Re: What is this QoS policy doing?

Steven Williams · ‎09-25-2017

class-map match-any FileServer
match access-group name FileServer
class-map match-any AnSvrs
match access-group name AnSvrs
class-map match-any TN-Exchange
match access-group name TNExch
class-map match-any IN-Exchange
match access-group name INExch
class-map match-any SCCM
match access-group name SCCM
class-map match-any VoIP
match ip dscp ef
match ip dscp af31
match ip dscp cs3
match access-group name VoIP
class-map match-any Sophos
match access-group name Sophos
class-map match-any SVN
match access-group name SVN
class-map match-any AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31
class-map match-any AppNet
match access-group name CenterNet
!
policy-map WAN_Interface
class VoIP
set ip dscp ef
priority percent 35
class AppNet
set ip dscp af11
priority percent 10
class SCCM
police cir percent 5 bc 300 ms pir percent 10 be 300 ms
conform-action transmit
exceed-action drop
violate-action drop
class Sophos
police cir percent 5 bc 300 ms pir percent 10 be 300 ms
conform-action transmit
exceed-action drop
violate-action drop
class SVN
police cir percent 10 bc 300 ms pir percent 20 be 300 ms
conform-action transmit
exceed-action drop
violate-action drop
class FileServer
police cir percent 15 bc 300 ms pir percent 25 be 300 ms
conform-action transmit
exceed-action drop
violate-action drop
class TN-Exchange
police cir percent 15 bc 300 ms pir percent 25 be 300 ms
conform-action transmit
exceed-action drop
violate-action drop
class IN-Exchange
police cir percent 15 bc 300 ms pir percent 25 be 300 ms
conform-action transmit
exceed-action drop
violate-action drop
class AnSvrs
police cir percent 15 bc 300 ms pir percent 25 be 300 ms
conform-action transmit
exceed-action drop
violate-action drop
class class-default
fair-queue
policy-map LAN_Interface
class AutoQoS-VoIP-RTP-Trust
priority percent 65
class AutoQoS-VoIP-Control-Trust
priority percent 5
class CenterNet
priority percent 10
class SCCM
police cir 786000 bc 147456 be 294912
conform-action transmit
exceed-action drop
violate-action drop
class Sophos
police cir 786000 bc 147456 be 294912
conform-action transmit
exceed-action drop
violate-action drop
class SVN
police cir 1572500 bc 294912 be 589824
conform-action transmit
exceed-action drop
violate-action drop
class FileServer
police cir 2359000 bc 442368 be 884736
conform-action transmit
exceed-action drop
violate-action drop
class TN-Exchange
police cir 2359000 bc 442368 be 884736
conform-action transmit
exceed-action drop
violate-action drop
class IN-Exchange
police cir 2359000 bc 442368 be 884736
conform-action transmit
exceed-action drop
violate-action drop
class AnSvrs
police cir 2359000 bc 442368 be 884736
conform-action transmit
exceed-action drop
violate-action drop
class class-default
fair-queue

!

ip access-list extended AnSvrs
permit ip any host 10.100.6.119 time-range AnSvrs
permit ip host 10.100.6.119 any time-range AnSvrs
permit ip any host 10.100.6.118 time-range AnSvrs
permit ip host 10.100.6.118 any time-range AnSvrs
permit ip any host 10.100.6.84 time-range AnSvrs
permit ip host 10.100.6.84 any time-range AnSvrs
permit ip any host 10.225.225.100 time-range AnSvrs
permit ip host 10.225.225.100 any time-range AnSvrs
permit ip any host 10.225.225.67 time-range AnSvrs
permit ip host 10.225.225.67 any time-range AnSvrs
permit ip any host 10.225.225.69 time-range AnSvrs
permit ip host 10.225.225.69 any time-range AnSvrs
permit ip any host 10.225.220.10 time-range AnSvrs
permit ip host 10.225.220.10 any time-range AnSvrs
permit ip host 10.100.10.100 any time-range AnSvrs
permit ip any host 10.100.10.100 time-range AnSvrs
permit ip host 10.100.10.25 any time-range AnSvrs
permit ip any host 10.100.10.25 time-range AnSvrs
permit ip host 10.100.10.50 any time-range AnSvrs
permit ip any host 10.100.10.50 time-range AnSvrs

