cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
254
Views
20
Helpful
9
Replies
Beginner

Cisco QoS Not Working If Device Not Directly Connected

I want to  implement QoS for my company and now in testing stage. What I want to achieve are I want to give priority to Office365 public IP subnet 5 Mbps of bandwidth and the bandwidth in total is 10 Mbps for Internet

 

Upon testing with following topology it is work as expected. I can download any file with almost 10 Mbps of Internet bandwidth and the router will priority Office365 subnet if there are traffics for it.qos_work_topology.PNG

But when I connected the Router Internet to our Core Switch some how it is not working as expected, and the bandwidth is reduced to almost 10 times. With maximum of download range from 1-3 Mbps. I had make sure the Core switch not running any QoS and the port connected to router is on routed mode.

qos_not_work_topology.PNG

Here the configuration on router, please take not NAT is do on Firewall :):

router#sho running-config int g0/0
Building configuration...

Current configuration : 165 bytes
!
interface GigabitEthernet0/0
ip address 10.5.254.1 255.255.255.252
duplex auto
speed auto
service-policy output QOS-PARENT
end

router#sho running-config int g0/1
Building configuration...

Current configuration : 163 bytes
!
interface GigabitEthernet0/1
ip address 10.5.254.6 255.255.255.252
duplex auto
speed auto
service-policy output QOS-PARENT

 

router#show running-config | s access-list
ip access-list extended LOCAL-LAN-ACL
permit ip 10.5.254.0 0.0.0.255 10.5.0.0 0.0.255.255
permit ip 10.5.0.0 0.0.255.255 10.5.254.0 0.0.0.255
ip access-list extended O365-ACL
permit tcp 10.5.0.0 0.0.255.255 object-group O365-IP-RANGE eq www
permit tcp 10.5.0.0 0.0.255.255 object-group O365-IP-RANGE eq 443
PTSMOE-RTR01#show running-config | s class-map
class-map match-all LAN
match access-group name LOCAL-LAN-ACL
class-map match-any WEB
match protocol http
match protocol secure-http
class-map match-all SCAVENGER
match protocol bittorrent
class-map match-all O365
match access-group name O365-ACL

router#show running-config | s policy-map
policy-map QOS-CHILD
class O365
priority percent 50
class SCAVENGER
police 200000
class WEB
bandwidth percent 48
random-detect dscp-based
random-detect ecn
policy-map QOS-PARENT
class LAN
shape average 990000000
class class-default
shape average 10000000
service-policy QOS-CHILD

 

Please help me brother and sister quite confusing why it not working as expected, I am afraid I am missing some thing or not really understand how QoS behave on Cisco IOS.

 

Thanks

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Expert

Re: Cisco QoS Not Working If Device Not Directly Connected

Insufficient information to really comment on why adding your "core" L3 switch causes a slowdown, but as to your QoS config, I have several suggestions. (BTW, depending on the model and "vintage" of your L3 switch, some switches no longer require setting interface to trust when QoS is enabled.)

First, understand, downstream/ingress bandwidth management generally doesn't work very well with the features available on a Cisco router. (NB: there are some 3rd party traffic management devices that can do much better than a Cisco router, but even they cannot ideally handle all ingress traffic situations. Ideally, you want to manage other side's egress, but that's very unlikely to be allowed.) I would suggest obtaining a Internet link for just your Office 360 traffic and one for your general Internet traffic. If you do, you might only need a default class with FQ (and perhaps a class to limit BitTorrent on the general Internet link).

There's no real need for QoS on the router's inside (i.e. g0/0) facing interface (as your bottleneck is the 10 Mbps cap for Internet traffic).

