08-12-2013 01:10 AM - edited 03-04-2019 08:43 PM
I have been working with so many clients and service providers and came up with a Cisco Quality of Service template that suits most of my clients. This template needs to be modified in little to accommodate your client requirements. I have captured traffic for more than a month to know about all the ports and protocols.
This template is a property of DNSIT but can be replicated by you for your MPLS WAN.
General Template is as below –
ip access-list extended RTP
 remark Real-Time Transport Protocol
 permit udp any any range 16383 32767
 permit udp any range 16383 32767 any
ip access-list extended TCP-PRINTING
 remark TCP Printing port
 permit tcp any any eq 9100
 permit tcp any eq 9100 any
ip access-list extended REMOTE-ACCESS
 remark Administrative Remote Management
 permit tcp any any eq 6129
 permit tcp any any eq 3389
 permit tcp any any eq 9535
 permit tcp any any eq 5900
 permit tcp any any eq 22
 permit tcp any eq 6129 any
 permit tcp any eq 3389 any
 permit tcp any eq 9535 any
 permit tcp any eq 5900 any
 permit tcp any eq 22 any
ip access-list extended DOMAIN
 remark Windows Domain Related Traffic
 permit tcp any any eq 389
 permit udp any any eq 389
 permit tcp any any eq 135
 permit udp any any eq 135
 permit tcp any any eq 445
 permit udp any any eq 445
 permit tcp any any eq 137
 permit udp any any eq 137
 permit tcp any any eq 138
 permit udp any any eq 138
 permit tcp any any eq 139
 permit udp any any eq 139
 permit tcp any any eq 88
 permit udp any any eq 88
 permit tcp any any eq 53
 permit udp any any eq 53
 permit udp any any eq 123
 permit tcp any any eq 3268
 permit udp any any eq 67
 permit tcp any eq 389 any
 permit udp any eq 389 any
 permit tcp any eq 137 any
 permit udp any eq 137 any
 permit tcp any eq 138 any
 permit udp any eq 138 any
 permit tcp any eq 139 any
 permit udp any eq 139 any
 permit tcp any eq 88 any
 permit udp any eq 88 any
 permit tcp any eq 53 any
 permit udp any eq 53 any
 permit udp any eq 123 any
 permit tcp any eq 3268 any
 permit udp any eq 67 any
ip access-list extended RTSP
 remark Real Time Streaming Protocols
 permit tcp any any eq 554
 permit tcp any any eq 8554
 permit tcp any eq 554 any
 permit tcp any eq 8554 any
ip access-list extended CITRIX
 remark Citrix Session Protocols
 permit udp any any eq 1604
 permit tcp any any eq 2598
 permit tcp any any eq 2512
 permit tcp any any eq 2513
 permit tcp any any eq 1494
 permit udp any eq 1604 any
 permit tcp any eq 2598 any
 permit tcp any eq 2512 any
 permit tcp any eq 2513 any
 permit tcp any eq 1494 any
ip access-list extended BGP
 remark BGP Protocols
 permit udp any any eq 179
 permit tcp any any eq 179
 permit udp any eq 179 any
 permit tcp any eq 179 any
ip access-list extended SKINNY
 remark SCCP Protocols
 permit tcp any any eq 2000
 permit tcp any any eq 2001
 permit tcp any any eq 2002
 permit tcp any eq 2000 any
 permit tcp any eq 2001 any
 permit tcp any eq 2002 any
ip access-list extended H323
 remark H323 Protocol
 permit tcp any any eq 1300
 permit tcp any any eq 1718
 permit tcp any any eq 1719
 permit tcp any any eq 1720
 permit tcp any any range 11000 11999
 permit udp any eq 1300 any
 permit udp any eq 1718 any
 permit udp any eq 1719 any
 permit udp any eq 1720 any
 permit udp any eq 11720 any
 permit tcp any eq 1300 any
 permit tcp any eq 1718 any
 permit tcp any eq 1719 any
 permit tcp any eq 1720 any
 permit tcp any range 11000 11999 any
 permit udp any any eq 1300
 permit udp any any eq 1718
 permit udp any any eq 1719
 permit udp any any eq 1720
 permit udp any any eq 11720
ip access-list extended HTTP
 permit udp any any eq 80
 permit udp any any eq 443
 permit udp any eq 80 any
 permit udp any eq 443 any
 permit udp any any eq 8080
 permit udp any eq 8080 any
class-map match-any SHAPE-GigabitEthernet0/0
 match any
class-map match-any VOICE
 match ip precedence 5
 match dscp ef
 match access-group name RTP
 match protocol rtp audio
 match protocol sip
class-map match-any VIDEO
 match access-group name RTSP
 match protocol rtp video
class-map match-any PREMIUM
 match ip precedence 3
 match ip dscp af31
 match access-group name CITRIX
 match access-group name REMOTE-ACCESS
class-map match-any VOICE-SIGNALLING
 match ip dscp cs3
 match access-group name SKINNY
 match access-group name H323
class-map match-any BUSINESS
 match ip precedence 1
 match dscp af11
 match access-group name DOMAIN
 match access-group name TCP-PRINTING
 match access-group name HTTP
class-map match-any BGP-UPDATE
 match access-group name BGP
policy-map To-PE-GigabitEthernet0/0
 class VOICE
  set precedence 5
  priority percent 30
  police cir percent 30
   conform-action transmit
   exceed-action drop
 class VIDEO
  set precedence 5
  priority percent 20
  police cir percent 20
   conform-action transmit
 class VOICE-SIGNALLING
  set precedence 3
  bandwidth percent 5
  random-detect
 class PREMIUM
  set precedence 3
  bandwidth percent 20
  random-detect
 class BUSINESS
  set precedence 1
  bandwidth percent 20
  random-detect
 class BGP-UPDATE
  bandwidth percent 2
  set precedence 1
 class class-default
  bandwidth percent 3
  random-detect
  random-detect exponential-weighting-constant 7
  random-detect precedence 0 50 100 2
  random-detect precedence 1 50 100 2
  random-detect precedence 2 50 100 2
  random-detect precedence 3 50 100 2
  random-detect precedence 4 50 100 2
  random-detect precedence 5 50 100 2
policy-map SHAPE-GigabitEthernet0/0
 class VIDEO
  shape average 768000 7680
  service-policy To-PE-GigabitEthernet0/0
 class SHAPE-GigabitEthernet0/0
  service-policy To-PE-GigabitEthernet0/0
08-12-2013 02:53 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Saurabh, thanks for sharing, it's obvious you've invested much effort in defining this policy, but I would not recommend it as a general QoS policy.
08-12-2013 02:59 AM
That's why I said you need to modify as per your requirements. My purpose is to save your time in finding ports and protocols. This template is running for a few big clients, sized from 200 to 400 sites.
Bandwidth allocation is on your network policy and requirements.
Traffic classification and re-marking also depends upon your service provider.
I am happy if you can give me some more feedback. There is always room for improvement.
08-12-2013 05:25 PM
That's why I said you need to modify as per your requirements.
You did, or actually "This template needs to be modified in little to accommodate your client requirements." I've bolded the "in little" only because often I've seen engineers look for a cookie cutter template and as a "General Template" they may easily overlook the rest of what you say.
My purpose is to save your time in finding ports and protocols.
Yes, that's very nice too.
I am happy if you can give me some more feedback. There is always room for improvement.
Well . . .
You realize in the class maps where you match IP Precedence followed by DSCP, the former overlaps the latter?
I wonder why your policy sets IP Precedence rather than DSCP since it also matches on DSCP. You realize that leaves the lower 3 bits of DSCP whatever they were? I also wonder why you set IP Precedence for all classes but default.
I see you occasionally use NBAR matching, but you don't use it where it might match better. For example, you match HTTP on ports 80, 8080 but I believe NBAR will identify HTTP on other ports too. You also match HTTP as UDP but I believe it uses TCP.
Similarly, I see you match Citrix on its ports, while NBAR can examine (later version) Citrix packets subtype. The latter can be important if Citrix is also being used for disk-to-disk file copying or printing, neither (ideally) do you want to prioritize with "screen scraping" traffic.
I see you have a whole class map devoted to Windows Domain traffic, but you didn't include Windows (newer) SMB TCP/UDP ports 445?
In your policy map, you have an explicit policer with the same bandwidth percentage as the implicit policer. I'm wondering why. You also place all video in LLQ, which is often unnecessary for non-realtime video. Your template allocates 50% for LLQ classes, while Cisco, I believe, recommends not exceeding 1/3.
You use RED within your VOICE-SIGNALLING class?
You use WRED in class-default for IP Precedence classes that you've already matched in other classes? Choice of WRED's parameters is interesting too.
Your policy-map SHAPE-GigabitEthernet0/0 is rather unusual as you have one class that matches video and shapes while it has a peer class that doesn't shape. I also wonder why you have the latter as an explicit class rather than use class-default.
What I've noted, above, isn't all-inclusive, and what you have may be perfect for your traffic, but these are some of the reasons why I wouldn't recommend what you have as a "General Template" if it's only subject to little modification.
Again, though, nice job for traffic port identifications. That can be a real time saver.
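As an added example (not code from the thread or from either poster), the following Python models the two marking points raised above: `match ip precedence N` tests only the top 3 bits of the 6-bit DSCP field, so `match ip precedence 5` already covers `match dscp ef`, and `set precedence N` rewrites only those 3 bits, leaving the low 3 bits as they arrived; it also totals the `priority percent` share of the To-PE policy. The DSCP names and class percentages are taken from the template; the sample packet markings are constructed.

```python
# Added example: models IOS precedence/DSCP matching and marking on the 6-bit
# DSCP field and totals the LLQ share of the thread's To-PE policy.
# Standard DSCP code points (RFC 2474 CS, RFC 2597 AF, RFC 3246 EF).
DSCP = {"cs0": 0, "cs1": 8, "af11": 10, "cs3": 24, "af31": 26,
        "cs4": 32, "af41": 34, "cs5": 40, "ef": 46}
NAME = {v: k for k, v in DSCP.items()}

def matches_precedence(dscp: int, prec: int) -> bool:
    """`match ip precedence N` tests only the top 3 bits of the DSCP field,
    so `match ip precedence 5` already covers EF (101110) and CS5 (101000)."""
    return (dscp >> 3) == prec

def set_precedence(dscp: int, prec: int) -> int:
    """`set precedence N` rewrites the top 3 bits only; the lower 3 bits
    (AF drop precedence, or EF's 110) stay whatever they were on arrival."""
    return ((prec & 0x7) << 3) | (dscp & 0x7)

def set_dscp(dscp: int, new: int) -> int:
    """`set dscp X` replaces all 6 bits, so the result is exactly X."""
    return new & 0x3F

def describe(dscp: int) -> str:
    """Name a DSCP value, or flag one that maps to no standard PHB."""
    return NAME.get(dscp, f"dscp {dscp} (no standard PHB)")

# To-PE-GigabitEthernet0/0 from the template, reduced to the numbers the
# critique is about: priority/bandwidth percent and the set precedence value.
TO_PE = {
    "VOICE":            {"priority": 30, "set_prec": 5},
    "VIDEO":            {"priority": 20, "set_prec": 5},
    "VOICE-SIGNALLING": {"bandwidth": 5, "set_prec": 3},
    "PREMIUM":          {"bandwidth": 20, "set_prec": 3},
    "BUSINESS":         {"bandwidth": 20, "set_prec": 1},
    "BGP-UPDATE":       {"bandwidth": 2, "set_prec": 1},
    "class-default":    {"bandwidth": 3},
}

def llq_share(policy: dict) -> int:
    """Total `priority percent` (the LLQ share) across all classes."""
    return sum(c.get("priority", 0) for c in policy.values())

if __name__ == "__main__":
    # Constructed packets: (class they classify into, DSCP they arrived with).
    for cls, arrived in [("VIDEO", DSCP["af41"]), ("PREMIUM", DSCP["ef"]),
                         ("BUSINESS", DSCP["af31"])]:
        out = set_precedence(arrived, TO_PE[cls]["set_prec"])
        print(f"{cls:17} {describe(arrived):>4} -> {describe(out)}")
    print("EF hit by 'match ip precedence 5':", matches_precedence(DSCP["ef"], 5))
    print(f"LLQ share {llq_share(TO_PE)}% (guideline cited above: 1/3)")
```

An AF41-marked video packet leaves as DSCP 42 and an EF-marked packet caught by PREMIUM leaves as DSCP 30, neither of which is a standard PHB, whereas `set dscp` would have produced a defined code point.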
08-12-2013 05:48 PM
Thanks for a good reply brother -
I see you occasionally use NBAR matching, but you don't use it where it might match better. For example, you match HTTP on ports 80, 8080 but I believe NBAR will identify HTTP on other ports too. You also match HTTP as UDP but I believe it uses TCP - I have some routers like 1841 where I don't want to enable NBAR as it increases the CPU utilization a lot. I use port matching on low-end routers rather than NBAR.
Similarly, I see you match Citrix on its ports, while NBAR can examine (later version) Citrix packets subtype. The latter can be important if Citrix is also being used for disk-to-disk file copying or printing, neither (ideally) do you want to prioritize with "screen scraping" traffic - I followed this approach on Cisco 2921/2951/3945 Routers not on site routers.
I see you have a whole map class devoted to Windows Domain traffic, but you didn't include Windows (newer) SMB TCP/UDP ports 445? - I missed that in uploading this document.
In your policy map, you have an explicit policer with the same bandwidth percentage as the implicit policer. I'm wondering why. You also place all video in LLQ, which is often unnecessary for non-realtime video. Your template allocates 50% for LLQ classes, while Cisco, I believe, recommends not exceeding 1/3 - My network has more than 50 VC endpoints.
Your policy-map SHAPE-GigabitEthernet0/0 is rather unusual as you have one class that matches video and shapes while it has a peer class that doesn't shape. I also wonder why you have the latter as an explicit class rather than use class-default. - I can't drop the video traffic so I shaped it. It's a hierarchical QoS policy.
But anyway it was a great discussion.
08-12-2013 06:37 PM
I see you occasionally use NBAR matching, but you don't use it where it might match better. For example, you match HTTP on ports 80, 8080 but I believe NBAR will identify HTTP on other ports too. You also match HTTP as UDP but I believe it uses TCP - I have some routers like 1841 where I don't want to enable NBAR as it increases the CPU utilization a lot. I use port matching on low-end routers rather than NBAR.
That's understandable, but then that shows the difficulty of having a Generic Template, as you now describe different policies for different devices.
Similarly, I see you match Citrix on its ports, while NBAR can examine (later version) Citrix packets subtype. The latter can be important if Citrix is also being used for disk-to-disk file copying or printing, neither (ideally) do you want to prioritize with "screen scraping" traffic - I followed this approach on Cisco 2921/2951/3945 Routers not on site routers.
Another different policy?
In your policy map, you have an explicit policer with the same bandwidth percentage as the implicit policer. I'm wondering why. You also place all video in LLQ, which is often unnecessary for non-realtime video. Your template allocates 50% for LLQ classes, while Cisco, I believe, recommends not exceeding 1/3 - My network has more than 50 VC endpoints.
Number of VC endpoints doesn't matter really. What matters is bandwidth consumption and the requirements of the application.
Cisco, I recall, recommends the 1/3 cap as not to be too adverse to other traffic. I too have used 50%, but there is another issue, especially with realtime video, traffic can queue against itself. I.e. 50% can be too little "headroom".
Your policy-map SHAPE-GigabitEthernet0/0 is rather unusual as you have one class that matches video and shapes while it has a peer class that doesn't shape. I also wonder why you have the latter as an explicit class rather than use class-default. - I can't drop the video traffic so I shaped it. It's a hierarchical QoS policy.
What you have really doesn't make sense. Normally you would shape all your traffic, to available expected path bandwidth, and manage traffic type bandwidths within the subordinate policy. By shaping just video, with the unbounded peer class, you're more likely to have insufficient bandwidth for the video you say you don't want to drop. Additionally, you don't need to shape video to queue it, class queues do that normally (also it's generally easier to adjust queue depths for just "ordinary" class queues).
In a situation like yours, again where you say you "can't drop the video", you might consider shaping the non-video traffic, "leaving" sufficient bandwidth for the video (and other realtime). The reason you might do that is to avoid any additional delay imposed by a shaper. This approach, though, keeps the shaped traffic from taking advantage of unused non-shaped bandwidth. (NB: reducing a shaper's Tc can be helpful when shaping realtime traffic.)
BTW:
Here's my idea of an "advanced" generic QoS policy (if the device supports it):
policy-map Generic
 class RealTime
  priority percent 30
 class High
  bandwidth remaining percent 89
  fair-queue
 class Low
  bandwidth remaining percent 1
  fair-queue
 class class-default
  bandwidth remaining percent 9
  fair-queue
NB: ideally, non-LLQ class usages are the inverse of their bandwidth allocations.