Ip rtp priority/policy-maps
I want to know what happens when
ip rtp priority <start port> <range> <bandwidth>
is configured under interface configuration and a service policy is applied to the same interface where LLQ is configured for the same traffic.
Which command takes priority because both look to reserve bandwidth for the same traffic?
When you configure
ip rtp priority
your packets that are matched will take a strict priority with bandwidth .
I use the following form of LLQ:
class-map match-all X
match access-group X
policy-map X
class X
priority Y
set ip precedence Z
class class-default
fair-queue
access-list X permit ....
interface Sx
service-policy output X
Similar Messages
-
Map-class frame-relay, policy map
Does a service-policy output have to be applied to an interface for qos to work?
here is the config but there is nothing applied to the serial interface..
Thanks for your help
policy-map 256/128KVoice
class 256/128KVoice
priority 112
class class-default
fair-queue
map-class frame-relay 256/128KVoice
frame-relay cir 128000
frame-relay bc 1280
frame-relay be 600
frame-relay mincir 128000
no frame-relay adaptive-shaping
frame-relay fair-queue
frame-relay fragment 150
frame-relay ip rtp priority 16384 16380 210
interface Serial0/0
bandwidth 1544
ip address xxx.xxx.xxx.xxx 255.255.255.255
ip route-cache flow
no fair-queue
service-module t1 timeslots 1-24
Hello,
Will QOS work in this way, where the class is put on the WAN interface where the service policy should be?
router#sh run interface Se0/0/0.1
Building configuration...
Current configuration : 239 bytes
interface Serial0/0/0.1 point-to-point
bandwidth 2048
ip address XXXX
ip nat outside
frame-relay interface-dlci 555
class COS-OUT-S0/0/0.1
end
COS-OUT-S0/0/0.1 is defined as policy map with class of voice and video.
When checking on the WAN int with #sh policy-map interface Se0/0/0.1, I can see output of service policy input/output with the policy map's respective classes and packet match entries. Is QOS working with this configuration?
Appreciate any input on this.
Regards,
Brajesh. -
I have a 7507 that has policy maps for matching voice for QoS. A show access-list shows that traffic is being matched. A show interface shows that packets are being dropped. The end result is though, that latency is high and call quality is suffering. A show queueing on the interface shows that no packets are being dropped. Any suggestions?
class-map match-all 2505PlanoRd
match access-group name PlanoRd2505-voice
policy-map 2505PlanoRd
class 2505PlanoRd
priority 192
class class-default
fair-queue
interface Serial5/0/0/5:0
bandwidth 1536
ip address xx.xx.xx.xx 255.255.255.252
no ip redirects
no ip unreachables
load-interval 30
service-policy output 2505PlanoRd
ip access-list extended PlanoRd2505-voice
permit ip any any dscp ef
permit ip any any dscp cs6
permit ip any host xx.xx.xx.xx
Core-1#sh access-list PlanoRd2505-voice
Extended IP access list PlanoRd2505-voice
10 permit ip any any dscp ef (124045 matches)
20 permit ip any any dscp cs6 (9779 matches)
30 permit ip any host xx.xx.xx.xx (93010 matches)
Core-1#sh queueing int s5/0/0/5:0
Interface Serial5/0/0/5:0 queueing strategy: VIP-based fair queueing
Serial5/0/0/5:0 queue size 0
pkts output 0, wfq drops 0, nobuffer drops 0
WFQ: aggregate queue limit 384 max available buffers 384
Priority Class: limit 48 qsize 0 pkts output 0 drops 0
Non-Priority Class: limit 336 qsize 0 pkts output 0 drops 0
available bandwidth 1344
Class 0: weight 8750 limit 336 qsize 0 pkts output 0 drops 0
Core-1#sh int s5/0/0/5:0
Serial5/0/0/5:0 is up, line protocol is up
Hardware is cyBus CT3
Internet address is xx.xx.xx.xx
MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
reliability 255/255, txload 72/255, rxload 12/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/32 (size/max/drops/flushes); Total output drops: 510996
Queueing strategy: Class-based queueing
Output queue: 0/40 (size/max)
30 second input rate 77000 bits/sec, 57 packets/sec
30 second output rate 439000 bits/sec, 78 packets/sec
80041948 packets input, 17598546217 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 9 giants, 0 throttles
696964 input errors, 38821 CRC, 302664 frame, 92 overrun, 1 ignored, 355377 abort
113990388 packets output, 96683334345 bytes, 0 underruns
0 output errors, 0 collisions, 10 interface resets
0 output buffer failures, 3437585 output buffers swapped out
10 carrier transitions no alarm present
Timeslot(s) Used: 1-24, Transmitter delay is 0 flags
non-inverted data
This is standard VoIp transport selection based on dscp. -
I have configured policy-maps and class-maps on 3550 and 3560 switches.
The following is excerpt....
class-map match-any voip_class
match access-group 100
policy-map voip_policy
class voip_class
trust dscp
interface GigabitEthernet0/12
service-policy input voip_policy
priority-queue out
access-list 100 permit udp any any
I have the access-list 'open' for testing purposes.
However when I run the command 'sh policy-map int gi0/12' I get no counters increasing.
Should I?
Also if I run the 'sh access-list 100' command, should I get increasing counters?
Thanks for any help
Nik Mihelioudakis
Sh policy map is not supported on this platform
http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdy50035
Use "show mls qos interface gig0/12 statistics" instead. -
Sh policy-map LLQ counters showing strange results.
I've config'd LLQ for video conferencing across a dual-T1 multilink connection. When I have a video conf. session going, the Class-map counters for 'packets', 'match' and 'pkts matched' under queueing are exactly the same. This is supposed to show either that all packets are being process switched - which they aren't, or that there is congestion on the link, but there isn't. There is nothing else going across the link except my telnet session I use to get the counters. I would have expected all counters, except Class-default, to be zero under the queueing area, and then when I flood the link with large file transfers, the other class queueing counters to begin incrementing - but all counters are equal even without congestion. This doesn't help me prove that my QOS LLQ is working properly. What gives?
Here is the config and some outputs:
policy-map WAN-multilink
class Voice
priority 90
class Video
bandwidth 460
class Call-Control
bandwidth 27
class class-default
fair-queue
random-detect
policy-map QOS_classes
class Voice
priority 90
class Video
bandwidth 460
class Call-Control
bandwidth 27
class class-default
fair-queue
interface Multilink1
ppp multilink
ppp multilink fragment delay 20
ppp multilink interleave
ppp multilink group 1
max-reserved-bandwidth 95
service-policy output WAN-multilink
interface Serial0/2/0
bandwidth 1536
encapsulation ppp
no fair-queue
service-module t1 timeslots 1-24
ppp multilink
ppp multilink group 1
max-reserved-bandwidth 95
interface Serial0/3/0
bandwidth 1536
encapsulation ppp
no fair-queue
service-module t1 timeslots 1-24
ppp multilink
ppp multilink group 1
max-reserved-bandwidth 95
MDF-VoIP-RT2811#sh int stats
Multilink1
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 2175 179609 2436 237735
Route cache 7519 3809321 7416 2108198
Total 9694 3988930 9852 2345933
MDF-VoIP-RT2811#sh policy-map int mu 1
Multilink1
Service-policy output: WAN-multilink
Class-map: Voice (match-any)
2037 packets, 411126 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
2037 packets, 411126 bytes
5 minute rate 0 bps
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 90 (kbps) Burst 2250 (Bytes)
(pkts matched/bytes matched) 2037/411126
(total drops/bytes drops) 0/0
Class-map: Video (match-any)
1919 packets, 1087702 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp af41 (34)
1919 packets, 1087702 bytes
5 minute rate 0 bps
Match: ip precedence 4
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
Output Queue: Conversation 265
Bandwidth 460 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 1919/1087702
(depth/total drops/no-buffer drops) 0/0/0
Class-map: Call-Control (match-any)
430 packets, 31418 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs3 (24)
430 packets, 31418 bytes
5 minute rate 0 bps
Match: ip precedence 3
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
Output Queue: Conversation 266
Bandwidth 27 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 430/31418
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
4669 packets, 612771 bytes
5 minute offered rate 3000 bps, drop rate 0 bps
Match: any
Queueing
Flow Based Fair Queueing
Maximum Number of Hashed Queues 256
(total queued/total drops/no-buffer drops) 0/0/0
exponential weight: 9
In accordance with the above, you would need to apply the policy to the subinterface.
As my colleague clearly depicts, you should be able to combine the two pvc's into one, that would also be the scenario where the policy comes into action. When you are sending voice over a dedicated pvc there is little need to prioritize the flow. This equals the configuration where you have a dedicated leased line for voice.
regards,
Leo -
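An added example, not part of the thread: a small parser for the `show policy-map interface` output posted in the question above. It pulls each class's classification counter and its queueing counters so the two can be compared directly, which is the comparison the question turns on. The sample lines are copied from the question (flattened, as on this page); the function names are hypothetical.

```python
import re

# Lines copied from the question's "sh policy-map int mu 1" output.
SAMPLE = """\
Class-map: Voice (match-any)
2037 packets, 411126 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
2037 packets, 411126 bytes
Queueing
Strict Priority
Bandwidth 90 (kbps) Burst 2250 (Bytes)
(pkts matched/bytes matched) 2037/411126
(total drops/bytes drops) 0/0
Class-map: Video (match-any)
1919 packets, 1087702 bytes
Match: ip dscp af41 (34)
1919 packets, 1087702 bytes
Match: ip precedence 4
0 packets, 0 bytes
Queueing
Bandwidth 460 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 1919/1087702
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
4669 packets, 612771 bytes
Match: any
Queueing
Flow Based Fair Queueing
(total queued/total drops/no-buffer drops) 0/0/0
"""

CLASS_RE = re.compile(r"^Class-map:\s+(\S+)")
PKTS_RE = re.compile(r"^(\d+) packets, (\d+) bytes")
# "(label a/label b[/label c]) 1/2[/3]" counter lines in the Queueing section
SLASH_RE = re.compile(r"^\(([^)]+)\)\s+([\d/]+)$")


def parse_policy_map(text):
    """Return {class name: {counter label: int}} for each Class-map block."""
    classes = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            cur = classes.setdefault(m.group(1), {})
            continue
        if cur is None:
            continue
        m = PKTS_RE.match(line)
        if m:
            # Only the first "N packets" line is the class total; later
            # ones belong to individual Match statements.
            cur.setdefault("packets", int(m.group(1)))
            continue
        m = SLASH_RE.match(line)
        if m:
            labels = [s.strip() for s in m.group(1).split("/")]
            values = m.group(2).split("/")
            if len(labels) == len(values):
                cur.update({k: int(v) for k, v in zip(labels, values)})
    return classes


def fully_counted(classes):
    """Classes whose queueing 'pkts matched' equals the classified packets."""
    return [name for name, c in classes.items()
            if "pkts matched" in c and c["pkts matched"] == c.get("packets")]


if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE)
    for name, c in parsed.items():
        print(name, c.get("packets"), c.get("pkts matched"), c.get("total drops"))
    print("queue counter equals class counter for:", fully_counted(parsed))
```

Run against two captures taken a known interval apart, the difference between the dictionaries gives per-class deltas instead of counters accumulated since the last clear.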
HI Team,
If we use the following commands for QOS, what is the effect of
service-policy NIC-QOS-OUT, as I have studied service policy will be applied under physical interfaces. Here policy map has been defined and again it is referred under Parent-QoS-2.5GIG policy map. So please clarify
policy-map NIC-QoS-OUT
description #### Common Child Policy ####
class VIDEO&VOICE-OUT
police cir percent 20
priority
class NICNET-OUT
bandwidth percent 20
random-detect dscp-based
class CONTROL-OUT
bandwidth percent 10
random-detect dscp-based
class INTERNET-SURF-OUT
bandwidth percent 10
random-detect dscp-based
class class-default
random-detect
policy-map Parent-QoS-2.5GIG
description #### Parent QoS Policy for 2.5 GIG Link ####
class class-default
shape average 2300000000
service-policy NIC-QoS-OUT
policy-map NIC-QOS-OUT
Thanks in advance,
Naveen
The two ASA syslogs you posted were both from an internal host to port 80 on an external host. This would indicate that a successful DNS resolution has occurred in these two instances.
If the cause of your problem is bad DNS lookups, you should see evidence in your AIP-SSM event log of the packets being dropped.
- Bob -
QoS on 3560, 2960 and 3750 does not work (Policy-map).
Hi
I am trying to configure QoS on 3 switches (2960, 3560 and 3750) with this configuration:
mls qos
class-map match-all QOS_DATA_CLASS
match access-group name QOS-DATA
class-map match-all QOS_DEFAULT_CLASS
match access-group name QOS-DEFAULT
class-map match-all QOS_VOICE_CLASS
match access-group name QOS-VOICE
class-map match-all QOS_SIGNALING_CLASS
match access-group name QOS-SIGNALING
policy-map QOS-SOFTPHONE-POLICY
class QOS_DEFAULT_CLASS
set dscp default
class QOS_SIGNALING_CLASS
set dscp cs2
class QOS_DATA_CLASS
set dscp cs1
class QOS_VOICE_CLASS
set dscp cs3
interface GigabitEthernet0/34
no switchport
ip address 10.10.11.1 255.255.255.252
ip ospf network point-to-point
priority-queue out
service-policy input QOS-SOFTPHONE-POLICY
interface GigabitEthernet0/47
switchport access vlan 150
spanning-tree portfast
service-policy input QOS-SOFTPHONE-POLICY
ip access-list extended QOS-DATA
permit tcp any any eq 22
permit tcp any any eq 465
permit tcp any any eq 143
permit tcp any any eq 993
permit tcp any any eq 995
permit tcp any any eq 1914
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq smtp
permit tcp any any eq pop3
ip access-list extended QOS-DEFAULT
permit ip any any
ip access-list extended QOS-SIGNALING
permit tcp any any range 2000 2002
permit tcp any any range 5060 5061
permit udp any any range 5060 5061
ip access-list extended QOS-VOICE
permit udp any any range 16384 32767
but when I check the show commands I see that QoS is not working.
CoreA#sh policy-map interface g0/34
GigabitEthernet0/34
Service-policy input: QOS-SOFTPHONE-POLICY
Class-map: QOS_DEFAULT_CLASS (match-all)
3 packets, 198 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-DEFAULT
Class-map: QOS_SIGNALING_CLASS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-SIGNALING
Class-map: QOS_DATA_CLASS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-DATA
Class-map: QOS_VOICE_CLASS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-VOICE
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
CoreA#sh policy-map interface g0/47
GigabitEthernet0/47
Service-policy input: QOS-SOFTPHONE-POLICY
Class-map: QOS_DEFAULT_CLASS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-DEFAULT
Class-map: QOS_SIGNALING_CLASS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-SIGNALING
Class-map: QOS_DATA_CLASS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-DATA
Class-map: QOS_VOICE_CLASS (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name QOS-VOICE
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
What do I do bad?
The flow is the next:
Computer with CIPC --------> Switch 2960 or 3560 or 3750 ------------------> switch core ---------------> CIPC
I have wireshark in a port mirror on switch 2960, 3560 and 3750. In wireshark I always see the packets marked with default label.
I hope you can help me.
Regards.
Try this config:
policy-map QOS-SOFTPHONE-POLICY
class QOS_VOICE_CLASS
set dscp cs3
class QOS_SIGNALING_CLASS
set dscp cs2
class QOS_DATA_CLASS
set dscp cs1
class class-default
set dscp default
BR -
Catalyst 4500x : Shaping traffic and appliying queuing (nested policy-maps)
Hi Everyone,
I got a question on how actually I could put kind of nested policy-maps under an interface on a 4500x switch.
This is needed because of a 100Mbps link connecting 2 head office locations. The 100Mbps is a metro ethernet link and the provider is fixing the port to 100Mbps speed.
Since 4500x is not supporting 100Mbps speed on interfaces, the provider's port is connected to an intermediary switch at 100Mbps. And the 4500x is connected to intermediary switch at 1Gbps.
Hence, I need to shape to 100Mbps out to my 4500x port. But I also need to perform queuing for traffic. The thing is nested policy-maps don't seem to be implemented on 4500x as in routers.
Any idea on how to workaround this? In a router world I'd do something like this:
policy-map SHAPER
class class-default
shape average 100000000
service-policy QUEUING
policy-map QUEUING
class VOICE
priority
police 5000000 conform-action transmit exceed-action drop
class INTERACTIVE
bandwidth 20000
class BULK
bandwidth 20000
class class-default
dbl
interface TenGigabitEthernet2/1/9
description TO_REMOTE_HEADOFFICE
service-policy output SHAPER
Thank you.
I have the same problem. I wanted to do sub-interfaces with dot1q tags and nested shaper policies, but the 4500x doesn't appear to support either nested shapers or subifs. Really wish there was more consistency across platforms.
Instead of the subifs, I can simply create vlan interfaces (not my favorite method, but it works).
As far as shaping goes, the best I've been able to come up with is a custom policy that polices for the realtime traffic (i.e marked with EF or AF41, 42, 43) and everything else is matched by a custom class that matches any and sets the shape average % on the interface accordingly. (i.e. a 10g interface shaped to a 2G pipe would get 19% for all traffic and 100Mb for realtime apps like voice and video). Not perfect, but without nested policies it's hard to do a full 8 class policy and shape each class to a specific rate.
class-map match-any REALTIME
match dscp ef
match dscp af41 af42 af43
class-map match-any CATCH_ALL
match any
policy-map QOS_SHAPE_2G_OUT
class REALTIME
priority
police rate percent 1
class CATCH_ALL
shape average percent 19
int ten1/1/27
service-policy output QOS_SHAPE_2G_OUT
If you want queuing, then drop dbl in the catch all class and you're set. This is not ideal and doesn't do as well as a nested shaper policy. If anyone can come up with a better solution, please post it! -
CSM: order of choice in policy-map
A Quick one:
In the CSM how is the order of choice within the policy map?
Let's say, I have for example the following:
policy DOC-CSFSAP-PROD
header-map DOC-CSFSAP-PROD
URL-MAP ctr_es_SAP
URL-MAP ctr_uk_SAP
URL-MAP ctr_ru_SAP
URL-MAP ctr_ch_SAP
serverfarm DOC-CSFSAP-PROD
Will CSM choose based on the following boolean logic?
header-map AND (url-map1 OR url-map2 OR url-map3 OR url-mapx)
In other words, must both the header-map *and* one of the url-map be TRUE?
If header-map is true and none of url-map, then I guess this policy-map wouldn't be valid....
You are correct. With the example you provided the policy must meet the *header-map* and one of the URL maps. Typically there is a wildcard match (last URL-map statement) that will be a catchall. What exactly are you looking to do?
-
Is there a policy map difference from 8.0 to 9.0?
We have been testing blocking a few select websites (no web filtering yet) with some of our smaller location ASA's. Following the document at:
https://supportforums.cisco.com/docs/DOC-1268
I have been successful at sites which run ASA's with version 8.0 of the IOS on them, but not with 9.0. With 9.0 (2) it appears that when you institute the policy map to make it take effect, it blocks all web traffic, not just the ones specified.
So, I guess I'm asking, is there that large of a difference between 8.0 and 9.0 that would cause this to no longer work properly?
You went to the same page I did 7 hours ago. Use the "FILES TYPE EDIT" solution and follow almost all of the instructions...Edit FIREFOX URL, HYPERTEXT TRANSFER PROTOCOL and HYPERTEXT TRANSFER PROTOCOL WITH PRIVACY....It isn't necessary to take the step of "unchecking the "DDE BOX", just follow the instructions to delete the characters in the "DDE Message Box" and the problem is fixed. If you uncheck the "DDE BOX", as instructed, it may come back to bite you.
Thank you for helping,
Sel Warren -
Hi, I have configured the following policy map to restrict 12.203 to use 5mb bandwidth.
The issue is that I don't receive any hits when I apply this on the outside interface like that
service-policy PM-RATELIMIT interface outside
But when I add permit ip any any in the ACL then I receive hits.
Otherwise this map works fine on the inside interface, but I want to apply it on the outside.
The config is as follows
access-list vlan10_rate_limit extended permit ip host 192.168.12.203 any
class-map CM-RATELIMIT
match access-list vlan10_rate_limit
policy-map PM-RATELIMIT
class CM-RATELIMIT
police input 5000000
The ACL that you have configured is sourcing from the internal host to any on the outside. So you would need to apply that on the inside interface.
If you would like to limit the return traffic towards that host, then you would need to configure ACL with source any and destination the NATed ip address of that internal host. -
Policy map/ class map/ service policy for IOS xr
Hi,
I need to create a policy map and class map/service policy to limit the amount of bandwidth that can be used on one interface both in and out.
I need the cap for the bandwidth to traverse this circuit to be 10 Meg.
the IOS xr version we are using is 4.3.4
I was hoping someone could help me out by giving me a configuration example I could follow.
Thank you.
for instance like this:
policy-map police-in
class class-default
police rate 10 mbps <optionally set burst>
policy-map shape-out-parent
class class-default
shape average 10 mbps <optional burst config>
service-policy shape-out-child
policy-map shape-out-child
class class-default
queue-limit 10 packets
interface GigabitEthernet0/0/0/0
service-policy input police-in
service-policy output shape-out-parent
also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
and the support forum article of "asr9000 quality of service architecture"
xander -
Class-Map and Policy-Map Configuration in CM Confusion
Hi,
I'm implementing a green field WAAS deployment for a customer. We currently have a Proof-of-Concept up and running.
I've got some questions regarding custom class-map and policy-map configuration in the CM. I'd like to nail-down the custom class-map and policy-map configuration (and understanding) in the PoC before cutting over the PoC branches to the production WAAS environment.
Assuming a typical WAAS Deployment using WCCP for off-path interception, branch to DC.
==> 61 in LAN (BRANCH ROUTER) <== 62 in WAN (WAN CLOUD) ==> 61 in WAN (DC ROUTER) <== 62 in LAN
We are using two distinct device groups, BRANCH and DATA CENTER.
If the customer has traffic that we need to classify in order to provide TFO only optimisation, should the single class-map include the traffic in both directions? Ie., (assume the SERVER is 10.1.1.1 TCP Port 443). Should the class-map be configured as:
Class-Map
Line 1: DST IP 10.1.1.1 DST Port 443
Line 2: SRC IP 10.1.1.1 SRC Port 443
Or in this case is only the DST line required? And in which Device Group should the custom policy be applied? Or should it be applied to both Device Groups? If it should be applied to both Device Groups, then would it make more sense to have the policy-map in the Branch DG configured to match the DST traffic, and on the Data Center DG have a different class-map match the SRC traffic?
My confusion is how to classify the traffic (SRC or DST or Both - Separate classes for each or different lines within the same class-map), and where to apply the appropriate policy (both Device Groups, just Branch, just DC) and why...
I tried to apply a custom policy and the impact in the PoC was that the TCP Summary report stopped reporting the individual traffic classes showed 'other traffic' only. Can anyone explain why this may have occurred?
I hope this makes sense. -
1 policy-map for more than 1 physical interface
Hi,
the situation I want to achieve is, that 2 physical interfaces (here 2 TP GigabitEthernet Ports of a 3750) are limited together from one 'service-policy'/'policy-map'.
In the example below I have 2 Ports on one switch and the traffic coming in on both ports in total (traffic port #1 + traffic port #2) should be limited to the 'policy-map 5MBits'.
Right now I have configured a 3750 with:
class-map match-all EveryMAC
match access-group name everythingL2
policy-map 5MBits
class EveryMAC
police 5000000 32768 exceed-action drop
policy-map TEST
class EveryMAC
set dscp default
mac access-list extended everythingL2
permit any any
interface GigabitEthernet1/0/1
description port #1
switchport access vlan 123
switchport mode access
speed 10
duplex auto
interface GigabitEthernet1/0/2
description port #2
switchport access vlan 123
switchport mode access
speed 10
duplex auto
interface Vlan123
service-policy input TEST
And at the 'other side' a 2950 works with the following config:
class-map match-all EveryMAC
match access-group name everythingL2
policy-map 5MBits
class EveryMAC
police 5000000 32768 exceed-action drop
mac access-list extended everythingL2
permit any any
interface FastEthernet0/1
description port #A
switchport access vlan 123
switchport mode access
speed 10
duplex auto
As far as I can see this seems to work. But it would be nice if someone can confirm this or provide an other suggestion.
thanks in advance
Mark
Only thing I can think of is, instead of using a MAC ACL, you could just use the default class
Policy Map Test
class class-default
police 56000 8000 exceed-action drop
Class Map match-any class-default (id 0)
Match any
You would be saving a MAC-ACL ;-). -
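An added example, not part of the thread: a single-rate token-bucket model using the values from the posted `police 5000000 32768 exceed-action drop`, comparing one bucket shared by both ports with one bucket per port. The 4 Mbit/s per-port load, 1000-byte packets and all names are constructed for illustration; the model says nothing about how a particular Catalyst attaches its policers.

```python
from dataclasses import dataclass, field

CIR_BPS = 5_000_000    # rate from "police 5000000 32768 exceed-action drop"
BURST_BYTES = 32_768   # burst size from the same line


@dataclass
class Policer:
    """Single-rate, two-colour token bucket: conform = transmit, exceed = drop."""
    cir_bps: int = CIR_BPS
    burst_bytes: int = BURST_BYTES
    tokens: float = field(init=False, default=0.0)
    last: float = 0.0
    conformed: int = 0
    dropped: int = 0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # bucket starts full

    def offer(self, now, size):
        # Refill at CIR (in bytes/s) for the elapsed time, capped at the burst.
        refill = (now - self.last) * self.cir_bps / 8
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            self.conformed += size
            return True
        self.dropped += size
        return False


def arrivals(ports=2, rate_bps=4_000_000, size=1000, seconds=10):
    """Constructed load: each port sends fixed-size packets at a constant rate."""
    gap_us = size * 8 * 1_000_000 // rate_bps
    events = []
    for port in range(ports):
        offset = port * gap_us // ports  # interleave the ports
        for t_us in range(offset, seconds * 1_000_000, gap_us):
            events.append((t_us, port, size))
    return sorted(events)


def simulate(shared, seconds=10):
    """shared=True: one bucket for both ports; False: one bucket per port."""
    policers = [Policer()] if shared else [Policer(), Policer()]
    for t_us, port, size in arrivals(seconds=seconds):
        policer = policers[0] if shared else policers[port]
        policer.offer(t_us / 1_000_000, size)
    conformed = sum(p.conformed for p in policers)
    dropped = sum(p.dropped for p in policers)
    return {"conformed_bps": conformed * 8 / seconds, "dropped_bytes": dropped}


if __name__ == "__main__":
    print("shared bucket  :", simulate(shared=True))
    print("bucket per port:", simulate(shared=False))
```

With these inputs the shared bucket holds the combined traffic close to 5 Mbit/s, while per-port buckets pass all 8 Mbit/s because neither port exceeds the rate on its own.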
Radius accounting for QoS pppoe policy-map
Hi folks
I have a radius pushing an AVPAIR ip:sub-qos-policy-out to a virtual template for clients connected to a BRAS through PPPOE.
The AVPAIR is correctly applied to each and every pppoe session but the following link http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbbbrs1c.html is indicating that I should be able to push back to the RADIUS some traffic info per class-map/policy map. This would allow some Quota stuff and getting some info about traffic used per customer
From what I have been able to configure, I'm not getting any of these stats back to the RADIUS
the debug radius accounting :
*Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E):Orig. component type = PPPoE
*Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E): Acct-session-id pre-pended with Nas Port = 0/0/3/0
*Mar 12 05:29:00.419: RADIUS(0000000E): Config NAS IP: 0.0.0.0
*Mar 12 05:29:00.419: RADIUS(0000000E): sending
*Mar 12 05:29:00.419: RADIUS/ENCODE: Best Local IP-Address 192.168.38.133 for Radius-Server 192.168.38.131
*Mar 12 05:29:00.419: RADIUS(0000000E): Send Accounting-Request to 192.168.38.131:1813 id 1646/55, len 299
*Mar 12 05:29:00.419: RADIUS: authenticator ED 94 CF EE BD 73 30 7E - 93 07 A4 C3 50 A6 03 DE
*Mar 12 05:29:00.419: RADIUS: Acct-Session-Id [44] 18 "0/0/3/0_00000005"
*Mar 12 05:29:00.419: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Mar 12 05:29:00.419: RADIUS: Framed-IP-Address [8] 6 10.10.10.2
*Mar 12 05:29:00.419: RADIUS: User-Name [1] 9 "olivier"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 35
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 29
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 23 "nas-tx-speed=10000000"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 29
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 23 "nas-rx-speed=10000000"
*Mar 12 05:29:00.419: RADIUS: Acct-Session-Time [46] 6 2582
*Mar 12 05:29:00.419: RADIUS: Acct-Input-Octets [42] 6 7232
*Mar 12 05:29:00.419: RADIUS: Acct-Output-Octets [43] 6 7232
*Mar 12 05:29:00.419: RADIUS: Acct-Input-Packets [47] 6 517
*Mar 12 05:29:00.419: RADIUS: Acct-Output-Packets [48] 6 517
*Mar 12 05:29:00.419: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Mar 12 05:29:00.419: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
*Mar 12 05:29:00.419: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 15
*Mar 12 05:29:00.419: RADIUS: cisco-nas-port [2] 9 "0/0/3/0"
*Mar 12 05:29:00.419: RADIUS: NAS-Port [5] 6 50331648
*Mar 12 05:29:00.419: RADIUS: NAS-Port-Id [87] 9 "0/0/3/0"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 41
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 35 "client-mac-address=aabb.cc00.6430"
*Mar 12 05:29:00.419: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 12 05:29:00.419: RADIUS: NAS-IP-Address [4] 6 192.168.38.133
*Mar 12 05:29:00.419: RADIUS: Ascend-Session-Svr-K[151] 10
*Mar 12 05:29:00.419: RADIUS: 37 39 38 32 45 41 38 30 [ 7982EA80]
*Mar 12 05:29:00.419: RADIUS: Acct-Delay-Time [41] 6 0
*Mar 12 05:29:00.419: RADIUS(0000000E): Started 5 sec timeout
*Mar 12 05:29:00.419: RADIUS: Received from id 1646/55 192.168.38.131:1813, Accounting-response, len 20
*Mar 12 05:29:00.419: RADIUS: authenticator A7 0E 79 40 C5 B5 CF DC - 09 46 27 48 52 BE 01 7D
What I get in the freeradius log :
Tue Mar 11 22:30:04 2014
Acct-Session-Id = "0/0/3/0_00000005"
Framed-Protocol = PPP
Framed-IP-Address = 10.10.10.2
User-Name = "olivier"
Cisco-AVPair = "connect-progress=LAN Ses Up"
Cisco-AVPair = "nas-tx-speed=10000000"
Cisco-AVPair = "nas-rx-speed=10000000"
Acct-Session-Time = 2646
Acct-Input-Octets = 7428
Acct-Output-Octets = 7428
Acct-Input-Packets = 531
Acct-Output-Packets = 531
Acct-Authentic = RADIUS
Acct-Status-Type = Interim-Update
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/0"
NAS-Port = 50331648
NAS-Port-Id = "0/0/3/0"
Cisco-AVPair = "client-mac-address=aabb.cc00.6430"
Service-Type = Framed-User
NAS-IP-Address = 192.168.38.133
X-Ascend-Session-Svr-Key = "7982EA80"
Acct-Delay-Time = 0
Acct-Unique-Session-Id = "523eac6ae326a778"
Timestamp = 1394602204
Request-Authenticator = Verified
user config in the users file on the freeradius server :
olivier Cleartext-Password := "olivier"
Service-Type = Framed-User,
Cisco-AVPair += "ip:addr-pool=pppoepool",
Cisco-AVpair += "ip:sub-qos-policy-out=TEST"
I see that the policy map name is pulled correctly from the radius server and applied to the session :
#sh policy-map session uid 14
SSS session identifier 14 -
Service-policy output: TEST
Class-map: TEST (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police:
cir 8000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Any input very welcome
Cisco server is working fine. When you do use non-standard or non-RFC requests from your NAS to the AAA server, for instance, you have to configure your server accordingly to instruct it how to handle this kind of request.
This is typically done with something called "dictionary", which should be included in your radius server. The server typically decodes all RFC 2865 VSAs (or should), but when a new NAS model is introduced into the network, you can modify it to add any VSAs not appearing in the dictionary, which is your case.
As an example, imagine you want to change the attribute cisco-vsa-port-string to tagged-string, your dictionary will look something similar to:
And finally you will have to modify it with a text editor or XML editor and change type="tagged-string", supposing your device complies with RFC 2868. Probably the AAA server will have to be restarted to take these changes into account.
Also, since this does apply to all devices for this vendor, you've got one more option, which is to define your own dictionary for a specific vendor, or even, if you wish, for a specific NAS or group of NASes.
In NavisRadius you could associate a dictionary to a device adding a client-class:
# Client-IP Client-Secret Client-Class
10.0.0.1 secret taos-old
And then specifying the dictionary later in client_properties for this device:
# This file contains information about client classes
# and is used to set per-client specific information.
# TAOS Devices in OLD mode with RFC conflicts
taos-old
Client-Dictionary=max_dictionary
# Other devices now, etc.
Hope it helps