cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
943
Views
0
Helpful
10
Replies

QoS : DSCP 0 not going in the right queue

aurelien-bern
Level 1
Level 1

Hi everyone,

I've a small issue with my QoS Policy. I'm working on a C3560X-24T-L (or 48T-L), which is located on the LAN of a customer, and I want to do this :

- on all interface, except Gi0/1, I need to classify all the traffic :

     - Voice & TSE : DSCP 46

     - Some critical application : DSCP 25

     - Some customer application, not so critical : DSCP 10

     - Other stuff (Internet...) : DSCP 0

- on output interface, I limit the bandwidth at 2Mbps (because there is a 2Mbps SDSL link and "I" want to classify and policy the traffic, not the ISP), and I shape and share the traffic I've marked before as I want (srr-queue bandwidth share 1 20 60 5 and srr-queue bandwidth shape 7 0 0 0).

I check with wireshark and with "show" commands on the switch : all the packets are marked well (in dscp: outgoing  for example)...

My dscp-output-q is ok too :

Dscp-outputq-threshold map:

     d1 :d2    0     1     2     3     4     5     6     7     8     9

     ------------------------------------------------------------

      0 :    04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01

      1 :    03-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01

      2 :    04-01 04-01 04-01 04-01 04-01 02-01 04-01 04-01 04-01 04-01

      3 :    04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01

      4 :    04-01 04-01 04-01 04-01 04-01 04-01 01-01 04-01 01-01 04-01

      5 :    04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01

      6 :    04-01 04-01 04-01 04-01

btw, I've the correct comment : mls qos srr-queue output dscp-map queue 4 theshold 1 0

BUT, and here is the problem : when I generate some DSCP 0 traffic, it's absolutely not going in queue 4 (or queue 3 in sh mls qos interface statistics), but is queue 2 (or queue 1 in sh mls qos interface statistics). I tried to change the DSCP of the traffic generate (like 54), and it works well : it goes in queue 4 (or 3) like I want. But I absolutely want all the DSCP 0 traffic to go in queue 4, because queue 2 is reserved for critical data.

I can't explain why I have this behavior for this DSCP 0...

Thanks a lot for your future help.

Regards,

Aurélien

10 Replies 10

Joseph W. Doherty
Hall of Fame
Hall of Fame

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

What IOS version and might your other traffic have L2 CoS?  If the latter, what's your CoS to DSCP map?

Thank you for the answer.

IOS version : 12.2(53r)SE2

I do not use L2 CoS, and the mapping is the default mapping. To mark the traffic, I use this kind of method :

1) ACL to match traffic

access-list extended TSE

     permit tcp any any eq 3389

access-list extended XXX

     permit tcp any any eq XXX

...

2) Class-map

class-map match-all TSE

     match access-group TSE

...

3) Policy-map

policy-map INPUT

     class TSE

          set dscp ef

     class ...

          set dscp ...

...

4) Applying on all interfaces except the output

interface range gi 0/2 - 24

     service policy input INPUT

Then, for the output, I use this method :

1) Mapping DSCP to queue

mls qos srr-queue output dscp-map queue 1 threshold 1 46 48

mls qos srr-queue output dscp-map queue 2 threshold 1 25

...

mls qos srr-queue output dscp-map queue 4 threshold 0 1 2 3 4 5 6 7

...

2) Shaping & Sharing on the output interface

int gi 0/1

     srr-queue bandwidth shape 7 0 0 0

     srr-queue bandwidth share 1 20 60 5

To have this distribution :

- queue 1 : 15%

- queue 2 : 20%

- queue 3 : 60%

- queue 4 : 5%

I have not yet change buffers & threshold for the differents queues (with "mls qos queue-set output 1...").

And, even if I put DSCP 0 on queue 4, when I generate some DSCP 0 traffic, it goes in queue 2 (queue 2 counters increase, not the others).

Thanks again.

Interesting fact :

When the DSCP is 0 because I SET IT at 0, the packet goes to the right queue (queue 4). When the packet doesn't match any ACL, he keeps a DSCP at 0 BUT it goes to the wrong queue (queue 2).

What is the difference between a default DSCP 0 and a set DSCP 0 ??

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

Normally, I wouldn't expect to see a difference, but it might help if you post the full parts of the config that are relevant.

BTW, I think you listed the bootloader version, not the IOS version.

