03-30-2014 04:55 AM - edited 03-04-2019 10:41 PM
I run QoS in my WAN environment. Traffic passing through the router either is tagged or gets tagged as it passes the router. QoS works fine for traffic passing through the router. My trouble is with traffic sourced at the router. TACACS, for example, is sourced with the loopback. The TACACS traffic does not get marked and uses the default-class for QoS. Is there a way to tag this type of traffic?
03-31-2014 12:15 AM
Do you have any config to share? Also, if traffic is not getting marked it should use the default class, so I can't see the problem here.
thanks
03-31-2014 05:28 AM
class-map match-any qos_ether_ef_apps_cm
 description voice video
 match access-group name qos_ether_ef_apps_acl
class-map match-any qos_wan_af21_cm
 description Burst Low Applications
 match ip dscp af21
class-map match-any qos_wan_af31_cm
 description Burst High Applications
 match ip dscp af31
class-map match-any qos_wan_ef_cm
 description Expedited Flow applications
 match ip dscp ef
class-map match-any qos_ether_af31_user_apps_cm
 description burst high user apps applied to ethernet
 match access-group name qos_ether_af31_user_apps_acl
class-map match-any qos_ether_af21_user_apps_cm
 description burst low user apps
 match access-group name qos_ether_af21_user_apps_acl
class-map match-any qos_ether_af31_mgmt_apps_cm
 description burst high mgmt apps
 match access-group name qos_ether_af31_mgmt_apps_acl
 match input-interface Loopback0
!
!
policy-map qos_ether_pm
 description ethernet interface qos policy
 class qos_ether_ef_apps_cm
  set ip dscp ef
 class qos_ether_af31_mgmt_apps_cm
  set ip dscp af31
 class qos_ether_af31_user_apps_cm
  set ip dscp af31
 class qos_ether_af21_user_apps_cm
  set ip dscp af21
policy-map qos_wan_pm_test
 description wan interface qos policy
 class qos_wan_ef_cm
  priority percent 40
 class qos_wan_af31_cm
  bandwidth remaining percent 60
 class qos_wan_af21_cm
  bandwidth remaining percent 30
 class class-default
  fair-queue
  random-detect dscp-based
  set ip dscp default
!
!
!
!
!
interface Loopback0
 service-policy input qos_ether_pm
!
interface Loopback1
 service-policy input qos_ether_pm
!
interface FastEthernet0/0
 service-policy input qos_ether_pm
!
interface Serial0/0/0
 service-policy output qos_wan_pm_test
03-31-2014 12:51 AM
Hi,
You can use local PBR to set the IP Precedence.
Regards
Alain
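Added example, not part of Alain's reply or of any configuration posted in the thread: a local PBR sketch for router-originated TACACS traffic. It assumes Loopback0 is 192.168.105.13 and the TACACS servers are 192.168.86.5 and 192.168.251.13 (addresses that appear in later posts); the names local_mgmt_acl and local_mark_rm are hypothetical.

```cisco
! Hypothetical names: local_mgmt_acl, local_mark_rm.
! Match TACACS sessions the router itself opens from Loopback0.
ip access-list extended local_mgmt_acl
 permit tcp host 192.168.105.13 host 192.168.86.5 eq tacacs
 permit tcp host 192.168.105.13 host 192.168.251.13 eq tacacs
!
route-map local_mark_rm permit 10
 match ip address local_mgmt_acl
 ! Precedence 3 (flash) writes DSCP 24 (CS3), not AF31 (DSCP 26).
 set ip precedence 3
!
! Apply the route-map to packets generated by the router itself.
ip local policy route-map local_mark_rm
!
! The WAN class in the thread matches only af31, so also accept CS3 there.
class-map match-any qos_wan_af31_cm
 match ip dscp cs3
!
! Verify with: show ip local policy
!              show route-map local_mark_rm
!              show policy-map interface Serial0/0/0 output
```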
03-31-2014 05:24 AM
PBR...I am not as familiar. I will need to read up and put a config together.
Thanks
03-31-2014 01:32 AM
Hello
Try this:
class-map match-all tacacs_cm
 match input-interface Loopback0
 match access-group name tacacs_acl
ip access-list extended tacacs_acl
 permit tcp host x.x.x.x any eq tacacs
existing policy-map xxxx
 class tacacs_cm
  set dscp xxx
res
Paul
03-31-2014 05:22 AM
I already had most of your suggestion. I added the input interface with no luck.
class-map match-any qos_ether_af31_mgmt_apps_cm
 description burst high mgmt apps
 match access-group name qos_ether_af31_mgmt_apps_acl
 match input-interface Loopback0
The class-map/policy-map has been applied to the loopback and Ethernet interfaces.
My verification is to capture traffic at my HQ WAN router. So far, the packets are not tagged.
03-31-2014 06:07 AM
Hello
Okay, I see you are using match-any; if there is a match on the first ACL it won't check the second in the CM. Can you test it using a different CM with the config I posted previously, using match-all instead?
res
Paul
03-31-2014 07:36 AM
Config below. I had the TACACS ACL entries in place for some time. The ACL takes hits for traffic passing through the router (the local switch). Interestingly, my ICMP traffic from my monitoring server (192.168.107.28) is tagged as EF. The monitoring server polls the loopback0 (192.168.105.13).
class-map match-any qos_ether_ef_apps_cm
 description voice video
 match access-group name qos_ether_ef_apps_acl
class-map match-all qos_loopback_af31_cm
 match input-interface Loopback0
class-map match-any qos_wan_af21_cm
 description Burst Low Applications
 match ip dscp af21
class-map match-any qos_wan_af31_cm
 description Burst High Applications
 match ip dscp af31
class-map match-any qos_wan_ef_cm
 description Expedited Flow applications
 match ip dscp ef
class-map match-any qos_ether_af31_user_apps_cm
 description burst high user apps applied to ethernet
 match access-group name qos_ether_af31_user_apps_acl
class-map match-any qos_ether_af21_user_apps_cm
 description burst low user apps
 match access-group name qos_ether_af21_user_apps_acl
class-map match-any qos_ether_af31_mgmt_apps_cm
 description burst high mgmt apps
 match access-group name qos_ether_af31_mgmt_apps_acl
!
end
policy-map qos_ether_pm
 description ethernet interface qos policy
 class qos_ether_ef_apps_cm
  set ip dscp ef
 class qos_ether_af31_mgmt_apps_cm
  set ip dscp af31
 class qos_ether_af31_user_apps_cm
  set ip dscp af31
 class qos_ether_af21_user_apps_cm
  set ip dscp af21
 class qos_loopback_af31_cm
  set ip dscp af31
policy-map qos_wan_pm_test
 description wan interface qos policy
 class qos_wan_ef_cm
  priority percent 40
 class qos_wan_af31_cm
  bandwidth remaining percent 60
 class qos_wan_af21_cm
  bandwidth remaining percent 30
 class class-default
  fair-queue
  random-detect dscp-based
  set ip dscp default
Extended IP access list qos_ether_af31_mgmt_apps_acl
    40 permit tcp any host 192.168.86.5 eq tacacs
    50 permit tcp any host 192.168.251.13 eq tacacs (3945 matches)
Extended IP access list qos_ether_ef_apps_acl
    40 permit ip any 192.168.107.0 0.0.0.255 (2498861 matches)
03-31-2014 07:53 AM
Hello
I can see traffic hitting your ACL to the loopback from any source; however, I was of the understanding that you want to mark traffic originating from the loopback also?
ip access-list extended qos_ether_af31_mgmt_apps_acl
 45 permit tcp host 192.168.251.13 any eq tacacs
res
Paul