You're right to think you need shaping for Internet egress interface (i.e. g0/1) if physically more than provisioned bandwidth, but you want just one shaper sized for the available egress bandwidth. However, for 10Mbps, it would be better to run the egress interface physically at 10 Mbps.

e.g.
policy-map SampleShaperParent
class class-default
shape average 10000000 !10Mbps - might need to set up to 15% less - unclear all shapers account for L2 overhead
service-policy X !the child policy - which manages bandwidth allocations

Your bandwidth management policy, for Internet facing interface (again, interface policy if running interface physically at 10 Mbps, or child policy if shaping parent at 10 Mbps) might be:

policy-map sample
class O365
bandwidth remaining percent 81
fair-queue
class SCAVENGER !optional class
bandwidth remaining percent 1
fair-queue
class class- default
bandwidth remaining percent 9
fair-queue

I highly recommend you don't use WRED (unless you're a QoS expert, and you note you're not). I also recommend you don't use LLQ for your O360 traffic. Lastly, I recommend using FQ, where possible, as it offers many advantages.

9 REPLIES 9
VIP Advisor

Re: Cisco QoS Not Working If Device Not Directly Connected

Hi there,

You should also configure the interfaces on the core switch to trust the QoS markings coming from the router:

 

!
mls qos
!
int gi1/1
  description link_to_router
  mls qos trust
!

 

 

…also you want to mark the traffic coming from the laptop to (add your existing QoS policy-maps and ACLs to the global configuration):

 

!
int gi2/1
  description link_to_laptop
  service-policy input QOS-PARENT
!

 

Cheers,

Seb.

Beginner

Re: Cisco QoS Not Working If Device Not Directly Connected

Hi seb, thank you for your answer. Lol I had configured on all of our switch trust boundary yet  I am forget to tag it on core switch when do some testing what a stupid of me. Any way thank you very much for your guide and answer.

VIP Mentor

Re: Cisco QoS Not Working If Device Not Directly Connected

Hello,

 

in addition to Seb's post, I am not really clear why the connection  between your switch and the router is a layer 3 connection, and why you are shaping LAN traffic in the LAN class (with a very high value, which basicallly only uses CPU and doesn't achieve anything). 

 

Since you are testing, try and make the link between the switch and the router a layer 2 link. Also, try the changes marked in boild below:

 

router#sho running-config int g0/0
Building configuration...

Current configuration : 165 bytes
!
interface GigabitEthernet0/0
ip address 10.5.254.1 255.255.255.252
duplex auto
speed auto
--> no service-policy output QOS-PARENT
!
interface GigabitEthernet0/1
ip address 10.5.254.6 255.255.255.252
duplex auto
speed auto
service-policy output QOS-PARENT
!
--> no ip access-list extended LOCAL-LAN-ACL
permit ip 10.5.254.0 0.0.0.255 10.5.0.0 0.0.255.255
permit ip 10.5.0.0 0.0.255.255 10.5.254.0 0.0.0.255
!
ip access-list extended O365-ACL
permit tcp 10.5.0.0 0.0.255.255 object-group O365-IP-RANGE eq www
permit tcp 10.5.0.0 0.0.255.255 object-group O365-IP-RANGE eq 443
PTSMOE-RTR01#show running-config | s class-map
--> no class-map match-all LAN
match access-group name LOCAL-LAN-ACL
class-map match-any WEB
match protocol http
match protocol secure-http
class-map match-all SCAVENGER
match protocol bittorrent
class-map match-all O365
match access-group name O365-ACL
!
policy-map QOS-CHILD
class O365
priority percent 50
class SCAVENGER
police 200000
class WEB
bandwidth percent 48
random-detect dscp-based
random-detect ecn
policy-map QOS-PARENT
--> no class LAN
shape average 990000000
class class-default
--> no shape average 10000000
service-policy QOS-CHILD

Beginner

Re: Cisco QoS Not Working If Device Not Directly Connected

Hi Georg,

Thank for your suggestion, I am really new with Cisco QoS and I will remove the configuration that you are suggesting and see the result. Actually the switch is our core switch that run layer 3 to our distribution, I just make the topology simple.

