07-24-2013 01:59 AM - edited 03-07-2019 02:33 PM
Hi everyone,
I've a small issue with my QoS Policy. I'm working on a C3560X-24T-L (or 48T-L), which is located on the LAN of a customer, and I want to do this :
- on all interfaces, except Gi0/1, I need to classify all the traffic :
  - Voice & TSE : DSCP 46
  - Some critical application : DSCP 25
  - Some customer application, not so critical : DSCP 10
  - Other stuff (Internet...) : DSCP 0
- on the output interface, I limit the bandwidth to 2Mbps (because there is a 2Mbps SDSL link and "I" want to classify and police the traffic, not the ISP), and I shape and share the traffic I've marked before as I want (srr-queue bandwidth share 1 20 60 5 and srr-queue bandwidth shape 7 0 0 0).
I checked with Wireshark and with "show" commands on the switch : all the packets are marked well (in dscp: outgoing for example)...
My dscp-output-q is ok too :
Dscp-outputq-threshold map:
  d1 :d2    0     1     2     3     4     5     6     7     8     9
  ------------------------------------------------------------
   0 :    04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01
   1 :    03-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01
   2 :    04-01 04-01 04-01 04-01 04-01 02-01 04-01 04-01 04-01 04-01
   3 :    04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01
   4 :    04-01 04-01 04-01 04-01 04-01 04-01 01-01 04-01 01-01 04-01
   5 :    04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01
   6 :    04-01 04-01 04-01 04-01
btw, I've the correct command : mls qos srr-queue output dscp-map queue 4 threshold 1 0
BUT, and here is the problem : when I generate some DSCP 0 traffic, it's absolutely not going in queue 4 (or queue 3 in sh mls qos interface statistics), but in queue 2 (or queue 1 in sh mls qos interface statistics). I tried to change the DSCP of the generated traffic (like 54), and it works well : it goes in queue 4 (or 3) like I want. But I absolutely want all the DSCP 0 traffic to go in queue 4, because queue 2 is reserved for critical data.
I can't explain why I have this behavior for this DSCP 0...
Thanks a lot for your future help.
Regards,
Aurélien
07-24-2013 02:52 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
What IOS version and might your other traffic have L2 CoS? If the latter, what's your CoS to DSCP map?
07-24-2013 05:19 AM
Thank you for the answer.
IOS version : 12.2(53r)SE2
I do not use L2 CoS, and the mapping is the default mapping. To mark the traffic, I use this kind of method :
1) ACL to match traffic
ip access-list extended TSE
 permit tcp any any eq 3389
ip access-list extended XXX
 permit tcp any any eq XXX
...
2) Class-map
class-map match-all TSE
 match access-group name TSE
...
3) Policy-map
policy-map INPUT
 class TSE
  set dscp ef
 class ...
  set dscp ...
...
4) Applying on all interfaces except the output
interface range gi 0/2 - 24
 service-policy input INPUT
Then, for the output, I use this method :
1) Mapping DSCP to queue
mls qos srr-queue output dscp-map queue 1 threshold 1 46 48
mls qos srr-queue output dscp-map queue 2 threshold 1 25
...
mls qos srr-queue output dscp-map queue 4 threshold 1 0 1 2 3 4 5 6 7
...
2) Shaping & Sharing on the output interface
int gi 0/1
 srr-queue bandwidth shape 7 0 0 0
 srr-queue bandwidth share 1 20 60 5
To have this distribution :
- queue 1 : 15%
- queue 2 : 20%
- queue 3 : 60%
- queue 4 : 5%
I have not yet changed buffers & thresholds for the different queues (with "mls qos queue-set output 1...").
And, even if I put DSCP 0 on queue 4, when I generate some DSCP 0 traffic, it goes in queue 2 (queue 2 counters increase, not the others).
Thanks again.
07-24-2013 07:38 AM
Interesting fact :
When the DSCP is 0 because I SET IT at 0, the packet goes to the right queue (queue 4). When the packet doesn't match any ACL, it keeps a DSCP at 0 BUT it goes to the wrong queue (queue 2).
What is the difference between a default DSCP 0 and a set DSCP 0 ??
07-24-2013 07:52 AM
Normally, I wouldn't expect to see a difference, but it might help if you post the full parts of the config that are relevant.
BTW, I think you listed the bootloader version, not the IOS version.
07-24-2013 08:08 AM
Maybe this ^^ :
Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
Here is the config, just like I described before :
mls qos srr-queue output dscp-map queue 1 threshold 1 48
mls qos srr-queue output dscp-map queue 2 threshold 1 25
mls qos srr-queue output dscp-map queue 3 threshold 1 10
mls qos srr-queue output dscp-map queue 4 threshold 1 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 12 13 14 15 16
mls qos srr-queue output dscp-map queue 4 threshold 1 17 18 19 20 21 22 23 24
mls qos srr-queue output dscp-map queue 4 threshold 1 26 27 28 29 30 31 40 41
mls qos srr-queue output dscp-map queue 4 threshold 1 42 43 44 45 47
mls qos

class-map match-all IMPRESSION
 match access-group name ACL_IMPRESSION
class-map match-all ANTIVIRUS
 match access-group name ACL_ANTIVIRUS
class-map match-all TELEPHONIE
 match access-group name ACL_TELEPHONIE
class-map match-all INTERNET
 match access-group name ACL_INTERNET
class-map match-all TSE
 match access-group name ACL_TSE
class-map match-all PARTAGE_DOC
 match access-group name ACL_PARTAGE_DOC
class-map match-all ARCHIVAGE
 match access-group name ACL_ARCHIVAGE
class-map match-all DICOM
 match access-group name ACL_DICOM
class-map match-all VOICE_RECORD
 match access-group name ACL_VOICE_RECORD

policy-map INPUT
 class TELEPHONIE
  set dscp ef
 class TSE
  set dscp ef
 class VOICE_RECORD
  set dscp 25
 class DICOM
  set dscp af11
 class PARTAGE_DOC
  set dscp af11
 class IMPRESSION
  set dscp af11
 class ARCHIVAGE
  set dscp af11
 class ANTIVIRUS
  set dscp default
 class INTERNET
  set dscp default

interface GigabitEthernet0/1
 bandwidth 2000
 speed 10
 srr-queue bandwidth share 1 20 60 5
 srr-queue bandwidth shape 7 0 0 0
 srr-queue bandwidth limit 20
interface GigabitEthernet0/2 - 24 (all interfaces except 0/1)
 service-policy input INPUT

ip access-list extended ACL_ARCHIVAGE
 permit tcp any any eq 10007
ip access-list extended ACL_DICOM
 permit tcp any any eq 10004
ip access-list extended ACL_VOICE_RECORD
 permit tcp any any eq 10002
ip access-list extended ACL_IMPRESSION
 permit tcp any any eq 10006
ip access-list extended ACL_INTERNET
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended ACL_ANTIVIRUS
 permit tcp any any eq 10008
ip access-list extended ACL_PARTAGE_DOC
 permit tcp any any eq 10005
ip access-list extended ACL_TELEPHONIE
 permit tcp any any eq 10001
ip access-list extended ACL_TSE
 permit tcp any any eq 3389
In the mls qos command, some DSCPs I've put in the command don't appear in "show run", but I think it's because they are already in the right queue (tell me if I'm wrong).
I think I'll try to identify all traffic with ACL to mark it myself, it can be a good solution. But if someone has an explanation for that...
Thanks again.
Aurélien
07-24-2013 08:10 AM
Ports 1000X are just here for testing, it's not a mistake
07-24-2013 08:27 AM
Well, 1st solution doesn't work. In fact, I don't even know if I can match any other traffic...
BUT, I put "mls qos trust dscp" on all incoming interfaces (gi 0/2 -24) and it seems to be working. And I also can rewrite the DSCP with the different policy I put in my last post.
07-24-2013 08:51 AM
I'm not totally surprised after seeing your policy. Now I understand. Your ingress policy allows some traffic to "fall through". "Best practice" might be to process all traffic through your ingress policy, i.e. you might have a default class that either trusts (what appears to also be done by the separate DSCP trust interface statement) or sets DSCP to default.
07-24-2013 08:55 AM
You mean, in the Policy-map, I need to do this :
policy-map INPUT
 class class-default
  trust dscp
And that's all ?
I'll try this.
Thank you for your help ;-)
Aurélien
07-24-2013 10:28 AM
You mean, in the Policy-map, I need to do this :
policy-map INPUT
 class class-default
  trust dscp
And that's all ?
Yes, something like that, but as the last class on your existing policy.
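The check described in the final reply, as an added example that is not part of the thread and not Cisco tooling: a small Python lint that flags every input service-policy whose last class is not a class-default carrying a set or trust action, so unmatched traffic cannot fall through unmarked. It assumes the config is indented as in "show running-config" output; both sample configs are constructed from the policy posted above, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the policy posted in the thread.
THREAD_CONFIG = """\
policy-map INPUT
 class TSE
  set dscp ef
 class INTERNET
  set dscp default
interface GigabitEthernet0/2
 service-policy input INPUT
"""
# Same sample with the catch-all class from the final reply (constructed).
FIXED_CONFIG = THREAD_CONFIG.replace(
    "interface Gig", " class class-default\n  trust dscp\ninterface Gig")
MARKING = ("set ", "trust ")  # class actions that assign or trust a DSCP

def parse_policy_maps(config):
    """Return {policy name: [(class name, [action lines]), ...]}."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"policy-map (\S+)$", line):
            current = policies.setdefault(m.group(1), [])
        elif current is not None and (m := re.match(r"class (\S+)$", line)):
            current.append((m.group(1), []))
        elif current and raw.startswith(" ") and line:
            current[-1][1].append(line)
        elif line and not raw.startswith(" "):
            current = None  # another top-level command closes the policy-map
    return policies

def fall_through(config):
    """Return (interface, policy) pairs whose input policy lacks a marking catch-all."""
    policies, findings, iface = parse_policy_maps(config), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line and not raw.startswith(" "):
            iface = None
        elif iface and (m := re.match(r"service-policy input (\S+)$", line)):
            classes = policies.get(m.group(1), [])
            name, actions = classes[-1] if classes else ("", [])
            if name != "class-default" or not any(
                    a.startswith(MARKING) for a in actions):
                findings.append((iface, m.group(1)))
    return findings

if __name__ == "__main__":
    print(fall_through(THREAD_CONFIG), fall_through(FIXED_CONFIG))
```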