Is my QoS Policy working?

Travis-Fleming
Level 1

Hey community! We have a Cisco 4331 or 10 in our environment. Below is our current QoS policy. When I do a "show access-lists" I don't get a count for matches for access list 101, which is used in our QoS policy. Does that mean the access list isn't catching traffic for the "rdpfromlan" class map, and therefore won't really do anything in our service policy tied to our MPLS interface Gi0/0/2? We are taking Citrix traffic and putting it on our MPLS network with a precedence of 2 via access list 101 so our ISP can properly QoS it if we ever reach bandwidth limits.

The 172.29.0.0/16 subnet is our remote network data subnets, and 172.17.99.0/24 is our Citrix server environment subnet.

at-grsc-mpls-rt01#show access-lists
Standard IP access list 20
10 permit 172.16.1.166 (24833476 matches)
Standard IP access list CoreSwitch
10 permit 172.17.101.129 log
20 permit 172.17.101.2 log
Standard IP access list Management
10 permit 172.16.0.0, wildcard bits 0.15.255.255 (918 matches)
Extended IP access list 101
10 permit tcp 172.29.0.0 0.0.255.255 172.16.0.0 0.0.255.255 eq 3389
20 permit tcp 172.30.0.0 0.0.255.255 172.16.0.0 0.0.255.255 eq 3389
30 permit tcp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 3389
40 permit tcp 172.30.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 3389
50 permit tcp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 1494
60 permit tcp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 2598
70 permit udp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 2598
Extended IP access list 102
10 permit tcp 172.17.99.0 0.0.0.255 172.29.0.0 0.0.255.255
20 permit udp 172.17.99.0 0.0.0.255 172.29.0.0 0.0.255.255
Extended IP access list guestwifi
10 permit udp any any eq bootps (24264 matches)
20 permit udp any any eq bootpc
30 deny ip 172.31.16.0 0.0.0.255 10.0.0.0 0.255.255.255
40 deny ip 172.31.16.0 0.0.0.255 172.16.0.0 0.15.255.255 (438495 matches)
50 deny ip 172.31.16.0 0.0.0.255 192.168.0.0 0.0.255.255 (11998 matches)
60 permit ip any any (62092796 matches)
70 permit icmp any any

class-map match-any voicefromlan
 match ip dscp ef
class-map match-any rdpfromlan
 match access-group 101
class-map match-any voicefromwan
 match ip precedence 5
class-map match-any cntrfromwan
 match ip precedence 4
class-map match-any cntrfromlan
 match ip dscp cs3
 match ip dscp af31
class-map match-any rdpfromwan
 match access-group 102
!
policy-map lanedge
 class voicefromwan
  bandwidth percent 25
  set dscp ef
 class cntrfromwan
  bandwidth percent 10
  set dscp cs3
 class rdpfromwan
  bandwidth percent 35
 class class-default
  fair-queue
policy-map wanedge
 class voicefromlan
  bandwidth percent 25
  set precedence 5
 class cntrfromlan
  bandwidth percent 10
  set precedence 4
 class rdpfromlan
  bandwidth percent 35
  set precedence 2
 class class-default
  fair-queue
  shape average percent 10

interface GigabitEthernet0/0/0
 description To LAN
 bandwidth 100000
 ip flow monitor NetFlowMonitor1 input
 ip flow monitor NetFlowMonitor1 output
 ip address 172.17.101.1 255.255.255.252
 negotiation auto
 service-policy output lanedge
!
interface GigabitEthernet0/0/1
 description CID- CenturyLink ETH1000-XXXX
 ip flow monitor NetFlowMonitor1 input
 ip flow monitor NetFlowMonitor1 output
 ip address 1.2.3.4 255.255.255.252
 negotiation auto
 service-policy output wanedge

9 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

To confirm whether traffic is getting classified and policed, can you get the output of the below from the router:

show policy-map interface gi0/0

It will show you the packets classified and shaped/policed.

Hello,

When your access lists don't show any matches, that could indicate that the access list somehow does not match the traffic flow. Try and temporarily change the access list to:

access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 1494
access-list 101 permit tcp any any eq 2598
access-list 101 permit udp any any eq 2598

or change the class map to match Citrix:

class-map match-any rdpfromlan
 match protocol citrix

and check if you get any hits then...

Ah, so I'm right, there should be a count next to it, correct, when I do the show access-lists like the others had?

The count should be there indeed...

Hello

The easiest way is, as suggested by @Muhammad Awais Khan, to look at the policy map.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joseph W. Doherty
Hall of Fame
It looks to me as if your src/dest for your ACLs 101 and 102 may be "backwards", for their intended usage.

BTW, don't know if it's still true, but it may still be possible to use NBAR to examine CITRIX subtype, which allows you to treat differently screen scraping traffic from file copying and/or printing traffic.

EDIT: I cleared the counters on the interface, and if I do a "show policy-map interface gi0/0/2" on the MPLS interface, I can see the packet count going up for rdpfromlan, but if I do a "show access-lists" the count next to access list 101 does not go up? From the ACL, the 172.29.0.0/16 subnet is the data subnet of our remote site, and 172.17.99.0/24 are our Citrix servers at our data center.

at-chtx-mpls-rt01#show policy-map interface gi0/0/2

Class-map: rdpfromlan (match-any)
11886 packets, 823950 bytes
5 minute offered rate 19000 bps, drop rate 0000 bps
Match: access-group 101
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 11886/823950
bandwidth 35% (3584 kbps)
QoS Set
precedence 2
Marker statistics: Disabled

at-chtx-mpls-rt01#show access-lists

Standard IP access list Management
10 permit 172.16.0.0, wildcard bits 0.15.255.255 (92 matches)
Extended IP access list 101
10 permit tcp 172.29.0.0 0.0.255.255 172.16.0.0 0.0.255.255 eq 3389
20 permit tcp 172.30.0.0 0.0.255.255 172.16.0.0 0.0.255.255 eq 3389
30 permit tcp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 3389
40 permit tcp 172.30.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 3389
50 permit tcp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 1494
60 permit tcp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 2598
70 permit udp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 2598
80 permit tcp 172.16.0.0 0.0.255.255 172.29.0.0 0.0.255.255 eq 3389
90 permit tcp 172.16.0.0 0.0.255.255 172.30.0.0 0.0.255.255 eq 3389
100 permit tcp 172.17.99.0 0.0.0.255 172.29.0.0 0.0.255.255 eq 3389
110 permit tcp 172.17.99.0 0.0.0.255 172.30.0.0 0.0.255.255 eq 3389
120 permit tcp 172.17.99.0 0.0.0.255 172.29.0.0 0.0.255.255 eq 1494
130 permit tcp 172.17.99.0 0.0.0.255 172.29.0.0 0.0.255.255 eq 2598
140 permit udp 172.17.99.0 0.0.0.255 172.29.0.0 0.0.255.255 eq 2598
Extended IP access list guestwifi
10 permit udp any any eq bootps (28677 matches)
20 permit udp any any eq bootpc
30 deny ip 172.31.11.0 0.0.0.255 10.0.0.0 0.255.255.255 (266 matches)
40 deny ip 172.31.11.0 0.0.0.255 172.16.0.0 0.15.255.255 (14016 matches)
50 deny ip 172.31.11.0 0.0.0.255 192.168.0.0 0.0.255.255 (5620 matches)
60 permit ip any any (20769840 matches)
70 permit icmp any any
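The two outputs above are the check Muhammad Awais Khan suggested, and read together they answer the original question: the class-map counter in "show policy-map interface" is the evidence that classification and marking are happening, while the ACL's "show access-lists" counters stay at zero for an ACL that is only referenced by a class-map. The following Python helper is an added example, not code from the thread; it parses both outputs and lines up each class-map's packet count against the hit counter of the ACL it references, so the two can be compared in one place. The rdpfromlan block and the ACL text are the OP's output (trimmed); the voicefromlan block is constructed to show how a class that is not classifying anything is reported.

```python
import re
from typing import Dict, List, Optional

# "show policy-map interface gi0/0/2" as pasted by the OP; the voicefromlan
# block is constructed sample input (zero packets) and is not from the thread.
POLICY_MAP_OUTPUT = """
Class-map: rdpfromlan (match-any)
11886 packets, 823950 bytes
5 minute offered rate 19000 bps, drop rate 0000 bps
Match: access-group 101
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 11886/823950
bandwidth 35% (3584 kbps)
QoS Set
precedence 2
Marker statistics: Disabled
Class-map: voicefromlan (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: ip dscp ef (46)
"""

# "show access-lists" after the OP cleared the counters, trimmed to two ACLs.
ACL_OUTPUT = """
Extended IP access list 101
10 permit tcp 172.29.0.0 0.0.255.255 172.16.0.0 0.0.255.255 eq 3389
60 permit tcp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 2598
Extended IP access list guestwifi
10 permit udp any any eq bootps (28677 matches)
60 permit ip any any (20769840 matches)
"""


def parse_policy_map(text: str) -> List[Dict]:
    """Return one record per class-map: its name, packet count and 'Match:' conditions."""
    classes: List[Dict] = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Class-map: (\S+)", line)
        if m:
            classes.append({"name": m.group(1), "packets": None, "match": []})
            continue
        if not classes:
            continue  # text before the first class-map header
        m = re.match(r"(\d+) packets, (\d+) bytes", line)
        if m and classes[-1]["packets"] is None:
            classes[-1]["packets"] = int(m.group(1))  # first counter line is the class total
            continue
        m = re.match(r"Match: (.+)", line)
        if m:
            classes[-1]["match"].append(m.group(1))
    return classes


def parse_acl_counters(text: str) -> Dict[str, int]:
    """Sum the '(N matches)' counters per ACL; entries without a counter count as 0."""
    totals: Dict[str, int] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = re.match(r"\s*(?:Standard|Extended) IP access list (\S+)", line)
        if m:
            current = m.group(1)
            totals[current] = 0
            continue
        m = re.search(r"\((\d+) matches\)", line)
        if m and current is not None:
            totals[current] += int(m.group(1))
    return totals


def cross_check(policy_text: str, acl_text: str) -> List[Dict]:
    """Per class-map: packets seen by the policy, and the hit total of any ACL it matches on."""
    acl_totals = parse_acl_counters(acl_text)
    rows = []
    for c in parse_policy_map(policy_text):
        acl = None
        for cond in c["match"]:
            m = re.match(r"access-group (\S+)", cond)
            if m:
                acl = m.group(1)
        rows.append({
            "class": c["name"],
            "packets": c["packets"],
            "classifying": bool(c["packets"]),
            "acl": acl,
            "acl_matches": acl_totals.get(acl) if acl else None,
        })
    return rows


if __name__ == "__main__":
    for row in cross_check(POLICY_MAP_OUTPUT, ACL_OUTPUT):
        print(row)
```

Run against the thread's data, rdpfromlan reports 11886 packets with ACL 101 at 0 matches, which is the combination the OP saw: the policy-map counter, not the ACL counter, is the one to watch.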

Hmm, you're showing results from g0/0/2 but OP only had g0/0/0 and g0/0/1.(?)

Okay, if 172.17.99.0/24 is the LAN side and 172.29.0.0/16 the WAN side, the traffic going out g0/0/1 would have a
src of 172.17.99.0/24 and dest of 172.29.0.0/16
but the ACL being used for WAN egress is:
Extended IP access list 101
10 permit tcp 172.29.0.0 0.0.255.255 172.16.0.0 0.0.255.255 eq 3389
20 permit tcp 172.30.0.0 0.0.255.255 172.16.0.0 0.0.255.255 eq 3389
30 permit tcp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 3389
40 permit tcp 172.30.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 3389
50 permit tcp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 1494
60 permit tcp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 2598
70 permit udp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 2598
i.e. src/dest look "backwards".

Sorry, the 172.29.0.0/16 is the LAN side of this remote site MPLS router, and 172.17.99.0/24 is over the MPLS WAN to our datacenter. This is from the perspective of the remote site router as it classifies traffic going onto the MPLS coming from a 172.29.0.0/16 data subnet going to a 172.17.99.0/24 Citrix server.

On our example router, Gi0/0/2 is the MPLS connection, Gi0/2/0 goes to our FTD 1010 firewall where our DMVPN traffic goes, and Gi0/0/1.X are our subinterfaces for VLAN tagging.

Long story short, the example is: we have a computer at IP 172.29.11.20 trying to reach a Citrix server over the MPLS connection through Gi0/0/2 at 172.17.99.100 on port 2598 or 1494. We want to take that traffic and give it a precedence of 2 when it goes onto the MPLS network out interface Gi0/0/2 destined for 172.17.99.100 from 172.29.11.20.
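Joseph's "backwards" question can be settled without relying on counters at all by evaluating the flow against the ACL the way the router does. The Python script below is an added example, not code from the thread: it parses the original seven lines of ACL 101 from "show access-lists" output, applies IOS wildcard-mask semantics (a 0 bit in the wildcard means that address bit must match), and reports which line the OP's flow 172.29.11.20 -> 172.17.99.100 tcp/2598 hits. It also generalises a little beyond the thread: it handles "any", "host", "(N matches)" suffixes and a few named ports, so it can be pointed at other extended ACLs. PORT_NAMES is a small constructed lookup table; the flow addresses and ports are the OP's own example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# ACL 101 exactly as the OP's original "show access-lists" output listed it
# (the seven entries present before the reverse-direction lines 80-140 were added).
ACL_101 = """
Extended IP access list 101
10 permit tcp 172.29.0.0 0.0.255.255 172.16.0.0 0.0.255.255 eq 3389
20 permit tcp 172.30.0.0 0.0.255.255 172.16.0.0 0.0.255.255 eq 3389
30 permit tcp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 3389
40 permit tcp 172.30.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 3389
50 permit tcp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 1494
60 permit tcp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 2598
70 permit udp 172.29.0.0 0.0.255.255 172.17.99.0 0.0.0.255 eq 2598
"""

# Constructed lookup for the named ports that appear in "show access-lists" output.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass
class Ace:
    seq: int
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp", "icmp", ...
    src: str
    src_wc: str
    sport: Optional[int]
    dst: str
    dst_wc: str
    dport: Optional[int]


def _take_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (network, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def _take_port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; other operators are not needed here."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse the extended-ACL entries from 'show access-lists' output; standard ACLs are skipped."""
    aces: List[Ace] = []
    extended = True  # bare entry lists without a header are treated as extended
    for line in text.splitlines():
        line = re.sub(r"\(\d+ matches\)", "", line).strip()
        m = re.match(r"(Standard|Extended) IP access list", line)
        if m:
            extended = m.group(1) == "Extended"
            continue
        tokens = line.split()
        if not extended or not tokens or not tokens[0].isdigit():
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, src_wc, i = _take_addr(tokens, 3)
        sport, i = _take_port(tokens, i)
        dst, dst_wc, i = _take_addr(tokens, i)
        dport, i = _take_port(tokens, i)   # trailing tokens such as "log" are ignored
        aces.append(Ace(seq, action, proto, src, src_wc, sport, dst, dst_wc, dport))
    return aces


def _wildcard_match(addr: str, net: str, wc: str) -> bool:
    """IOS wildcard semantics: bits that are 0 in the wildcard must be equal."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wc))
    return (a ^ n) & (~w & 0xFFFFFFFF) == 0


def first_match(acl_text: str, proto: str, src: str, dst: str,
                dport: Optional[int] = None, sport: Optional[int] = None) -> Optional[int]:
    """Sequence number of the first entry a packet hits, or None for the implicit deny."""
    for ace in parse_acl(acl_text):
        if ace.proto not in ("ip", proto):
            continue
        if not (_wildcard_match(src, ace.src, ace.src_wc)
                and _wildcard_match(dst, ace.dst, ace.dst_wc)):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.seq
    return None


if __name__ == "__main__":
    # The OP's flow, client to Citrix server, leaving Gi0/0/2 towards the MPLS: hits line 60.
    print(first_match(ACL_101, "tcp", "172.29.11.20", "172.17.99.100", dport=2598))  # 60
    # The server-to-client reply hits nothing in the original seven entries, which is
    # why marking return traffic needs the reverse entries the OP later added (80-140).
    print(first_match(ACL_101, "tcp", "172.17.99.100", "172.29.11.20",
                      dport=51234, sport=2598))  # None
```

For the direction the OP cares about (remote-site client to data-centre server, classified on egress of Gi0/0/2), the source/destination order in ACL 101 is the right way round; the reverse entries only matter if the same ACL is expected to classify the return traffic.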