Highlighted
VIP Advisor

Re: Cisco QoS Not Working If Device Not Directly Connected

Hello

As your are traffic shaping egress traffic try removing qos from the core and your routers inside interface gig0/0

Below is a amended policy map with some fair queuing applied for the default class>

policy-map QOS-CHILD
class O365
priority percent 50
class SCAVENGER
police 200000
class WEB
bandwidth percent 48
random-detect dscp-based
random-detect ecn
class class-default
fair queue


policy-map QOS-PARENT
no class LAN
no shape average 990000000
class class-default
shape average 10000000
service-policy QOS-CHILD

 

interface GigabitEthernet0/0
no service-policy output QOS-PARENT



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Beginner

Re: Cisco QoS Not Working If Device Not Directly Connected

Hi Paul,

Thank for your answer, I will try it later on office hour. Your answer really help me understand Cisco QoS :) since it is my first time deploy QoS on Cisco device hehehe.
VIP Expert

Re: Cisco QoS Not Working If Device Not Directly Connected

Insufficient information to really comment on why adding your "core" L3 switch causes a slowdown, but as to your QoS config, I have several suggestions. (BTW, depending on the model and "vintage" of your L3 switch, some switches no longer require setting interface to trust when QoS is enabled.)

First, understand, downstream/ingress bandwidth management generally doesn't work very well with the features available on a Cisco router. (NB: there are some 3rd party traffic management devices that can do much better than a Cisco router, but even they cannot ideally handle all ingress traffic situations. Ideally, you want to manage other side's egress, but that's very unlikely to be allowed.) I would suggest obtaining a Internet link for just your Office 360 traffic and one for your general Internet traffic. If you do, you might only need a default class with FQ (and perhaps a class to limit BitTorrent on the general Internet link).

There's no real need for QoS on the router's inside (i.e. g0/0) facing interface (as your bottleneck is the 10 Mbps cap for Internet traffic).

You're right to think you need shaping for Internet egress interface (i.e. g0/1) if physically more than provisioned bandwidth, but you want just one shaper sized for the available egress bandwidth. However, for 10Mbps, it would be better to run the egress interface physically at 10 Mbps.

e.g.
policy-map SampleShaperParent
class class-default
shape average 10000000 !10Mbps - might need to set up to 15% less - unclear all shapers account for L2 overhead
service-policy X !the child policy - which manages bandwidth allocations

Your bandwidth management policy, for Internet facing interface (again, interface policy if running interface physically at 10 Mbps, or child policy if shaping parent at 10 Mbps) might be:

policy-map sample
class O365
bandwidth remaining percent 81
fair-queue
class SCAVENGER !optional class
bandwidth remaining percent 1
fair-queue
class class- default
bandwidth remaining percent 9
fair-queue

I highly recommend you don't use WRED (unless you're a QoS expert, and you note you're not). I also recommend you don't use LLQ for your O360 traffic. Lastly, I recommend using FQ, where possible, as it offers many advantages.

Beginner

Re: Cisco QoS Not Working If Device Not Directly Connected

Hi Josepn,

Thank you for your answer, I guess it is pretty hard to implement the QoS on Internet Face Router using plain source/destination IP address and port combination although many of my friend said Cisco gear great for handling Voice and Video data :).

The real problem is all of our access switch could not implement syntax "service-policy input policy-name" as Seb answers. Although our distribution switch support it due to ip-service license :).

I will look other solution as such as using proxy or other method to do the QoS using IP address as it source or destination.
VIP Expert

Re: Cisco QoS Not Working If Device Not Directly Connected

". . . I guess it is pretty hard to implement the QoS on Internet Face Router using plain source/destination IP address and port combination . . ."

No, that's not the issue. The issue is, ingress bandwidth management. Ingress traffic can burst/surge before it hits your ingress policer, so you cannot really guarantee bandwidth to some traffic vs. other traffic on the ingress link.

Options for egress bandwidth management, on a Cisco router, are pretty good.

Cisco switches generally are much weaker in what they offer in the way of QoS. They also vary much more in their QoS support based on the actual platform. The reason for this, on a router, QoS is generally supported by software but on a switch QoS is generally supported by hardware (and it takes much/complex hardware to support complex QoS).

I thought most Cisco switches, except very old or basic (like the SMBs) models support some basic form of ingress policy, to a least look at and manage frame/packet QoS markings. It's possible, though, you might need to enable QoS, on a switch (on older models it tends to be off, by default), to activate other QoS commands.
CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards