_switch_net_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1130377

QoS is supported on etherswitch modules with some caveats. One of those caveats is the class class-default isn't supported.

With that said, we can modify my previous recommendation as follows:

class-map DSCP-EF
  match any

policy-map DSCP-EF
  class DSCP-EF
    set dscp ef

interface fastethernet 6
  service-policy input DSCP-EF

Regards

Edison

Edison Ortiz Fri, 11/27/2009 - 09:59

Giuseppe has illustrated the requirements for QoS marking, thanks Giuseppe.

You can verify if that interface does run CEF with the 'show ip cef fastethernet 6' command.

You mentioned applying the ingress policy on the BVI - you could do that but it won't target the information on a per-switchport basis.

I'm not sure if you can match on interface with this hardware but it's worth a try.

class-map DSCP-EF
  match input-interface fastethernet 6

policy-map DSCP-EF
  class DSCP-EF
    set dscp ef

interface BVI1
  service-policy input DSCP-EF

Regards

Edison

locus2007 Sat, 11/28/2009 - 02:34

I have tried it and had no success with class test

Router#show policy-map interface bvI 1
BVI1

  Service-policy input: policy_mark

    Class-map: class_reznik (match-any)
      168709 packets, 20827818 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name access_reznik
        168709 packets, 20827818 bytes
        5 minute rate 0 bps
      QoS Set
        dscp ef
          Packets marked 168709

    Class-map: class_honza (match-any)
      112818 packets, 9869099 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name access_honza
        112818 packets, 9869099 bytes
        5 minute rate 0 bps
      QoS Set
        dscp af12
          Packets marked 112818

    Class-map: test (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: input-interface FastEthernet6
      QoS Set
        dscp af21
          Packets marked 0

    Class-map: class-default (match-any)
      146312 packets, 21565553 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

and on FE6 the traffic was

Router#show interfaces fastEthernet 6
FastEthernet6 is up, line protocol is up
  Hardware is FastEthernet, address is 0021.5556.35d5 (bia 0021.5556.35d5)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 1d16h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 2000 bits/sec, 3 packets/sec
     19154 packets input, 1872292 bytes, 0 no buffer
     Received 388 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     47318 packets output, 19757094 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

and the post before was not a success either

Router#show policy-map interface fastEthernet 6
FastEthernet6

  Service-policy input: test_in

    Class-map: test (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      QoS Set
        dscp af21
          Packets marked 0

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

As you see, I use IP-based marking, which works for me now, but it is not a solution for marking all interface traffic.
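An added example, not written by any poster in this thread: a small Python parser for the `show policy-map interface` output pasted above. It lists the classes that carry a `set dscp` action but never matched a packet, which is the symptom seen with the FastEthernet6 classes. The sample text is constructed by abridging the BVI1 output posted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample, abridged from the BVI1 output posted in the thread.
SAMPLE = """\
BVI1
  Service-policy input: policy_mark
    Class-map: class_reznik (match-any)
      168709 packets, 20827818 bytes
      Match: access-group name access_reznik
        168709 packets, 20827818 bytes
      QoS Set
        dscp ef
          Packets marked 168709
    Class-map: test (match-all)
      0 packets, 0 bytes
      Match: input-interface FastEthernet6
      QoS Set
        dscp af21
          Packets marked 0
    Class-map: class-default (match-any)
      146312 packets, 21565553 bytes
"""

def parse_policy_map(text):
    """Return one dict per class in 'show policy-map interface' output."""
    classes, iface, direction, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line:   # skip blanks and CLI prompt lines
            continue
        if not raw[0].isspace():
            iface = line              # unindented line names the interface
        elif m := re.match(r"Service-policy (input|output): (\S+)", line):
            direction = m.group(1)
        elif m := re.match(r"Class-map: (\S+)", line):
            cur = {"interface": iface, "direction": direction, "class": m.group(1),
                   "packets": None, "dscp": None, "marked": None}
            classes.append(cur)
        elif cur is None: continue    # counters before any class: ignore
        elif (m := re.match(r"(\d+) packets,", line)) and cur["packets"] is None:
            cur["packets"] = int(m.group(1))  # first counter is the class total
        elif m := re.match(r"dscp (\S+)", line):
            cur["dscp"] = m.group(1)
        elif m := re.match(r"Packets marked (\d+)", line):
            cur["marked"] = int(m.group(1))
    return classes

def unmatched_marking_classes(classes):
    """Classes with a 'set dscp' action that never matched a packet."""
    return [c["class"] for c in classes if c["dscp"] and c["packets"] == 0]
```

Run against output captured after generating traffic, `unmatched_marking_classes(parse_policy_map(text))` returns the class names whose marking action is configured but has not matched any packet.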
