03-24-2010 09:58 AM - edited 03-06-2019 10:17 AM
Hello,
I have to test congestion management for a customer.
Involved Hardware: 876 Series Router
IOS: advanced Security
I configured the following class-based-weighted-fair-queueing:
ip access-list extended QOS
 permit tcp any host 172.16.17.21 eq 10002
 permit tcp any host 172.16.17.24 eq 10002
 permit tcp any host 195.145.98.212 eq 443
 permit tcp any host 195.145.98.220 eq 443
 permit tcp 10.0.0.0 0.255.255.255 160.83.1.240 0.0.0.7 eq 53301
 permit icmp 10.0.0.0 0.255.255.255 160.83.1.240 0.0.0.7
 permit tcp any 172.19.201.160 0.0.0.15 eq 1494
 permit tcp any 172.19.201.160 0.0.0.15 eq 1604
class-map match-all DATA
 match access-group name QOS
class-map match-all VOICE
 match precedence 3 5
policy-map PRIO_QUEUEING
 class VOICE
  bandwidth percent 20
 class DATA
  bandwidth percent 50
 class class-default
  fair-queue
interface dialer1
 service-policy output PRIO_QUEUEING
-----------------------------------------------------------------------------------------------------------
I got the following Output:
sh policy-map interface output
Dialer1
Service-policy output: PRIO_QUEUEING
Class-map: VOICE (match-all)
187112 packets, 27113032 bytes
5 minute offered rate 13000 bps, drop rate 0 bps
Match: precedence 3 5
Queueing
Output Queue: Conversation 25
Bandwidth 23 (%)
Bandwidth 12 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: DATA (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS
Queueing
Output Queue: Conversation 26
Bandwidth 50 (%)
Bandwidth 28 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
1395439 packets, 362149552 bytes
5 minute offered rate 216000 bps, drop rate 0 bps
Match: any
Queueing
Flow Based Fair Queueing
Maximum Number of Hashed Queues 16
(total queued/total drops/no-buffer drops) 0/0/0
My question is why there are no matches at the class-map DATA. I took a look at the traffic with Netflow Tracker by Fluke and saw that the applications generated traffic.
Could anybody help me?
Kind regards
Holger
03-24-2010 10:48 AM
Hi Holger,
Check if that traffic is marked as IPP 3 or 5; if yes, it will be put into the VOICE class.
HTH,
Lei Tian
03-24-2010 12:08 PM
Hello Holger,
as Lei has noted the order of referencing of the class-maps in the policy map is important like in an ACL.
Because the voip class map has a generic definition based only on IP precedence values other types of traffic can be classified on it.
Hope to help
Giuseppe
03-24-2010 01:15 PM
Hello Lei, hello Giuseppe,
thanks for your fast answers. I will check if my traffic is marked with IP precedence 3 and 5. I will check in 2 weeks, because I will go on holiday.
Thanks again and happy Easter.
Holger
03-24-2010 01:21 PM
Enjoy your holiday.
04-06-2010 01:23 AM
Hi all,
I have checked the traffic with Netflow Tracker by Fluke. My data packets for the class DATA are not marked with ip precedence 3 and/or 5. I forgot to tell that there is a vpn tunnel configured at this router. Is it possible that my traffic could not be classified, because it is always IPsec?
Kind regards
Holger
04-06-2010 03:28 AM
Hi,
We need to use " ip qos Pre-classify" under tunnel interface or virtual-template in order to use QOS for a tunnel.
or
Check the ACL "QOS" whether there is a match; since the precedence value is not 3 or 5, it will not match Voice.
I believe your traffic is not matching the ACL, so it is coming under the default class.
HTH,
Hari.Sivaji
04-06-2010 04:53 AM
I believe that the traffic is not matching the ACL, too. But I don't know why. Traffic with the needed subjects was generated at the network (right source/destination IP, right protocol-ports). The data packets are very small (1 Byte to 34 kByte).
Kind regards
Holger
04-06-2010 05:33 AM
Hello Holger,
>> I forgot to tell that there is a vpn tunnel configured at this router. Is it possible that my traffic could not be classified, because it is always IPsec?
Yes indeed, you need to mark the traffic inbound when it is received in clear text on the LAN interface.
You need to set an IP precedence value per traffic class.
Then you need to match on IP precedence values on the outgoing interface.
The IP precedence value is replicated on the external headers.
Another important piece of advice: it can be a question of the IOS image. I had a similar scenario where everything was configured correctly.
After having loaded a 12.4T image it worked.
sh ver | inc image
System image file is "flash:c870-advsecurityk9-mz.124-15.T7.bin"
with this image it worked on a 877-M
sh policy-map int vlan1
Vlan1
Service-policy input: mk_voice
Class-map: cm_voice (match-all)
1084138 packets, 96294168 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: access-group name voice
QoS Set
precedence 5
Packets marked 1084138
Class-map: class-default (match-any)
1018366 packets, 184415531 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
QoS Set
precedence 0
Packets marked 1018366
sh policy-map int atm0
ATM0
Service-policy output: llq_voice
Class-map: llq_voice (match-all)
1084143 packets, 176923220 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip precedence 5
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 350 (kbps) Burst 8750 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0
Class-map: class-default (match-any)
1098256 packets, 270148800 bytes
30 second offered rate 2000 bps, drop rate 0 bps
Match: any
Notice the correspondence between marked traffic on the policy map applied inbound and that on the ATM interface.
Hope to help
Giuseppe
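The mark-on-ingress approach described in the post above, applied to the QOS ACL and PRIO_QUEUEING policy from the first post. This is an added example, not configuration posted by anyone in the thread. Assumptions: Vlan1 is the LAN interface, IP precedence 2 is unused and can stand for the DATA traffic, and MARK_DATA and MARK_LAN are hypothetical names.

```cisco
! Added example. Assumed names and values: Vlan1, MARK_DATA, MARK_LAN,
! precedence 2. ACL QOS, classes VOICE/DATA and policy PRIO_QUEUEING
! are the ones from the first post.
!
! Step 1: classify on LAN ingress, where packets are still clear text
! and the ACL can see the real addresses and ports.
class-map match-all MARK_DATA
 match access-group name QOS
!
policy-map MARK_LAN
 class MARK_DATA
  set ip precedence 2
!
interface Vlan1
 service-policy input MARK_LAN
!
! Step 2: on the WAN side, stop matching on the ACL and match only on
! the marking, which is replicated on the outer header of the tunnel.
class-map match-all DATA
 no match access-group name QOS
 match ip precedence 2
!
! The queueing policy itself stays as posted.
policy-map PRIO_QUEUEING
 class VOICE
  bandwidth percent 20
 class DATA
  bandwidth percent 50
 class class-default
  fair-queue
!
interface Dialer1
 service-policy output PRIO_QUEUEING
```

To check it, compare the "Packets marked" counter in `show policy-map interface Vlan1` with the packet counter of class DATA in `show policy-map interface Dialer1`, as in the Vlan1/ATM0 output quoted above.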
04-15-2010 02:12 AM
Hi all,
after the upgrade to version c870-advsecurityk9-mz.124-15.T7.bin I am testing the router again. But I have no matches at my class-map data. There are no matches at the access-list "QOS" (you can see it in my first posting), either. I disabled my crypto map, so that there is no VPN tunnel anymore. There was no change in the results.
Is it possible that no match happens because my data packets are small (335 Byte)? But in this case there would still have to be matches at my ACL.
Kind regards
Holger
04-15-2010 11:07 AM
Hello Holger,
I would suggest posting the whole configuration as an attachment; just remove usernames and passwords and change public IP addresses to something else for safety.
Other two checks:
a) You say you have disabled the crypto map, but are you using a GRE tunnel? If yes, it is still there and the ACL cannot match on outbound traffic.
b) Can you check if CEF is enabled? Modular QOS relies on CEF.
Hope to help
Giuseppe
04-15-2010 02:46 AM
Hi,
You could try changing your class-map match-all DATA to match-any.
HTH
04-15-2010 05:33 AM
I have changed the configuration. No change of the result. That seems to be logical, because I have only one statement at the class-map.
Has anybody another idea?
Kind regards
Holger
04-15-2010 12:07 PM
Hi Holger,
Can you mark the traffic on the LAN interface and use the DSCP value for queuing? The ACL doesn't match any traffic, and you confirmed the traffic is being sent to the right destination/port; that makes me think the IP header might get changed. Do you have GRE or NAT configured?
Can you post the latest configuration?
HTH,
Lei Tian
04-20-2010 05:51 AM
Hi all,
I did some troubleshooting yesterday. I am sure I have a problem with the IPsec. I wanted to use the command "qos pre-classify" but the advanced-security image doesn't know this statement. Do you know another procedure to pre-classify the packets?
I had an idea to configure a virtual-template, but after searching for possible configurations I think that I need the statement "qos pre-classify", too.
Thanks and kind regards
Holger