×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

QoS : DSCP 0 not going in the right queue

Unanswered Question
Jul 24th, 2013
User Badges:

Hi everyone,


I've a small issue with my QoS Policy. I'm working on a C3560X-24T-L (or 48T-L), which is located on the LAN of a customer, and I want to do this :

- on all interface, except Gi0/1, I need to classify all the traffic :

     - Voice & TSE : DSCP 46

     - Some critical application : DSCP 25

     - Some customer application, not so critical : DSCP 10

     - Other stuff (Internet...) : DSCP 0

- on output interface, I limit the bandwidth at 2Mbps (because there is a 2Mbps SDSL link and "I" want to classify and policy the traffic, not the ISP), and I shape and share the traffic I've marked before as I want (srr-queue bandwidth share 1 20 60 5 and srr-queue bandwidth shape 7 0 0 0).


I check with wireshark and with "show" commands on the switch : all the packets are marked well (in dscp: outgoing  for example)...


My dscp-output-q is ok too :


Dscp-outputq-threshold map:

     d1 :d2    0     1     2     3     4     5     6     7     8     9

     ------------------------------------------------------------

      0 :    04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01

      1 :    03-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01

      2 :    04-01 04-01 04-01 04-01 04-01 02-01 04-01 04-01 04-01 04-01

      3 :    04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01

      4 :    04-01 04-01 04-01 04-01 04-01 04-01 01-01 04-01 01-01 04-01

      5 :    04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01

      6 :    04-01 04-01 04-01 04-01


btw, I've the correct comment : mls qos srr-queue output dscp-map queue 4 theshold 1 0


BUT, and here is the problem : when I generate some DSCP 0 traffic, it's absolutely not going in queue 4 (or queue 3 in sh mls qos interface statistics), but is queue 2 (or queue 1 in sh mls qos interface statistics). I tried to change the DSCP of the traffic generate (like 54), and it works well : it goes in queue 4 (or 3) like I want. But I absolutely want all the DSCP 0 traffic to go in queue 4, because queue 2 is reserved for critical data.


I can't explain why I have this behavior for this DSCP 0...


Thanks a lot for your future help.


Regards,

Aurélien

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Joseph W. Doherty Wed, 07/24/2013 - 02:52
User Badges:
  • Super Bronze, 10000 points or more

Disclaimer


The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.


Liability Disclaimer


In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.


Posting


What IOS version and might your other traffic have L2 CoS?  If the latter, what's your CoS to DSCP map?

aurelien-bern Wed, 07/24/2013 - 05:19
User Badges:

Thank you for the answer.


IOS version : 12.2(53r)SE2


I do not use L2 CoS, and the mapping is the default mapping. To mark the traffic, I use this kind of method :


1) ACL to match traffic

access-list extended TSE

     permit tcp any any eq 3389

access-list extended XXX

     permit tcp any any eq XXX

...


2) Class-map

class-map match-all TSE

     match access-group TSE

...


3) Policy-map

policy-map INPUT

     class TSE

          set dscp ef

     class ...

          set dscp ...

...


4) Applying on all interfaces except the output

interface range gi 0/2 - 24

     service policy input INPUT



Then, for the output, I use this method :


1) Mapping DSCP to queue


mls qos srr-queue output dscp-map queue 1 threshold 1 46 48

mls qos srr-queue output dscp-map queue 2 threshold 1 25

...

mls qos srr-queue output dscp-map queue 4 threshold 0 1 2 3 4 5 6 7

...



2) Shaping & Sharing on the output interface

int gi 0/1

     srr-queue bandwidth shape 7 0 0 0

     srr-queue bandwidth share 1 20 60 5


To have this distribution :

- queue 1 : 15%

- queue 2 : 20%

- queue 3 : 60%

- queue 4 : 5%



I have not yet change buffers & threshold for the differents queues (with "mls qos queue-set output 1...").



And, even if I put DSCP 0 on queue 4, when I generate some DSCP 0 traffic, it goes in queue 2 (queue 2 counters increase, not the others).


Thanks again.

aurelien-bern Wed, 07/24/2013 - 07:38
User Badges:

Interesting fact :


When the DSCP is 0 because I SET IT at 0, the packet goes to the right queue (queue 4). When the packet doesn't match any ACL, he keeps a DSCP at 0 BUT it goes to the wrong queue (queue 2).


What is the difference between a default DSCP 0 and a set DSCP 0 ??

Joseph W. Doherty Wed, 07/24/2013 - 07:52
User Badges:
  • Super Bronze, 10000 points or more

Disclaimer


The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.


Liability Disclaimer


In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.


Posting


Normally, I wouldn't expect to see a difference, but it might help if you post the full parts of the config that are relevant.


