Quality of Service

svbyrne · ‎12-06-2018

I am trying to shape AF1 traffic

I am seeing hits on my other queues but not AF1

I know there is traffic matching my ACL

Q has anyone got a similar configuration ?

class-map match-any ce_af1_customer
description Match AF1 Class map
match ip dscp cs1 af11 af12 af13
match access-group name preactor-gmps-critical

kf-r-park-royal-01#s hinv
bkf-r-park-royal-01#show inv
bkf-r-park-royal-01#show inventory
NAME: "Chassis", DESCR: "Cisco ISR4331 Chassis"
PID: ISR4331/K9 , VID: V04, SN: FDO2223A2N7

class-map match-any ce_af1_output
description Marking AF1 Class map
match class-map ce_af1_customer

policy-map cpe_out_child
description MGMT:8K EF:0K AF1:0K AF2:0K AF3:0K AF4:0K
class ce_mgmt_bun_output
police 8000 8000 8000 conform-action set-prec-transmit 6 exceed-action set-prec-transmit 6
bandwidth 3
random-detect
random-detect precedence 0 22 35 10
random-detect precedence 6 22 35 10
class ce_af4_output
police 3000000 conform-action set-dscp-transmit af41 exceed-action set-dscp-transmit af42
class ce_af3_output
police 400000 conform-action set-dscp-transmit af31 exceed-action set-dscp-transmit af32
class ce_ef_output
police 4000000 conform-action set-dscp-transmit ef exceed-action drop
priority
class ce_af2_output
shape average 8000000
class ce_af1_output
shape average 8000000
class class-default
random-detect

paul driver · ‎12-07-2018

Hello

i don’t see why your class map ce_af1_customer is nested into the parent class map ce_af1_output as it not nested with anything else you could try matching on ce_af1_customer instead

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joseph W. Doherty · ‎12-07-2018

"Q has anyone got a similar configuration ?"

Depends how you define "similar.

BTW, as you've only posted part of all your QoS policy's supporting class-map, have no idea what your earlier policy-map classes are matching against. I.e. it's possible an earlier class is also matching against AF11.

Also BTW, you might consider replacing "match ip dscp cs1 af11 af12 af13" with just matching IPPrec 1.

Lastly, I generally recommend against using RED unless you're a QoS expert. I also generally recommend using class based FQ instead.

svbyrne · ‎12-11-2018

additional configuration

Joseph W. Doherty · ‎12-12-2018

Better - but ACLs you're using in class-maps?

svbyrne · ‎12-12-2018

ip access-list standard altiris-tools-burst
permit 172.23.200.76
ip access-list standard ax-critical
permit 10.20.2.12
permit 10.20.2.11
permit 10.0.106.133
permit 10.0.106.134
ip access-list standard biztalk-app-critical
permit 169.254.1.18
permit 10.0.106.194
permit 10.0.106.184
permit 10.0.106.185
permit 10.0.106.186
ip access-list standard cognos-controller-critical
permit 10.0.106.8
permit 10.0.106.9
ip access-list standard dev-web-critical
permit 10.0.106.163
permit 172.23.200.138
ip access-list standard preactor-aps-critical
permit 10.21.0.23
permit 10.21.0.22
permit 172.23.10.37
permit 172.23.10.39
ip access-list standard preactor-gmps-critical
permit 10.21.0.23
permit 10.21.0.22
permit 172.23.200.64
permit 172.23.10.37
permit 172.23.10.39
ip access-list standard protean-critical
permit 10.20.2.29
permit 10.20.2.30
permit 10.20.2.31
permit 10.0.136.135
permit 10.20.2.40
permit 10.20.2.36
permit 10.20.2.37
permit 10.20.2.38
permit 10.20.2.39
permit 10.20.2.32
permit 10.20.2.33
permit 10.20.2.34
permit 10.20.2.35
permit 10.0.106.236
permit 10.0.106.205
permit 10.0.106.206
permit 10.0.106.207
permit 10.0.106.208
permit 10.0.106.209
permit 10.0.106.210
permit 10.0.106.211
permit 10.0.106.212
permit 10.0.106.213
permit 10.0.106.214
permit 10.0.106.215
permit 10.0.106.216
permit 10.0.106.217
permit 10.0.106.218
permit 85.115.54.202
ip access-list standard qlikview-critical
permit 10.0.105.62
permit 10.0.105.61
permit 10.0.105.60
ip access-list standard rgpweb-critical
permit 10.21.2.31
permit 10.21.2.30
permit 172.23.200.167
permit 172.23.200.166
ip access-list standard ukh-critical
permit 10.0.106.174
permit 10.0.106.175
permit 10.0.106.183
permit 10.0.106.184
ip access-list standard wms-critical
permit 172.24.0.41
permit 172.24.0.42

Joseph W. Doherty · ‎12-14-2018

Hmm, so I now look at your first policy class, which is:

policy-map cpe_out_child
description MGMT:8K EF:0K AF1:0K AF2:0K AF3:0K AF4:0K
class ce_mgmt_bun_output

Then I look at the class-map:

class-map match-any ce_mgmt_bun_output
match access-group name QOS_MANAGEMENT

Then I look to see what's in "QOS_MANAGEMENT" - missing from your latest post? Other ACLs also missing?

svbyrne · ‎12-17-2018

thanks for your reply
bkf-r-park-royal-01#sh access-lists QOS_MANAGEMENT
Extended IP access list QOS_MANAGEMENT
10 permit ip any 194.72.105.0 0.0.0.31
bkf-r-park-royal-01#

note --- we have checked netflow and packet captures toe ensure there are active IP packets matching the ACL

we still do not see hits

when I change the match to protocol http -- I see hits

Q do you think this behaviour could relate to a software defect on the router ?

Joseph W. Doherty · ‎12-17-2018

Yes, software defects are always possible, including those that just impact counters showing what's happening. I.e. sometimes the routers is actually processing packets correctly, but that stats don't show that.

I'm now further confused - what ACL do you see being match, where do you set/change to match protocol http and you see hits?

In any case, any packets that match your QOS_MANAGEMENT ACL should match that first class and not be seen by your ce_af4_output class.

svbyrne · ‎12-18-2018

thanks all for your help

I had to change the ACL to extended -- saw no hits on the standard

svbyrne · ‎12-12-2018

thanks for your quick reply

I had tried removing the nested class map

it made no difference