New Member

QoS fails to police traffic - Help needed urgently

Hi All,

I have a QoS policy in place to trust dscp, using class map with acl to classify traffic and apply on Cisco Catalyst interface using service policy. I apply police on my traffic policy. I did a check and found QoS wasn't applied on any of my classified traffic using class map with acl.

Can someone help on this?

Below is my config:

mls qos
!
class-map match-any Restrict
  match access-group 100
!
policy-map Restrict_Policy
  class Restrict
    police 15000000 8000 exceed-action policed-dscp-transmit
    trust dscp
  class class-default
    trust dscp
interface GigabitEthernet0/1
  description Link to Remote_Office
  bandwidth 50000
  service-policy input Restrict_Policy
!
interface GigabitEthernet0/2 - 28
  service-policy input Restrict_Policy
access-list 100 permit tcp any host 172.18.204.130 eq 445
access-list 100 permit tcp any host 172.18.204.126 eq 445
access-list 100 permit tcp any any eq 445
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any

When I do a show policy-map inter gi0/1, I don't see any traffic (0 bytes).

I need to fix this issue because we implement QoS to curb users from sending large files and clogging up the bandwidth.

Thanks.

  • LAN Switching and Routing
12 REPLIES
Cisco Employee

Hi Bernard,

If you do "show policy-map int" command on 3750 or similar platform - then you indeed will get 0 counters as this command is not supported there (even if possible to run it).

In the 3750 switch, 'show policy-map interface' privileged EXEC command is not supported to display classification information for traffic. The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored. Although this command is allowed on the CLI, it is not supported.

More information on this case can be found on the following link:

https://supportforums.cisco.com/docs/DOC-3949

So you need to use show mls qos interface statistics

Hope this helps.

Nik

New Member

You mean there's nothing wrong in my config?

New Member

I am using cat 3560 and not cat 3750.

Cisco Employee

For 3560 it is same.

In terms of config I think it is fine. I can't elaborate on police statement because I don't know what you want to reach with it. For now you are remarking the traffic exceeding your average rate and burst to different DSCP as per your policed-DSCP map (should be configured) and send through. But the counters should be increasing if there is traffic on the ports matching ACLs.

BTW you can add log keyword to ACLs for test purposes to see if traffic is hitting it - then double check QoS policing with show mls command I gave above.

Nik

New Member

I tried logging ACL hits but it doesn't show hit count on acl. Suspect it is either my version c3560-ipservices-mz.122-35.SE5.bin or cat 3560 feature issue.

I did sh mls qos inter gi0/1 stats, it shows traffic hitting dscp 0-4 (which I believe is the class-default) and dscp 30-34 (which I believe hits my Restrict class).

I cleared the counters and did a show, and I see the counters are increasing. Looks like I have been using the wrong show command to show the hit rate of my QoS.

New Member

But one question, I did not indicate dscp value for traffic classification, how does the switch know what dscp value to assign to traffic?

Cisco Employee

Hello,

Switch has default mappings which it is using, and I guess that is map all DSCP to 0 in case of police action needed.

Just FYI policed maps are configured this way:

qos map dscp policed  DSCP_To_map_from   ..  DSCP_TO_MAP_TO

Hope this helps,

Nik

New Member

C3560(config-pmap-c)#police 15000000 8000 ?
  exceed-action  action when rate is exceeded
 

C3560(config-pmap-c)#police 15000000 8000 exceed-action ?
  drop                   drop packet
  policed-dscp-transmit  change dscp per policed-dscp map and send it

C3560(config-pmap-c)#$exceed-action policed-dscp-transmit ?
 

C3560(config-pmap-c)#$exceed-action policed-dscp-transmit

Cisco Employee

Hi Bernard,

Did not get your last update. Any question you have on it?

Nik
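
Added example (not part of the original thread and not Cisco code): a simplified token-bucket model of `police 15000000 8000` that compares the two exceed actions listed in the CLI help above, `drop` and `policed-dscp-transmit`. The 50 Mb/s packet stream, the 0-to-8 mark-down entry and the "no entry means DSCP unchanged" behaviour are assumptions made for illustration.

```python
from collections import Counter

RATE_BPS = 15_000_000   # from the thread: police 15000000 8000
BURST_BYTES = 8_000


def police(packets, exceed_action, policed_dscp_map=None):
    """Single-rate policer model. Returns (verdict, dscp_out) per packet;
    dscp_out is None when the packet is dropped."""
    remap = policed_dscp_map or {}   # assumption: no entry means DSCP unchanged
    tokens, last_us, results = BURST_BYTES, 0, []
    for arrival_us, size, dscp in packets:
        # Refill at the policed rate (bytes per microsecond), capped at the burst.
        refill = (arrival_us - last_us) * RATE_BPS // 8_000_000
        tokens = min(BURST_BYTES, tokens + refill)
        last_us = arrival_us
        if tokens >= size:
            tokens -= size
            results.append(("conform", dscp))
        elif exceed_action == "drop":
            results.append(("exceed", None))
        elif exceed_action == "policed-dscp-transmit":
            results.append(("exceed", remap.get(dscp, dscp)))
        else:
            raise ValueError(f"unknown exceed action: {exceed_action}")
    return results


def sample_stream(count=100, size=1500, gap_us=240, dscp=0):
    """Constructed input: 1500-byte packets every 240 us, i.e. 50 Mb/s."""
    return [(i * gap_us, size, dscp) for i in range(count)]


def forwarded_bytes_by_dscp(packets, results):
    """Bytes that leave the policer, grouped by outgoing DSCP."""
    totals = Counter()
    for (_, size, _), (_, dscp_out) in zip(packets, results):
        if dscp_out is not None:
            totals[dscp_out] += size
    return dict(totals)


if __name__ == "__main__":
    stream = sample_stream()
    for label, action, dscp_map in (
        ("transmit, no mark-down entry", "policed-dscp-transmit", None),
        ("transmit, 0 marked down to 8", "policed-dscp-transmit", {0: 8}),
        ("drop", "drop", None),
    ):
        print(label, forwarded_bytes_by_dscp(stream, police(stream, action, dscp_map)))
```

In this model, remarking forwards every byte of the stream whether or not a mark-down entry exists; only the `drop` action reduces what gets through the policer itself.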