BTW, I think you listed the bootloader version, not the IOS version.

aurelien-bern Wed, 07/24/2013 - 08:08
User Badges:

Mayber this ^^ :

Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)



Here is the config, just like I described before :


mls qos srr-queue output dscp-map queue 1 threshold 1 48

mls qos srr-queue output dscp-map queue 2 threshold 1 25

mls qos srr-queue output dscp-map queue 3 threshold 1 10

mls qos srr-queue output dscp-map queue 4 threshold 1 0 1 2 3 4 5 6 7

mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 12 13 14 15 16

mls qos srr-queue output dscp-map queue 4 threshold 1 17 18 19 20 21 22 23 24

mls qos srr-queue output dscp-map queue 4 threshold 1 26 27 28 29 30 31 40 41

mls qos srr-queue output dscp-map queue 4 threshold 1 42 43 44 45 47

mls qos

class-map match-all IMPRESSION

match access-group name ACL_IMPRESSION

class-map match-all ANTIVIRUS

match access-group name ACL_ANTIVIRUS

class-map match-all TELEPHONIE

match access-group name ACL_TELEPHONIE

class-map match-all INTERNET

match access-group name ACL_INTERNET

class-map match-all TSE

match access-group name ACL_TSE

class-map match-all PARTAGE_DOC

match access-group name ACL_PARTAGE_DOC

class-map match-all ARCHIVAGE

match access-group name ACL_ARCHIVAGE

class-map match-all DICOM

match access-group name ACL_DICOM

class-map match-all VOICE_RECORD

match access-group name ACL_VOICE_RECORD


policy-map INPUT

class TELEPHONIE

  set dscp ef

class TSE

  set dscp ef

class VOICE_RECORD

  set dscp 25

class DICOM

  set dscp af11

class PARTAGE_DOC

  set dscp af11

class IMPRESSION

  set dscp af11

class ARCHIVAGE

  set dscp af11

class ANTIVIRUS

  set dscp default

class INTERNET

  set dscp default



interface GigabitEthernet0/1

bandwidth 2000

speed 10

srr-queue bandwidth share 1 20 60 5

srr-queue bandwidth shape 7 0 0 0

srr-queue bandwidth limit 20


interface GigabitEthernet0/2 - 24 (all interfaces except 0/1)

service-policy input INPUT


ip access-list extended ACL_ARCHIVAGE

permit tcp any any eq 10007

ip access-list extended ACL_DICOM

permit tcp any any eq 10004

ip access-list extended ACL_VOICE_RECORD

permit tcp any any eq 10002

ip access-list extended ACL_IMPRESSION

permit tcp any any eq 10006

ip access-list extended ACL_INTERNET

permit tcp any any eq www

permit tcp any any eq 443

ip access-list extended ACL_ANTIVIRUS

permit tcp any any eq 10008

ip access-list extended ACL_PARTAGE_DOC

permit tcp any any eq 10005

ip access-list extended ACL_TELEPHONIE

permit tcp any any eq 10001

ip access-list extended ACL_TSE

permit tcp any any eq 3389




In mls qos command, some DSCP I've put in the command doesn't appear in "show run", but I think it's because there are already in the right queue (tell me if I'm wrong).



I think I'll try to identify all traffic with ACL to mark it myself, it can be a good solution. But if someone have an explaination for that...


Thanks again.


Aurélien

aurelien-bern Wed, 07/24/2013 - 08:27
User Badges:

Well, 1st solution does'nt work. In fact, I don't even know if I can match any other traffic...


BUT, I put "mls qos trust dscp" on all incoming interface (gi 0/2 -24) and it seems to be working. And I also can rewrite the DSCP with the different policy I put in my last post.

Joseph W. Doherty Wed, 07/24/2013 - 08:51
User Badges:
  • Super Bronze, 10000 points or more

Disclaimer


The    Author of this posting offers the information contained within this    posting without consideration and with the reader's understanding that    there's no implied or expressed suitability or fitness for any  purpose.   Information provided is for informational purposes only and  should not   be construed as rendering professional advice of any kind.  Usage of  this  posting's information is solely at reader's own risk.


Liability Disclaimer


In    no event shall Author be liable for any damages whatsoever  (including,   without limitation, damages for loss of use, data or  profit) arising  out  of the use or inability to use the posting's  information even if  Author  has been advised of the possibility of such  damage.


Posting


I'm not totally surprised after seeing your policy.  Now I understand.  Your ingress policy allows some traffic to "fall through".  "Best practice" might be to process all traffic through your ingress policy, i.e. you might have a default class that either trusts (what appears to also be done by the separate DSCP trust interface statement) or sets DSCP to default.

aurelien-bern Wed, 07/24/2013 - 08:55
User Badges:

You mean, in the Policy-map, I need to do this :

policy-map INPUT

     class class-default

          trust dscp


And that's all ?


I'll try this.


Thank you for you help ;-)


Aurélien

Joseph W. Doherty Wed, 07/24/2013 - 10:28
User Badges:
  • Super Bronze, 10000 points or more

Disclaimer


The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.


Liability Disclaimer


In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.


Posting


You mean, in the Policy-map, I need to do this :

policy-map INPUT

     class class-default

          trust dscp


And that's all ?

Yes, something like that, but as the last class on your existing policy.

Actions

This Discussion