QoS Class-maps
Trying to understand the class-default for marking
I have the concept of Identify traffic with ACLs
Classify traffic for marking with class-maps
Mark traffic with policy-maps
the policy-map will always have a default-class for unaccounted traffic in the policy-maps
what I don't quite understand is that the there is not a class-map class-default
when servicing the "policy" the class-maps are referenced with "class A" "class B" "class class-default"
when looking for the matches on class class-default there is no reference class-map to go to....
I figured I have to accept this logic means if traffic was not specifically matched by the collection of class-maps in the config the IOS can assume the traffic would have been/is class-default.
i had put a config together to classify certain traffic as CS0, like SNMP... i wanted to force traffic there as well as having all unaccounted traffic being classified CS0.
but from what i read if i don't have snmp matched in any class-map in the config then this traffic would find itself in
policy-map XXX
class class-default
set ip precedence 0
even though class-default does not exist as class-map class-default
Hi,
You want to mark some traffic as CS0? and then count that traffic? but you won't know which traffic had CS0 imposed or was natively IPP 0 like all data traffic not specifically marked.
the class class-default exists just do a show class-map and you'll see it, it is the IOS which creates it.
Doing a show policy-map interface will show you which class-map was matched.
Similar Messages
-
3850 QoS class-map match-all?
I would like to create a QoS marking policy that re-marks packet to CS5 if the inbound traffic is SIP *and* if it is marked CS3 when it comes in. I would have expected the configuration listed below will work. I only found out when I tried to apply the config that, unlike other IOS devices, "class-map match-all" does not exist in 3850 3.3.x code. It can only do "class-map match-any" Can anyone suggest a work-around config for 3850 to achieve the same end result?
ip access-list extended ACL-QOS-SIP
permit tcp any range 5060 5061 any
permit tcp any any range 5060 5061
ip access-list extended ACL-QOS-CS3
permit ip any any dscp cs3
class-map match-all CM-QOS-CS5
match access-group name ACL-QOS-CS3
match access-group name ACL-QOS-SIP
policy-map PM-QOS-MARKING
class CM-QOS-CS5
set ip dscp cs5
Any suggestions would be appreciated.jlkeys, below is configuration I ended up using to resolve the issue:
ip access-list extended ACL-QOS-SIP
permit tcp any range 5060 5061 any dscp cs3
class-map match-any CM-QOS-CS5
match access-group name ACL-QOS-SIP
policy-map PM-QOS-MARKING
class CM-QOS-CS5
set ip dscp cs5 -
Hello,
When configuring a class-map, I want to match based on DSCP values. I see that I can configure the match statement either as "match dscp" or "match ip dscp". The router accepts either one. Is there a difference between these two, or do they accomplish the same thing?Hi,
"match dscp" matches both IPv4 and IPv6 traffic while "match ip dscp" matches only IPv4 traffic.
HTH,
Nagendra -
Hi, anyone can explain the "sh class-map list type qos" in XR platforms ? is this command used to know how many types of class-maps configured in one router ?
It is a useful command to help clean up unused class-maps:
RP/0/RSP0/CPU0:A9K-BNG#show class-map list type qos
Thu Sep 12 14:58:56.383 EDT
1) ClassMap: class1 Type: qos
Referenced by 3 Policymaps
2) ClassMap: class3 Type: qos
Referenced by 2 Policymaps
in this examples the QOS class-maps class1 and class3 which have index 1 and 2 respectively are used by respectively 3 or 2 policy-maps. can't remove them.
I could technically remove this class-map:
20) ClassMap: v6 Type: qos
Referenced by 0 Policymaps
Not used at all.
regards
xander -
Class Map Statistic Dashlet in Cisco Prime Inf. 2.1
Dear All ,
I installed the demo version of Cisco Prime infra . 2.1 and I saw that there is a specific Dashlet to monitor QOS class map .
As we have some policy-map configured , it could be very interresting.
After a day spent on Google .. I didn't found how to configure it .. I found that Cbqos must be enabled on the switch/router
So I did it by entering the following cmd
snmp-server ifindex persist
snmp mib persist cbqos
But nothing . I also deployed the Cisco monitoring template for class map statistics .
