class map matching question.

Nick Currie
Level 1

Hi there, I am trying to create a class of traffic for our QOS policy that matches all http and https traffic going to an external endpoint.

I have applied this config but it doesn't seem to be matching any traffic; I was wondering if someone can point out where I am going wrong.

I have tried to use the match not command to exclude any traffic going to one of our internal private range addresses.

The class map in question is the http2 class shown below, I have included the other classes in case there is a conflict.

Config

class-map match-all doubletake
 description matches doubletake traffic
 match access-group name doubletake_acl
class-map match-all http2
 match not access-group name http_internal_acl
 match access-group name http_acl
class-map match-all abn_mobile
 description matches ABN Mobile traffic
 match access-group name abn_mobile_acl
class-map match-all MS_File
 description Microsoft CIFS protocol
 match access-group name ms_file_acl

policy-map QOS
 class MS_File
  shape average 10240000
 class doubletake
  shape average 10240000
 class abn_mobile
  shape average 4000000
 class http2
  shape average 20000000

interface GigabitEthernet0/0/1
 description AMCOM
 bandwidth 50000
 ip address x.x.x.x
 ip flow monitor Flow_Mon input
 speed 100
 no negotiation auto
 service-policy output QOS

ip access-list extended abn_mobile_acl
 permit ip 192.168.68.0 0.0.0.255 any
 permit tcp 192.168.68.0 0.0.0.255 any
 permit udp 192.168.68.0 0.0.0.255 any
ip access-list extended doubletake_acl
 permit tcp any any eq 6320
 permit tcp any host 192.168.12.20
ip access-list extended http_acl
 permit tcp any eq www any time-range Production_Hours
 permit tcp any eq 443 any time-range Production_Hours
ip access-list extended http_internal_acl
 permit tcp any 192.168.0.0 0.0.255.255
 permit tcp any 10.0.0.0 0.255.255.255
 permit tcp any 172.30.0.0 0.0.255.255

time-range Production_Hours
 periodic weekdays 6:00 to 18:00

When I check to see if the class map is matching any traffic I get 0 packets matched:

DAC_WAN1_4321#show policy-map interface gi0/0/1 output class http2
 GigabitEthernet0/0/1

  Service-policy output: QOS

    Class-map: http2 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: not access-group name http_internal_acl
      Match: access-group name http_acl
      Queueing
      queue limit 83 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      shape (average) cir 20000000, bc 80000, be 80000
      target shape rate 20000000


Philip D'Ath
VIP Alumni

What model of Cisco device is this being done on, and what software version are you running?

With the http traffic, are you concerned about limiting it coming into your site (aka typical web browsing) or going out of your site (aka like a web server)?  If you are worried about it coming in then note you need to shape the traffic as it heads towards the inside of the network (such as an internal VLAN interface), rather than on the Internet facing interface.

Hi Phillip - this is on a 4321 router. I know the feature works as there are other shape average policies which are matching traffic.

software version: Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(2)S, RELEASE SOFTWARE (fc3)

It's outbound web traffic; this is a remote site WAN router, and I want to shape the Internet-bound traffic without affecting any web traffic to internal services.

The class has two match criteria and both have to be true for it to work.

To isolate the issue, try only using one match at a time. For example, if you just use "match not access-group name http_internal_acl", does it start getting hits? If you just use "match access-group name http_acl", does it start getting hits?

I'm guessing one of them won't. Once we understand which one is not working we can try and figure out why.

Thanks Phil,

I was running the rule as a single ACL match previously, just using "match access-group name http_acl". There were no issues with that; however, I wanted to exclude internal http and https traffic, which is why I added the "match not access-group name http_internal_acl" condition. Can you see anything wrong with that statement?

I didn't bother with the port on the ACL for matching traffic as I didn't think it was needed.

ip access-list extended http_internal_acl
 permit tcp any 192.168.0.0 0.0.255.255
 permit tcp any 10.0.0.0 0.255.255.255
 permit tcp any 172.30.0.0 0.0.255.255

I can't see anything wrong with that, but perhaps try creating a single access list and match on that.

ip access-list extended http_internal_acl_v2
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.30.0.0 0.0.255.255
 permit tcp any eq www any time-range Production_Hours
 permit tcp any eq 443 any time-range Production_Hours

Ahh ok thanks Phillip, I wasn't aware that I could exclude any traffic to 192.168.0.0 255.255.0.0 by just including a deny statement at the start of the ACL. I assume the deny has to come before the permit?

That is correct.

Hi Nick,

If the traffic is destined to external HTTP servers and the direction is outbound, can you verify the below-mentioned ACL:

ip access-list extended http_acl
 permit tcp any eq www any time-range Production_Hours
 permit tcp any eq 443 any time-range Production_Hours

The ports mentioned here are source ports, but they should be destination ports, since the client will be trying to open a specific port on the external server (HTTP or HTTPS in this case) and will not use these reserved port numbers as source ports.

Can you change this and check:

ip access-list extended http_acl
 permit tcp any any eq www time-range Production_Hours
 permit tcp any any eq 443 time-range Production_Hours

This is the start, if this doesn't help please revert and we'll try to sift through the config again.

Regards,

Shaunak
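To make the two fixes in this thread concrete (the deny-first single ACL in Philip's accepted answer, and Shaunak's point about source versus destination ports), here is a small added simulator of IOS extended-ACL and match-all class-map evaluation. It is not part of the thread or of any Cisco software; the time-range is omitted, and the client and server addresses are constructed for the example.

```python
import ipaddress

def ace(action, proto, src="any", dst="any", sport=None, dport=None):
    """One extended-ACL entry; src/dst are CIDR strings or 'any' (time-range omitted)."""
    net = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return dict(action=action, proto=proto, src=net(src), dst=net(dst),
                sport=sport, dport=dport)

def acl_permits(acl, pkt):
    """First matching entry decides; no match means the implicit deny."""
    for e in acl:
        ok = (e["proto"] in ("ip", pkt["proto"]) and pkt["src"] in e["src"]
              and pkt["dst"] in e["dst"] and e["sport"] in (None, pkt["sport"])
              and e["dport"] in (None, pkt["dport"]))
        if ok:
            return e["action"] == "permit"
    return False

def class_match_all(criteria, pkt):
    """match-all class map: (negate, acl) pairs; negate=True is 'match not'."""
    return all(acl_permits(acl, pkt) != negate for negate, acl in criteria)

def packet(src, dst, dport, sport=51000, proto="tcp"):
    return dict(proto=proto, src=ipaddress.ip_address(src),
                dst=ipaddress.ip_address(dst), sport=sport, dport=dport)

# The thread's ACLs: original http_acl used SOURCE ports, the corrected one DESTINATION ports.
HTTP_ACL_ORIG = [ace("permit", "tcp", sport=80), ace("permit", "tcp", sport=443)]
HTTP_ACL_DPORT = [ace("permit", "tcp", dport=80), ace("permit", "tcp", dport=443)]
HTTP_INTERNAL = [ace("permit", "tcp", dst="192.168.0.0/16"),
                 ace("permit", "tcp", dst="10.0.0.0/8"),
                 ace("permit", "tcp", dst="172.30.0.0/16")]
# Single ACL from the accepted answer: deny internal destinations first, then permit by port.
HTTP_ACL_V2 = [ace("deny", "ip", dst=n) for n in ("192.168.0.0/16", "10.0.0.0/8",
                                                  "172.30.0.0/16")] + HTTP_ACL_DPORT

# Constructed flows: an inside client to an Internet HTTPS server, and to an internal web server.
EXTERNAL = packet("192.168.5.10", "203.0.113.7", 443)
INTERNAL = packet("192.168.5.10", "10.1.2.3", 80)

def http2_original(pkt):   # match not http_internal_acl + match http_acl (source ports)
    return class_match_all([(True, HTTP_INTERNAL), (False, HTTP_ACL_ORIG)], pkt)
def http2_dport(pkt):      # same two criteria once http_acl uses destination ports
    return class_match_all([(True, HTTP_INTERNAL), (False, HTTP_ACL_DPORT)], pkt)
def http2_single_acl(pkt): # one deny-first ACL, as in the accepted answer
    return class_match_all([(False, HTTP_ACL_V2)], pkt)
```

The original ACL only ever matches the server's return traffic (source port 443), which is why the outbound class counted 0 packets; both corrected forms match the client's outbound request and still exclude internal destinations.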

Hi Shaunak, thanks for your reply!

I spotted this too and changed the acl to this:

ip access-list extended http_acl
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.30.0.0 0.0.255.255
 permit tcp any any eq 443 time-range Production_Hours
 permit tcp any any eq www time-range Production_Hours

It is actually working properly; I tested with iperf3 to see the effects of the shaping. However, seeing as it's web traffic, the traffic flow is heavily weighted to incoming rather than outgoing. I have applied the relevant config to our inbound routers and have achieved shaping heaven, thank you for your help guys!!!

Just looking at this further, does the ms_file_acl exist? That is the first match criterion.

abn_mobile is the third match criterion, and it matches:

 permit ip 192.168.68.0 0.0.0.255 any
 permit tcp 192.168.68.0 0.0.0.255 any
 permit udp 192.168.68.0 0.0.0.255 any

Could this class be catching the test traffic? It does overlap with your internal class, but will be tested first because it is higher up.

Hi Phil

Yes, sorry, the ms_file ACL was missed out on that post, but it's there.

ip access-list extended ms_file_acl
 permit tcp any eq 445 any time-range Production_Hours

The 192.168.68.0/24 network is not part of this traffic; that network is to be shaped to 4 mb.