
IOS 2801 QoS and VPN

Deepseadata (Level 1)

Hey there,

Sorry. I've been reading and reading but I guess I'm doing an uncommon scenario.

I have a slow (256k) wan link. I need to push all WAN users aside when I dial in with my VPN client to do maint.

Can anyone give me some QoS options?

The other QoS needs I have are that I have a few VLANs but I need to give one VLAN all/most of the WAN bandwidth and push aside the other VLAN traffic.

Have any tricks up your sleeve?

32 Replies

Hi Joe,

I started plugging it into my router.

I think I'm a little confused with the syntax for:

class-map match-access-list ownerdata

match access-group name ownerdata

That router didn't like that.

It ended up looking like:

class-map match-all match-ownerdata

When it says match ownerdata, is it mapped to my ownerdata ACL properly?

class-map syntax is:

class-map (match-all or match-any) classname

Match-all requires all match statements within the class to be true (an "and" condition), match-any is true if any match statement is true (an "or" condition) within the class match statements.

Classname, the last parameter, is the name of the class, it's used within the policy.

What might be confusing is you can use the same name for different objects, but the example that follows might be clearer.

ip access-list extended anACLname

permit . . .

.

.

class-map {match-all | match-any} aClassname

match access-group name anACLname

policy-map aPolicyname

class aClassname

bandwidth . . .

Yes, there's an implicit deny all at the end of ACLs, but we're using an ACL to match interesting traffic for our QoS policy, not as a security ACL on the interface itself.

I.e., other VLANs will just not get special QoS treatment.

CBWFQ policies can be used for both in and out, at least on routers, but not all features are allowed based on usage. Since we're using "bandwidth" statements, we're restricted to outbound policies (and if you're working with a 3560/3750 you can't use an outbound CBWFQ policy at all, I believe).

We can do something similar, at least with up to 4 queues on a 3560, but the syntax is a lot different and I don't do QoS on those types of L3 switches very often. You might want to start a new post for help on how to do something similar on a L3 switch.

If we're using a device that allows the full CBWFQ policy, you can define another class. We can't do exactly what you desire, where A pushes B aside and B pushes C aside, although we can set ratios such that A can obtain more bandwidth than B, which can obtain more bandwidth than C.

Something like:

policy-map x

 class A

  bandwidth remaining percent 25

 class B

  bandwidth remaining percent 5

 class C

  bandwidth remaining percent 1

(Actually there's another queuing method supported on Cisco routers called priority queuing, which would allow up to 4 classes, each with total priority over lower classes, but very easy to starve lower classes of all bandwidth.)

[edit]

It's important whether you're going to use a 3560 or 28xx.

Thanks for coming back, Joe!

I got it into the router. Here's what it looks like.

ip access-list extended ownerdata

remark match ownerdata source subnet addresses

permit ip 192.168.51.0 0.0.0.255 any

remark match ownderdata destination subnet addresses

permit ip any 192.168.51.0 0.0.0.255

ip access-list extended crewdata

remark match crewdata source subnet addresses

permit ip 192.168.54.0 0.0.0.255 any

remark match crewdata destination subnet addresses

permit ip any 192.168.54.0 0.0.0.255

class-map match-all crewdata

 match access-group name crewdata

class-map match-all crewdata

 match access-group name ownerdata

!

!

policy-map QoS

class ownerdata

bandwidth remaining percent 99

class crewdata

bandwidth remaining percent 1

int fa0/1

 service-policy output QoS

I don't know how to test, so I put a PC on each VLAN and started doing download races. I didn't see the diff between the two. 99 vs. 1 percent should be pretty obvious I bet.

Do you know a standard test and a few handy IOS commands to verify it's all working?

Policy will only be active if there's congestion. One issue, don't recall if I touched upon it, your policy is on a Ethernet interface, but you note a WAN interface of 256 Kbps. (Ethernet connection to something like cable or DSL?) So, you'll also need to "shape" your outbound rate to match your WAN bandwidth (i.e. slow down the Ethernet interface).

Add/modify:

policy-map QoS_shape

 class class-default

 !might need to shape a bit slower to account for L2 overhead

 !I forget whether shaper uses bps or Kbps, example assume bps

  shape average 200000

  service-policy QoS

int fa0/1

 service-policy output QoS_shape

To see the difference, you would need to load the QoS policy; could be done with a traffic generator. If the interface is loaded with "crewdata", its pings should slow but "ownerdata" pings should not. (BTW: your one class-map needs to be renamed to "ownerdata".)

"show policy-map interface out" will show what the policy "sees". Change interface's load-interval to 30 to get stats closer to real-time.
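Pulling together the class-map/policy-map template from the earlier reply and the shaper from this one, here is an added example of one complete hierarchical policy for the 2801 (this is my own consolidation, not configuration posted in the thread). Assumptions, not stated on the page: the Internet-facing interface is FastEthernet0/1 behind a 256 kbps link, the owner VLAN is 192.168.51.0/24 and the crew VLAN is 192.168.54.0/24 as in the posted ACLs, the maintenance VPN client terminates IPsec on this router (so its outbound traffic leaves as ISAKMP UDP/500, NAT-T UDP/4500 or ESP), and 240000 bps leaves enough headroom for L2 overhead. The class names and the 64 kbps priority figure are placeholders.

```ios
! Added example, not from the thread. Assumed addresses, ports and rates.
!
! Admin VPN sessions: ISAKMP (UDP 500), NAT-T (UDP 4500) and ESP.
ip access-list extended VPN-MAINT
 remark IPsec VPN client sessions terminated on this router (assumed)
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
ip access-list extended ownerdata
 permit ip 192.168.51.0 0.0.0.255 any
 permit ip any 192.168.51.0 0.0.0.255
!
ip access-list extended crewdata
 permit ip 192.168.54.0 0.0.0.255 any
 permit ip any 192.168.54.0 0.0.0.255
!
! One class per ACL; the class-map name is what the policy refers to.
class-map match-all vpn-maint
 match access-group name VPN-MAINT
class-map match-all ownerdata
 match access-group name ownerdata
class-map match-all crewdata
 match access-group name crewdata
!
! Child policy: only queues while the parent shaper is congested.
! "priority" is LLQ: strict priority, policed to 64 kbps under congestion,
! so it cannot starve the other classes the way plain priority queuing can.
policy-map QoS
 class vpn-maint
  priority 64
 class ownerdata
  bandwidth remaining percent 90
 class crewdata
  bandwidth remaining percent 5
 class class-default
  bandwidth remaining percent 5
!
! Parent: shape to just under the WAN rate so congestion (and therefore
! queuing) happens here rather than in the upstream modem. shape average
! takes bits per second.
policy-map QoS_shape
 class class-default
  shape average 240000
  service-policy QoS
!
interface FastEthernet0/1
 service-policy output QoS_shape
```

The child policy is inert until the shaper is actually holding packets back, which is why a 99/1 split shows no difference on an uncongested Fast Ethernet port. Matching the VPN session by ESP/UDP 4500 works because the policy on the physical interface sees packets after encryption; if you would rather classify the admin's traffic by its inner (pre-encryption) addresses, `qos pre-classify` under the crypto map is the IOS feature for that.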

Hi Joe,

I somehow slipped another post in before your last reply.

I'd rather use the 2801 to attack the problem at the internet facing interface.

You mentioned that I could use another style of QoS that would starve the "class C". That's ok if they starve because class A wouldn't be onboard and using the net very often.

Do you have any clever commands or testing methods I could use to verify that I've set it up and things are active?

The other method wouldn't have class A just starve class C, it would also starve class B. Also, class B would also starve class C.

Quick way to test is with a traffic generator. I often use a little freebie, pcattcp, and tell it to generate UDP packets at a certain rate. If you ran it from your class C VLAN, and targeted anything outside on the WAN, it would easily fill the link with class C traffic.

I'm interested in the other style of QoS, too.

This one doesn't seem to be working at all. I wouldn't be surprised if I haven't completely turned it on.

I made an ACL called ownerdata

then a class-map pointed at the ACL

then I made the service-policies

put in outbound on my WAN int.

Is it possible that nothing is happening because it's set to "output?" or do you think it's possible that the three processes just aren't seeing each other because I've named things wrong?

I think I did a

Show service-policy QoS

It showed me the 2 policies with the percent and some stats but it was all zeros. It didn't look like QoS had ever sprung to action.

Try the command,

show policy-map interface
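The reply that follows reports every counter in that output as zero, which is the symptom of a class that is never matched. As an added example (my own code, not from the thread), here is a small parser for `show policy-map interface` text that pulls out each class's packet and byte counters, including classes of a nested child policy, and lists the ones that have matched nothing. The sample text is constructed to resemble IOS CBWFQ output for the thread's `QoS_shape`/`QoS` policies; treat the real box's output as authoritative and adjust the patterns if your IOS release words a line differently.

```python
"""Parse `show policy-map interface` output and flag classes that never match.

Added example, not from the thread.  SAMPLE is constructed to look like IOS
CBWFQ output for the policies discussed above; it is not captured from a router.
"""
import re

SAMPLE = """\
FastEthernet0/1

  Service-policy output: QoS_shape

    Class-map: class-default (match-any)
      218212 packets, 29504312 bytes
      30 second offered rate 198000 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
            200000/200000   1250   5000      5000      25        625

      Service-policy : QoS

        Class-map: ownerdata (match-all)
          0 packets, 0 bytes
          30 second offered rate 0 bps, drop rate 0 bps
          Match: access-group name ownerdata
          Queueing
            bandwidth remaining 99% (...)
        Class-map: crewdata (match-all)
          217995 packets, 29481230 bytes
          30 second offered rate 198000 bps, drop rate 0 bps
          Match: access-group name crewdata
          Queueing
            bandwidth remaining 1% (...)
        Class-map: class-default (match-any)
          217 packets, 23082 bytes
          30 second offered rate 0 bps, drop rate 0 bps
          Match: any
"""

# "Service-policy output: NAME" for the attached policy, "Service-policy : NAME"
# for a child nested under a parent class.
POLICY_RE = re.compile(r"^\s*Service-policy\s*(?:(input|output))?\s*:\s+(\S+)")
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-all|match-any)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
MATCH_RE = re.compile(r"^\s*Match:\s+(.*\S)")


def parse_policy_map(text):
    """Return one dict per class, in display order, with the policy it belongs
    to, its direction, match mode, match criteria and packet/byte counters."""
    rows, policy, direction, cur = [], None, None, None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            direction = m.group(1) or direction   # child inherits parent's direction
            policy = m.group(2)
            continue
        m = CLASS_RE.match(line)
        if m:
            cur = {"policy": policy, "direction": direction, "class": m.group(1),
                   "mode": m.group(2), "match": [], "packets": None, "bytes": None}
            rows.append(cur)
            continue
        if cur is None:
            continue
        m = COUNT_RE.match(line)
        if m and cur["packets"] is None:        # first counter line belongs to the class
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
            continue
        m = MATCH_RE.match(line)
        if m:
            cur["match"].append(m.group(1))
    return rows


def idle_classes(rows):
    """Classes other than class-default with zero matched packets: either no
    such traffic crossed the interface, or the class-map/ACL name is wrong."""
    return [r for r in rows if r["class"] != "class-default" and r["packets"] == 0]


if __name__ == "__main__":
    for r in parse_policy_map(SAMPLE):
        print(f'{r["policy"]:>10} {r["direction"]:>6} {r["class"]:<14} '
              f'{r["packets"]:>9} pkts  {"; ".join(r["match"])}')
    for r in idle_classes(parse_policy_map(SAMPLE)):
        print("never matched:", r["class"], "->", r["match"])
```

A class that stays at zero while its subnet is clearly passing traffic (compare with `show access-list` hit counts) points at a naming mismatch between the ACL, the class-map and the policy rather than at the queuing itself.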

Cool!

I did that command and I see my policy listed under Fa0/1!

It shows my two bandwidth remaining groups, one at 99 and one at 1. But they are both all zeros.

That traffic generator is cool but I don't think I have time to learn how to use it...

This is my last day to get things working.

I wonder if I moved this policy-map to my router's internal interface and set the policy to input... Maybe if I put ownerdata at 100% and crewdata at 0 it would push it aside?

I know I'm attacking it at the wrong place but I'm ready to try anything.


I have now moved it to the inside int of my 2801 router but it didn't change anything.

I also thought I would try to change it to an input policy but it won't even let me do that.

It gives me the "CBWFQ is only allowed outbound" error.

It might help if you post what you're seeing from the show policy command.

Outbound on the WAN facing interface is where you want the policy.

If you also do a show access-list, we can confirm the ACLs are matching traffic.

Here's what my sh access-list comes up with

Standard IP access list 1

10 permit 192.168.0.0, wildcard bits 0.0.255.255 (13449 matches)

Extended IP access list crewdata

10 permit ip 192.168.54.0 0.0.0.255 any

20 permit ip any 192.168.54.0 0.0.0.255 (217995 matches)

Extended IP access list crewdata

10 permit ip 192.168.54.0 0.0.0.255 any

20 permit ip any 192.168.54.0 0.0.0.255

I worry that my first ACL is letting everything past.

Is there supposed to be matches on both ACL's?

There should be matches on both ACLs if there's traffic from both subnets. However, you have "crewdata" listed twice, one showing matches and the other doesn't? Also, the matches that do show appear to be inbound?

Please post your whole config.