Do I need another cmd to be entered or any other device or appliance from Cisco .. ?
Thanks a lot
MarcPI 1.2 definitely does not include all the regulatory compliance features of LMS. Reference.
Even though the document says PI 1.2 will do baseline compliance, I haven't figured out how they expect you to do that. -
Number of class maps (QOS) supported on 7200 and 7600
Hi,
Have few queries on class maps for QOS, putting forward for your comments/inputs.
1. Want to know if there are any limitation (s) on the number of class maps (to be applied inbound/outbound) that can be configured on the 7200 and 7600 routers.
2. Is there any imitation on the numbers (of class maps) in general or will it depend on the sum total of BW configured in the classes? I mean which one will be the deciding factor i.e. if the limit is wrt to the configured classes or the number of classes can't go beyond the consolidated bandwidth configured on the interface.
Kindly share details on the same and if there are any recommendations.
Thanks! in advance.From: http://www.cisco.com/en/US/tech/tk543/tk545/technologies_q_and_a_item09186a00800cdfab.shtml
"Q. How many classes does a Quality of Service (QoS) policy support?
A. In Cisco IOS versions earlier than 12.2 you could define a maximum of only 256 classes, and you could define up to 256 classes within each policy if the same classes are reused for different policies. If you have two policies, the total number of classes from both policies should not exceed 256. If a policy includes Class-Based Weighted Fair Queueing (CBWFQ) (meaning it contains a bandwidth [or priority] statement within any of the classes), the total number of classes supported is 64.
In Cisco IOS versions 12.2(12),12.2(12)T, and 12.2(12)S, this limitation of 256 global class-maps was changed, and it is now possible to configure up to 1024 global class-maps and to use 256 class-maps inside the same policy-map." -
QoS - Create class-map while inside policy-map
The cisco training notes for CME claim you can create a non-existant class-map while in the policy-map. Here is the what the notes say
router(config-pmap)#class class-map-name condition
? Optionally you can define a new class-map by entering the condition after the name of the new class map
Does this workIf my memory serves me, it was on a 7206VXR running a 12.3 cut. Also, I do recall that the '?' will not present this as an option but it still works...
Paresh. -
Policy map/ class map/ service policy for IOS xr
Hi,
I need to create a policy map and class map/service policy to limit the amount of bandwidth that can be used on one interface both in and out.
I need the cap for the bandwidth to traverse this circuit to ne 10 Meg.
the IOS xr version we are using is 4.3.4
I was hoping someone could help me out by giving me a configuration example I could follow.
Thank you.for instance like this:
policy-map police-in
class class-default
police rate 10 mpbs <optionally set burst>
policy-map shape-out-parent
class class-default
shape 10 mpbs <optional burst config>
service-policy shape-out-child
policy-map shape-out-child
class class-default
queue-limit 10 packets
int g 0/0/0/0
service-policy police-in in
service-policy shape-out-parent out
also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
and the support forum article of "asr9000 quality of service architecture"
xander -
Default class map is dropping all Packets
Hello I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part. Any help is greatly appreciated!!!!
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
Guest VLAN has access to 2 IP's in Data for printing.
Cisco871#sh run
Building configuration...
