Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1178
Views
0
Helpful
2
Replies

ACE module - Qos - set ip tos #

bshellrude
Level 1
Level 1

‎01-27-2010 01:38 PM

All,

Trying to mark traffic to/from L4 rules in the ACE.

Documentation (like always) says it's really easy.  Mark traffic by using the "set ip tos <value>" command in Policy/Class configuration.  Ok, so I do this, set ip tos 24.

Enable qos globally on the 6500 host, but don't see the traffic being marked.

sh mls qos says that packets are being modified by module 5 (ACE)

But I never see the tos value in any of my captures either via netflow from the host 6500, or at the firewall one hop away.

sh mls qos:

QoS is enabled globally
  Policy marking depends on port_trust
  QoS ip packet dscp rewrite enabled globally
  Input mode for GRE Tunnel is Pipe mode
  Input mode for MPLS is Pipe mode
QoS Trust state is CoS on the following interface:
Te3/1
QoS Trust state is DSCP on the following interface:
Gi2/3
  Vlan or Portchannel(Multi-Earl) policies supported: Yes
  Egress policies supported: Yes

----- Module [5] -----
  QoS global counters:
    Total packets: 207147888661
    IP shortcut packets: 0
    Packets dropped by policing: 0
    IP packets with TOS changed by policing: 2663386
    IP packets with COS changed by policing: 4889352
    Non-IP packets with COS changed by policing: 0
    MPLS packets with EXP changed by policing: 0

Can someone explain to me what I've got wrong here?  Is the ACE simply marking traffic destined for the servers behind it and not the return traffic?  Am I missunderstanding something?

Labels:
0 Helpful
2 Replies 2

bshellrude
Level 1
Level 1

‎01-28-2010 09:27 AM

Well... hopefully someone knows how to classify traffic coming from the ACE.

I've given up on using the ACE to mark traffic as I'm fairly certain it won't do it.  At least not the way I want.

However, now I've taken to marking ingress on the rserver switch ports... which has resulted in a partially sucessful solution.  Problem is, "partially" successful.

You'll have a bunch of little conversations like this with no tos value full of push-acks:
10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
10:29:53.555271 207.161.222.68.2828 > 205.200.114.228.http: P 3455:3686(231) ack 203152 win 65535 (DF)
10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
10:29:53.674758 207.161.222.68.2828 > 205.200.114.228.http: P 3686:4036(350) ack 203784 win 64903 (DF)
10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
10:29:53.690871 205.200.114.228.http > 207.161.222.68.2828: P 206704:208164(1460) ack 4036 win 32768
10:29:53.690879 205.200.114.228.http > 207.161.222.68.2828: P 208164:209624(1460) ack 4036 win 32768
10:29:53.690887 205.200.114.228.http > 207.161.222.68.2828: P 209624:211084(1460) ack 4036 win 32768
10:29:53.690895 205.200.114.228.http > 207.161.222.68.2828: P 211084:212544(1460) ack 4036 win 32768

But then you'll see another conversation pop up with the correct markings
10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845313 205.200.114.228.http > 207.161.222.68.2828: . 37133:38593(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845321 205.200.114.228.http > 207.161.222.68.2828: . 38593:40053(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845328 205.200.114.228.http > 207.161.222.68.2828: . 40053:41513(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845335 205.200.114.228.http > 207.161.222.68.2828: . 41513:42973(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845343 205.200.114.228.http > 207.161.222.68.2828: . 42973:44433(1460) ack 1082 win 62808 (DF) [tos 0x48]
I think what's happening, is that the conversations full of the P-acks is the load balancer communicating directly with the client (i.e. LB pretending to be the server), whereas the marked traffic is "data only" which the load balancer isn't mangling (like it might/probably is doing with the p-acks) on it's way back to the client.
I also can't modify the configuration of the "virtual ten gig" interface that the 6500 uses as a connection to the ACE module, so can't mark traffic there either.  And though I still have a couple of things to try, I don't believe I can do egress marking on a trunk from the 6500 either (connection to the firewalls).
So.... PLEASE... Anyone???  Ideas???
0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee

‎02-02-2010 01:00 AM

You can set the TOS on ACE itself with a parameter-map.

That might be easier than doing on the Cat6k itself.

The configuration guide for this command is

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/command/reference/parammap.html#wp1028391

Gilles

0 Helpful
Customers Also Viewed These Support Documents