CBWFQ - no match at class-map

Answered Question
Mar 24th, 2010

Hello,

I have to test a congestion management for a customer.

Involved Hardware: 876 Series Router

IOS: advanced Security

I configured the following class-based-weighted-fair-queueing:

  ip access-list extended QOS
        permit tcp any host 172.16.17.21 eq 10002
        permit tcp any host 172.16.17.24 eq 10002
        permit tcp any host 195.145.98.212 eq 443
        permit tcp any host 195.145.98.220 eq 443
        permit tcp 10.0.0.0 0.255.255.255 160.83.1.240 0.0.0.7 eq 53301
        permit icmp 10.0.0.0 0.255.255.255 160.83.1.240 0.0.0.7
        permit tcp any 172.19.201.160 0.0.0.15 eq 1494
        permit tcp any 172.19.201.160 0.0.0.15 eq 1604

    class-map match-all DATA
        match access-group name QOS
    class-map match-all VOICE
        match precedence 3 5

    policy-map PRIO_QUEUEING
        class VOICE
            bandwidth percent 20
        class DATA
            bandwidth percent 50
        class class-default
            fair-queue

    interface dialer1
        service-policy output PRIO_QUEUEING

-----------------------------------------------------------------------------------------------------------

I got the following Output:

sh policy-map interface output
Dialer1

  Service-policy output: PRIO_QUEUEING

    Class-map: VOICE (match-all)
      187112 packets, 27113032 bytes
      5 minute offered rate 13000 bps, drop rate 0 bps
      Match:  precedence 3  5
      Queueing
        Output Queue: Conversation 25
        Bandwidth 23 (%)
        Bandwidth 12 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: DATA (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name QOS
      Queueing
        Output Queue: Conversation 26
        Bandwidth 50 (%)
        Bandwidth 28 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: class-default (match-any)
      1395439 packets, 362149552 bytes
      5 minute offered rate 216000 bps, drop rate 0 bps
      Match: any
      Queueing
        Flow Based Fair Queueing
        Maximum Number of Hashed Queues 16
        (total queued/total drops/no-buffer drops) 0/0/0

My question is why there are no matches at the class-map DATA. I took a look at the traffic with Netflow Tracker by Fluke and saw that the applications generated traffic.

Could anybody help me?

Kind regards

Holger

Lei Tian Wed, 03/24/2010 - 10:48

Hi Holger,

Check if that traffic is marked as IPP 3 or 5; if yes, it will be put into the VOICE class.

HTH,

Lei Tian

Giuseppe Larosa Wed, 03/24/2010 - 12:08

Hello Holger,

as Lei has noted the order of referencing of the class-maps in the policy map is important like in an ACL.

Because the voip class map has a generic definition based only on IP precedence values other types of traffic can be classified on it.

Hope to help

Giuseppe

holgerseiler Wed, 03/24/2010 - 13:15

Hello Lei, hello Giuseppe,

thanks for your fast answers. I will check if my traffic is marked with IP precedence 3 and 5. I will check in 2 weeks, because I will go on holiday.

Thanks again and happy Easter.

Holger

holgerseiler Tue, 04/06/2010 - 01:23

Hi all,

I have checked the traffic with Netflow Tracker by Fluke. My data packets for the class DATA are not marked with IP precedence 3 and/or 5. I forgot to tell you that there is a VPN tunnel configured on this router. Is it possible that my traffic could not be classified because it is always IPsec?

Kind regards

Holger

Correct Answer
harisivaji Tue, 04/06/2010 - 03:28

Hi,

We need to use "ip qos Pre-classify" under the tunnel interface or virtual-template in order to use QoS for a tunnel.

or

Check the ACL "QOS" to see whether there is a match; since the precedence value is not 3 or 5 it will not match Voice.

I believe your traffic is not matching the ACL, so it is coming under the default class.

HTH,

Hari.Sivaji

holgerseiler Tue, 04/06/2010 - 04:53

I believe that the traffic is not matching the ACL, too. But I don't know why. Traffic with the needed subjects was generated at the network (right source/destination IP, right protocol-ports). The data packets are very small (1 Byte to 34 kByte).

Kind regards

Holger

Giuseppe Larosa Tue, 04/06/2010 - 05:33

Hello Holger,

>> I forgot to tell that there is a vpn tunnel configured at this router. Is it possible that my traffic could not be classified, because it is always IPsec?

Yes indeed, you need to mark the traffic inbound when it is received in clear text on the LAN interface.

You need to set an IP precedence value per traffic class.

Then you need to match on IP precedence values on the outgoing interface.

The IP precedence value is replicated on the external headers.

Another important piece of advice: it can be a question of the IOS image. I had a similar scenario where everything was configured correctly.

After having loaded a 12.4T image it worked.

sh ver | inc image
System image file is "flash:c870-advsecurityk9-mz.124-15.T7.bin"

With this image it worked on an 877-M:

sh policy-map int vlan1
Vlan1

  Service-policy input: mk_voice

    Class-map: cm_voice (match-all)
      1084138 packets, 96294168 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group name voice
      QoS Set
        precedence 5
          Packets marked 1084138

    Class-map: class-default (match-any)
      1018366 packets, 184415531 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
      QoS Set
        precedence 0
          Packets marked 1018366

sh policy-map int atm0

ATM0

  Service-policy output: llq_voice

    Class-map: llq_voice (match-all)
      1084143 packets, 176923220 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: ip precedence 5
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 350 (kbps) Burst 8750 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0

    Class-map: class-default (match-any)
      1098256 packets, 270148800 bytes
      30 second offered rate 2000 bps, drop rate 0 bps
      Match: any

Notice the correspondence between the marked traffic on the policy map applied inbound and that on the ATM interface.

Hope to help

Giuseppe

holgerseiler Thu, 04/15/2010 - 02:12

Hi all,

after the upgrade to version c870-advsecurityk9-mz.124-15.T7.bin I am testing the router again. But I have no matches at my class-map data. There are no matches at the access-list "QOS" (you could see at my first posting), too. I disabled my crypto map, so that there is no VPN tunnel anymore. No change at the results had happened.

Is it possible that no match happen because my data packets are small (335 Byte)? But in this case there had to be matches at my ACL, even though.

Kind regards

Holger

Giuseppe Larosa Thu, 04/15/2010 - 11:07

Hello Holger,

I would suggest posting the whole configuration as an attachment; just remove usernames and passwords and change public IP addresses to something else for safety.

Two other checks:

a) You say you have disabled the crypto map, but are you using a GRE tunnel? If yes, it is still there and the ACL cannot match on outbound traffic.

b) Can you check if CEF is enabled? Modular QoS relies on CEF.

Hope to help

Giuseppe

stevegunner Thu, 04/15/2010 - 02:46

Hi,

You could try changing your class-map match-all DATA to match-any.

HTH

holgerseiler Thu, 04/15/2010 - 05:33

I have changed the configuration. No change of the result. That seems to be logical, because I have only one statement at the class-map.

Has anybody another idea?

Kind regards

Holger

Lei Tian Thu, 04/15/2010 - 12:07

Hi Holger,

Can you mark the traffic on the LAN interface and use the DSCP value for queuing? The ACL doesn't match any traffic, and you confirmed the traffic is being sent to the right destination/port; that makes me think the IP header might get changed. Do you have GRE or NAT configured?

Can you post the latest configuration?

HTH,

Lei Tian

holgerseiler Tue, 04/20/2010 - 05:51

Hi all,

I did some troubleshooting yesterday. I am sure I have a problem with the IPsec. I wanted to use the command "qos pre-classify" but the advanced-security image doesn't know this statement. Do you know another procedure to pre-classify the packets?

I had an idea to configure a virtual-template, but after searching for possible configurations I think that I need the statement "qos pre-classify", too.

Thanks and kind regards

Holger

Lei Tian Tue, 04/20/2010 - 06:44

Hi Holger,

If you classify and mark the traffic at the LAN interface, you don't need to use 'qos pre-classify'. The DSCP value will be preserved.

HTH,

Lei Tian

holgerseiler Tue, 04/20/2010 - 07:11

Hi,

How can I classify the traffic at the incoming interface just like with my "access-list DATA"? With a class-map I could not classify in a sophisticated enough way.

regards

Holger

Lei Tian Tue, 04/20/2010 - 08:06

Hi Holger,

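Here is a configuration example:

! Classify and mark on the LAN side, while the packets are still clear text
! (an ACL named VOICE is assumed to exist next to the ACL QOS)
class-map mark_data
 match access-group name QOS
class-map mark_voice
 match access-group name VOICE
policy-map MARKING
 class mark_data
  set ip dscp af21
 class mark_voice
  set ip dscp ef

! x = number of the LAN VLAN interface
interface vlan x
 service-policy input MARKING

! On the outgoing interface, match the DSCP marking instead of the ACL
class-map DATA
 match ip dscp af21
class-map VOICE
 match ip dscp ef

policy-map PRIO_QUEUEING
 class VOICE
  bandwidth percent 20
 class DATA
  bandwidth percent 50
 class class-default
  fair-queue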

HTH,

Lei Tian
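
The following is an added example, not code from any participant in this thread. It models the explanation given above: after IPsec tunnel-mode encapsulation the outgoing interface sees only the outer ESP header, so the ACL "QOS" from the first post cannot match, while a DSCP value set on the LAN side is copied to the outer header and can still be matched. The packet model, the function names and the sample addresses (documentation ranges for the tunnel endpoints) are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

AF21 = 18  # DSCP value written by "set ip dscp af21"

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "icmp" or "esp"
    src: str
    dst: str
    dport: int = 0  # 0 = no visible L4 port (ICMP, or hidden inside ESP)
    dscp: int = 0

# ACL "QOS" from the first post; wildcard masks rewritten as prefixes, None = any port
ACL_QOS = [
    ("tcp", "0.0.0.0/0", "172.16.17.21/32", 10002),
    ("tcp", "0.0.0.0/0", "172.16.17.24/32", 10002),
    ("tcp", "0.0.0.0/0", "195.145.98.212/32", 443),
    ("tcp", "0.0.0.0/0", "195.145.98.220/32", 443),
    ("tcp", "10.0.0.0/8", "160.83.1.240/29", 53301),
    ("icmp", "10.0.0.0/8", "160.83.1.240/29", None),
    ("tcp", "0.0.0.0/0", "172.19.201.160/28", 1494),
    ("tcp", "0.0.0.0/0", "172.19.201.160/28", 1604),
]

def acl_match(pkt):
    """True if any permit entry matches the header fields visible in pkt."""
    addr, net = ipaddress.ip_address, ipaddress.ip_network
    return any(
        pkt.proto == proto and addr(pkt.src) in net(src) and addr(pkt.dst) in net(dst)
        and (port is None or pkt.dport == port)
        for proto, src, dst, port in ACL_QOS)

def mark_inbound(pkt):
    """LAN-side marking policy: clear-text packets matching the ACL get AF21."""
    return replace(pkt, dscp=AF21) if acl_match(pkt) else pkt

def ipsec_encapsulate(pkt, local, peer):
    """Tunnel mode: outer header shows tunnel endpoints and ESP only; inner
    addresses and ports are encrypted, the DSCP value is copied outward."""
    return Packet("esp", local, peer, 0, pkt.dscp)

def classify_output(pkt, match_on):
    """Output policy on the WAN interface, matching on "acl" or on "dscp"."""
    hit = acl_match(pkt) if match_on == "acl" else pkt.dscp == AF21
    return "DATA" if hit else "class-default"

# Constructed sample: LAN host talking to the first server in the ACL
inner = Packet("tcp", "10.1.1.10", "172.16.17.21", 10002)
LOCAL, PEER = "192.0.2.1", "198.51.100.1"  # constructed tunnel endpoints
```

With these inputs, the encrypted copy of `inner` lands in `class-default` when the output policy matches on the ACL, and in `DATA` when it was marked inbound and the output policy matches on DSCP.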
