QoS 881 router not policing

Johan Olsson · ‎09-24-2014

Hi,

I'm trying to setup QoS policing to limit bandwith for some protocols. I'm using a 881 router.
I just want to police the traffic for the protocols and configured this:

class-map filetransfer
match protocol itunes
match protocol bittorrent
match protocol ftp

policy-map qos_filetransfer
class filetransfer
police 100000
conform-action transmit
exceed-action drop

int f4
service-policy input qos_filetransfer
service-policy output qos_filetransfer

But when I'm testing to download a file with ftp the traffic is not limited.

If I run: sh ip nbar protocol-discovery stats bit-rate top-n 10, I can see the ftp traffic:

FastEthernet4

Last clearing of "show ip nbar protocol-discovery" counters 00:05:03

                            Input                    Output
                            -----                    ------
   Protocol                 5min Bit Rate (bps)      5min Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   ftp                      3340000                  104000
   stun-nat                 14000                    97000
   ipsec                    1000                     1000
   icmp                     0                        1000
   isakmp                   0                        0
   dns                      0                        0
   skype                    0                        0
   unknown                  0                        1000
   Total                    3355000                  204000

If i run: sh policy-map interface f4

FastEthernet4

Service-policy input: qos_filetransfer

    Class-map: filetransfer (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: protocol itunes
      Match: protocol bittorrent
      Match: protocol ftp
      police:
          cir 100000 bps, bc 3125 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)
      96296 packets, 139493940 bytes
      5 minute offered rate 3050000 bps, drop rate 0000 bps
      Match: any

Service-policy output: qos_filetransfer

    Class-map: filetransfer (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: protocol itunes
      Match: protocol bittorrent
      Match: protocol ftp
      police:
          cir 100000 bps, bc 3125 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)
      59355 packets, 7299832 bytes
      5 minute offered rate 161000 bps, drop rate 0000 bps
      Match: any

Seems that the Class-map class-default are matching the packets, but I have not configured any class-defaults.

Please advice what to do.

Thanks

luke-zhang · ‎09-25-2014

misconfigure at "class-map filetransfer", the default action is match all protocol

just change to "match any", QoS can work properly.

Joseph W. Doherty · ‎09-25-2014

Ditto.

Johan Olsson · ‎09-26-2014

Hi,
Tested but can't get it to work.

I have tested:

class-map filetransfer
match protocol itunes
match protocol bittorrent
match protocol ftp
match any

and:

class-map match-all filetransfer
match protocol itunes
match protocol bittorrent
match protocol ftp
match any

and:

class-map match-any filetransfer
match protocol itunes
match protocol bittorrent
match protocol ftp
match any

I still get full bandwith when downloading a file with ftp from internet --> a computer on vlan1

Any more idea?

router#sh policy-map interface f4
FastEthernet4

Service-policy input: qos_filetransfer

    Class-map: filetransfer (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: protocol itunes
      Match: protocol bittorrent
      Match: protocol ftp
      Match: any
      police:
          cir 100000 bps, bc 3125 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)
      260290 packets, 385289380 bytes
      5 minute offered rate 6399000 bps, drop rate 0000 bps
      Match: any

Service-policy output: qos_filetransfer

    Class-map: filetransfer (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: protocol itunes
      Match: protocol bittorrent
      Match: protocol ftp
      Match: any
      police:
          cir 100000 bps, bc 3125 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)
      163215 packets, 16962903 bytes
      5 minute offered rate 283000 bps, drop rate 0000 bps
      Match: any

Joseph W. Doherty · ‎09-26-2014

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

class-map filetransfer
match protocol itunes
match protocol bittorrent
match protocol ftp
match any

~~and:~~

class-map match-all filetransfer
match protocol itunes
match protocol bittorrent
match protocol ftp
match any

~~and:~~

class-map match-any filetransfer
match protocol itunes
match protocol bittorrent
match protocol ftp
~~match any~~

Johan Olsson · ‎09-27-2014

Hi Joseph,
I configured it but it still not limit the bandwith. I get full bandwith when downloading with ftp from internet --> computer on vlan1.

Any other idea?

#sh policy-map interface f4
FastEthernet4

Service-policy input: qos_filetransfer

    Class-map: filetransfer (match-any)
      75077 packets, 113637817 bytes
      5 minute offered rate 2409000 bps, drop rate 0000 bps
      Match: protocol itunes
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol ftp
        75077 packets, 113637817 bytes
        5 minute rate 2409000 bps
      police:
          cir 100000 bps, bc 3125 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)
      2135 packets, 306227 bytes
      5 minute offered rate 11000 bps, drop rate 0000 bps
      Match: any

Service-policy output: qos_filetransfer

    Class-map: filetransfer (match-any)
      41494 packets, 2684305 bytes
      5 minute offered rate 60000 bps, drop rate 0000 bps
      Match: protocol itunes
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol ftp
        41494 packets, 2684305 bytes
        5 minute rate 60000 bps
      police:
          cir 100000 bps, bc 3125 bytes
        conformed 10 packets, 737 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)
      3005 packets, 1756471 bytes
      5 minute offered rate 41000 bps, drop rate 0000 bps
      Match: any

Johan Olsson · ‎10-01-2014

Hi,
I tested the configuration with another 881 router but with the advipservices license instead of advsecurity and it works!

Is there any qos limitations in the advsecurity? Can't find anything about it, but it seems to be or if it's a bug in my ios version.

Joseph W. Doherty · ‎10-01-2014

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

There may be.

I've noticed on 871s, with 12.4T, that advsecurity doesn't offer all the same QoS options as advipservices.