service-policy does not match any packets

bwilks
Level 1

Hi, I am trying to limit Internet traffic flooding the link by policing it, but I cannot get it to match any packets on interface ATM0.1.

Any ideas? Thanks

class-map match-any VOICE
match  dscp ef
match  dscp cs3
match  dscp af41
match access-group name VOICE
match access-group name VOICE-CONTROL

policy-map POLICING_INBOUND
class VOICE
   police cir 256000 bc 65536 be 65536
     conform-action transmit
     exceed-action transmit
     violate-action transmit
class class-default
    police 1408000 8000 8000 conform-action transmit  exceed-action drop  violate-action drop

interface ATM0.1 point-to-point
pvc 8/35
  vbr-nrt 512 512
  tx-ring-limit 2
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  service-policy input POLICING_INBOUND
  service-policy output VOICEWAN

sh policy-map interface atM 0.1 vc 8/35 input
ATM0.1: VC 8/35 -

  Service-policy input: POLICING_INBOUND

    Class-map: VOICE (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match:  dscp ef (46)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match:  dscp cs3 (24)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match:  dscp af41 (34)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: access-group name VOICE
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: access-group name VOICE-CONTROL
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 256000 bps, bc 65536 bytes, be 65536 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        violated 0 packets, 0 bytes; actions:
          transmit
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      police:
          cir 1408000 bps, bc 8000 bytes, be 8000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps
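Two things stand out in the output above: every class, including class-default ("Match: any"), counts 0 packets, so the input policy is not seeing any traffic at all rather than failing to classify it; and the VOICE policer has transmit for all three actions, so even when it does match it only counts. The following model is an added illustration (not IOS code, not posted by anyone in the thread) of what the two `police` statements in POLICING_INBOUND would do to traffic once packets did reach them. `police cir bc be` with conform/exceed/violate actions is modelled as a colour-blind single-rate three-colour marker (RFC 2697); IOS's internal token accounting differs in detail, so the counts are indicative. The packet stream is constructed.

```python
"""Model of the two `police` statements in POLICING_INBOUND.

Added illustration, not IOS code: `police cir bc be` with conform/exceed/
violate actions is modelled as a colour-blind single-rate three-colour
marker (RFC 2697): a committed bucket of bc bytes and an excess bucket of
be bytes, both fed from cir, the excess bucket only topped up by overflow
from the committed one. The packet stream is constructed.
"""
from dataclasses import dataclass, field

COLOURS = ("conform", "exceed", "violate")


@dataclass
class Policer:
    cir_bps: int
    bc_bytes: int
    be_bytes: int
    actions: tuple                     # action per colour: "transmit" or "drop"
    tc: float = field(init=False)      # committed tokens (bytes)
    te: float = field(init=False)      # excess tokens (bytes)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tc = float(self.bc_bytes)
        self.te = float(self.be_bytes)

    def _refill(self, t):
        # Tokens accrue at cir/8 bytes per second into Tc; overflow spills into Te.
        self.tc += (t - self.last_t) * self.cir_bps / 8.0
        self.last_t = t
        if self.tc > self.bc_bytes:
            self.te = min(float(self.be_bytes), self.te + (self.tc - self.bc_bytes))
            self.tc = float(self.bc_bytes)

    def colour(self, t, size):
        self._refill(t)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "violate"


def run_policer(policer, packets):
    """Feed (time_s, size_bytes) packets through a policer.

    Returns (per-colour counts, packets transmitted, packets dropped)."""
    counts = dict.fromkeys(COLOURS, 0)
    transmitted = dropped = 0
    for t, size in packets:
        c = policer.colour(t, size)
        counts[c] += 1
        if policer.actions[COLOURS.index(c)] == "transmit":
            transmitted += 1
        else:
            dropped += 1
    return counts, transmitted, dropped


def constant_rate_stream(rate_bps, size_bytes, n_packets):
    """Constructed traffic: n evenly spaced packets of one size at a fixed bit rate."""
    interval = size_bytes * 8 / rate_bps
    return [(i * interval, size_bytes) for i in range(n_packets)]


# The two policers exactly as configured in the thread
# (`police 1408000 8000 8000` is cir/bc/be positional shorthand).
VOICE_POLICER = dict(cir_bps=256000, bc_bytes=65536, be_bytes=65536,
                     actions=("transmit", "transmit", "transmit"))
DEFAULT_POLICER = dict(cir_bps=1408000, bc_bytes=8000, be_bytes=8000,
                       actions=("transmit", "drop", "drop"))


def demo():
    # 200 x 1500-byte packets at 2 Mbit/s (1.2 s), i.e. well above the 1408 kbit/s cir.
    bulk = constant_rate_stream(2_000_000, 1500, 200)
    return {
        "class-default": run_policer(Policer(**DEFAULT_POLICER), bulk),
        "VOICE": run_policer(Policer(**VOICE_POLICER), bulk),
    }


if __name__ == "__main__":
    for name, (counts, tx, drop) in demo().items():
        print(f"{name}: {counts} transmitted={tx} dropped={drop}")
```

Running it shows the class-default policer passing roughly cir worth of the 2 Mbit/s burst (the 8000-byte bc and be buckets are exhausted within the first few packets, after which roughly one packet in four is violated and dropped), while the same burst through the VOICE policer is transmitted in full because every colour's action is transmit. Note that in both cases the dropped packets have already crossed the ADSL link; the policer only decides what happens after they arrive.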

6 Replies

Calin C.
Level 5

Hello,

I'm sorry, but you have a problem understanding the QoS concept in general.

First, you try to match some packets that apparently are coming from your WAN connection. This is hard to do because you don't know if the provider trusts the packets, remarks them or just clears any marking that was applied. Maybe that's why you don't get any match.

Second, you apply policing on that VOICE class, which according to the majority of network engineers out there and Cisco, is wrong. You should never limit voice packets with police. This will lead to voice degradation.

Third, you apply that policy inbound. The packet is already on your input interface. You cannot influence how it travels until there; you just drop packets over a certain limit, established in the policy-map.

Don't get me wrong, you can do inbound policing, but you have to define what you want to do, based on what destination (in the LAN) the packets arriving from the WAN have. Please redefine your expectations from this configuration and let us know. "I'm trying to limit Internet traffic flooding the link" is not an explanation and logically is wrong. If somebody runs a DDoS against you, the traffic is already on your interface; there is nothing left to limit anymore. The limitation has to be done by the previous hop on the packet path.

Cheers,

Calin

Hi Calin,

Maybe a little more information might help. I have attached a network map; basically I want to minimize the effect on inter-office voice from users downloading/web browsing from the Internet.

I find that if I ask in too much detail I get no response, so I was trying to be specific and break it down.

First, you try to match some packets that apparently are coming from your WAN connection. This is hard to do because you don't know if the provider trusts the packets, remarks them or just clears any marking that was applied. Maybe that's why you don't get any match.

There are three sites connected via VPN tunnels; the packets are marked before leaving and arrive intact.

Second, you apply policing on that VOICE class, which according to the majority of network engineers out there and Cisco, is wrong. You should never limit voice packets with police. This will lead to voice degradation.

The VOICE class is used in the egress service-policy output VOICEWAN; I am just reusing it.

I am not dropping the voice (match and transmit); how else can I match all other unknown Internet traffic?

Third, you apply that policy inbound. The packet is already on your input interface. You cannot influence how it travels until there; you just drop packets over a certain limit, established in the policy-map.

Do I have any other option for unknown Internet traffic other than policing it?

Cheers


Hello

Maybe a little more information might help. I have attached a network map; basically I want to minimize the effect on inter-office voice from users downloading/web browsing from the Internet.

I find that if I ask in too much detail I get no response, so I was trying to be specific and break it down.

It's good to minimize, but the important details should be there.

There are three sites connected via VPN tunnels; the packets are marked before leaving and arrive intact.

Where is your L3 interface? I assume on the tunnels. If you apply there an inbound rule that matches the marked packets, can you see the counters increasing?

The VOICE class is used in the egress service-policy output VOICEWAN; I am just reusing it.

You have a VOICE class that you use in the policy POLICING_INBOUND, which is applied inbound to this interface. Am I missing something? I don't know what your VOICEWAN policy is, but for sure you use the VOICE class inbound.

interface ATM0.1 point-to-point
pvc 8/35
  vbr-nrt 512 512
  tx-ring-limit 2
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  service-policy input POLICING_INBOUND
  service-policy output VOICEWAN

Do I have any other option for unknown Internet traffic other than policing it?

If you have the 3 sites under your control, here is what I would do:

- mark the packets as close as you can to the network edge (access switches if possible)

- on the WAN routers, you apply traffic prioritization, meaning that from the total available bandwidth you reserve a certain amount for different traffic classes (e.g. 25% for voice traffic, 25% for business traffic and 50% for the rest). You can do this with CBWFQ. In this way you enforce your policies only when the bandwidth is fully utilized (so users can surf the Internet using the full bandwidth, but as soon as you have voice traffic or business traffic this will have priority and will be forwarded before the regular user traffic)

- you apply the above policy outbound on the WAN interface.

Given your expectations, I think this is the best approach, at least for starting. Then you can polish your rules.

Cheers,

Calin

Hi Calin,

Thanks for your help. Yes, I will try to ask better questions.

Here are some missing bits of information; does this help?

class-map match-any VOICE
match  dscp ef
match  dscp cs3
match  dscp af41
match access-group name VOICE
match access-group name VOICE-CONTROL

policy-map VOICEWAN
class VOICE
    priority percent 33
class RemoteSupport
    bandwidth percent 42
class to-B
    shape average 457000
class to-A
    shape average 457000
class class-default
    fair-queue

crypto map IPSECVPN 10 ipsec-isakmp
description L2L VPN to A XXX.228.57.63
set peer XXX.228.57.63
set transform-set IPSECVPN
set pfs group2
match address 120
qos pre-classify
crypto map IPSECVPN 11 ipsec-isakmp
description L2L VPN to XXX.151.83.99 B
set peer XXX.151.83.99
set transform-set IPSECVPN
set pfs group2
match address 121
qos pre-classify

Cheers

Brett

OK, now we are getting somewhere.

The class and policy map look OK. Try to stick with the prioritization first (use only priority and bandwidth statements). Apply it outbound and check if you have some matched packets. If you are marking correctly in the LAN, then you'll see increasing counters there.

Cheers,

Calin
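Calin's two replies above describe the same mechanism: with CBWFQ/LLQ applied outbound, a priority class is served first, `bandwidth percent` classes are guaranteed their share, class-default takes what is left, and none of it is enforced until the link is actually full. The following fluid model is an added illustration of that allocation logic, not IOS code and not posted by either participant. It uses the thread's own numbers: the 512 kbit/s vbr-nrt PVC and the VOICEWAN percentages (priority 33, bandwidth 42), which is why the priority cap comes out at the 168 kbps and the RemoteSupport guarantee at the 215 kbps that Brett's later `show policy-map` output reports. The offered loads are constructed.

```python
"""Fluid model of the LLQ/CBWFQ prioritisation recommended in the thread.

Added illustration, not IOS code. Under congestion the priority class is
served first but policed to its percentage; `bandwidth percent` classes are
guaranteed their share of the link; class-default gets whatever percentage
is left; and any guarantee a class does not use is redistributed to the
others in proportion to their weights. When the link is not congested no
class is constrained at all. Link rate and percentages are the thread's;
the offered loads are constructed.
"""

LINK_BPS = 512_000                       # vbr-nrt 512 512 on pvc 8/35
VOICEWAN_PRIORITY = {"VOICE": 33}        # priority percent 33
VOICEWAN_BANDWIDTH = {"RemoteSupport": 42}   # bandwidth percent 42


def cbwfq_allocate(link_bps, offered, priority_pct, bandwidth_pct):
    """Return the bit rate served to each class for the given offered rates (bps)."""
    if sum(offered.values()) <= link_bps:
        return dict(offered)                 # no congestion: nothing is limited

    served = {}
    remaining = float(link_bps)
    # 1. Priority (LLQ) classes: served first, but capped at their percentage
    #    so that a talkative priority class cannot starve everybody else.
    for cls, pct in priority_pct.items():
        served[cls] = min(offered.get(cls, 0), link_bps * pct / 100)
        remaining -= served[cls]

    # 2. Weighted classes. Each class's weight is its percentage; class-default
    #    implicitly owns whatever percentage the policy did not hand out. Because
    #    `remaining` is at least the non-priority share of the link, a class's
    #    weighted share is never below its guarantee link_bps * pct / 100.
    weights = dict(bandwidth_pct)
    weights["class-default"] = 100 - sum(priority_pct.values()) - sum(bandwidth_pct.values())
    demand = {c: float(offered.get(c, 0)) for c in weights}
    alloc = {c: 0.0 for c in weights}
    active = {c for c in weights if demand[c] > 0}

    # 3. Water-filling: hand out `remaining` by weight, cap each class at its
    #    demand, and re-share the leftover among the classes still hungry.
    while remaining > 1e-6 and active:
        total_w = sum(weights[c] for c in active)
        given = 0.0
        for c in sorted(active):
            give = min(remaining * weights[c] / total_w, demand[c] - alloc[c])
            alloc[c] += give
            given += give
            if demand[c] - alloc[c] <= 1e-6:
                active.discard(c)
        remaining -= given
    served.update(alloc)
    return served


def demo():
    # Constructed loads: light voice, an RDP session and a large web download.
    offered = {"VOICE": 48_000, "RemoteSupport": 300_000, "class-default": 400_000}
    return cbwfq_allocate(LINK_BPS, offered, VOICEWAN_PRIORITY, VOICEWAN_BANDWIDTH)


if __name__ == "__main__":
    for cls, bps in demo().items():
        print(f"{cls:15s} {bps / 1000:7.1f} kbit/s")
```

The model only describes the outbound direction of the interface it is applied to, which is exactly the limitation the thread runs into: it shapes what this router sends, not what the far side or the ISP sends towards it.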

Hi Calin,

The outbound policy is working, and voice is good and not affected while copying files between sites.

The problem is when, say, a person at site A browses an Internet site with lots of big graphics while talking on the phone to site B. The voice breaks up a bit while loading the page.

#show policy-map interface atM 0.1 output
ATM0.1: VC 8/35 -

  Service-policy output: VOICEWAN

    queue stats for all priority classes:
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 130925/16002360

    Class-map: VOICE (match-any)
      130925 packets, 16002360 bytes
      5 minute offered rate 48000 bps, drop rate 0 bps
      Match:  dscp ef (46)
        129640 packets, 15297520 bytes
        5 minute rate 47000 bps
      Match:  dscp cs3 (24)
        1285 packets, 704840 bytes
        5 minute rate 0 bps
      Match:  dscp af41 (34)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: access-group name VOICE
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: access-group name VOICE-CONTROL
        0 packets, 0 bytes
        5 minute rate 0 bps
      Priority: 33% (168 kbps), burst bytes 4470, b/w exceed drops: 0
    

    Class-map: RemoteSupport (match-any)
      2209 packets, 285086 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name RDP
        2209 packets, 285086 bytes
        5 minute rate 0 bps
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 2209/285086
      bandwidth 42% (215 kbps)
         
    Class-map: to-B (match-all)
      591 packets, 82066 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 121
      Match: not class-map match-any VOICE
        Match:  dscp ef (46)
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match:  dscp cs3 (24)
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match:  dscp af41 (34)
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: access-group name VOICE
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: access-group name VOICE-CONTROL
          0 packets, 0 bytes
          5 minute rate 0 bps
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 591/82066
      shape (average) cir 457000, bc 11425, be 11425
      target shape rate 457000
         
    Class-map: to-A (match-all)
      5315 packets, 649338 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 120
      Match: not class-map match-any VOICE
        Match:  dscp ef (46)
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match:  dscp cs3 (24)
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match:  dscp af41 (34)
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: access-group name VOICE
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: access-group name VOICE-CONTROL
          0 packets, 0 bytes
          5 minute rate 0 bps
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 5315/649338
      shape (average) cir 457000, bc 11425, be 11425
      target shape rate 457000
         
    Class-map: class-default (match-any)
      18933 packets, 2630752 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
      (pkts output/bytes output) 18933/2630752
      Fair-queue: per-flow queue limit 16

Thanks for the help

Brett
