Policing in QOS

If my class map is set as listed below -
Bandwidth is 8 Meg, however I am policing at 110 Kbps. So what happens to the unused bandwidth? Will it be shared with default?
Class-map: af3_output (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp xx xx xx
            0 packets, 0 bytes
            5 minute rate 0 bps
          Queueing
            Output Queue: Conversation 266
            Bandwidth 8000 (kbps)
            (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0
             exponential weight: 8
             mean queue depth: 0
          police:
              cir 100000 bps, bc 84500 bytes, be 169000 bytes
            conformed 0 packets, 0 bytes; actions:
              set-dscp-transmit af31
            exceeded 0 packets, 0 bytes; actions:
              set-dscp-transmit af31
            violated 0 packets, 0 bytes; actions:
              set-dscp-transmit af32
            conformed 0 bps, exceed 0 bps, violate 0 bps

Hi,
I have not seen such a policy applied on any customer network, but if this config is supported, yes, the remaining bandwidth will be available for class-default. And in this config traffic is not rate-limited to 100 kbps, since the exceed and violate actions are transmit and are being used to set the DSCP value to a different value.
So traffic on class af3_output may go up to 8 Mbps or even up to link bandwidth, and if it is not being utilized completely, the remaining bandwidth will be available to class-default.
You can also use the "Ask the expert" event for QoS below for further queries related to QoS.
https://supportforums.cisco.com/discussion/12259571/ask-expert-quality-service-qos-cisco-ios-routers
Regards,
Akash
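
The behaviour described in the reply above, as an added example that is not part of the original thread: a simulation of a single-rate three-colour policer in the style of RFC 2697, fed with the cir/bc/be values and the actions from the show output. The 8 Mbps offered load, 1000-byte packets, 10-second run and the mapping of bc/be onto the two token buckets are assumptions, and the variant that drops violating packets is hypothetical.

```python
"""Single-rate three-colour policer (RFC 2697 style, colour-blind) simulation."""
from collections import Counter

# Values taken from the "police:" section of the show output in the question.
CIR_BPS = 100_000      # cir 100000 bps
BC_BYTES = 84_500      # bc 84500 bytes (assumed to size the conform bucket)
BE_BYTES = 169_000     # be 169000 bytes (assumed to size the exceed bucket)

# Actions exactly as shown in the question: every colour is re-marked and sent.
PAGE_ACTIONS = {"conform": "af31", "exceed": "af31", "violate": "af32"}
# Hypothetical variant for comparison only (not from the thread).
DROP_ACTIONS = {"conform": "af31", "exceed": "af31", "violate": "drop"}


class SrTcm:
    """Two token buckets filled at CIR; tokens are kept in millibits so that
    millisecond timestamps give exact integer arithmetic."""

    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.cir_bps = cir_bps
        self.cbs = bc_bytes * 8 * 1000
        self.ebs = be_bytes * 8 * 1000
        self.tc = self.cbs          # both buckets start full
        self.te = self.ebs
        self.last_ms = 0

    def colour(self, now_ms, size_bytes):
        # Refill: the conform bucket first, overflow spills into the exceed bucket.
        earned = self.cir_bps * (now_ms - self.last_ms)
        self.last_ms = now_ms
        to_c = min(earned, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(self.ebs, self.te + earned - to_c)

        cost = size_bytes * 8 * 1000
        if self.tc >= cost:
            self.tc -= cost
            return "conform"
        if self.te >= cost:
            self.te -= cost
            return "exceed"
        return "violate"


def simulate(actions, offered_bps=8_000_000, pkt_bytes=1000, seconds=10):
    """Offer a constant packet stream to the policer and apply the actions."""
    meter = SrTcm(CIR_BPS, BC_BYTES, BE_BYTES)
    gap_ms = pkt_bytes * 8 * 1000 // offered_bps   # packet spacing at offered rate
    colours, marks = Counter(), Counter()
    sent_bits = 0
    for now_ms in range(0, seconds * 1000, gap_ms):
        colour = meter.colour(now_ms, pkt_bytes)
        colours[colour] += 1
        action = actions[colour]
        marks[action] += 1
        if action != "drop":
            sent_bits += pkt_bytes * 8
    return {
        "colours": dict(colours),
        "marks": dict(marks),
        "forwarded_bps": sent_bits // seconds,
    }


if __name__ == "__main__":
    for name, actions in (("as configured", PAGE_ACTIONS),
                          ("violate -> drop", DROP_ACTIONS)):
        print(name, simulate(actions))
```

With the actions from the question the policer only re-marks: the class still forwards the full offered 8 Mbps, most of it as af32. The average in the drop variant is above CIR only because the 10-second window includes the initial burst allowed by the two full buckets.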

Similar Messages

  • Configuring rate-limit in switch 6500

    Good morning gentlemen
    Consider a 6509E (supervisor 720 3B) switch with many interface VLANs configured, one for each customer. Each interface VLAN had a rate-limit input and output configured, representing the maximum bandwidth permitted for the customer.
    I could configure it that way using the old IOS s72033-ipservicesk9_wan-mz.122-18.SXF7.
    Last weekend I had to upgrade that IOS to s72033-ipservicesk9_wan-mz.122-33.SXJ7. All rate-limits in VLAN interfaces disappeared, probably not supported in this new version.
    Now, what's your recommendation to perform the same in this IOS version? I only found the policy-map/service-policy way.
    Follow my questions:
    1 - "mls qos" is globally disabled. Should I configure globally or by interface VLAN?... Expected any impact?
    I believe that only need "police" for QOS. No need for any other kind of QOS.
    2 - Should I enable "mls qos vlan-based" for each physical layer 2 port connected to that switch related to each interface vlan with police?
    Expected only one physical port (or port-channel) for each customer (and each VLAN) connected to a switch.
    Thank you and regards
    Christian

    Interesting that I have just upgraded the IOS to the last version 12 release.
    I think that for the reason that we are facing high CPU usage for "IP Input" process, something related to mls/cef is not tuned.
    Does anyone have any idea regarding the configuration presented?
    Regards
    Christian

  • 2960 and configuring with a browser

    I am thinking about buying a 2960. I am not good with the command line. Can I do advanced configuring such as traffic policing and QoS with some type of Cisco admin software?

    As a matter of fact, you can use Cisco Network Assistant (CNA) with the 2960. CNA is a free GUI-based tool that allows you to perform fairly advanced configuration including QoS.
    Here's a link with more info on it:
    http://www.cisco.com/en/US/products/ps5931/products_data_sheet0900aecd8034fbf1.html
    Hope that helps - pls rate the post if it does.
    Paresh

  • UCSM 2.0(1s) Patch Available on CCO

    Greetings All,
    A new patch has been released today on CCO.  This patch addresses the following bugs:
    CSCtt27260
    • IOM backplane port 1 of a 5108 chassis will not be falsely reported as administratively down when a blade is present in slot-1 of the chassis.
    CSCtt18526
    • After upgrade to 2.0(1s), blades with UCS M81KR adapters will not show the error "initialize error 4" during FC boot.
    CSCtt41541 - Upgrade to 2.0 is disruptive if customer has QoS policies.
    • While upgrading to UCS 2.0 with QoS policies defined, QoS policies will not generate error messages and VIFs with QoS policies defined on them will remain up after upgrading the subordinate interconnect but before upgrading the primary interconnect.
    Full release notes available here:
    http://www.cisco.com/en/US/docs/unified_computing/ucs/release/notes/OL_25363.html
    For customers asking "which version of 2.0 should I upgrade to" - this would be it as of today. After the major release of 2.0, these minor patches only address bug fixes and do not introduce new major features. There is an upcoming Maintenance Release (MR1) which will include new functionality.
    As always, if there are any issues please let us know.
    Cheers,
    Robert

    Grant,
    You can verify that it's only cosmetic by doing the following:
    1) SSH into your FI's
    2) Issue the following commands:
    connect nxos b
    show interface brief
    And look for interface 2511 (you could also use show interface brief | grep 2511 to show only that line but then you wouldn't have the headers)
    You could also do a "show flogi database" on the upstream switch and look for that vfc's WWPN.
    Here's the bug I think you were told you were hitting:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn89396

  • ISG IP subnet subscriber

    Good day.
    Subject feature seems to be a useful one, but with a couple of nasty restrictions. Correct me, if I'm wrong, but we can't:
    - give a subscriber an arbitrary number of IP addresses, only powers of 2, like 4, 8, 16, 32, etc;
    - place two different address spaces in one session, like 4 + 16 addresses from different parts of address space. We'll have to give him a new block of 32 IPs, or create 2 different sessions with separate configuration (like policer or QoS).
    This seems to be a lot of inconvenience to me.
    Isn't there another way to place different IPs in one session? For example, giving a list of these IPs in a RADIUS attribute upon user authentication (I assume we have a routed or L2-connected subscriber, with well-known MACs/IPs)?

    Hi Vladimir,
    for IP subnet sessions, ISG will actually be configured in the same way of IP sessions, meaning that it will create an IP session when a packet with an unknown source address is received.
    When the subscriber will be authorized, it may have a Framed-IP-Netmask attribute in the Radius profile.
    If the attribute is present, ISG will convert the session to IP subnet session.
    So the limitation is actually given by the Framed-IP-Netmask you configure in Radius.
    The alternative would be to assign the whole interface (or subinterface) to a single session, matching whatever IP the users may have there.
    Regards
    Marco

  • Bandwidth Management(Rate Limit) Using QoS Policies

    Hello,
    I need some advice. We have an ASA 5525 running version 8.6(1)2 and a 10 MG pipe. I have execs that want to limit bandwidth on users for stuff like youtube, stream media, and downloads. I found the article on ‘Bandwidth Management(Rate Limit) Using QoS Policies’ so it appears our firewall can do what we want. I’m not a Cisco person. My knowledge is limited when it comes to configuration – that’s why we have SmartNet :). The advice I need is what to ask for, so to speak, when I put a case in. Can bandwidth be limited on end users and/or can they limit the ‘bandwidth rate limit’ to just youtube, streaming media, and downloads? If so, what should the limit be? And I assume this would be for ‘incoming’ traffic only? We’re running into some bandwidth hogs – usually youtube and/or streaming media. We have a Barracuda web filter which we’ve used to block and monitor activity but I simply do not have time to babysit this all day. I should also mention we do have critical data running up and down the pipe, such as credit card processing, DB replication between in house DB and hosted website, TPCx and EDI, FTP, and such that we don’t want restricted.
    Need input please,
    Thanks,
    D

    Hello,
    That's a question that you as the network admin of that organization could answer.
    How much traffic for business purposes must travel via HTTP/HTTPS?
    How much bandwidth are you willing to provide to these 2 protocols?
    Those are the kind of answers you need to answer before setting the number.
    Regards
    Remember to rate all of the helpful posts, Just click the 5 stars at the left of each post
    Julio

  • QoS 881 router not policing

    Hi,
    I'm trying to set up QoS policing to limit bandwidth for some protocols. I'm using an 881 router.
    I just want to police the traffic for the protocols and configured this:
    class-map filetransfer
     match protocol itunes
     match protocol bittorrent
     match protocol ftp
    policy-map qos_filetransfer
     class filetransfer
      police 100000
       conform-action transmit
        exceed-action drop
    int f4
     service-policy input qos_filetransfer
     service-policy output qos_filetransfer
    But when I'm testing to download a file with ftp the traffic is not limited.
    If I run: sh ip nbar protocol-discovery stats bit-rate top-n 10, I can see the ftp traffic:
     FastEthernet4
     Last clearing of "show ip nbar protocol-discovery" counters 00:05:03
                                Input                    Output
       Protocol                 5min Bit Rate (bps)      5min Bit Rate (bps)
       ftp                      3340000                  104000
       stun-nat                 14000                    97000
       ipsec                    1000                     1000
       icmp                     0                        1000
       isakmp                   0                        0
       dns                      0                        0
       skype                    0                        0
       unknown                  0                        1000
       Total                    3355000                  204000
    If I run: sh policy-map interface f4
     FastEthernet4
      Service-policy input: qos_filetransfer
        Class-map: filetransfer (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: protocol itunes
          Match: protocol bittorrent
          Match: protocol ftp
          police:
              cir 100000 bps, bc 3125 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            conformed 0000 bps, exceeded 0000 bps
        Class-map: class-default (match-any)
          96296 packets, 139493940 bytes
          5 minute offered rate 3050000 bps, drop rate 0000 bps
          Match: any
      Service-policy output: qos_filetransfer
        Class-map: filetransfer (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: protocol itunes
          Match: protocol bittorrent
          Match: protocol ftp
          police:
              cir 100000 bps, bc 3125 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            conformed 0000 bps, exceeded 0000 bps
        Class-map: class-default (match-any)
          59355 packets, 7299832 bytes
          5 minute offered rate 161000 bps, drop rate 0000 bps
          Match: any
    It seems that the Class-map class-default is matching the packets, but I have not configured any class-defaults.
    Please advise what to do.
    Thanks

    Hi,
    Tested but can't get it to work.
    I have tested:
    class-map filetransfer
     match protocol itunes
     match protocol bittorrent
     match protocol ftp
     match any
    and:
    class-map match-all filetransfer
     match protocol itunes
     match protocol bittorrent
     match protocol ftp
     match any
    and:
    class-map match-any filetransfer
     match protocol itunes
     match protocol bittorrent
     match protocol ftp
     match any
    I still get full bandwidth when downloading a file with ftp from internet --> a computer on vlan1
    Any more ideas?
    router#sh policy-map interface f4
     FastEthernet4
      Service-policy input: qos_filetransfer
        Class-map: filetransfer (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: protocol itunes
          Match: protocol bittorrent
          Match: protocol ftp
          Match: any
          police:
              cir 100000 bps, bc 3125 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            conformed 0000 bps, exceeded 0000 bps
        Class-map: class-default (match-any)
          260290 packets, 385289380 bytes
          5 minute offered rate 6399000 bps, drop rate 0000 bps
          Match: any
      Service-policy output: qos_filetransfer
        Class-map: filetransfer (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: protocol itunes
          Match: protocol bittorrent
          Match: protocol ftp
          Match: any
          police:
              cir 100000 bps, bc 3125 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            conformed 0000 bps, exceeded 0000 bps
        Class-map: class-default (match-any)
          163215 packets, 16962903 bytes
          5 minute offered rate 283000 bps, drop rate 0000 bps
          Match: any

  • Tweaking QoS port parameters and policing

    Hi,
    Is there a mathematical method of configuring bandwidth weights and queue limits or is it more art than science? For example, using the 3550 series switches, when you perform auto-qos, it chooses the following parameters:
    wrr-queue bandwidth 10 20 70 1
    wrr-queue queue-limit 50 25 15 10
    I need to know the reason for how these values were chosen, in order to understand how changing these values affects the overall queueing process. Is there some kind of best practice (recommended) values for setting them? I notice a pattern that bandwidth weights with the exception of the priority queue (qid 4) are larger; whereas the queue-limit values are lower for higher priority traffic, i.e. they get the smallest slice of the egress buffers.
    Also the burst-byte value parameter in policing under policy map. How do you obtain an appropriate value for this? How does that relate to the access-rate?
    In the auto-qos it gives the same 8000 byte value to the burst byte, see below:
    policy-map AutoQoS-Police-SoftPhone
    class AutoQoS-VoIP-RTP-Trust
    set dscp ef
    police 320000 8000 exceed-action policed-dscp-transmit
    class AutoQoS-VoIP-Control-Trust
    set dscp cs3
    police 32000 8000 exceed-action policed-dscp-transmit
    Any help is greatly appreciated.
    Many thanks

    To allocate bandwidth between standard transmit queue 1 (low priority) and standard transmit queue 2 (high priority), use the wrr-queue bandwidth command. Use the no form of this command to return to the default settings.
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_command_reference_chapter09186a00801026fa.html#wp1085797

  • NBAR, Netflow, QoS Policing, 6500s, IOS 12.1(26)E7, and MARS

    Hello. I'm having trouble seeing the forest OR the trees, and I'd appreciate some help from someone who has a better field view than myself. We're upgrading our internet connection to 200MB and management is wanting to upgrade our Packet Shaper to meet the new bandwidth. (The Packet Shaper shows top talkers, top protocols, and rate limits protocols or users.) I'm trying to make the argument that we can do this w/ existing tools (nbar, netflow, QoS policing, and MARS), at the same time I'm trying to make the argument that we need to have our supervisors (currently SUP2 MSFC2) on a 3-4 year upgrade cycle.
    To get to the 12.2 IOS, I'd require a memory or sup upgrade. What I am hoping for is someone who has gone down this road who knows what I'm lacking in 12.1 code, or if in fact I can do it all here.
    While it is self-evident to most in IT why we need to regularly upgrade equipment, I'm having difficulty making this argument to management with hard facts. I'm guessing they'd still be running Windows for Workgroups to save money...but that's another story.
    My plan is to use Netflow and MARS to track top users and top protocols. It appears that I lose some mgt functionality w/ MARS in conjunction w/ IOS 12.1, but I am currently unclear if I lose any tracking capability. (MARS is new to us and awaiting install.)
    Then, I hope to use NBAR to identify all the latest P2P traffic and police it appropriately w/ QoS tools.
    Does my thinking sound solid? Will I be able to pull this off w/ 12.1? If not, what do I need that I lack in 12.1?
    Thank you for your time,
    Joshua

    Hi,
    First of all - you need to be clear that although MARS uses netflow data, it uses it for the purpose of identifying security issues. If you want to use netflow for reporting and/or accounting purposes MARS isn't the tool you need, try one of the following freeware netflow tools:
    http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/freeware/index.shtml
    or one of the following commercial tools:
    http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/commercial/index.shtml
    The freeware ones are generally more difficult to set up but once running are just as good as the commercial ones.
    However, this means you need two netflow destinations - one for MARS and one for your netflow tool, and this feature is called "Netflow Multiple Export Destinations" and initially appeared at 12.1(3)T, but it seems to be VERY platform specific - for example, because we only run GD software on our 3660's we had to upgrade to 12.3(20) to get it.
    Looking at the Feature Navigator for SUP2/MSFC2 it appears that you need at least 12.2(18)SXF6 to get this feature so that might help your case.
    I'd personally keep the PacketShaper for its reporting capability if nothing else (IOS can do the job, but not as elegantly as the PacketShaper).
    HTH - plz rate if useful.
    Andrew.

  • 3650 QoS Policing

    Hi,
    I am trying to do some policing on a 3650 and for some reason, the interface doesn't seem to want to apply my service policy. Here is my config:
    class-map match-any ExchangeClass
      match vlan  410
    policy-map ExchangePolicy
     class ExchangeClass
        police cir percent 25    conform-action transmit     exceed-action drop     violate-action drop
    I use the command service-policy input ExchangePolicy on the gi1/0/1 interface, I then do a sh run int gi1/0/1 and there is no input service policy shown in the config. Does anybody know why it hasn't applied the service policy? If I use an auto qos input service policy then it seems to apply it.

    The log will have a reason as to why it was not applied.
    I have the same problem on a 3850 and have asked this question:
    https://supportforums.cisco.com/discussion/12467066/qos-routed-ports-3850
    e.g.
    Invalid queuing class-map!!! Queuing actions supported only with dscp/cos/qos-group/precedence based classification!!!

  • Catalyst 3850 QoS police

    Hello,
    Here is the config for Catalyst 3560 found under the link below.
    I would like to do same setting on Catalyst 3850.
    http://itknowledgeexchange.techtarget.com/network-engineering-journey/how-to-configure-per-vlan-qos-in-cisco-3550-and-3560/
    mls qos
    interface fa0/2
    mls qos vlan-based
    class-map INT
    match input-interface fa0/2
    policy-map NESTED_POLICE
    class INT
    police 12800 1600 exceed-action drop
    class-map HTTP
    match protocol http
    policy-map PARENT_MARK
    class HTTP
    set dscp af11
    service-policy NESTED_POLICE
    interface vlan 10
    service-policy input PARENT_MARK
    But commands like "mls qos", "mls qos vlan-based" and "match input-interface" don't work on 3850.
    There is no helpful Cisco manual for it.
    Could anyone help me?
    Thanks in advance,
    Taro

    Hello Paul,
    Thank you for the attention.
    Here is the information.
    #sh ver
    Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.01.SE RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Wed 20-Mar-13 17:10 by prod_rel_team
    ROM: IOS-XE ROMMON
    BOOTLDR: C3850 Boot Loader (C3850-HBOOT-M) Version 1.1, RELEASE SOFTWARE (P)
    SW01 uptime is 21 weeks, 6 days, 14 hours, 27 minutes
    Uptime for this control processor is 21 weeks, 6 days, 14 hours, 30 minutes
    System returned to ROM by reload at 22:27:58 JST Wed Jan 8 2014
    System restarted at 22:27:52 JST Wed Jan 8 2014
    System image file is "flash:packages.conf"
    Last reload reason: Reload command
    License Level: Ipservices
    License Type: Permanent
    Next reload license Level: Ipservices
    cisco WS-C3850-24T (MIPS) processor with 4194304K bytes of physical memory.
    Processor board ID FOC1717V01B
    24 Virtual Ethernet interfaces
    56 Gigabit Ethernet interfaces
    8 Ten Gigabit Ethernet interfaces
    2048K bytes of non-volatile configuration memory.
    4194304K bytes of physical memory.
    250456K bytes of Crash Files at crashinfo:.
    250456K bytes of Crash Files at crashinfo-2:.
    1609272K bytes of Flash at flash:.
    1609272K bytes of Flash at flash-2:.
    0K bytes of Dummy USB Flash at usbflash0:.
    0K bytes of Dummy USB Flash at usbflash0-2:.
    0K bytes of  at webui:.
    Base Ethernet MAC Address          : 44:ad:d9:6d:4e:00
    Motherboard Assembly Number        : 73-12238-06
    Motherboard Serial Number          : FOC17163HB8
    Model Revision Number              : B0
    Motherboard Revision Number        : D0
    Model Number                       : WS-C3850-24T
    System Serial Number               : FOC1717V01B
    Switch Ports Model              SW Version        SW Image              Mode
         1 32    WS-C3850-24T       03.02.01.SE       cat3k_caa-universalk9 INSTALL
         2 32    WS-C3850-24T       03.02.01.SE       cat3k_caa-universalk9 INSTALL
    Switch 02
    Switch uptime                      : 21 weeks, 6 days, 14 hours, 31 minutes
    Base Ethernet MAC Address          : 20:bb:c0:01:86:80
    Motherboard Assembly Number        : 73-12238-06
    Motherboard Serial Number          : FOC17163HCM
    Model Revision Number              : B0
    Motherboard Revision Number        : D0
    Model Number                       : WS-C3850-24T
    System Serial Number               : FOC1717V01K
    Configuration register is 0x102
    SW01#sh sdm prefer
    Showing SDM Template Info
    This is the Advanced template.
      Number of VLANs:                                 4094
      Unicast MAC addresses:                           32768
      Overflow Unicast MAC addresses:                  512
      IGMP and Multicast groups:                       8192
      Overflow IGMP and Multicast groups:              512
      Directly connected routes:                       32768
      Indirect routes:                                 8192
      Security Access Control Entries:                 3072
      QoS Access Control Entries:                      2816
      Policy Based Routing ACEs:                       1024
      Netflow ACEs:                                    1024
      Input Microflow policer ACEs:                    256
      Output Microflow policer ACEs:                   256
      Flow SPAN ACEs:                                  256
      Tunnels:                                         256
      Control Plane Entries:                           512
      Input Netflow flows:                             8192
      Output Netflow flows:                            16384
    These numbers are typical for L2 and IPv4 features.
    Some features such as IPv6, use up double the entry size;
    so only half as many entries can be created.

  • Apply QoS policies to MPLS interfaces

    Hello all,
    We are deploying an MPLS transport network for our research project, and we are getting undefined errors about the QoS application over tunnel interfaces. The tunnel interfaces are those we configure between end points.
    For example, if we apply a rate-limit to a tunnel interface, this is not applied, although the router and CLI let us configure the policy.
    Does anybody know how to manage this kind of policies or shaping to MPLS?
    Thanks for your help.

    Hello,
    No, in fact, what we want to configure is output policies. For example, at the ingress LER of the MPLS cloud, we receive some traffic that we set as a specific class of service, for example, "interactive traffic". Once the traffic is classified, we route it to the correct output tunnel interface, i.e., to the next LSR. It's at that interface where we want to set the policy, so.
    When we set the policy, with the "service-policy output tunnel0", for example, the CLI doesn't return any error message. In fact, it lets us configure it, and if we use the command "show policy-map interface tunnel0", the CLI returns the configuration of the policy at that interface.
    Thanks for your help.

  • Cisco ASA QoS traffic policing - how to count conform burst

    hi,
    I have cisco ASA 8.4(5). I will do configuration for QoS traffic policing. Maximum output/input rate will be 850 Mbits/s.
    I am not sure if I need to do configuration also for conform burst? If yes, can I count a suitable value for it? I must admit that I don't understand the difference between conform rate and conform burst.
    access-list acl_qos_policing_admin extended permit ip any any
    class-map class_qos_policing_admin
     match access-list acl_qos_policing_admin
    policy-map policy_qos_policing_admin
     class  class_qos_policing_admin
     police output 850000000 xxxxxxx
     police input 850000000 xxxxxxx
    service-policy policy_qos_policing_admin interface inside_ADM

    Hi, I have already done the configuration on the production firewall. The bandwidth test worked very well for 200 Mbps or 300 Mbps. But I got slightly strange results for bigger rate limits such as 600 Mbps or 850 Mbps. I could not see any dropped packets. I did the test via http://www.speedtest.net. Maybe because I need to set conform-burst? There is now only the default value (if you set a bigger conform-rate then you get a bigger conform-burst with the default value).
    Interface inside_EDU:
      Service-policy: policy_qos_policing_edu
        Class-map: class_qos_policing_edu
          Output police Interface inside_EDU:
            cir 200000000 bps, bc 6250000 bytes
          Input police Interface inside_EDU:
            cir 200000000 bps, bc 6250000 bytes
    Interface inside_EDU:
      Service-policy: policy_qos_policing_edu
        Class-map: class_qos_policing_edu
          Output police Interface inside_EDU:
            cir 600000000 bps, bc 18750000 bytes
          Input police Interface inside_EDU:
            cir 600000000 bps, bc 18750000 bytes
    Interface inside_ADM:
      Service-policy: policy_qos_policing_admin
        Class-map: class_qos_policing_admin
          Output police Interface inside_ADM:
            cir 300000000 bps, bc 9375000 bytes
          Input police Interface inside_ADM:
            cir 300000000 bps, bc 9375000 bytes
    Interface inside_ADM:
      Service-policy: policy_qos_policing_admin
        Class-map: class_qos_policing_admin
          Output police Interface inside_ADM:
            cir 850000000 bps, bc 26562500 bytes
          Input police Interface inside_ADM:
            cir 850000000 bps, bc 26562500 bytes

  • CoS or DSCP based QoS Policies

    I have to configure QoS on a VSS with the following modules installed:
    Switch Number:     1   Role:   Virtual Switch Active
    Mod Ports Card Type                              Model              Serial No.
      1   48  CEF720 48 port 1000mb SFP              WS-X6848-SFP       SAL16042610
      3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6848-GE-TX     SAL16095Y48
      4   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6848-GE-TX     SAL16095Y3F
      5    5  Supervisor Engine 2T 10GE w/ CTS (Acti VS-SUP2T-10G       SAL1543TRQ9
      9    8  DCEF2T 8 port 10GE                     WS-X6908-10G       SAL1539QYTC
    Mod MAC addresses                       Hw    Fw           Sw           Status
      1  c464.1341.7a50 to c464.1341.7a7f   1.0   12.2(18r)S1  15.0(1)SY4   Ok
      3  0007.7df7.4618 to 0007.7df7.4647   1.0   12.2(18r)S1  15.0(1)SY4   Ok
      4  442b.0311.4a58 to 442b.0311.4a87   1.0   12.2(18r)S1  15.0(1)SY4   Ok
      5  7081.0583.88e8 to 7081.0583.88ef   1.1   12.2(50r)SYS 15.0(1)SY4   Ok
      9  0007.7d90.a1a0 to 0007.7d90.a1a7   1.1   12.2(50r)SYL 15.0(1)SY4   Ok
    Mod  Sub-Module                  Model              Serial       Hw     Status
      1  Distributed Forwarding Card WS-F6K-DFC4-A      SAL16085BLE  1.2    Ok
      3  Distributed Forwarding Card WS-F6K-DFC4-A      SAL16085BLL  1.2    Ok
      4  Distributed Forwarding Card WS-F6K-DFC4-A      SAL16095GH7  1.2    Ok
      5  Policy Feature Card 4       VS-F6K-PFC4        SAL1544UAL2  1.1    Ok
      5  CPU Daughterboard           VS-F6K-MSFC5       SAL1544UB95  1.1    Ok
      9  Distributed Forwarding Card WS-F6K-DFC4-E      SAL1529K4QC  1.0    Ok
    On Cat6500 with SUP 2T and PFC4 QoS is enabled by default.
    DSCP is trusted and preserved by default, independent of port state.
    CoS is preserved by default for Layer 2 packets, independent of port state.
    Additional Info about the queuing on the modules installed:
    SUP 2T 10G - with Gigabit Ethernet Ports enabled it works CoS-based, with these interfaces disabled it works DSCP-based.
    WS-X6848-GE-TX and WS-X6848-SFP work CoS-based and do not support DSCP-based queuing.
    WS-X6908-10G - supports DSCP-based queuing
    The options now are:
    1) All policies CoS-based although the WS-X6908-10G supports DSCP-based queuing.
    2) Policies for SUP and WS-X6848 CoS-based and the policies for the WS-X6908 DSCP-based
    3) Disable Gigabit Ethernet Interfaces on the SUP hence it supports DSCP-based queuing policies, also use DSCP-based policies for the WS-X6908 and use CoS-based queuing policies for the WS-X6848.
    The recommendation in the core is to use DSCP-based QoS.
    The question is what to do?
    Option 1) Less complexity and simpler configuration if only CoS-based policies are used.
    Option 2) Least configuration necessary, mixture of CoS and DSCP-based policies
    Option 3) Gigabit Ethernet ports on SUP have to be disabled, uses then DSCP-based queuing on all supported modules and CoS-based policies on all other modules.

    You don't trust "to" a device, only from.
    The advice I've gotten from switching guys is "If you're not sure - just trust DSCP".
    If you try to trust cos on an access port where there is no VLAN header, there is no cos, and you can have problems.
    If you have a trunk to another switch, you can trust cos and you shouldn't have any problems.
    hth,
    nick

  • How do people manage QoS Policies in large network without using QPM

    We are using QPM to manage QoS policies; however, we are looking at decommissioning CiscoWorks. How are people managing their QoS settings in large environments?

    I have no idea about the modem and bridge mode (I don't do networking -- hopefully Bob Timmons, Tesserax, or one of the other networking gurus will drop in and address that).
    But . . . you should be able to back up to the TC as long as it's on your network and recognized by your Macs.  I think being in bridge mode means it will be rather slow, but it should work.  Until/unless we hear otherwise, you might want to see #Q1 in Using Time Machine with a Time Capsule.
