
Detailed Cisco CBWFQ Template for MPLS/WAN

Saurabh Sareen
Level 1

I have been working with so many clients and service providers and came up with a Cisco Quality of Service template that suits most of my clients. This template needs to be modified in little to accommodate your client requirements. I have captured traffic for more than a month to know about all the ports and protocols.

This template is a property of DNSIT but can be replicated by you for your MPLS WAN.


General template is as below:

ip access-list extended RTP
 remark Real-Time Transport Protocol
 permit udp any any range 16383 32767
 permit udp any range 16383 32767 any

ip access-list extended TCP-PRINTING
 remark TCP Printing port
 permit tcp any any eq 9100
 permit tcp any eq 9100 any

ip access-list extended REMOTE-ACCESS
 remark Administrative Remote Management
 permit tcp any any eq 6129
 permit tcp any any eq 3389
 permit tcp any any eq 9535
 permit tcp any any eq 5900
 permit tcp any any eq 22
 permit tcp any eq 6129 any
 permit tcp any eq 3389 any
 permit tcp any eq 9535 any
 permit tcp any eq 5900 any
 permit tcp any eq 22 any

ip access-list extended DOMAIN
 remark Windows Domain Related Traffic
 permit tcp any any eq 389
 permit udp any any eq 389
 permit tcp any any eq 135
 permit udp any any eq 135
 permit tcp any any eq 445
 permit udp any any eq 445
 permit tcp any any eq 137
 permit udp any any eq 137
 permit tcp any any eq 138
 permit udp any any eq 138
 permit tcp any any eq 139
 permit udp any any eq 139
 permit tcp any any eq 88
 permit udp any any eq 88
 permit tcp any any eq 53
 permit udp any any eq 53
 permit udp any any eq 123
 permit tcp any any eq 3268
 permit udp any any eq 67
 permit tcp any eq 389 any
 permit udp any eq 389 any
 permit tcp any eq 137 any
 permit udp any eq 137 any
 permit tcp any eq 138 any
 permit udp any eq 138 any
 permit tcp any eq 139 any
 permit udp any eq 139 any
 permit tcp any eq 88 any
 permit udp any eq 88 any
 permit tcp any eq 53 any
 permit udp any eq 53 any
 permit udp any eq 123 any
 permit tcp any eq 3268 any
 permit udp any eq 67 any

ip access-list extended RTSP
 remark Real Time Streaming Protocols
 permit tcp any any eq 554
 permit tcp any any eq 8554
 permit tcp any eq 554 any
 permit tcp any eq 8554 any

ip access-list extended CITRIX
 remark Citrix Session Protocols
 permit udp any any eq 1604
 permit tcp any any eq 2598
 permit tcp any any eq 2512
 permit tcp any any eq 2513
 permit tcp any any eq 1494
 permit udp any eq 1604 any
 permit tcp any eq 2598 any
 permit tcp any eq 2512 any
 permit tcp any eq 2513 any
 permit tcp any eq 1494 any

ip access-list extended BGP
 remark BGP Protocols
 permit udp any any eq 179
 permit tcp any any eq 179
 permit udp any eq 179 any
 permit tcp any eq 179 any

ip access-list extended SKINNY
 remark SCCP Protocols
 permit tcp any any eq 2000
 permit tcp any any eq 2001
 permit tcp any any eq 2002
 permit tcp any eq 2000 any
 permit tcp any eq 2001 any
 permit tcp any eq 2002 any

ip access-list extended H323
 remark H323 Protocol
 permit tcp any any eq 1300
 permit tcp any any eq 1718
 permit tcp any any eq 1719
 permit tcp any any eq 1720
 permit tcp any any range 11000 11999
 permit udp any eq 1300 any
 permit udp any eq 1718 any
 permit udp any eq 1719 any
 permit udp any eq 1720 any
 permit udp any eq 11720 any
 permit tcp any eq 1300 any
 permit tcp any eq 1718 any
 permit tcp any eq 1719 any
 permit tcp any eq 1720 any
 permit tcp any range 11000 11999 any
 permit udp any any eq 1300
 permit udp any any eq 1718
 permit udp any any eq 1719
 permit udp any any eq 1720
 permit udp any any eq 11720

ip access-list extended HTTP
 permit udp any any eq 80
 permit udp any any eq 443
 permit udp any eq 80 any
 permit udp any eq 443 any
 permit udp any any eq 8080
 permit udp any eq 8080 any

class-map match-any SHAPE-GigabitEthernet0/0
 match any

class-map match-any VOICE
 match ip precedence 5
 match dscp ef
 match access-group name RTP
 match protocol rtp audio
 match protocol sip

class-map match-any VIDEO
 match access-group name RTSP
 match protocol rtp video

class-map match-any PREMIUM
 match ip precedence 3
 match ip dscp af31
 match access-group name CITRIX
 match access-group name REMOTE-ACCESS

class-map match-any VOICE-SIGNALLING
 match ip dscp cs3
 match access-group name SKINNY
 match access-group name H323

class-map match-any BUSINESS
 match ip precedence 1
 match dscp af11
 match access-group name DOMAIN
 match access-group name TCP-PRINTING
 match access-group name HTTP

class-map match-any BGP-UPDATE
 match access-group name BGP

policy-map To-PE-GigabitEthernet0/0
 class VOICE
  set precedence 5
  priority percent 30
  police cir percent 30
   conform-action transmit
   exceed-action drop
 class VIDEO
  set precedence 5
  priority percent 20
  police cir percent 20
   conform-action transmit
 class VOICE-SIGNALLING
  set precedence 3
  bandwidth percent 5
  random-detect
 class PREMIUM
  set precedence 3
  bandwidth percent 20
  random-detect
 class BUSINESS
  set precedence 1
  bandwidth percent 20
  random-detect
 class BGP-UPDATE
  bandwidth percent 2
  set precedence 1
 class class-default
  bandwidth percent 3
  random-detect
  random-detect exponential-weighting-constant 7
  random-detect precedence 0 50 100 2
  random-detect precedence 1 50 100 2
  random-detect precedence 2 50 100 2
  random-detect precedence 3 50 100 2
  random-detect precedence 4 50 100 2
  random-detect precedence 5 50 100 2

policy-map SHAPE-GigabitEthernet0/0
 class VIDEO
  shape average 768000 7680
  service-policy To-PE-GigabitEthernet0/0
 class SHAPE-GigabitEthernet0/0
  service-policy To-PE-GigabitEthernet0/0


Joseph W. Doherty
Hall of Fame

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

Saurabh, thanks for sharing, it's obvious you've invested much effort in defining this policy, but I would not recommend it as a general QoS policy.

That's why I said you need to modify as per your requirements. My purpose is to save your time in finding ports and protocols. This template is running for a few big clients sized from 200 to 400 sites.

Bandwidth allocation is on your network policy and requirements.

Traffic classification and re-marking also depends upon your service provider.

I am happy if you can give me some more feedback. There is always a room for improvement.


That's why I said you need to modify as per your requirements.

You did, or actually "This template needs to be modified in little to accommodate your client requirements."  I've bolded the "in little" only because often I've seen engineers look for a cookie cutter template and as a "General Template" they may easily overlook the rest of what you say.

My purpose is to save your time in finding ports and protocols.

Yes, that's very nice too.

I am happy if you can give me some more feedback. There is always a room for improvement.

Well . . .

You realize in the class maps where you match IP Precedence followed by DSCP, the former overlaps the latter?

I wonder why your policy sets IP Precedence rather than DSCP since it also matches on DSCP.  You realize that leaves the lower 3 bits of DSCP whatever they were?  I also wonder why you set IP Precedence for all classes but default.

I see you occasionally use NBAR matching, but you don't use it where it might match better.  For example, you match HTTP on ports 80, 8080 but I believe NBAR will identify HTTP on other ports too.  You also match HTTP as UDP but I believe it uses TCP.

Similarly, I see you match Citrix on its ports, while NBAR can examine (later version) Citrix packets subtype.  The latter can be important if Citrix is also being used for disk-to-disk file copying or printing, neither (ideally) do you want to prioritize with "screen scraping" traffic.

I see you have a whole map class devoted to Windows Domain traffic, but you didn't include Windows (newer) SMB TCP/UDP ports 445?

In your policy map, you have an explicit policer with the same bandwidth percentage as the implicit policer.  I'm wondering why.  You also place all video in LLQ, which is often unnecessary for non-realtime video.  Your template allocates 50% for LLQ classes, while Cisco, I believe, recommends not exceeding 1/3.

You use RED within your VOICE-SIGNALLING class?

You use WRED in class-default for IP Precedence classes that you've already matched in other classes?  Choice of WRED's parameters is interesting too.

Your policy-map SHAPE-GigabitEthernet0/0 is rather unusual as you have one class that matches video and shapes while it has a peer class that doesn't shape.  I also wonder why you have the latter as an explicit class rather than use class-default.

What I've noted, above, isn't all inclusive, and what you have may be perfect for your traffic, but these are some of the reasons why what you have I wouldn't recommend as "General Template" if it's only subject to little modification.

Again, though, nice job for traffic port identifications.  That can be a real time saver.
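As an added example (not part of the thread or of either author's configuration), a small Python checker that parses a CBWFQ policy-map excerpt and flags three of the points raised above: total LLQ share above the ~1/3 guideline, an explicit policer that duplicates the implicit LLQ policer, and WRED on a signalling class. The 33% cap and the set of control-plane class names are parameters I assumed; the sample text is a constructed excerpt of the To-PE policy-map.

```python
# Constructed excerpt of the thread's To-PE policy-map (queueing lines only).
POLICY = """\
policy-map To-PE-GigabitEthernet0/0
 class VOICE
  priority percent 30
  police cir percent 30
 class VIDEO
  priority percent 20
  police cir percent 20
 class VOICE-SIGNALLING
  bandwidth percent 5
  random-detect
 class PREMIUM
  bandwidth percent 20
 class BUSINESS
  bandwidth percent 20
 class BGP-UPDATE
  bandwidth percent 2
 class class-default
  bandwidth percent 3
"""
PERCENTS = {("priority", "percent"): "priority", ("bandwidth", "percent"): "bandwidth",
            ("police", "cir", "percent"): "police"}

def parse_policy(text):
    """Return {class-name: {priority, bandwidth, police (all in %), wred (bool)}}."""
    classes, cur = {}, None
    for tok in (raw.split() for raw in text.splitlines()):
        if tok and tok[0] == "class":
            cur = classes[tok[1]] = {"priority": 0, "bandwidth": 0, "police": 0, "wred": False}
        elif tok and tok[0] == "random-detect":
            cur["wred"] = True
        else:                              # header, blank, or a percent statement
            for prefix, field in PERCENTS.items():
                if tuple(tok[:len(prefix)]) == prefix:
                    cur[field] = int(tok[len(prefix)])
    return classes

def audit(classes, llq_cap=33, control=("VOICE-SIGNALLING",)):
    """llq_cap is the ~1/3 LLQ guideline cited above; control names classes assumed to carry signalling."""
    findings = []
    llq = sum(c["priority"] for c in classes.values())
    if llq > llq_cap:
        findings.append(f"LLQ total {llq}% exceeds {llq_cap}% guideline")
    for name, c in classes.items():
        if c["priority"] and c["police"] == c["priority"]:
            findings.append(f"{name}: explicit policer duplicates implicit LLQ policer")
        if c["wred"] and name in control:
            findings.append(f"{name}: WRED early-drops signalling/control traffic")
    return findings
```

Running `audit(parse_policy(POLICY))` on the excerpt returns four findings; the same parser accepts any policy-map pasted from `show running-config`.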

Thanks for a good reply brother -

I see you occasionally use NBAR matching, but you don't use it where it might match better.  For example, you match HTTP on ports 80, 8080 but I believe NBAR will identify HTTP on other ports too.  You also match HTTP as UDP but I believe it uses TCP - I have some routers like 1841 where I don't want to enable NBAR as it increases the CPU utilization a lot. I use port matching on low-end routers rather than NBAR.

Similarly, I see you match Citrix on its ports, while NBAR can examine (later version) Citrix packets subtype.  The latter can be important if Citrix is also being used for disk-to-disk file copying or printing, neither (ideally) do you want to prioritize with "screen scraping" traffic - I followed this approach on Cisco 2921/2951/3945 routers, not on site routers.

I see you have a whole map class devoted to Windows Domain traffic, but you didn't include Windows (newer) SMB TCP/UDP ports 445? - I missed that in uploading this document.

In your policy map, you have an explicit policer with the same bandwidth percentage as the implicit policer.  I'm wondering why.  You also place all video in LLQ, which is often unnecessary for non-realtime video.  Your template allocates 50% for LLQ classes, while Cisco, I believe, recommends not exceeding 1/3 - My network is having more than 50 VC Endpoints.

Your policy-map SHAPE-GigabitEthernet0/0 is rather unusual as you have one class that matches video and shapes while it has a peer class that doesn't shape.  I also wonder why you have the latter as an explicit class rather than use class-default. - I can't drop the video traffic so I shaped it. It's a hierarchical QoS policy.

But anyway it was a great discussion.


I see you occasionally use NBAR matching, but you don't use it where it might match better.  For example, you match HTTP on ports 80, 8080 but I believe NBAR will identify HTTP on other ports too.  You also match HTTP as UDP but I believe it uses TCP - I have some routers like 1841 where I don't want to enable NBAR as it increases the CPU utilization a lot. I use port matching on low-end routers rather than NBAR.

That's understandable, but then that shows the difficulty of having a Generic Template, as you now describe different policies for different devices.

Similarly, I see you match Citrix on its ports, while NBAR can examine (later version) Citrix packets subtype.  The latter can be important if Citrix is also being used for disk-to-disk file copying or printing, neither (ideally) do you want to prioritize with "screen scraping" traffic - I followed this approach on Cisco 2921/2951/3945 routers, not on site routers.

Another different policy? 

In your policy map, you have an explicit policer with the same bandwidth percentage as the implicit policer.  I'm wondering why.  You also place all video in LLQ, which is often unnecessary for non-realtime video.  Your template allocates 50% for LLQ classes, while Cisco, I believe, recommends not exceeding 1/3 - My network is having more than 50 VC Endpoints.

Number of VC endpoints doesn't matter really.  What matters is bandwidth consumption and the requirements of the application.

Cisco, I recall, recommends the 1/3 cap so as not to be too adverse to other traffic.  I too have used 50%, but there is another issue, especially with realtime video: traffic can queue against itself.  I.e. 50% can be too little "headroom".

Your policy-map SHAPE-GigabitEthernet0/0 is rather unusual as you have one class that matches video and shapes while it has a peer class that doesn't shape.  I also wonder why you have the latter as an explicit class rather than use class-default. - I can't drop the video traffic so I shaped it. It's a hierarchical QoS policy.

What you have really doesn't make sense.  Normally you would shape all your traffic, to available expected path bandwidth, and manage traffic type bandwidths within the subordinate policy.  By shaping just video, with the unbounded peer class, you're more likely to have insufficient bandwidth for the video you say you don't want to drop.  Additionally, you don't need to shape video to queue it, class queues do that normally (also it's generally easier to adjust queue depths for just "ordinary" class queues).

In a situation like yours, again where you say you "can't drop the video", you might consider shaping the non-video traffic, "leaving" sufficient bandwidth for the video (and other realtime).  The reason you might do that is to avoid any additional delay imposed by a shaper.  This approach, though, keeps the shaped traffic from taking advantage of unused non-shaped bandwidth.  (NB: reducing a shaper's Tc can be helpful when shaping realtime traffic.)

BTW:

Here's my idea of an "advanced" generic QoS policy (if the device supports it):

policy-map Generic
 class RealTime
  priority percent 30
 class High
  bandwidth remaining percent 89
  fair-queue
 class Low
  bandwidth remaining percent 1
  fair-queue
 class class-default
  bandwidth remaining percent 9
  fair-queue

NB: ideally, non-LLQ class usages are the inverse of their bandwidth allocations.
