
Packets being missed by QOS policy

warren.sullivan
Level 1

Hi Guys,

I have created a policy to match certain flows for our business, then assign them specific bandwidths. All is working well, except for one thing: almost 10% of packets are making it through to the class-default, even though I have an ip any any on the internet match. Any ideas? See below for config and output of sh policy-map.

!

ip access-list extended MARK-AURION

permit ip any host 10.0.30.210

permit ip any host 10.0.65.89

permit ip any host 10.0.98.245

ip access-list extended MARK-BUSINESS-DATA-30

permit ip any 10.0.30.0 0.0.0.255

ip access-list extended MARK-BUSINESS-DATA-65

permit ip any 10.0.65.0 0.0.0.255

ip access-list extended MARK-BUSINESS-DATA-98

permit ip any 10.0.98.0 0.0.0.255

ip access-list extended MARK-BUSINESS-DATA-OTHER

permit ip any 10.0.0.0 0.255.255.255

ip access-list extended MARK-CIMS

permit ip any host 10.0.30.78

permit ip any host 10.0.30.231

permit ip any host 10.0.65.116

permit ip any host 10.0.65.224

permit ip any host 10.0.98.150

ip access-list extended MARK-EXCHANGE

permit ip any host 10.0.65.173

permit ip any host 10.0.65.174

permit ip any host 10.0.65.175

permit ip any host 10.0.98.174

permit ip any host 10.0.98.242

ip access-list extended MARK-FINANCEONE

permit ip any host 10.0.65.118

permit ip any host 10.0.98.56

ip access-list extended MARK-INTERNET

permit ip any any

ip access-list extended MARK-VOICE

permit ip any 10.2.0.0 0.0.255.255

!

!

class-map match-any MANAGEMENT

match protocol eigrp

match protocol ssh

match protocol cdp

match protocol icmp

match protocol arp

match protocol dhcp

match protocol ntp

match protocol snmp

match protocol secure-ftp

match protocol tftp

class-map match-any INTERNET

match dscp af13

class-map match-any MARK-EXCHANGE

match access-group name MARK-EXCHANGE

class-map match-any MARK-INTERNET

match access-group name MARK-INTERNET

class-map match-any MARK-CIMS

match access-group name MARK-CIMS

class-map match-any MARK-BUSINESS-DATA-65

match access-group name MARK-BUSINESS-DATA-65

class-map match-any MARK-BUSINESS-DATA-30

match access-group name MARK-BUSINESS-DATA-30

class-map match-any MARK-BUSINESS-DATA-98

match access-group name MARK-BUSINESS-DATA-98

class-map match-any MARK-FINANCEONE

match access-group name MARK-FINANCEONE

class-map match-any MARK-AURION

match access-group name MARK-AURION

class-map match-any BUSINESS-APPS

match dscp af41

match dscp af43

match dscp af31

match dscp af33

class-map match-any BUSINESS-DATA

match dscp af21

match dscp af22

match dscp af23

match dscp af11

class-map match-any VOICE

match dscp ef

match protocol sip

match protocol rtp

match protocol skinny

class-map match-any MARK-BUSINESS-DATA-OTHER

match access-group name MARK-BUSINESS-DATA-OTHER

class-map match-any MARK-VOICE

match access-group name MARK-VOICE

!

policy-map MARKING-POLICY

class MARK-VOICE

  set dscp ef

class MARK-CIMS

  set dscp af41

class MARK-EXCHANGE

  set dscp af43

class MARK-FINANCEONE

  set dscp af31

class MARK-AURION

  set dscp af33

class MARK-BUSINESS-DATA-65

  set dscp af21

class MARK-BUSINESS-DATA-30

  set dscp af22

class MARK-BUSINESS-DATA-98

  set dscp af23

class MARK-BUSINESS-DATA-OTHER

  set dscp af11

class MARK-INTERNET

  set dscp af13

policy-map CBWFQ-POLICY

class VOICE

  bandwidth percent 15

class MANAGEMENT

  priority percent 15

class BUSINESS-APPS

  bandwidth percent 35

  random-detect dscp-based

class BUSINESS-DATA

  bandwidth percent 20

  random-detect dscp-based

class INTERNET

  bandwidth percent 10

  random-detect

class class-default

policy-map QOS-POLICY

class class-default

  shape average 5242880

   service-policy CBWFQ-POLICY

!        

!        

!        

cns-rt01#sh policy-map int tunnel 1 output

Tunnel1

  Service-policy output: QOS-POLICY

    Class-map: class-default (match-any) 

      57501400 packets, 24484694221 bytes

      5 minute offered rate 70000 bps, drop rate 0000 bps

      Match: any

      Queueing

      queue limit 64 packets

      (queue depth/total drops/no-buffer drops) 0/19093/0

      (pkts output/bytes output) 60433436/26449585928

      shape (average) cir 5242880, bc 20972, be 20972

      target shape rate 5242880

      Service-policy : CBWFQ-POLICY

        queue stats for all priority classes:

          Queueing

          queue limit 64 packets

          (queue depth/total drops/no-buffer drops) 0/0/0

          (pkts output/bytes output) 2552815/826941818

        Class-map: VOICE (match-any) 

          6586682 packets, 522626359 bytes

          5 minute offered rate 1000 bps, drop rate 0000 bps

          Match:  dscp ef (46)

            6586682 packets, 522626359 bytes

            5 minute rate 1000 bps

          Match: protocol sip

            0 packets, 0 bytes

            5 minute rate 0 bps

          Match: protocol rtp

            0 packets, 0 bytes

            5 minute rate 0 bps

          Match: protocol skinny

            0 packets, 0 bytes

            5 minute rate 0 bps

          Queueing

          queue limit 64 packets

          (queue depth/total drops/no-buffer drops) 0/0/0

          (pkts output/bytes output) 6586757/912502062

          bandwidth 15% (750 kbps)

        Class-map: MANAGEMENT (match-any) 

          2549854 packets, 1302466959 bytes

          5 minute offered rate 1000 bps, drop rate 0000 bps

          Match: protocol eigrp

            100217 packets, 8182074 bytes

            5 minute rate 0 bps

          Match: protocol ssh

            11248 packets, 3776998 bytes

            5 minute rate 0 bps

          Match: protocol cdp

            0 packets, 0 bytes

            5 minute rate 0 bps

          Match: protocol icmp

            1150594 packets, 132684126 bytes

            5 minute rate 0 bps

          Match: protocol arp

            0 packets, 0 bytes

            5 minute rate 0 bps

          Match: protocol dhcp

            174235 packets, 52826944 bytes

            5 minute rate 0 bps

          Match: protocol ntp

            11574 packets, 1203696 bytes

            5 minute rate 0 bps

          Match: protocol snmp

            1101986 packets, 1103793121 bytes

            5 minute rate 0 bps

          Match: protocol secure-ftp

            0 packets, 0 bytes

            5 minute rate 0 bps

          Match: protocol tftp

            0 packets, 0 bytes

            5 minute rate 0 bps

          Priority: 15% (750 kbps), burst bytes 18750, b/w exceed drops: 21

        Class-map: BUSINESS-APPS (match-any) 

          10021358 packets, 4237310726 bytes

          5 minute offered rate 20000 bps, drop rate 0000 bps

          Match:  dscp af41 (34)

            6706856 packets, 3064145801 bytes

            5 minute rate 9000 bps

          Match:  dscp af43 (38)

            3147495 packets, 1125484203 bytes

            5 minute rate 5000 bps

          Match:  dscp af31 (26)

            73518 packets, 26878462 bytes

            5 minute rate 0 bps

          Match:  dscp af33 (30)

            93489 packets, 20802260 bytes

            5 minute rate 0 bps

          Queueing

          queue limit 64 packets

          (queue depth/total drops/no-buffer drops) 0/29/0

          (pkts output/bytes output) 10021329/4877334374

          bandwidth 35% (1750 kbps)

            Exp-weight-constant: 9 (1/512)

            Mean queue depth: 0 packets

            dscp       Transmitted         Random drop      Tail drop          Minimum        Maximum     Mark

                    pkts/bytes            pkts/bytes       pkts/bytes          thresh         thresh     prob

            af31       73518/31382084        0/0              0/0                 32            40  1/10

            af33       93489/26741750        0/0              0/0                 24            40  1/10

            af41     6706856/3487491824      0/0              0/0                 32            40  1/10

            af43     3147466/1331718716     29/41358          0/0                 24            40  1/10

        Class-map: BUSINESS-DATA (match-any) 

          32328369 packets, 12391660649 bytes

          5 minute offered rate 14000 bps, drop rate 0000 bps

          Match:  dscp af21 (18)

            2281562 packets, 953823138 bytes

            5 minute rate 1000 bps

          Match:  dscp af22 (20)

            17884002 packets, 5326475850 bytes

            5 minute rate 2000 bps

          Match:  dscp af23 (22)

            9553692 packets, 5052056637 bytes

            5 minute rate 0 bps

          Match:  dscp af11 (10)

            2609113 packets, 1059305024 bytes

            5 minute rate 1000 bps

          Queueing

          queue limit 64 packets

          (queue depth/total drops/no-buffer drops) 0/19043/0

          (pkts output/bytes output) 32312416/14375643744

          bandwidth 20% (1000 kbps)

            Exp-weight-constant: 9 (1/512)

            Mean queue depth: 0 packets

            dscp       Transmitted         Random drop      Tail drop          Minimum        Maximum     Mark

                    pkts/bytes            pkts/bytes       pkts/bytes          thresh         thresh     prob

            af11     2610902/1219088068    438/611876       225/223142            32            40  1/10

            af21     2281774/1091637204      8/2480           1/182               32            40  1/10

            af22    17875653/6436312942   3749/5308830     4882/6917932           28            40  1/10

            af23     9544087/5628605530   4995/7270706     4745/6840582           24            40  1/10

        Class-map: INTERNET (match-any) 

          1974045 packets, 369748257 bytes

          5 minute offered rate 0000 bps, drop rate 0000 bps

          Match:  dscp af13 (14)

            1974045 packets, 369748257 bytes

            5 minute rate 0 bps

          Queueing

          queue limit 64 packets

          (queue depth/total drops/no-buffer drops) 0/0/0

          (pkts output/bytes output) 1974045/495510878

          bandwidth 10% (500 kbps)

            Exp-weight-constant: 9 (1/512)

            Mean queue depth: 0 packets

            class       Transmitted         Random drop      Tail drop          Minimum        Maximum     Mark

                    pkts/bytes            pkts/bytes       pkts/bytes          thresh         thresh     prob

            0               0/0               0/0              0/0                 20            40  1/10

            1         1974045/495510878       0/0              0/0                 22            40  1/10

            2               0/0               0/0              0/0                 24            40  1/10

            3               0/0               0/0              0/0                 26            40  1/10

            4               0/0               0/0              0/0                 28            40  1/10

            5               0/0               0/0              0/0                 30            40  1/10

            6               0/0               0/0              0/0                 32            40  1/10

            7               0/0               0/0              0/0                 34            40  1/10

        Class-map: class-default (match-any) 

         4041113 packets, 5660886594 bytes

          5 minute offered rate 12000 bps, drop rate 0000 bps

          Match: any

          queue limit 64 packets

          (queue depth/total drops/no-buffer drops) 0/0/0

          (pkts output/bytes output) 6986074/4961653052

cns-rt01# 
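
Added example (not part of the original post): a small Python parser for the `show policy-map interface` output above that reports each child class's share of packets and its mean packet size, so the class-default share can be read off directly. The sample text is abridged from the counters posted above; the function names are hypothetical.

```python
import re

# Abridged from the counters in the post above (one Match block kept to show it is skipped).
SAMPLE = """\
Service-policy output: QOS-POLICY
  Class-map: class-default (match-any)
    57501400 packets, 24484694221 bytes
    Service-policy : CBWFQ-POLICY
      Class-map: VOICE (match-any)
        6586682 packets, 522626359 bytes
        Match:  dscp ef (46)
          6586682 packets, 522626359 bytes
      Class-map: MANAGEMENT (match-any)
        2549854 packets, 1302466959 bytes
      Class-map: BUSINESS-APPS (match-any)
        10021358 packets, 4237310726 bytes
      Class-map: BUSINESS-DATA (match-any)
        32328369 packets, 12391660649 bytes
      Class-map: INTERNET (match-any)
        1974045 packets, 369748257 bytes
      Class-map: class-default (match-any)
        4041113 packets, 5660886594 bytes
"""

CLASS_RE = re.compile(r"^(\s*)Class-map:\s+(\S+)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")

def parse_classes(text):
    """Return [(indent, name, packets, bytes)] in order of appearance."""
    classes, pending = [], None
    for line in text.splitlines():
        if not line.strip():
            continue  # forum pastes are often double-spaced
        m = CLASS_RE.match(line)
        if m:
            pending = (len(m.group(1)), m.group(2))
            continue
        c = COUNT_RE.match(line)
        if c and pending:  # only the first counter line after Class-map is the class total
            classes.append((*pending, int(c.group(1)), int(c.group(2))))
            pending = None
    return classes

def child_report(classes):
    """Per child class: (percent of all child packets, mean bytes per packet)."""
    parent_indent = classes[0][0]
    kids = [c for c in classes[1:] if c[0] > parent_indent]
    total = sum(c[2] for c in kids)
    return {n: (round(100 * p / total, 2), round(b / p)) for _, n, p, b in kids if p}

if __name__ == "__main__":
    for name, (pct, size) in child_report(parse_classes(SAMPLE)).items():
        print(f"{name:15s} {pct:6.2f}%  ~{size} B/pkt")
```

Because the child classes are distinguished from the parent by indentation, the pasted output must keep its leading spaces for the report to be meaningful.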


Hello

I can see you are marking on DSCP but you have WRED set to IPP.

class-map match-any INTERNET

match dscp af13

policy-map CBWFQ-POLICY

class INTERNET

bandwidth percent 10

random-detect


res

Paul



Thanks for that Paul, but it doesn't really answer the question: why are they getting through?

Joseph W. Doherty
Hall of Fame

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

Yes, you have any any for input, but what about packets sourced by the router itself?

Thanks Joseph,

I had that thought in my head, but the MANAGEMENT class-map is showing matches for eigrp, tftp, etc.; this is traffic originating from the router....

Your thoughts?


Posting

Good point!  (Even if your tftp count shows 0.)

It might be that NBAR matches locally sourced traffic when IP any any does not.  (Would seem strange if true.)  (BTW, I vaguely also recall there's some command for treating device locally sourced traffic like transit traffic for some egress cases.)

Or, perhaps it's for non-IP traffic.  Pre-HQF, by default, reserved 25% of bandwidth for such other traffic such as "control and routing".

What you might do is mark this traffic with a TOS value that's non-DSCP, and use a packet analyzer to examine so marked packets.  (Some of the later IOSs have a mini-packet analyzer built into them.)  If you do that, please post the results.
