12-22-2016 09:05 PM - edited 03-05-2019 07:43 AM
I have CISCO2911/K9 with IPBasek9 and SecurityK9. Link to ISP is 16 Mbps with NAT configured on g0/0. I have configured simple policy that does priority for one class and simple fair queue for rest of the classes. And as obvious i have applied the policy outbound towards my LAN side g0/2. Priority never works no matter what style of configuration I apply. The below is the config:
CLASSIFICATION
ACL OF PRIORITY USERS
ip access-list extended PRIORITY_ACL_DOWNLOAD
permit ip any host 192.168.2.250
permit ip any host 192.168.1.200
permit ip any host 192.168.1.201
permit ip any host 192.168.1.195
permit ip any host 192.168.10.7
permit ip any host 192.168.1.199
permit ip any host 192.168.1.210
permit ip any host 192.168.10.66
permit ip any host 192.168.2.201
permit ip any host 192.168.3.252
permit ip any host 192.168.10.245
permit ip any host 192.168.3.250
permit ip any host 192.168.4.51
permit ip any host 192.168.4.52
permit ip any host 192.168.10.253
permit ip any host 192.168.10.249
permit ip any host 192.168.10.62
permit ip any host 192.168.10.59
permit ip any host 192.168.10.250
permit ip any host 192.168.10.12
permit ip any host 192.168.10.254
permit ip any host 192.168.10.88
permit ip any host 192.168.10.89
permit ip any host 192.168.10.45
deny ip any any
ACL OF OTHER DEPARTMENTs
ip access-list extended ADMIN
permit ip any 192.168.10.0 0.0.0.255
deny ip any any
ip access-list extended AEI1
permit ip any 192.168.5.0 0.0.0.255
deny ip any any
ip access-list extended AEI2
permit ip any 192.168.4.0 0.0.0.255
deny ip any any
ip access-list extended CSE
permit ip any 192.168.2.0 0.0.0.255
deny ip any any
ip access-list extended DNS_
permit udp any any eq domain
deny ip any any
ip access-list extended ELECT
permit ip any 192.168.8.0 0.0.0.255
deny ip any any
ip access-list extended IT
permit ip any 192.168.1.0 0.0.0.255
deny ip any any
ip access-list extended MECH
permit ip any 192.168.6.0 0.0.0.255
deny ip any any
CLASS-MAPS
class-map match-all PRIORITY_DOWNLOAD
match access-group name PRIORITY_ACL_DOWNLOAD
class-map match-all MECH
match access-group name MECH
class-map match-all VP
match access-group name VP
class-map match-all PG
match access-group name PG
class-map match-all IT
match access-group name IT
class-map match-all ADMIN
match access-group name ADMIN
class-map match-all CSE
match access-group name CSE
class-map match-all ELECT
match access-group name ELECT
class-map match-all AEI1
match access-group name AEI1
class-map match-all AEI2
match access-group name AEI2
POLICY-MAP
policy-map MBSD
class PRIORITY_DOWNLOAD
priority 15000
class PG
bandwidth 200
class MECH
bandwidth 100
class IT
bandwidth 100
class CSE
bandwidth 100
class VP
bandwidth 100
class AEI1
bandwidth 100
class ADMIN
bandwidth 100
class AEI2
bandwidth 100
class ELECT
bandwidth 99
class class-default
bandwidth 1
policy-map MBS_DOWNLOAD
class class-default
shape average 16000000
service-policy MBSD
APPLYING THE POLICY
R1# int g0/2
R1# service-policy output MBS_DOWNLOAD
OBSERVATION:-
I want to let the priority class go out with 15Mbps bandwidth but it never works. Please help.
Solved! Go to Solution.
01-10-2017 05:15 AM
This is so frustrating.....:(
Indeed it is. It's somewhat like posting good advice, and seeing it discounted. ;)
From what you've described, all sounds like how I would expect things to behave.
Again, I've already explained why your approach won't work, using "ordinary" Cisco QoS, but I didn't mention, as it doesn't really matter in your case, that Cisco interfaces support hardware FIFO TX queues. These overflow into the CBWFQ queues. I.e. these TX queues can make it appear CBWFQ isn't working.
To make CBWFQ "more effective" you need to decrease the TX queue size.
I mention the foregoing because the TX queue size can negate much of what CBWFQ offers. Again, though, it won't help you in your case.
12-23-2016 01:51 AM
Hello
Just to confirm you wish to prioritise traffic on your Lan facing interface of the rtr ?
If so then using a policer would be more appropriate, Shaping is most applicable to egress traffic on wan interfaces
Also I can see the class maps are match-ALL which means for this to work ALL conditions in the acl has to match however a match ANY statement would mean only 1 condition in the acl would need to match
res
paul
12-27-2016 01:04 AM
Hi,
I am doing the shaping for the download traffic towards the LAN facing clients
that's why its
ip access-list extended PRIORITY_ACL_DOWNLOAD
permit ip any host 192.168.1.200
which means source is anything but destination is known to be my LAN clients and that would be their download traffic.
what you think!
12-27-2016 01:23 AM
Hello,
as far as I know, you cannot shape ingress traffic, you can only police it, as Paul has suggested.
