CBWFQ - no match at class-map

Answered Question
Mar 24th, 2010

Hello,


I have to test a congestion management for a customer.


Involved Hardware: 876 Series Router

IOS: advanced Security


I configured the following class-based-weighted-fair-queueing:


  ip access-list extended QOS
        permit tcp any host 172.16.17.21 eq 10002
        permit tcp any host 172.16.17.24 eq 10002
        permit tcp any host 195.145.98.212 eq 443
        permit tcp any host 195.145.98.220 eq 443
        permit tcp 10.0.0.0 0.255.255.255 160.83.1.240 0.0.0.7 eq 53301
        permit icmp 10.0.0.0 0.255.255.255 160.83.1.240 0.0.0.7
        permit tcp any 172.19.201.160 0.0.0.15 eq 1494
        permit tcp any 172.19.201.160 0.0.0.15 eq 1604


    class-map match-all DATA
        match access-group name QOS
    class-map match-all VOICE
        match precedence 3 5

    policy-map PRIO_QUEUEING
        class VOICE
            bandwidth percent 20
        class DATA
            bandwidth percent 50
        class class-default
            fair-queue

    interface dialer1
        service-policy output PRIO_QUEUEING


-----------------------------------------------------------------------------------------------------------


I got the following Output:


sh policy-map interface output
Dialer1

  Service-policy output: PRIO_QUEUEING

    Class-map: VOICE (match-all)
      187112 packets, 27113032 bytes
      5 minute offered rate 13000 bps, drop rate 0 bps
      Match:  precedence 3  5
      Queueing
        Output Queue: Conversation 25
        Bandwidth 23 (%)
        Bandwidth 12 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: DATA (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name QOS
      Queueing
        Output Queue: Conversation 26
        Bandwidth 50 (%)
        Bandwidth 28 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: class-default (match-any)
      1395439 packets, 362149552 bytes
      5 minute offered rate 216000 bps, drop rate 0 bps
      Match: any
      Queueing
        Flow Based Fair Queueing
        Maximum Number of Hashed Queues 16
        (total queued/total drops/no-buffer drops) 0/0/0


My question is why there are no matches at the class-map DATA. I took a look at the traffic with Netflow Tracker by Fluke and saw that the applications generated traffic.

Could anybody help me?


Kind regards


Holger

Lei Tian Wed, 03/24/2010 - 10:48
User Badges:
  • Cisco Employee,

Hi Holger,


Check if that traffic is marked as IPP 3 or 5; if yes, it will be put into the VOICE class.


HTH,

Lei Tian

Giuseppe Larosa Wed, 03/24/2010 - 12:08
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Holger,

As Lei has noted, the order of referencing of the class-maps in the policy map is important, like in an ACL.


Because the voip class map has a generic definition based only on IP precedence values, other types of traffic can be classified on it.


Hope to help

Giuseppe

holgerseiler Wed, 03/24/2010 - 13:15

Hello Lei, hello Giuseppe,


Thanks for your fast answers. I will check if my traffic is marked with IP precedence 3 and 5. I will check in 2 weeks, because I will go on holiday.


Thanks again and happy Easter.


Holger

holgerseiler Tue, 04/06/2010 - 01:23

Hi all,


I have checked the traffic with Netflow Tracker by Fluke. My data packets for the class DATA are not marked with IP precedence 3 and/or 5. I forgot to tell that there is a VPN tunnel configured at this router. Is it possible that my traffic could not be classified, because it is always IPsec?


Kind regards


Holger

Correct Answer
harisivaji Tue, 04/06/2010 - 03:28

Hi,


We need to use " ip qos Pre-classify" under the tunnel interface or virtual-template in order to use QoS for a tunnel.

or

Check the ACL "QOS" to see whether there is a match; since the precedence value is not 3 or 5, it will not match Voice.

I believe your traffic is not matching the ACL, so it is coming under the default class.



HTH,

Hari.Sivaji

holgerseiler Tue, 04/06/2010 - 04:53

I believe that the traffic is not matching the ACL, too. But I don't know why. Traffic with the needed subjects was generated at the network (right source/destination IP, right protocol-ports). The data packets are very small (1 Byte to 34 kByte).


Kind regards


Holger

Giuseppe Larosa Tue, 04/06/2010 - 05:33
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Holger,


>> I forgot to tell that there is a vpn tunnel configured at this router. Is it possible that my traffic could not be classified, because it is always IPsec?


Yes indeed, you need to mark the traffic inbound, when it is received in clear text on the LAN interface.

You need to set an IP precedence value per traffic class.


Then you need to match on IP precedence values on the outgoing interface.


The IP precedence value is replicated on external headers.


Another important piece of advice: it can be a question of IOS image. I had a similar scenario where everything was configured correctly.

After having loaded a 12.4T image it worked.


sh ver | inc image
System image file is "flash:c870-advsecurityk9-mz.124-15.T7.bin"


With this image it worked on an 877-M.



sh policy-map int vlan1
Vlan1


  Service-policy input: mk_voice


    Class-map: cm_voice (match-all)
      1084138 packets, 96294168 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group name voice
      QoS Set
        precedence 5
          Packets marked 1084138


    Class-map: class-default (match-any)
      1018366 packets, 184415531 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
      QoS Set
        precedence 0
          Packets marked 1018366


sh policy-map int atm0


ATM0


  Service-policy output: llq_voice


    Class-map: llq_voice (match-all)
      1084143 packets, 176923220 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: ip precedence 5
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 350 (kbps) Burst 8750 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0


    Class-map: class-default (match-any)
      1098256 packets, 270148800 bytes
      30 second offered rate 2000 bps, drop rate 0 bps
      Match: any



Notice the correspondence between the marked traffic on the policy map applied inbound and that on the ATM interface.


Hope to help

Giuseppe

holgerseiler Thu, 04/15/2010 - 02:12

Hi all,


after the upgrade to version c870-advsecurityk9-mz.124-15.T7.bin I am testing the router again. But I have no matches at my class-map data. There are no matches at the access-list "QOS" (you could see at my first posting), too. I disabled my crypto map, so that there is no VPN tunnel anymore. No change at the results had happened.


Is it possible that no match happen because my data packets are small (335 Byte)? But in this case there had to be matches at my ACL, even though.


Kind regards


Holger

Giuseppe Larosa Thu, 04/15/2010 - 11:07
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Holger,

I would suggest posting the whole configuration as an attachment; just remove usernames and passwords and change public IP addresses to something else for safety.


Two other checks:


a) You say you have disabled the crypto map, but are you using a GRE tunnel? If yes, it is still there and the ACL cannot match on outbound traffic.


b) Can you check if CEF is enabled? Modular QoS relies on CEF.


Hope to help

Giuseppe

stevegunner Thu, 04/15/2010 - 02:46

Hi,


You could try changing your class-map match-all DATA to match-any.


HTH

holgerseiler Thu, 04/15/2010 - 05:33

I have changed the configuration. No change of the result. That seems to be logical, because I have only one statement at the class-map.

Has anybody another idea?


Kind regards


Holger

Lei Tian Thu, 04/15/2010 - 12:07
User Badges:
  • Cisco Employee,

Hi Holger,


Can you mark the traffic on the LAN interface and use the DSCP value for queuing? The ACL doesn't match any traffic, and you confirmed the traffic is being sent to the right destination/port; that makes me think the IP header might get changed. Do you have GRE or NAT configured?


Can you post the latest configuration?


HTH,

Lei Tian

holgerseiler Tue, 04/20/2010 - 05:51

Hi all,


I did some troubleshooting yesterday. I am sure I have a problem with the IPsec. I wanted to use the command "qos pre-classify" but the advanced-security image doesn't know this statement. Do you know another procedure to pre-classify the packets?

I had an idea to configure a virtual-template, but after searching for possible configurations I think that I need the statement "qos pre-classify", too.


Thanks and kind regards


Holger

Lei Tian Tue, 04/20/2010 - 06:44
User Badges:
  • Cisco Employee,

Hi Holger,


If you classify and mark the traffic at the LAN interface, you don't need to use 'qos pre-classify'. The DSCP value will be preserved.


HTH,

Lei Tian

holgerseiler Tue, 04/20/2010 - 07:11

Hi,


How can I classify the traffic at the incoming interface just like with my "access-list DATA"? With a class-map I could not classify in a sufficiently sophisticated way.


regards


Holger

Lei Tian Tue, 04/20/2010 - 08:06
User Badges:
  • Cisco Employee,

Hi Holger,


Here is a configuration example:


  ! Mark on the LAN side, while the traffic is still clear text
  class-map mark_data
      match access-group name QOS
  class-map mark_voice
      match access-group name VOICE
  policy-map MARKING
      class mark_data
          set ip dscp af21
      class mark_voice
          set ip dscp ef


  int vlan x
      service-policy in MARKING


  ! Classify on the DSCP value for the output queueing policy
  class-map DATA
      match ip dscp af21
  class-map VOICE
      match ip dscp ef


  policy-map PRIO_QUEUEING
      class VOICE
          bandwidth percent 20
      class DATA
          bandwidth percent 50
      class class-default
          fair-queue


HTH,

Lei Tian
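
A model of the behaviour worked out in this thread, as an added example that is not part of any poster's reply: it evaluates the QOS ACL from the first post against a packet before and after IPsec tunnel encapsulation, then applies LAN-side marking with DSCP matching on output. The sample packet, the tunnel endpoint addresses and all function names are constructed for illustration, and the model assumes the output policy sees only the outer header, with the ToS byte copied from the inner one.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "icmp" or "esp"
    src: str
    dst: str
    dport: int   # 0 when the protocol exposes no ports
    dscp: int    # 6-bit DSCP; IP precedence is its top 3 bits

ANY = ("0.0.0.0", "255.255.255.255")
def host(ip): return (ip, "0.0.0.0")

# The "QOS" extended ACL from the first post: (proto, source, destination, dest port)
QOS_ACL = [
    ("tcp", ANY, host("172.16.17.21"), 10002), ("tcp", ANY, host("172.16.17.24"), 10002),
    ("tcp", ANY, host("195.145.98.212"), 443), ("tcp", ANY, host("195.145.98.220"), 443),
    ("tcp", ("10.0.0.0", "0.255.255.255"), ("160.83.1.240", "0.0.0.7"), 53301),
    ("icmp", ("10.0.0.0", "0.255.255.255"), ("160.83.1.240", "0.0.0.7"), None),
    ("tcp", ANY, ("172.19.201.160", "0.0.0.15"), 1494),
    ("tcp", ANY, ("172.19.201.160", "0.0.0.15"), 1604),
]
AF21, EF = 18, 46

def wild_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)  # wildcard bits set to 1 are "don't care"

def acl_permits(pkt):
    return any(pkt.proto == proto and wild_match(pkt.src, *s) and wild_match(pkt.dst, *d)
               and (port is None or pkt.dport == port) for proto, s, d, port in QOS_ACL)

def esp_encapsulate(pkt, local, peer):
    # Tunnel mode: new outer header, protocol ESP, no visible ports, ToS byte copied out.
    return Packet("esp", local, peer, 0, pkt.dscp)

def original_policy(pkt):   # VOICE = precedence 3 5, DATA = ACL QOS
    if pkt.dscp >> 3 in (3, 5):
        return "VOICE"
    return "DATA" if acl_permits(pkt) else "class-default"

def mark_inbound(pkt):      # LAN-side marking: traffic matching ACL QOS gets AF21
    return replace(pkt, dscp=AF21) if acl_permits(pkt) else pkt

def dscp_policy(pkt):       # output classes that match on DSCP only
    return {EF: "VOICE", AF21: "DATA"}.get(pkt.dscp, "class-default")

# Constructed sample packet and tunnel endpoints (documentation address ranges)
clear = Packet("tcp", "10.1.2.3", "172.16.17.21", 10002, 0)
tunnel = ("192.0.2.1", "198.51.100.1")
print(original_policy(clear), original_policy(esp_encapsulate(clear, *tunnel)),
      dscp_policy(esp_encapsulate(mark_inbound(clear), *tunnel)))
```

The middle result is the symptom from the first post: once the packet is wrapped in ESP, the 5-tuple the ACL tests is no longer visible, so everything lands in class-default, while the marked DSCP value still reaches the output policy.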