Current configuration : 8005 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
hostname Cisco871
boot-start-marker
boot-end-marker
logging buffered 4096
no logging console
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock summer-time PST recurring
crypto pki trustpoint TP-self-signed-4004039535
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4004039535
revocation-check none
rsakeypair TP-self-signed-4004039535
crypto pki certificate chain TP-self-signed-4004039535
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
3543BD68 A4B2692D 05CBF6DC C93C8142
quit
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.5
ip dhcp excluded-address 172.16.15.1 172.16.15.5
ip dhcp excluded-address 172.16.15.14
ip dhcp excluded-address 172.16.17.1 172.16.17.5
ip dhcp excluded-address 192.168.19.1 192.168.19.5
ip dhcp pool MyNetNative
import all
network 10.0.0.0 255.255.255.248
default-router 10.0.0.1
domain-name MyNetNet.org
dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
lease 0 2
ip dhcp pool MyNetData
import all
network 172.16.15.0 255.255.255.240
dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
default-router 172.16.15.1
domain-name MyDomain.org
ip dhcp pool MyNetVoice
import all
network 172.16.17.0 255.255.255.240
dns-server 172.16.15.14
default-router 172.16.17.1
domain-name MyDomain.org
ip dhcp pool MyNetGuest
import all
network 192.168.19.0 255.255.255.240
default-router 192.168.19.1
domain-name MyNetGuest.org
dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
ip domain name MyDomain.org
ip name-server 172.16.15.14
ip name-server 4.2.2.4
ip inspect log drop-pkt
multilink bundle-name authenticated
parameter-map type inspect TCP_PARAM
parameter-map type inspect global
username MyAdmin privilege 15 secret 5 MyPassword
archive
log config
hidekeys
class-map type inspect match-all MyNetGuest-access-list
match access-group 110
class-map type inspect match-any Base-protocols
match protocol http
match protocol https
match protocol ftp
match protocol ssh
match protocol dns
match protocol ntp
match protocol ica
match protocol pptp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all MyNetGuest-Class
match class-map MyNetGuest-access-list
match class-map Base-protocols
class-map type inspect match-all MyNetNet-access-list
match access-group 100
class-map type inspect match-any Voice-protocols
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any Extended-protocols
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imaps
match protocol smtp
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
class type inspect MyNetGuest-access-list
inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
class type inspect MyNetGuest-Class
inspect
class class-default
policy-map type inspect MyNetNet-zone
class class-default
pass
zone security MyNetNet-zone
zone security MyNetGuest-zone
zone security MyNetWAN-zone
zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
interface FastEthernet0
description Cisco-2849-Switch
switchport mode trunk
speed 100
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
description SBS-Server
switchport access vlan 10
spanning-tree portfast
interface FastEthernet4
description WAN
no ip address
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security MyNetWAN-zone
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
interface Vlan1
description MyNetNative
ip address 10.0.0.1 255.255.255.248
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
ip tcp adjust-mss 1452
interface Vlan10
description MyNetData
ip address 172.16.15.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan20
description MyNetVoice
ip address 172.16.17.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan69
description MyNetGuest
ip address 192.168.19.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetGuest-zone
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
access-list 100 remark MyNetnet
access-list 100 permit ip 10.0.0.0 0.0.0.7 any
access-list 100 permit ip 172.16.15.0 0.0.0.31 any
access-list 100 permit ip 172.16.17.0 0.0.0.15 any
access-list 110 remark MyNetGuest
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
access-list 110 deny ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
access-list 110 deny ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
access-list 110 deny ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
access-list 110 permit ip 192.168.19.0 0.0.0.15 any
control-plane
banner login ^CC
You know if you should be here or not.
if not please leave
NOW
^C
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
scheduler max-task-time 5000
ntp server 172.16.15.14
webvpn cef
end
Cisco871#sh zone security
zone self
Description: System defined zone
zone MyNetNet-zone
Member Interfaces:
Vlan1
Vlan10
Vlan20
zone MyNetGuest-zone
Member Interfaces:
Vlan69
zone MyNetWAN-zone
Member Interfaces:
FastEthernet4
Cisco871#sh zone-pair security
Zone-pair name MyNetNet->MyNetGuest
Source-Zone MyNetNet-zone Destination-Zone MyNetGuest-zone
service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
Zone-pair name MyNetNet->MyNetWAN
Source-Zone MyNetNet-zone Destination-Zone MyNetWAN-zone
service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetWAN
Source-Zone MyNetGuest-zone Destination-Zone MyNetWAN-zone
service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetNet
Source-Zone MyNetGuest-zone Destination-Zone MyNetNet-zone
service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
Cisco871#sh int faste4
FastEthernet4 is up, line protocol is up
Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
Description: WAN
Internet address is 10.38.177.98/25
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:34:50, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 2000 bits/sec, 3 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
593096 packets input, 73090812 bytes
Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
9940 packets output, 1016025 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Zone-pair: MyNetNet->MyNetWAN
Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
Class-map: MyNetNet-Class (match-all)
Match: class-map match-all MyNetNet-access-list
Match: access-group 100
Match: class-map match-any Voice-protocols
Match: protocol h323
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol skinny
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol sip
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any Extended-protocols
Match: protocol pop3
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pop3s
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imap
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imaps
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any Base-protocols
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ntp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ica
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pptp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
5196 packets, 256211 bytes
Cisco871#sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 1745 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 1785 message lines logged
Log Buffer (4096 bytes):
001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to policy match failure
001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to policy match failure
001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to policy match failureHello Charlie,
I would recomend you to investigate a little bit more about how the ZBFW features works
Now I am going to help you on this one at least, then I will give you a few links you could use to study
We are going to study traffic from MyNetNet-zone to the MyNetWan-zone
First the zone-pair
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
so lets go policy-map
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
Finally to the class map
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
That keyword MATCH-ALL is the one causing the issues!!
Why?
Because you are telling the ZBFW to inspect traffic only if matches all of those class-maps so a packet will need to math the base protocols and the extended protocol and as you know that is not possible ( Just one protocol )
So here are the links
http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
https://supportforums.cisco.com/thread/2138873
http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
You have some work to do
Please remember to rate all the helpful posts
Julio
CCSP -
Class-Map and Policy-Map Configuration in CM Confusion
Hi,
I'm implementing a green field WAAS deployment for a customer. We currently have a Proof-of-Concept up and running.
I've got some questions regarding custom class-map and policy-map configuration in the CM. I'd like to nail-down the custom class-map and policy-map configuration (and understanding) in the PoC before cutting over the PoC branches to the production WAAS environment.
Assuming a typical WAAS Deployment using WCCP for off-path interception, branch to DC.
==> 61 in LAN (BRANCH ROUTER) <== 62 in WAN (WAN CLOUD) ==> 61 in WAN (DC ROUTER) <== 62 in LAN
We are using two distinct device groups, BRANCH and DATA CENTER.
If the customer has traffic that we need to classify in order to provide TFO only optimisation, should the single class-map include the traffic in both directions? Ie., (assume the SERVER is 10.1.1.1 TCP Port 443). Should the class-map be configured as:
Class-Map
Line 1: DST IP 10.1.1.1 DST Port 443
Line 2: SRC IP 10.1.1.1 SRC Port 443
Or in this case is only the DST line required? And in which Device Group should the custom policy be applied? Or should it be applied to both Device Groups? If it should be applied to both Device Groups, then would it make more sense to have the policy-map in the Branch DG configured to match the DST traffic, and on the Data Center DG have a different class-map match the SRC traffic?
My confusion is how to classify the traffic (SRC or DST or Both - Separate classes for each or different lines within the same class-map), and where to apply the appropriate policy (both Device Groups, just Branch, just DC) and why...
I tried to apply a custom policy and the impact in the PoC was that the TCP Summary report stopped reporting the individual traffic classes showed 'other traffic' only. Can anyone explain why this may have occurred?
I hope this makes sense.for instance like this:
policy-map police-in
class class-default
police rate 10 mpbs <optionally set burst>
policy-map shape-out-parent
class class-default
shape 10 mpbs <optional burst config>
service-policy shape-out-child
policy-map shape-out-child
class class-default
queue-limit 10 packets
int g 0/0/0/0
service-policy police-in in
service-policy shape-out-parent out
also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
and the support forum article of "asr9000 quality of service architecture"
xander -
How to get OIDs of indexes for class-map ?
I have policy-map configured on cisco router with some class-maps inside. I need to draw a graph traffic passing through these classes. To make a graphs I use Cacti which use SNMP query to draw the graphs (object name cbQosObjectsIndex).
How to get OIDs of class-map indexes ?
I tried to do this by following query:
#snmpwalk -c community_string -v 2c 192.168.0.252 1.3.6.1.4.1.9.9.166.1.5.1.1.1
but the answer was:
iso.3.6.1.4.1.9.9.166.1.5.1.1.1 = No Such Object available on this agent at this OID
The information i need is contained at the OID 1.3.6.1.4.1.9.9.166.1.15.1.1.7:
# snmpwalk -c community_string -v 2c 192.168.0.252 1.3.6.1.4.1.9.9.166.1.15.1.1.7
iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.1277 = Gauge32: 0
iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.13363 = Gauge32: 0
iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.13383 = Gauge32: 0
iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.13435 = Gauge32: 734000
iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.13481 = Gauge32: 233000Because 192.168.0.252 1.3.6.1.4.1.9.9.166.1.5.1.1.1 is marked "non-accessible" according to http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=cbQosObjectsIndex
You'll need to obtain the indices as explained in this blog post:
http://pierky.wordpress.com/2009/04/09/cisco-class-based-qos-snmp-mib-and-statistics-monitor-for-nms/
Joe wrote a very illustrative post on the subject of snmptables: https://supportforums.cisco.com/message/3051004#3051004
And if your IOS supports it, you would want to configure the following to keep the indices from changing after every reboot or OIR:
"snmp mib persist cbqos" -
Hello, sorry because of my bad English at first,
I have a problem with my IPv6 ACL, IPv6 Class-map or IOS I'm not sure so I'm asking you.
I have one 1721 router with one Ethernet and one FastEthernet interface, on Fa interface is 3 subinterfaces, and Eth interface is connected to 10 Mbps link to another 1721 router. I'm working on QoS for VoIPv6. My softphone emulator address is FEC2::1/64.
This is my configuration:
class-map match-any v6
match access-group name v6
policy-map v6
class v6
set ip dscp ef
ipv6 access-list v6 permit FEC2::/64 any
Question is, why is output of command show policy-map interface Fa0/0 showing that not a single one packet of IPv6 is not beeing marked:
R1#sho policy-map interface fa0
FastEthernet0
Service-policy input: v6
Class-map: v6 (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name v6
0 packets, 0 bytes
5 minute rate 0 bps
QoS Set
ip dscp ef
Packets marked 0
Class-map: class-default (match-any)
92 packets, 9134 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
This exact configuration, with IPv4 is working fine. My IOS version is c1700-y-mz.122-11.T11.bin
If IOS version is too old, can you tell my what version will work so I can purchase it?
ThanksIf you are thinking of IPv6 prefix I tried everything. From /128 for single host to /64, nothing works.
-
Match-any or Match All For Class-map On Nexus?
I have an access-list MANAGEMENT
permit udp any eq snmp any
permit udp any any eq snmp
permit tcp any any eq telnet
permit tcp any eq telnet any
permit tcp any any eq 22
permit tcp any eq 22 any
My question does it matter if I use a match-any or match-all. I want to match anything in the access-list to classify the traffic correctly
class-map type qos match-any MANAGEMENT
match access-group name MANAGEMENT
Or
class-map type qos match-all MANAGEMENT
match access-group name MANAGEMENT
I understand a match-any is an or and a match-all is an and function. Does this apply to an access-list for a class-map?
ThanksIt applies to match statements within the class map. In your case, you're only using one match statement, so there will be no difference between match-all and match-any, no matter how many entries are in the ACL. If your class map had two different ACLs in two different match statements , then the and/or logic of match-all and match-any would come into play.
-
Total drops for class-map class-default
Hi,
I have a gigabit ethernet interface on a 2951 configured with 4x sub interfaces providing connectivity to our four WAN sites. Each sub interface services a 100mb connection to another site.
I have configured a QoS policy and attached to each sub interface with the primary function of limiting each sub interface to 100mbs. I am now seeing drops (total drops) on the class default and not sure why. I would not expect to see any drops on this interface as it never even reaches 15mb (15%) capacity.
Any ideas?
Class-map: class-default (match-any)
175934881 packets, 95319007968 bytes
5 minute offered rate 23000 bps, drop rate 0000 bps
Match: any
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/340/0
(pkts output/bytes output) 314212026/180287074028
policy-map PM-Branch-QoS
class CM-OAM
set dscp af11
class CM-Network
set dscp cs6
class CM-VC
bandwidth percent 5
class CM-Citrix
set dscp af21
class CM-CAPWAP
set dscp af22
policy-map PM-WAN
class class-default
shape peak 100000000
service-policy PM-Branch-QoSDisclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I would not expect to see any drops on this interface as it never even reaches 15mb (15%) capacity.
Your expectations might be incorrect. Often percentage of bandwidth capacity measurements are misunderstood.
Let's assume your ingress is 100 Mbps. Let's also assume your measuring over a five minute period. Lastly, assume the ingress transmits at 100% for 1 minute and then stops for 4 minutes. Bandwidth utilization across the 1 minute would be 100% and 0% for the other 4 minutes, but it would be 20% for the 5 minutes.
But if the 100 Mbps was sent at 100% for each 12 seconds, and not sent for each 48 seconds, 5 minute utilization would still be 20% but unlike the prior 1 minute stats of 100% and 0%, each minute would now also be 20%.
So these first two examples show how bandwidth utilization don't reveal what's happening within the measured time period.
Since ingress was same bandwidth as egress, in the above, there would be no queuing.
If ingress is gig, though, suppose gig ingress arrives for 6 seconds and stops for a remaining 4 minutes and 54 seconds. This too would measure as 20% usage across 5 minutes, but since it will take 60 seconds to transmit the same traffic at 100 Mbps, packets will need to be queued. If queuing buffers are insufficient to hold all the packets, some will be dropped.
The above is a long way of saying, if your ingress rate exceeds your egress rate, there can be a need to queue packets, and if queuing is insufficient, packets will be dropped, this even if utilization is "low". Most likely, you have occasional "bursts" if ingress bandwidth exceeds the egress bandwidth.
From your actual stats, the drop rate percentage is so low, you might not need to concern yourself with the few drops you're seeing. If it is a concern, you might be able to reduce the drop rate by increasing egress buffering, but doing so, also increases egress queuing delay. -
Policer with IPv6 class-map on Catalyst 3750
Hi,
I've the following problem.
It's my goal to ratelimit incoming IPv6 traffic dependent on the destination IP address range.
On a Catalyst 3750 (Image: c3750-ipservicesk9-mz.122-55.SE1.bin) I've set up the configuration as follows:
mls qos
ipv6 access-list DESTINATION-RANGE-A
permit ipv6 any 2007::/16
ipv6 access-list DESTINATION-RANGE-B
permit ipv6 any 2B03::/16
class-map match-all A
match access-group name DESTINATION-RANGE-A
class-map match-all B
match access-group name DESTINATION-RANGE-B
policy-map RL-POLICY
class A
police 2000000 8000 exceed-action drop
class B
police 6000000 8000 exceed-action drop
interface GigabitEthernet1/0/7
switchport access vlan 90
load-interval 30
service-policy input RL-POLICY
The last CLI command which should bind the policy to the specific interface, leads to the following error message
QoS: class(A) IPv6 class not supported on interface GigabitEthernet1/0/7
Are hardware/software limitations the reason for this behavior or is there any misconfiguration?
Thanks in advance for your help!
Regards,
JensIf you are thinking of IPv6 prefix I tried everything. From /128 for single host to /64, nothing works.
Maybe you are looking for
-
How to turn off LED near modem connector
T500 has an amazingly bright green LED on the left side between the modem port and the DVD drive. It is on all the time, from what I can tell. Any way to turn it off - find it very annoying...
-
Folder with question mark after unpartitioning hard drive
I am running Snow Leopard on my Mac Book Pro.I unpartitioned my hard drive with Boot Camp. Now when I start up I get a folder with a question mark (not a flashing question mark) and then the apple logo. I repaired the disk permissions but there is no
-
System crashes on clicking bc- bsp- sap node in SICF
Hi all I was trying to change the logon settings for a BSP application. when i clicked the bc->bsp->sap node in the transaction SICF, the system crashed with a exeception a popup window displays [Sapfewdbg Exception Exception #1 has occured and du
-
I started LR5 yesterday and now have some folders with ? marks on the file symbol. What did I do???
-
Hi, Maps in iPhoto are not displayed on my home wifi. It worked last week end on another wifi but not on mine. I reset my wifi router and it worked during 5 minutes, then iPhoto could not show me the full maps with all pictures neither the maps for t