Cisco Support Community

Aggregate Policer

In CatOS, when you want to apply QOS on voice traffic, and also apply a policer, is it necessary to apply the policer in every ACL entry, or is it enough to apply it on one of the ACL entries and specify the source/destination address as "any"?

Case 1:

set qos acl ip CCM dscp 26 aggregate Policer tcp any range 2000 2002 any

set qos acl ip CCM dscp 26 aggregate Policer udp any eq 1719 any

set qos acl ip CCM dscp 26 aggregate Policer udp any any eq 1719

Case 2:

set qos acl ip CCM dscp 26 tcp any range 2000 2002 any

set qos acl ip CCM dscp 26 udp any eq 1719 any

set qos acl ip CCM dscp 26 udp any any eq 1719

set qos acl ip CCM dscp 26 aggregate Policer any

6 REPLIES

Re: Aggregate Policer

The answer depends on requirements.

If the requirement is to mark dscp 26 AND police skinny traffic from CCM, and ras in both directions, then Case 1 is correct.

Consider that in case 2, your entry for skinny will be matched before the policer line. So you effectively mark dscp 26 the skinny and ras traffic, but you only police all non-skinny and non-ras traffic.

So here's another example Case 3:

set qos acl ip CCM dscp 26 aggregate Policer any

set qos acl ip CCM dscp 26 tcp any range 2000 2002 any

set qos acl ip CCM dscp 26 udp any eq 1719 any

set qos acl ip CCM dscp 26 udp any any eq 1719

Polices and marks all traffic. The lines for skinny and ras are never matched since the first line, the "any" line, matches all traffic.

HTH,

Michael
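
The first-match behaviour described in this reply, as an added example that is not part of the original post and not Cisco code: a simplified model of ACE lookup run over Cases 1 to 3. It handles only the `dscp N`, `aggregate`, `any`, `eq` and `range` forms used in the thread, and the sample flows (including the ephemeral port 50000) are constructed.

```python
# Constructed from the thread's Cases 1-3 (same ACL name, policer name and match specs).
MATCHES = ["tcp any range 2000 2002 any", "udp any eq 1719 any", "udp any any eq 1719"]
HEAD = "set qos acl ip CCM dscp 26 "
CASES = {
    1: [HEAD + "aggregate Policer " + m for m in MATCHES],
    2: [HEAD + m for m in MATCHES] + [HEAD + "aggregate Policer any"],
    3: [HEAD + "aggregate Policer any"] + [HEAD + m for m in MATCHES],
}

def take_ports(tok):
    """Consume 'any [eq N | range A B]' and return the port interval (lo, hi)."""
    if tok.pop(0) != "any":
        raise ValueError("only 'any' addresses are modelled")
    if tok[:1] == ["eq"]:
        port = int(tok[1]); del tok[:2]
        return port, port
    if tok[:1] == ["range"]:
        lo, hi = int(tok[1]), int(tok[2]); del tok[:3]
        return lo, hi
    return 0, 65535

def parse_ace(line):
    tok = line.split()[5:]                    # drop 'set qos acl ip <name>'
    if tok.pop(0) != "dscp":
        raise ValueError("only 'dscp N' marking is modelled")
    dscp, policer = int(tok.pop(0)), None
    if tok[0] == "aggregate":
        policer = tok[1]; del tok[:2]
    proto = tok.pop(0) if tok[0] in ("tcp", "udp") else None   # None: any IP
    src = take_ports(tok)
    dst = take_ports(tok) if tok else (0, 65535)   # source-only form: bare 'any'
    return dict(dscp=dscp, policer=policer, proto=proto, src=src, dst=dst)

def classify(acl, proto, sport, dport):
    """Return (dscp, policer) from the first matching ACE, or None if none matches."""
    for ace in map(parse_ace, acl):
        if (ace["proto"] in (None, proto)
                and ace["src"][0] <= sport <= ace["src"][1]
                and ace["dst"][0] <= dport <= ace["dst"][1]):
            return ace["dscp"], ace["policer"]
    return None

# Constructed flows: skinny from CCM, RAS towards a gatekeeper, unrelated web traffic.
FLOWS = {"skinny": ("tcp", 2000, 50000), "ras": ("udp", 50000, 1719),
         "web": ("tcp", 50000, 80)}

if __name__ == "__main__":
    for n, acl in CASES.items():
        for name, flow in FLOWS.items():
            print(f"case {n} {name:6} ->", classify(acl, *flow))
```

A result with policer `None` means the flow was marked by an earlier ACE and never reached the policed line.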

Re: Aggregate Policer

Makes sense.

So if you want to police all skinny and ras traffic, you have to apply the policer in every single ACE. Also in case 3, all traffic would get remarked with dscp 26, correct? Which is not a good thing to do.

Another question:

Not able to do the following in a 6500 QOS ACL.

What I want to do is

a. police all voice signalling and voice bearer traffic if it exceeds a particular rate.

b. properly mark voice bearer and voice signalling traffic in the voice vlan to appropriate dscp values.

Assume a policer (aggregate) by the name AggPolicer is defined, that marks dscp 24,46 down to 0.

set qos policer aggregate Police rate 32000 burst 13000 policed-dscp

set qos policed-dscp-map 24,46:0

set qos acl ip Pol dscp 24 aggregate AggPolicer tcp any range 2000 2002 any

set qos acl ip Pol dscp 24 aggregate AggPolicer tcp any any eq 1718

set qos acl ip Pol dscp 24 aggregate AggPolicer tcp any any eq 1720

set qos acl ip Pol dscp 24 aggregate AggPolicer udp any eq 1719 any

set qos acl ip Pol dscp 46 aggregate AggPolicer udp any any range 16384 32767

set qos acl ip Pol dscp 24 aggregate AggPolicer tcp any any range 11000 11999

set qos acl ip Pol dscp 24 aggregate AggPolicer tcp any any range 1024 4999

set qos acl ip Pol dscp 24 aggregate AggPolicer tcp any any eq 1433

set qos acl ip Pol dscp 24 aggregate AggPolicer tcp any any eq 3372

set qos acl ip Pol dscp 24 aggregate AggPolicer udp any eq 69 any

set qos acl ip Pol dscp 24 aggregate AggPolicer tcp any any range 8002 8003

set qos acl ip Pol dscp 24 aggregate AggPolicer tcp any eq 2443 any

set qos acl ip Pol dscp 24 aggregate AggPolicer tcp any any eq 5060

set qos acl ip Pol dscp 24 aggregate AggPolicer udp any any eq 5060

When I commit this ACE, it says

"New DSCP does not match with previous value for Aggregate Policer. Failed to commit ACL"

Thoughts?

Re: Aggregate Policer

That is correct. Case 3 is for illustration only.

The marking or trust value needs to be consistent within the acl. To meet your requirements, I'd do something like the following:

set qos cos-dscp-map 0 8 16 24 32 40 48 56

set qos policed-dscp-map excess-rate 0,24,46:0

set qos policer aggregate Police rate 32000 burst 13000 policed-dscp

set qos acl ip Pol trust-cos aggregate AggPolicer tcp any range 2000 2002 any

set qos acl ip Pol trust-cos aggregate AggPolicer tcp any any eq 1718

set qos acl ip Pol trust-cos aggregate AggPolicer tcp any any eq 1720

set qos acl ip Pol trust-cos aggregate AggPolicer udp any eq 1719 any

set qos acl ip Pol trust-cos aggregate AggPolicer udp any any range 16384 32767

set qos acl ip Pol trust-cos aggregate AggPolicer tcp any any range 11000 11999

set qos acl ip Pol trust-cos aggregate AggPolicer tcp any any range 1024 4999

set qos acl ip Pol trust-cos aggregate AggPolicer tcp any any eq 1433

set qos acl ip Pol trust-cos aggregate AggPolicer tcp any any eq 3372

set qos acl ip Pol trust-cos aggregate AggPolicer udp any eq 69 any

set qos acl ip Pol trust-cos aggregate AggPolicer tcp any any range 8002 8003

set qos acl ip Pol trust-cos aggregate AggPolicer tcp any eq 2443 any

set qos acl ip Pol trust-cos aggregate AggPolicer tcp any any eq 5060

set qos acl ip Pol trust-cos aggregate AggPolicer udp any any eq 5060

Of course, this assumes that the appropriate trusts (trust-cos or trust-dscp) are set up on ports/vlans to enable cos-dscp and dscp-cos mappings to occur.

All that said, I'd be surprised at a requirement to aggregate all bearer and voice in the same policer. It would make more sense to limit control and bearer separately with different aggregate values.

Michael

Re: Aggregate Policer

I originally had it configured with a trust-cos setting, then a question hit me.

a. phone ports will have cos values coming in on the dot1q frames.

b. Gateway, Callmanager, Unity, VG248 etc. will not have cos values coming in on the frames (untagged). What's the point in trusting cos on those ports? It would make sense to trust dscp on those ports or remark incoming packets with dscp 26/24 or 46 depending upon type of traffic. But some 6500 series line cards do not support trusting DSCP at the port level (6348s).

Another workaround I found is to define two sets of Policers with the same rate (or different rates in real world scenarios)

set qos policer aggregate AggPolicer24 rate 32000 burst 13000 policed-dscp

set qos policer aggregate AggPolicer46 rate 32000 burst 13000 policed-dscp

set qos acl ip Pol dscp 24 aggregate AggPolicer24 tcp any range 2000 2002 any

set qos acl ip Pol dscp 24 aggregate AggPolicer24 tcp any any eq 1718

set qos acl ip Pol dscp 24 aggregate AggPolicer24 tcp any any eq 1720

set qos acl ip Pol dscp 24 aggregate AggPolicer24 udp any eq 1719 any

set qos acl ip Pol dscp 46 aggregate AggPolicer46 udp any any range 16384 32767

set qos acl ip Pol dscp 24 aggregate AggPolicer24 tcp any any range 11000 11999

set qos acl ip Pol dscp 24 aggregate AggPolicer24 tcp any any range 1024 4999

set qos acl ip Pol dscp 24 aggregate AggPolicer24 tcp any any eq 1433

set qos acl ip Pol dscp 24 aggregate AggPolicer24 tcp any any eq 3372

set qos acl ip Pol dscp 24 aggregate AggPolicer24 udp any eq 69 any

set qos acl ip Pol dscp 24 aggregate AggPolicer24 tcp any any range 8002 8003

set qos acl ip Pol dscp 24 aggregate AggPolicer24 tcp any eq 2443 any

set qos acl ip Pol dscp 24 aggregate AggPolicer24 tcp any any eq 5060

set qos acl ip Pol dscp 24 aggregate AggPolicer24 udp any any eq 5060
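
The commit error quoted earlier in the thread and the two-policer workaround above, as an added example (not code from any poster and not Cisco's): a pre-commit lint that flags an aggregate policer referenced with more than one marking action. That the switch enforces exactly this rule is an assumption drawn from the quoted error text; the three configs are shortened, constructed excerpts of the ones posted.

```python
import re
from collections import defaultdict

# Matches only ACEs that reference an aggregate policer; marking is 'dscp N' or 'trust-*'.
ACE = re.compile(r"set qos acl ip (\S+) (dscp \d+|trust-\S+) aggregate (\S+) (.+)")

def policer_conflicts(config):
    """Return {policer: {marking: [match specs]}} for policers used with >1 marking."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in config.strip().splitlines():
        m = ACE.match(line.strip())
        if m:
            _acl, marking, policer, spec = m.groups()
            seen[policer][marking].append(spec)
    return {p: dict(marks) for p, marks in seen.items() if len(marks) > 1}

# Constructed excerpt of the config that failed to commit: one policer, dscp 24 and 46.
ORIGINAL = """
set qos acl ip Pol dscp 24 aggregate AggPolicer tcp any range 2000 2002 any
set qos acl ip Pol dscp 24 aggregate AggPolicer udp any eq 1719 any
set qos acl ip Pol dscp 46 aggregate AggPolicer udp any any range 16384 32767
"""
# The trust-cos variant: a single marking action for the shared policer.
TRUST_COS = ORIGINAL.replace("dscp 24", "trust-cos").replace("dscp 46", "trust-cos")
# The two-policer workaround: each policer is tied to exactly one DSCP value.
SPLIT = (ORIGINAL.replace("dscp 24 aggregate AggPolicer", "dscp 24 aggregate AggPolicer24")
                 .replace("dscp 46 aggregate AggPolicer", "dscp 46 aggregate AggPolicer46"))

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("trust-cos", TRUST_COS), ("split", SPLIT)):
        print(label, "->", policer_conflicts(cfg) or "no conflicts")
```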

Re: Aggregate Policer

True, but in those cases, i.e. call-manager, unity, vg248, and the like, you can trust dscp at the vlan level and trust-cos on the IP-phone ports. Let the cos-dscp and dscp-cos maps handle re-marking before policer treatment by the pfc.

So you have in this example, two policers configured, and hence two aggregates. This is what I was referring to earlier. And this approach is probably closer to the "real world." However, this approach doesn't meet your original requirement to police all voice traffic, control and bearer, to an aggregate of 32kbps.

Re: Aggregate Policer

Michael...

I'm getting back to this post a little late...

So do you agree that if the requirement is to police all voice control traffic to an aggregate of 32kbps, you have to apply the aggregate on each line of the acl?

Thanks

Sankar.