!
ip access-list extended AppNet
permit ip any host 10.100.6.87
permit ip host 10.100.6.87 any
permit ip any host 10.100.6.144
permit ip host 10.100.6.144 any
permit ip any host 10.100.6.13
permit ip host 10.100.6.13 any
permit ip any host 10.100.6.109
permit ip host 10.100.6.109 any
permit ip any host 63.146.98.33
permit ip host 63.146.98.33 any
permit ip any host 63.146.98.34
permit ip host 63.146.98.34 any
permit ip any host 63.146.172.225
permit ip host 63.146.172.225 any
permit ip any host 10.10.2.193
permit ip host 10.10.2.193 any
permit ip any host 10.10.2.194
permit ip host 10.10.2.194 any
permit ip any host 10.10.2.195
permit ip host 10.10.2.195 any
permit ip any host 10.10.2.200
permit ip host 10.10.2.200 any
permit ip any host 10.10.2.201
permit ip host 10.10.2.201 any

!

ip access-list extended FileServer
permit ip any host 10.100.6.36 time-range FileServer
permit ip host 10.100.6.36 any time-range FileServer
permit ip any host 10.100.6.171 time-range FileServer
permit ip host 10.100.6.171 any time-range FileServer
permit ip any host 10.130.10.216 time-range FileServer
permit ip host 10.130.10.216 any time-range FileServer
permit ip any host 10.110.6.151 time-range FileServer
permit ip host 10.110.6.151 any time-range FileServer

!

ip access-list extended INExch
permit ip any host 10.110.6.161 time-range INExch
permit ip host 10.110.6.161 any time-range INExch
permit ip any host 10.110.6.171 time-range INExch
permit ip host 10.110.6.171 any time-range INExch
permit ip any host 10.110.6.172 time-range INExch
permit ip host 10.110.6.172 any time-range INExch
permit ip any host 10.110.6.173 time-range INExch
permit ip host 10.110.6.173 any time-range INExch

!

ip access-list extended SCCM
permit ip any host 10.100.6.40 time-range SCCM
permit ip host 10.100.6.40 any time-range SCCM
permit ip any host 10.100.6.6 time-range SCCM
permit ip host 10.100.6.6 any time-range SCCM

!

ip access-list extended SVN
permit ip any host 10.100.6.224 time-range SVN
permit ip host 10.100.6.224 any time-range SVN
permit ip any host 10.100.6.25 time-range SVN
permit ip host 10.100.6.25 any time-range SVN
!

ip access-list extended Sophos
permit ip any host 10.100.6.34
permit ip host 10.100.6.34 any
permit ip any host 192.168.105.61
permit ip host 192.168.105.61 any

!

ip access-list extended TNExch
permit ip any host 10.100.6.161 time-range TNExch
permit ip host 10.100.6.161 any time-range TNExch
permit ip any host 10.100.6.173 time-range TNExch
permit ip host 10.100.6.173 any time-range TNExch
permit ip any host 10.100.6.174 time-range TNExch
permit ip host 10.100.6.174 any time-range TNExch
permit ip any host 10.100.6.206 time-range TNExch
permit ip host 10.100.6.206 any time-range TNExch
permit ip any host 10.100.6.100 time-range TNExch
permit ip host 10.100.6.100 any time-range TNExch

!

ip access-list extended VoIP
permit ip any 172.26.0.0 0.0.255.255
permit ip 172.26.0.0 0.0.255.255 any
permit ip any 172.27.0.0 0.0.255.255
permit ip 172.27.0.0 0.0.255.255 any
permit ip any 172.28.0.0 0.0.255.255
permit ip 172.28.0.0 0.0.255.255 any
permit ip any 172.29.0.0 0.0.255.255
permit ip 172.29.0.0 0.0.255.255 any
permit ip any host 10.11.2.1
permit ip host 10.11.2.1 any
permit ip any host 10.11.2.11
permit ip host 10.11.2.11 any
permit ip any host 10.11.2.30
permit ip host 10.11.2.30 any
permit ip any host 10.11.2.2
permit ip host 10.11.2.2 any

!

