I am trying to create a Policy-Map to use it at the ingress of a Fastethernet interface to be able to enforce bandwidth utilization and marking for incoming packets.
One of my queues is used for VOICE. My objective for this queue is to be able to guarantee around 6 Mbps. I started using the below configuration, but after using third-party testing software (WAN Killer and Qcheck) I realized that the enforcing wasn't working, because I was reaching speeds of 90 Mbps for that particular class.
The first thing I thought about, was queueing at the egress.
As you can see, at a queueing level, I am using shaping for the PQ with 10% (10 0 0 0), so I assume all traffic should be dropped after using 10 Mbps (assuming I use a 100 Mbps port).
After not being able to explain why my shape wasn't working the way I thought, I focused on the policer.
Looking at the Burst value, I tried to modify it, but the results of my testing didn't make any sense *.
I started testing with pairs of Bandwidth/Burst and the average speed reached just didn't make any sense.
I would like to be able to predict the max. speed based on my Policers (Bandwidth/burst). Is there any way to do it?
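Worked example, added here and not part of the original post or the switch's own implementation: a single-rate token-bucket model of a policer, used to predict the average rate a test tool will measure from a rate/burst pair. It assumes the policer is a single bucket that starts full, refills at the configured rate (bits per second), holds at most the configured burst (bytes), and drops non-conforming packets (exceed-action drop); the traffic it polices is a constructed stream of 1500-byte packets at a constant offered rate. Function and variable names are the example's own.

```python
"""Token-bucket policer model (example only; assumptions: single bucket,
rate in bits/s, burst in bytes, bucket starts full, exceed-action drop)."""

from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class PoliceResult:
    conform_bytes: int
    exceed_bytes: int
    conform_pkts: int
    exceed_pkts: int

    def conform_bps(self, duration_s: float) -> float:
        """Average rate the test tool would report over the whole test."""
        return self.conform_bytes * 8 / duration_s


def police(packets: Iterable[Tuple[float, int]],
           rate_bps: float, burst_bytes: int) -> PoliceResult:
    """Run (arrival_time_s, size_bytes) packets through the bucket."""
    tokens = float(burst_bytes)  # assumption: bucket is full at t=0
    last_t = 0.0
    cb = eb = cp = ep = 0
    for t, size in packets:
        # Refill at rate_bps/8 bytes per second, never above the burst.
        tokens = min(float(burst_bytes), tokens + rate_bps / 8.0 * (t - last_t))
        last_t = t
        if size <= tokens + 1e-6:      # conform: spend tokens, forward
            tokens -= size
            cb += size
            cp += 1
        else:                           # exceed: drop, tokens untouched
            eb += size
            ep += 1
    return PoliceResult(cb, eb, cp, ep)


def constant_rate_traffic(offered_bps: float, pkt_bytes: int,
                          duration_s: float) -> List[Tuple[float, int]]:
    """Constructed probe stream: equal-sized packets at a fixed offered rate."""
    n = round(duration_s * offered_bps / (pkt_bytes * 8))
    interval = pkt_bytes * 8 / offered_bps
    return [(i * interval, pkt_bytes) for i in range(n)]


def predicted_max_bps(rate_bps: float, burst_bytes: int,
                      duration_s: float) -> float:
    """Upper bound on the average a probe of length duration_s can see:
    the bucket's initial fill is sent on top of what refills during the test."""
    return rate_bps + burst_bytes * 8 / duration_s


def run_probe(offered_bps: float, pkt_bytes: int, duration_s: float,
              rate_bps: float, burst_bytes: int) -> float:
    """Measured average (bits/s) for a constant-rate probe against the policer."""
    result = police(constant_rate_traffic(offered_bps, pkt_bytes, duration_s),
                    rate_bps, burst_bytes)
    return result.conform_bps(duration_s)


if __name__ == "__main__":
    # Constructed scenario: 90 Mbps offered, 6 Mbps policer, 1-second test.
    for burst in (8000, 1_000_000):
        measured = run_probe(90e6, 1500, 1.0, 6e6, burst)
        bound = predicted_max_bps(6e6, burst, 1.0)
        print(f"burst={burst:>8} B  measured={measured/1e6:6.2f} Mbps"
              f"  predicted max={bound/1e6:6.2f} Mbps")
```

The prediction that matters for a test tool is the last function: over a test of T seconds the average cannot exceed rate + 8*burst/T. With an 8000-byte burst the 1-second average stays at about 6.06 Mbps, but with a 1,000,000-byte burst the same 1-second test reports roughly 14 Mbps, and a shorter test reports even more; a large burst value therefore makes short measurements look as if the policer were ignoring the configured rate. Lengthening the test (or reducing the burst) brings the measurement back toward the configured rate.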
I agree with your point that if you shape 10 0 0 0, then queue 1 would be policed to 10M, but in your case, queue 1 would be used by default for DSCP values 40-47.
I have a question: is the third-party application that you use set to some DSCP value in that range, or does it fall into the default class? If there is no traffic in the other queues, the default class can utilise the entire bandwidth.
The third-party app does send the data with DSCP=0 (I confirmed that with Ethereal); however, in my input policer, I do specify "set dscp EF" for that particular class. I am able to confirm that the data is being marked EF by the policer using Ethereal.
I would suppose that before the packet is sent to the output interface, it is tagged with EF and consequently sent to PQ1 at the egress, right?
I have tested two scenarios: 1) using one Cat3750 and two PCs, and 2) using two Cat3750 (access), one Cat6500 (core/dist) and the two PCs. Same result.
None of this is making sense to me. Please provide more details after considering the following:
1. The priority-queue on the c3750 is output only, so setting a 'shape' to 10% would only affect outgoing traffic from the port, not inbound traffic. You can configure one ingress queue as the priority queue by using the 'mls qos srr-queue input priority-queue bandwidth ' global configuration command (see the docs).
2. The 'shaping' that you are describing for the priority queue is queue shaping, not a traffic shaper as if you had a policy map with a 'shape average ' command. This 'queue shaping' is outbound only and will not impact inbound traffic to the port. This is different if this is a metro c3750 on the ES ports.
3. Why are all 48 ports configured as trunks?
4. Why are you configuring portfast on each port instead of globally 'spanning-tree portfast default'?
5. What is the egress port for this switch? A Gig port or just other copper ports? Where does this traffic go from these copper ports? What is the config on the uplink or downlink ports? If this is the only switch involved in your test, then you are definitely creating an interesting test environment in which your policer is policing inbound traffic and each port is 'queue shaping' outbound traffic. I would suggest one or the other, and configure what is appropriate for what you need rather than configuring what looks like everything and trying to find out what works. I've been down this road; you will never get it exactly the way you want it.
6. Why on earth are the burst parameters so high on your config example? In most cases you should just configure the average and have the switch determine the appropriate burst values.
7. Why are you using access-lists for matching voice traffic? Your ACL matching UDP ports from 16384 to 32767 has two huge problems: first, there is no guarantee that the UDP packet is voice (many worms use ports in that range); second, RTP traffic only uses even port numbers, not odd; odd port numbers are SRTP signalling packets. I want to be on your network: if I configure my laptop to trunk and send my eDonkey traffic on UDP port 16999, I will have high priority! At least include the destination IP of the Call Manager and voice gateways in the ACL to be more restrictive.
8. Why aren't you trusting the end device, like an IP phone, rather than trying to re-write the IP DSCP value using an ACL? The best practice is that the switch ports be configured (using auto qos or not) to use CDP to allow access to the voice VLAN and NOT to use a trunk (the IP phone will tag the voice traffic using dot1q for the voice VLAN and the port will never 'trunk').
9. There are significant restrictions on how you can apply QoS policies to the switch ports on the ASIC based Catalyst platforms, including policing granularity, number of TCAM entries required, number of match statements per class, number of classes, etc.
10. Last, can you provide the IOS version and switch model that you are using?
I will provide some more advise once I understand the above information.
1. My main question is about input policers, although, if the packet is being marked at the ingress (I can confirm this), why isn't this being limited to 10% at the egress? Better, why isn't the traffic being limited to 6M at the ingress with the policy-map?
3. This is a copy-and-paste typo. Voice VLANs are only supported on access ports.
4. The Port Fast feature is automatically enabled when voice VLAN is configured.
5. Copper-to-copper. No uplinks are involved at this time, but they will be once the policers are tested and operational. Thanks for the suggestion, but this is required for SLAs. We need to make the switch limit the ingress traffic at a certain rate.
6. You are asking me the question I originally asked. That's what I want to know: "What would be the right combination of bandwidth/burst?"
7. Thanks for the suggestion, but involving the Call Manager and VG IP addresses in the access-list would exclude the traffic between the IP phones themselves (not to mention that the protocol is different: SCCP). If anything, I could include the voice VLANs defined, which still doesn't cover me against your eDonkey.
8. There will be more applications defined. If you trust at a port level, you cannot apply a port policy-map. So, in order to support a policy-map, I would have to trust within the voice class (RTP); the savings in configuration lines would be negligible, don't you think?
9. Yep, 256 policers per ASIC and no more than 64 per port; not the case here though. I believe we have 2 ASICs, so I think I am in range; you can use 10 policers per port max. Of course I won't go this far, but I'll be aware.