DSCP Not Matching?

I have a handful of sites, and most of them seem to process our service policies properly. We use IPsec tunnels between sites.

From a fast ethernet interface coming from our LAN, we have a service policy that tags our Citrix traffic.

IE:

BranchSite1#sh policy-map int fa0/0

FastEthernet0/0

Service-policy input: APPLICATION-CLASS-IN

Class-map: CITRIX (match-any)

115832764 packets, 12875217022 bytes

5 minute offered rate 54000 bps, drop rate 0 bps

Match: protocol citrix

40920837 packets, 3624987967 bytes

5 minute rate 9000 bps

Match: access-group 105

74911928 packets, 9250229055 bytes

5 minute rate 41000 bps

QoS Set

dscp af23

Packets marked 115832774

Class-map: class-default (match-any)

199473388 packets, 38224786140 bytes

5 minute offered rate 218000 bps, drop rate 0 bps

Match: any

Here is the policy on our outbound WAN link.

IE:

BranchSite1#sh policy-map int multi1 output class GOLD-DATA

Multilink1

Service-policy output: WAN-EDGE-OUTPUT-SPRINT

Class-map: GOLD-DATA (match-any)

115837229 packets, 20737738338 bytes

30 second offered rate 50000 bps, drop rate 0 bps

Match: ip dscp af23 (22)

115837227 packets, 20737738110 bytes

30 second rate 50000 bps

Match: ip precedence 2

0 packets, 0 bytes

30 second rate 0 bps

Queueing

Output Queue: Conversation 267

Bandwidth 40 (%)

Bandwidth 1228 (kbps)Max Threshold 256 (packets)

(pkts matched/bytes matched) 9777025/4751777650

(depth/total drops/no-buffer drops) 0/0/0

This remote site appears to be functioning correctly. The number of packets matched by dscp af23 on both policies is the same.

At our central site, we have a slightly different router configuration. The service policies are pretty similar, but at our central site, we have the internet connections terminating on Router1, which is where the WAN-EDGE-OUTPUT-SPRINT policy lives. The IPsec tunnel terminates on Router2, with a tunnel source of a fast ethernet interface on Router1 specified. The APPLICATION-CLASS-IN policy is applied to the LAN interface on Router2.

I cleared the counters on these 2 routers at the same time. There is a huge discrepancy between what Router2 tags and what Router1 sees.

IE:

Router1#sh policy-map int multi1 output class GOLD-DATA

Multilink1

Service-policy output: WAN-EDGE-OUTPUT-SPRINT

Class-map: GOLD-DATA (match-any)

6082 packets, 1161428 bytes

5 minute offered rate 2000 bps, drop rate 0 bps

Match: ip dscp af23 (22)

6082 packets, 1161428 bytes

5 minute rate 2000 bps

Match: ip precedence 2

0 packets, 0 bytes

5 minute rate 0 bps

Queueing

Output Queue: Conversation 267

Bandwidth 45 (%)

Bandwidth 2764 (kbps)Max Threshold 256 (packets)

(pkts matched/bytes matched) 2445/468354

(depth/total drops/no-buffer drops) 0/0/0

Router2#sh policy-map int fa0/1

FastEthernet0/1

Service-policy input: APPLICATION-CLASS-IN

Class-map: CITRIX (match-any)

736618 packets, 255842309 bytes

5 minute offered rate 561000 bps, drop rate 0 bps

Match: protocol citrix

76466 packets, 38644392 bytes

5 minute rate 111000 bps

Match: access-group 105

660152 packets, 217197917 bytes

5 minute rate 433000 bps

QoS Set

dscp af23

Packets marked 736618

Class-map: class-default (match-any)

992673 packets, 249097895 bytes

5 minute offered rate 927000 bps, drop rate 0 bps

Match: any

Any ideas?