Seems you would not want to police as excess traffic would be dropped?

But what does this mean/do? and why are the values different

class SCCM
police cir percent 5 bc 300 ms pir percent 10 be 300 ms
conform-action transmit
exceed-action drop
violate-action drop
class Sophos
police cir percent 5 bc 300 ms pir percent 10 be 300 ms
conform-action transmit
exceed-action drop
violate-action drop
class SVN
police cir percent 10 bc 300 ms pir percent 20 be 300 ms
conform-action transmit
exceed-action drop
violate-action drop
class FileServer

Julio E. Moisa · ‎09-25-2017

Hi Steven,

Please correct me if Im understanding wrong the question, but for example:

class SCCM
police cir percent 5 bc 300 ms pir percent 10 be 300 ms
conform-action transmit
exceed-action drop
violate-action drop

For the Class SCCM, police will mark the following paramenters:

Police to 5% of the available banwidth

Conform burst of 300 miliseconds, indicate the interval time range used to foward packets.

Pir percent specify the percent of banwidth in certain time.

The following information will explain step by step the use of these commands

Syntax Description

cir	Committed information rate. Indicates that the CIR will be used for policing traffic.
percent	Specifies that a percentage of bandwidth will be used for calculating the CIR.
percentage	Specifies the bandwidth percentage. Valid range is a number from 1 to 100.
burst-in-msec	(Optional) Burst in milliseconds. Valid range is a number from 1 to 2000.
bc	(Optional) Conform burst (bc) size used by the first token bucket for policing traffic.
conform-burst-in-msec	(Optional) Specifies the bc value in milliseconds. Valid range is a number from 1 to 2000.
ms	(Optional) Indicates that the burst value is specified in milliseconds.
be	(Optional) Peak burst (be) size used by the second token bucket for policing traffic.
peak-burst-in-msec	(Optional) Specifies the be size in milliseconds. Valid range is a number from 1 to 2000.
pir	(Optional) Peak information rate. Indicates that the PIR will be used for policing traffic.
percent	(Optional) Specifies that a percentage of bandwidth will be used for calculating the PIR.
conform-action	(Optional) Action to take on packets whose rate is less than the conform burst. You must specify a value for peak-burst-in-msec before you specify the conform-action.
exceed-action	(Optional) Action to take on packets whose rate is within the conform and conform plus exceed burst.
violate-action	(Optional) Action to take on packets whose rate exceeds the conform plus exceed burst. You must specify the exceed-action before you specify the violate-action.
action	(Optional) Action to take on packets. Specify one of the following keywords: All Supported Platforms •drop—Drops the packet. •set-clp-transmit—Sets the ATM Cell Loss Priority (CLP) bit from 0 to 1 on the ATM cell and sends the packet with the ATM CLP bit set to 1. •set-dscp-transmit new-dscp—Sets the IP differentiated services code point (DSCP) value and sends the packet with the new IP DSCP value setting. •set-frde-transmit—Sets the Frame Relay discard eligible (DE) bit from 0 to 1 on the Frame Relay frame and sends the packet with the DE bit set to 1. •set-prec-transmit new-prec—Sets the IP precedence and sends the packet with the new IP precedence value setting. •transmit—Sends the packet with no alteration. Supported Platforms Except the Cisco 10000 Series Router •policed-dscp-transmit—(Exceed and violate action only). Changes the DSCP value per the policed DSCP map and sends the packet. •set-cos-inner-transmit value—Sets the inner class of service field as a policing action for a bridged frame on the Enhanced FlexWAN module, and when using bridging features on SPAs with the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 on the Cisco 7600 series router. •set-cos-transmit value—Sets the packet cost of service (CoS) value and sends the packet. •set-mpls-exposition-transmit—Sets the Multiprotocol Label Switching (MPLS) experimental bits from 0 to 7 and sends the packet with the new MPLS experimental bit value setting. •set-mpls-topmost-transmit—Sets the MPLS experimental bits on the topmost label and sends the packet.
action(continued)	Cisco 10000 Series Routers •drop—Drops the packet. •set-clp-transmit value—Sets the ATM Cell Loss Priority (CLP) bit from 0 to 1 on the ATM cell and transmits the packet with the ATM CLP bit set to 1. •set-cos-inner-transmit value—Sets the inner class of service field as a policing action for a bridged frame on the Enhanced FlexWAN module, and when using bridging features on SPAs with the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 on the Cisco 7600 series router. •set-cos-transmit value—Sets the packet COS value and sends it. •set-discard-class-transmit—Sets the discard class attribute of a packet and transmits the packet with the new discard class setting. •set-dscp-transmit value—Sets the IP differentiated services code point (DSCP) value and transmits the packet with the new IP DSCP value setting. •set-frde-transmit value—Sets the Frame Relay Discard Eligibility (DE) bit from 0 to 1 on the Frame Relay frame and transmits the packet with the DE bit set to 1. •set-mpls-experimental-imposition-transmit value—Sets the Multiprotocol Label Switching (MPLS) experimental (EXP) bits (0 to 7) in the imposed label headers and transmits the packet with the new MPLS EXP bit value setting. •set-mpls-experimental-topmost-transmit value—Sets the MPLS EXP field value in the topmost MPLS label header at the input and/or output interfaces. •set-prec-transmit value—Sets the IP precedence and transmits the packet with the new IP precedence value setting. •set-qos-transmit value—Sets the quality of service (QoS) group value and transmits the packet with the new QoS group value setting. Valid values are from 0 to 99. •transmit—Transmits the packet. The packet is not altered.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Joseph W. Doherty · ‎09-25-2017