Mayber this ^^ :

Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)

Here is the config, just like I described before :

mls qos srr-queue output dscp-map queue 1 threshold 1 48

mls qos srr-queue output dscp-map queue 2 threshold 1 25

mls qos srr-queue output dscp-map queue 3 threshold 1 10

mls qos srr-queue output dscp-map queue 4 threshold 1 0 1 2 3 4 5 6 7

mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 12 13 14 15 16

mls qos srr-queue output dscp-map queue 4 threshold 1 17 18 19 20 21 22 23 24

mls qos srr-queue output dscp-map queue 4 threshold 1 26 27 28 29 30 31 40 41

mls qos srr-queue output dscp-map queue 4 threshold 1 42 43 44 45 47

mls qos

class-map match-all IMPRESSION

match access-group name ACL_IMPRESSION

class-map match-all ANTIVIRUS

match access-group name ACL_ANTIVIRUS

class-map match-all TELEPHONIE

match access-group name ACL_TELEPHONIE

class-map match-all INTERNET

match access-group name ACL_INTERNET

class-map match-all TSE

match access-group name ACL_TSE

class-map match-all PARTAGE_DOC

match access-group name ACL_PARTAGE_DOC

class-map match-all ARCHIVAGE

match access-group name ACL_ARCHIVAGE

class-map match-all DICOM

match access-group name ACL_DICOM

class-map match-all VOICE_RECORD

match access-group name ACL_VOICE_RECORD

policy-map INPUT

class TELEPHONIE

  set dscp ef

class TSE

  set dscp ef

class VOICE_RECORD

  set dscp 25

class DICOM

  set dscp af11

class PARTAGE_DOC

  set dscp af11

class IMPRESSION

  set dscp af11

class ARCHIVAGE

  set dscp af11

class ANTIVIRUS

  set dscp default

class INTERNET

  set dscp default

interface GigabitEthernet0/1

bandwidth 2000

speed 10

srr-queue bandwidth share 1 20 60 5

srr-queue bandwidth shape 7 0 0 0

srr-queue bandwidth limit 20

interface GigabitEthernet0/2 - 24 (all interfaces except 0/1)

service-policy input INPUT

ip access-list extended ACL_ARCHIVAGE

permit tcp any any eq 10007

ip access-list extended ACL_DICOM

permit tcp any any eq 10004

ip access-list extended ACL_VOICE_RECORD

permit tcp any any eq 10002

ip access-list extended ACL_IMPRESSION

permit tcp any any eq 10006

ip access-list extended ACL_INTERNET

permit tcp any any eq www

permit tcp any any eq 443

ip access-list extended ACL_ANTIVIRUS

permit tcp any any eq 10008

ip access-list extended ACL_PARTAGE_DOC

permit tcp any any eq 10005

ip access-list extended ACL_TELEPHONIE

permit tcp any any eq 10001

ip access-list extended ACL_TSE

permit tcp any any eq 3389

In mls qos command, some DSCP I've put in the command doesn't appear in "show run", but I think it's because there are already in the right queue (tell me if I'm wrong).

I think I'll try to identify all traffic with ACL to mark it myself, it can be a good solution. But if someone have an explaination for that...

Thanks again.

Aurélien

Ports 1000X are just here for testing, it's not a mistake

Well, 1st solution does'nt work. In fact, I don't even know if I can match any other traffic...

BUT, I put "mls qos trust dscp" on all incoming interface (gi 0/2 -24) and it seems to be working. And I also can rewrite the DSCP with the different policy I put in my last post.

Disclaimer

The    Author of this posting offers the information contained within this    posting without consideration and with the reader's understanding that    there's no implied or expressed suitability or fitness for any  purpose.   Information provided is for informational purposes only and  should not   be construed as rendering professional advice of any kind.  Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In    no event shall Author be liable for any damages whatsoever  (including,   without limitation, damages for loss of use, data or  profit) arising  out  of the use or inability to use the posting's  information even if  Author  has been advised of the possibility of such  damage.

Posting

I'm not totally surprised after seeing your policy.  Now I understand.  Your ingress policy allows some traffic to "fall through".  "Best practice" might be to process all traffic through your ingress policy, i.e. you might have a default class that either trusts (what appears to also be done by the separate DSCP trust interface statement) or sets DSCP to default.

You mean, in the Policy-map, I need to do this :

policy-map INPUT

     class class-default

          trust dscp

And that's all ?

I'll try this.

Thank you for you help ;-)

Aurélien

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

You mean, in the Policy-map, I need to do this :

policy-map INPUT

     class class-default

          trust dscp

And that's all ?

Yes, something like that, but as the last class on your existing policy.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: