12-17-2018 12:03 AM - edited 02-21-2020 08:34 AM
Hi, guys,
A port-channel is configured on an ASA 5545-X as follows, with a QoS service-policy configured on the VLANs under the port-channel. I just found that the service-policy only works on VLAN160, but does not work on VLAN1 and VLAN5.
Any suggestions? Thanks a lot.
1. Port-channel configuration in ASA 5545-X:
--------Physical interfaces-----------------
interface GigabitEthernet0/2
 speed 1000
 channel-group 1 mode active
 flowcontrol send on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 speed 1000
 channel-group 1 mode active
 flowcontrol send on
 no nameif
 no security-level
 no ip address
!
----------VLAN interfaces -----------
5545-x/act# sh run int po1
interface Port-channel1
 description OA Servers
 speed 1000
 lacp max-bundle 8
 nameif vlan1
 security-level 50
 ip address 192.168.100.4 255.255.255.0
5545-x/act# sh run int po1.5
interface Port-channel1.5
 description Email Servers
 vlan 5
 nameif vlan5
 security-level 50
 ip address 192.168.110.4 255.255.255.0
5545-x/act# sh run int po1.160
interface Port-channel1.160
 description Office Servers
 vlan 160
 nameif vlan160
 security-level 50
 ip address 192.168.160.4 255.255.255.0
--------show service-policy police------------------------
Interface vlan1:
Service-policy: BW_limit_VLAN1
Class-map: BW_VLAN1_class
Input police Interface vlan1:
cir 800000000 bps, bc 25000000 bytes
conformed 6350939896 packets, 7336473787459 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 1448688 bps, exceed 0 bps
Output police Interface vlan1:
cir 800000000 bps, bc 25000000 bytes
conformed 2641968037 packets, 655948392997 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 445880 bps, exceed 0 bps
Interface vlan5:
Service-policy: BW_limit_VLAN5
Class-map: BW_VLAN5_class
Input police Interface vlan5:
cir 800000000 bps, bc 25000000 bytes
conformed 257952525411 packets, 365973961976468 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 343793768 bps, exceed 0 bps
Output police Interface vlan5:
cir 800000000 bps, bc 25000000 bytes
conformed 35434136643 packets, 2374848834404 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 1875072 bps, exceed 0 bps
Interface vlan160:
Service-policy: BW_limit
Class-map: BW_Limit_class
Input police Interface vlan160:
cir 800000000 bps, bc 25000000 bytes
conformed 53994309019 packets, 17904722099558 bytes; actions: transmit
exceeded 2180425 packets, 3117877628 bytes; actions: drop
conformed 14955520 bps, exceed 0 bps
Output police Interface vlan160:
cir 800000000 bps, bc 25000000 bytes
conformed 309338956113 packets, 432310917096044 bytes; actions: transmit
exceeded 3545581 packets, 5021171197 bytes; actions: drop
conformed 409027656 bps, exceed 8464 bps
12-17-2018 12:51 AM
Could you share the config for the class map and service policy map?
12-17-2018 07:05 PM
Hi, Radio_city:
Only traffic policing can be used on the ASA 5545-X, so the configuration is as below (all the following VLANs are under Port-channel1):
service-policy global_policy global
service-policy BW_limit_VLAN1 interface vlan1
service-policy BW_limit_VLAN5 interface vlan5
service-policy BW_limit interface vlan160
policy-map BW_limit
 class BW_Limit_class
  police input 700000000
  police output 700000000
policy-map BW_limit_VLAN5
 class BW_VLAN5_class
  police input 700000000
  police output 700000000
policy-map BW_limit_VALN5
 class BW_VLAN5_class
  police input 700000000
  police output 700000000
policy-map BW_limit_VLAN1
 class BW_VLAN1_class
  police input 500000000
  police output 500000000
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class_ftp
  inspect ftp
 class class_ftp1
  inspect ftp
 class class_ftp2
  inspect ftp
 class class_ftp3
  inspect ftp
12-18-2018 12:54 AM
Your configuration is correct. It seems VLAN 160 utilizes more than expected and the service policy kicks in as per your configuration.
I have seen your other post where your
vlan1
5 minute input rate 192 pkts/sec, 65690 bytes/sec
5 minute output rate 197 pkts/sec, 113053 bytes/sec
vlan5
61511 packets input, 66064278 bytes
So it is clear your vlan160 is utilized more and your config is kicking in to police it. You never shared the interface vlan 160 output; however, looking at the service policy map explains it all.
Also, in your config you can remove this command:
policy-map BW_limit_VALN5
 class BW_VLAN5_class
  police input 700000000
  police output 700000000
As you already configured this, policy-map BW_limit_VALN5 could be a typo error.
Please rate.
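A quick way to catch the kind of leftover policy-map noted in this reply, as an added example that is not part of the original posts: it cross-checks `policy-map` definitions against `service-policy` bindings and suggests the bound map a stray one most resembles. The function name `audit_policy_maps` and the abridged sample are assumptions made for the example.

```python
import difflib
import re

# Constructed sample, abridged from the configuration posted in this thread.
CONFIG = """\
service-policy global_policy global
service-policy BW_limit_VLAN1 interface vlan1
service-policy BW_limit_VLAN5 interface vlan5
service-policy BW_limit interface vlan160
policy-map BW_limit
 class BW_Limit_class
  police input 700000000
policy-map BW_limit_VLAN5
 class BW_VLAN5_class
  police input 700000000
policy-map BW_limit_VALN5
 class BW_VLAN5_class
  police input 700000000
policy-map BW_limit_VLAN1
 class BW_VLAN1_class
  police input 500000000
policy-map global_policy
 class inspection_default
  inspect ftp
"""

def audit_policy_maps(config):
    """Return (unbound, undefined): policy-maps never applied, and
    service-policy bindings that point at a policy-map that is not defined."""
    defined, bound = [], {}
    for line in config.splitlines():
        line = line.strip()
        # Only plain "policy-map NAME" lines; "policy-map type inspect ..." is skipped.
        m = re.fullmatch(r"policy-map\s+(\S+)", line)
        if m:
            defined.append(m.group(1))
        m = re.fullmatch(r"service-policy\s+(\S+)\s+(?:global|interface\s+(\S+))", line)
        if m:
            bound[m.group(1)] = m.group(2) or "global"
    unbound = {}
    for name in defined:
        if name not in bound:
            # Suggest the bound policy-map this one was probably meant to be.
            near = difflib.get_close_matches(name, list(bound), n=1, cutoff=0.8)
            unbound[name] = near[0] if near else None
    undefined = [name for name in bound if name not in defined]
    return unbound, undefined

if __name__ == "__main__":
    print(audit_policy_maps(CONFIG))
```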
12-18-2018 08:01 PM - edited 12-18-2018 08:05 PM
Hi, Radio_City,
First of all, thanks so much for your great information.
This is a typo error (it will be removed), and there is a correct statement in the configuration (thanks for the reminder).
policy-map BW_limit_VALN5
 class BW_VLAN5_class
  police input 700000000
  police output 700000000
VLAN160 has the same configuration as the other VLANs, but it uses "policy-map BW_limit".
But I find something weird in the VLAN interface statistics (this is my main question), as follows:
ASA5545-x/act# sh int vlan1 detail
Interface Port-channel1 "vlan1", is up, line protocol is up
.............
Traffic Statistics for "vlan1":
176397320 packets input, 202956201240 bytes
77047911 packets output, 18297774643 bytes
1271780 packets dropped
1 minute input rate 2159 pkts/sec, 2867221 bytes/sec
1 minute output rate 634 pkts/sec, 73013 bytes/sec
1 minute drop rate, 4 pkts/sec
5 minute input rate 1411 pkts/sec, 1761937 bytes/sec
5 minute output rate 596 pkts/sec, 95737 bytes/sec
5 minute drop rate, 4 pkts/sec
Control Point Interface States:
Interface number is 51
Interface config status is active
Interface state is active
Members in this channel:
Active: Gi0/2 Gi0/3
ASA5545-x/act# sh int vlan5 detail
Interface Port-channel1.5 "vlan5", is up, line protocol is up
.........
Traffic Statistics for "vlan5":
8919732055 packets input, 12523602859074 bytes
1014320725 packets output, 46483250113 bytes
189498 packets dropped
Control Point Interface States:
Interface number is 53
Interface config status is active
Interface state is active
Control Point Vlan5 States:
Interface vlan config status is active
Interface vlan state is UP
ASA5545-x/act# sh int vlan160 detail
Interface Port-channel1.160 "vlan160", is up, line protocol is up
.........
Traffic Statistics for "vlan160":
1435429764 packets input, 392709962037 bytes
10032894110 packets output, 13929479550325 bytes
2604105 packets dropped
Control Point Interface States:
Interface number is 52
Interface config status is active
Interface state is active
Control Point Vlan160 States:
Interface vlan config status is active
Interface vlan state is UP
As captured above, all VLAN interfaces have dropped packets, but I never see any packet drops for VLAN1 and VLAN5 in the service-policy map, as captured below (only packet drops in VLAN160)?
ASA5545-# sh service-policy police
Interface vlan1:
Service-policy: BW_limit_VLAN1
Class-map: BW_VLAN1_class
Input police Interface vlan1:
cir 500000000 bps, bc 15625000 bytes
conformed 293002255 packets, 366664057140 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 9087560 bps, exceed 0 bps
Output police Interface vlan1:
cir 500000000 bps, bc 15625000 bytes
conformed 107075324 packets, 23129285392 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 497672 bps, exceed 0 bps
Interface vlan5:
Service-policy: BW_limit_VLAN5
Class-map: BW_VLAN5_class
Input police Interface vlan5:
cir 700000000 bps, bc 21875000 bytes
conformed 4901691810 packets, 6966420234196 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 348740384 bps, exceed 0 bps
Output police Interface vlan5:
cir 700000000 bps, bc 21875000 bytes
conformed 881459042 packets, 56731648176 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 2839896 bps, exceed 0 bps
Interface vlan160:
Service-policy: BW_limit
Class-map: BW_Limit_class
Input police Interface vlan160:
cir 700000000 bps, bc 21875000 bytes
conformed 1221655192 packets, 324671447517 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 16252648 bps, exceed 0 bps
Output police Interface vlan160:
cir 700000000 bps, bc 21875000 bytes
conformed 6042855821 packets, 8491510646622 bytes; actions: transmit
exceeded 7308 packets, 10381228 bytes; actions: drop
conformed 425086576 bps, exceed 512 bps
12-19-2018 02:12 AM
Packet drops can happen for a number of reasons; let's say a packet was not in the right order, etc. Also, I noted you have a trunk where you created a port-channel on both sides, at the switch and on the firewall. It also depends on which trunk allowed VLANs are added; it could be that all the trunk traffic is landing on the ASA port-channel.
If I were you, I would not be worried much about why the packet drops are happening. However, I would issue this command to check what is happening:
show asp drop and clear asp drop, which will clear everything that was added (this command has no production impact, you can use it).
Then, if you are interested, you can capture the ASP drops by setting up
capture ASP type asp-drop.
Also, you can issue this command on the ASA box:
show interface detail | begin Internal-Data
This command will show you how your ingress RX rings are taking in the frames.
Regards,
Radio
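To compare policer activity across the VLANs discussed in this thread, the following added example (not part of the original posts) parses `show service-policy police` output and reports, for each policer, the packets it dropped and the conformed rate as a fraction of the CIR. The function name `parse_policers` is an assumption, and the sample is two policers abridged from the output posted above.

```python
import re

# Constructed sample: two policers abridged from the output posted in this thread.
SAMPLE = """\
Interface vlan1:
Service-policy: BW_limit_VLAN1
Class-map: BW_VLAN1_class
Input police Interface vlan1:
cir 500000000 bps, bc 15625000 bytes
conformed 293002255 packets, 366664057140 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 9087560 bps, exceed 0 bps
Interface vlan160:
Service-policy: BW_limit
Class-map: BW_Limit_class
Output police Interface vlan160:
cir 700000000 bps, bc 21875000 bytes
conformed 6042855821 packets, 8491510646622 bytes; actions: transmit
exceeded 7308 packets, 10381228 bytes; actions: drop
conformed 425086576 bps, exceed 512 bps
"""

def parse_policers(text):
    """Return one dict per policer: interface, direction, CIR, burst,
    packets dropped by the policer, and conformed rate / CIR ("load")."""
    policers, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"(Input|Output) police Interface (\S+):", line):
            cur = {"interface": m[2], "direction": m[1].lower()}
            policers.append(cur)
        elif cur is None:
            continue  # header lines before the first policer
        elif m := re.fullmatch(r"cir (\d+) bps, bc (\d+) bytes", line):
            cur["cir_bps"], cur["bc_bytes"] = int(m[1]), int(m[2])
        elif m := re.match(r"exceeded (\d+) packets", line):
            cur["exceeded_pkts"] = int(m[1])
        elif m := re.fullmatch(r"conformed (\d+) bps, exceed (\d+) bps", line):
            cur["load"] = round(int(m[1]) / cur["cir_bps"], 3)
    return policers

if __name__ == "__main__":
    for p in parse_policers(SAMPLE):
        print(p["interface"], p["direction"], p["exceeded_pkts"], p["load"])
```

A policer whose load stays far below 1.0 has nothing to drop, so drops counted on that interface come from elsewhere, which is what `show asp drop` breaks down by reason.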