"Seems you would not want to police as excess traffic would be dropped? "

Well that depends on what your QoS goals are and what the equipment supports. it appears many classes are traffic are rate limited and perhaps the equipment doesn't support shaping.

"But what does this mean/do? and why are the values different "

It limits class traffic to certain bandwidth usage. Why it differs between classes also depends on your QoS goals. It's not uncommon to treat different kinds of traffic unalike. You might treat traffic differently because different traffic kinds of traffic often have different network requirements to work well, or at all, and different kinds of traffic often have different importances to the business.

Steven Williams · ‎09-25-2017

the device is a 2921 router, and it looks like theres a policy that says "auto-qos" but when I do a show mls auto-qos it says no auto qos is enabled device...so did someone take this from another device that had auto-qos on it and paste it in? Seems silly.

Julio E. Moisa · ‎09-25-2017

Hi

This configuration is based on DSCP using MQC to classify and marking packets, now if you are referring to this police:

class AutoQoS-VoIP-RTP-Trust
priority percent 65

It is providing priority of 65% of the bandwidth for voice.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Steven Williams · ‎09-25-2017

but 65 percent based off what? How doe sit know what 65 percent is?

Julio E. Moisa · ‎09-25-2017

For example, this police map should be applied to under some interface for outbound traffic.

policy-map WAN_Interface

So the percent is based on type of interface, for example, you have 10Gb interface:

65% will be 6.5 Gb of that interface.

Rest of the traffic will have available 45% = 4.5Gb of bandwidth.

The priority command will restrict traffic for that percentage so it can not be used for other kind of traffic.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Steven Williams · ‎09-25-2017

So with this its a serial port using a T1 so does it know the speed of that interface? So this would become and issue if my port was 1000mbps and my service was only 30mbps, so I would want to set the bandwidth command on that interface in that case?

Julio E. Moisa · ‎09-25-2017

Hi

if your port is 1000Mbps and the service is only 30mbps, is not a problem, basically with a 1G (1000Mbps) port you will have a download transfer rate of 1000 Mbps as maximum.

The 30Mbps is the contracted Internet plan. The ISP is providing you 30Mbps of Bandwidth that you are paying for that plan.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Steven Williams · ‎09-25-2017

I guess I am thinking a MPLS situation where my port speed is 1000 but my provider is giving me 30mbps, would my policy thinking the port will transfer at 1000mbps and not 30mbps be an issue? like the shoving a golf ball into a garden hose analogy.