12-28-2016 08:14 PM
Yes you are right. But clearly see as per my config the shaper is definately outbound but not towards WAN but towards the clients (LAN).
For DOWNLOAD Stream (see arrow direction)
Client (192.168.1.20)<-------[3750-X]<-------(<<outbound shaper for download at G0/2 for clients )[c2911]<--------Internet
In ACLs, I am matching on the destination address of the outgoing packet to be classified. That is why you do not see any keyword in the end!
Please also review my config I pasted above.
OR
please suggest what should i do to accomplish the goal of prioritizing the download/upload traffic for PRIORITY Internet users (with an example :)).
NOTE: My question is similar to the below post but in my case I do not see the PRIORITY working, suppose I say 192.168.2.250 and 192.168.2.100 both downloading a file and as 192.168.2.250 is in PRIORITY_ACL_DOWNLOAD it must get 15000kbps of bandwidth alone leaving rest for 192.168.2.100, but i do not see policy working this way.
https://supportforums.cisco.com/discussion/10956426/limiting-bandwidth-cisco-router-possible-1800-series
12-29-2016 05:52 AM
NOTE: My question is similar to the below post but in my case I do not see the PRIORITY working . . .
Again, I've already posted what you're doing will be ineffective, and why that's so.
To recap that, if your ingress is physically limited to some bandwidth, and downstream of that bandwidth you shape a higher bandwidth port for the same bandwidth as the upstream supports, the shaper won't queue any traffic, and if no traffic is queued, there's nothing to prioritize.
If you wanted to see your shaper do "something", shape slower than your 16 Mbps. Then you should be able to see some traffic getting priority. However, doing this, you've only mostly held back your non-priority traffic. If you queue enough of your non-priority traffic that it starts to drop packets, depending on the nature of that traffic, it may slow its transmission rate allowing more bandwidth, upstream, for your priority traffic.
As noted above, if some traffic "sees" drops, it may slow its transmission rate. So you might also police inbound non-priority traffic trying to keep bandwidth available for your priority traffic. Likewise, some traffic, for example, TCP, will also slow it's transmission rate if you slow its returning ACKs. Both of these approaches aren't very dynamic regarding the needs of the priority traffic. You may not preserve enough bandwidth for your priority traffic and/or allow bandwidth to go unused.
Where you really want your inbound QoS policy is on the service provider's egress port, unfortunately most service providers will not support/allow this.
Trying to manage ingress bandwidth, at the receiving end, can be very difficult especially if only using router QoS features. "Special" dedicated traffic shaping appliances can do much more, but even they are not 100% effective in all cases. However, if you really need to better manage ingress bandwidth, and your service provider won't provide QoS on their end of the link, that's likely your most effective option.
12-30-2016 08:49 PM
Joseph,
Thanks for the reply.
Can you please tell me a way i achieve the result? that is prioritizing the download traffic for some specific users based on ACL.
I shall be thankfull to you!
01-08-2017 10:29 PM
Any One////////////
01-08-2017 11:53 PM
Hello,
replace the 'priority' with 'police'.
policy-map MBSD
class PRIORITY_DOWNLOAD
police 15000000
policy-map MBS_DOWNLOAD
class class-default
police 16000000
Once you have changed those settings, do you get any matches when you do a 'show policy-map interface' ?
01-09-2017 01:06 AM
Yes ...but How can I be sure that PRIORITY USER is being preferred first.
One more thing.. do i need to put the non-priority users in police too!
01-09-2017 01:11 AM
Hello,
I would simplify the policy and just use the priority download class:
class-map match-all PRIORITY_DOWNLOAD
match access-group name PRIORITY_ACL_DOWNLOAD
policy-map MBSD
class PRIORITY_DOWNLOAD
priority 15000000
class class-default
01-09-2017 01:51 AM
Hello
Dont forget
class-map match-ANY PRIORITY_DOWNLOAD
res
Paul
01-09-2017 08:37 PM
class-map match-any PRIORITY_DOWNLOAD
match access-group name PRIORITY_ACL_DOWNLOAD
policy-map MBSD
class PRIORITY_DOWNLOAD
priority 15000
class class-default
..............Still the bandwidth is divided into half, if both (Priority and Non_priority) aggressively try downloading some file from Internet.
This is so frustrating.....:(
01-09-2017 11:51 PM
Hello,
I am wondering if the policy should be configured inbound instead of outbound. From the point of view of the interface, you are prioritizing inbound traffic
So try:
service-policy input MBS_DOWNLOAD
01-10-2017 05:15 AM
This is so frustrating.....:(
Indeed it is. It's somewhat like posting good advice, and seeing it discounted. ;)
From what you've described, all sounds like how I would expect things to behave.
Again, I've already explained why your approach won't work, using "ordinary" Cisco QoS, but I didn't mention, as it doesn't really matter in your case, that Cisco interfaces support hardware FIFO TX queues. These overflow into the CBWFQ queues. I.e. these TX queues can make it appear CBWFQ isn't working.
To make CBWFQ "more effective" you need to decrease the TX queue size.
I mention the foregoing because the TX queue size can negate much of what CBWFQ offers. Again, though, it won't help you in your case.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide