Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1221
Views
0
Helpful
4
Replies

QOS order of operations and Boolean logic

Flows
Level 1
Level 1

‎02-10-2018 02:35 PM - edited ‎03-05-2019 09:54 AM

Hi folks,

I want to match protocols to higher priority queues but only if they don't use the port I reserve for my bulk traffic. eg IF protocol ssl AND NOT using port 6882 set af31

  • What order are class-maps processed in?
  • With match-any class-maps are ACLs processed before NBAR protocol matches?
  • If a packet hits a deny ACE in an ACL in a high priority class-map will it then look for matches in the remaining class-maps?

 

Infrastructure is a Cisco 897VA Switch/Router/Modem 33M/3M VDSL WAN, 1G LAN:

This is what I have done so far:

 

 

!!@@ ACL for use on NBAR class-maps to ensure no bulk traffic is matched to higher priority queues via a protocol statement - positioned above all NBAR statements
ip access-list extended ACL_BULK_DENY
 deny   udp any eq 6882 any
 deny   udp any any eq 6882
 deny   tcp any eq 6882 any
 deny   tcp any any eq 6882
 
!!@@ ACL to match Bulk traffic for this network
ip access-list extended ACL_BULK_PERMIT
 permit udp any eq 6882 any
 permit udp any any eq 6882
 permit tcp any eq 6882 any
 permit tcp any any eq 6882
 
!!@@ ACL to match Control priority traffic - ACL_BULK_DENY ACEs included - positioned above Control NBAR statements
ip access-list extended ACL_CONTROL
 remark ACL_BULK_DENY start
 deny   udp any eq 6882 any
 deny   udp any any eq 6882
 deny   tcp any eq 6882 any
 deny   tcp any any eq 6882
 remark ACL_BULK_DENY end
 permit tcp any any ack
 permit tcp any any syn
 permit udp any eq domain any
 permit udp any any eq domain

 
 
 
 
!!@@ Class-map for Realtime traffic - used to mark inbound traffic
class-map match-any CM_REALTIME
  description Realtime
 match access-group name ACL_BULK_DENY  !!@@ Do not match any Bulk traffic in case it matches as any of the below protocols
 match protocol rtp
 match protocol whatsapp
 
!!@@ Class-map for Control traffic - used to mark inbound traffic
class-map match-any CM_CONTROL
  description Network Control, VPN, SYN ACK DNS
 match access-group name ACL_CONTROL  !!@@ Includes ACL_BULK_DENY
 match protocol icmp
 match protocol gre
 match protocol isakmp
 match protocol ipsec
 match protocol ssh
 
!!@@ Class-map for Transactional traffic - used to mark inbound traffic
class-map match-any CM_TRANSACTIONAL
  description Transactional Data
 match access-group name ACL_BULK_DENY  !!@@ Do not match any Bulk traffic in case it matches as any of the below protocols
 match protocol skype
 match protocol http
 match protocol secure-http
 match protocol ssl
 match protocol citrix
 match protocol ftp
 match protocol sftp
 match protocol imap
 match protocol pop3
 match protocol smtp
 match protocol exchange
 match protocol secure-imap
 match protocol secure-pop3
 match protocol secure-smtp
 match protocol gmail
 match protocol youtube
 match protocol dropbox
 
!!@@ Class-map for Bulk traffic - used to mark inbound traffic
class-map match-any CM_BULK
  description Bulk Data
 match access-group name ACL_BULK_PERMIT

 
 
 
 
!!@@ Match Realtime markings - highest priority - used for outbound queuing of traffic already marked inbound
class-map match-any CM_REALTIME_MARKED
  description Realtime Markings
 match dscp ef
 
!!@@ Match Control markings - below Realtime - lowest threshold for WRED - used for outbound queuing of traffic already marked inbound
class-map match-any CM_CONTROL_MARKED
  description Network Control, VPN Markings
 match dscp af41

!!@@ Match Transactional markings - below Realtime and Control - lowest threshold for WRED - used for outbound queuing of traffic already marked inbound
class-map match-any CM_TRANSACTIONAL_MARKED
  description Transactional Data Markings
 match dscp af31
 
!!@@ Match Bulk markings - below default-class - lowest threshold for WRED - used for outbound queuing of traffic already marked inbound
class-map match-any CM_BULK_MARKED
  description Bulk Data Markings
 match dscp af13
 

 
 
!!@@ Policy-map for outbound LAN queues - DL stands for Download and references WAN bandwidth
policy-map PM_QUEUEING_OUT_DL  !!@@ Parent/Child limitation work around
 class class-default
  shape average 990000000 !!@@ 99% true LAN bandwidth
   service-policy PM_QUEUEING_DL
policy-map PM_QUEUEING_DL
 class CM_REALTIME_MARKED
  priority 10240
 class CM_CONTROL_MARKED
  bandwidth remaining percent 30
 class CM_TRANSACTIONAL_MARKED
  bandwidth remaining percent 50
  random-detect dscp-based
  random-detect ecn !!@@ All hosts have ECN marking enabled
 class CM_BULK_MARKED
  shape average 26680000
  random-detect dscp-based
  random-detect ecn !!@@ All hosts have ECN marking enabled
 class class-default
  bandwidth remaining percent 20
  set dscp af22 !!@@ Marking any default-class traffic not caught by inbound policy-maps on internal and external interfaces - setting the default-class above the Bulk queue with a higher WRED threshold
  random-detect dscp-based
  random-detect ecn !!@@ All hosts have ECN marking enabled
  
!!@@ Policy-map for outbound WAN Queues - UL stands for WAN Upload
policy-map PM_QUEUEING_OUT_UL  !!@@ Parent/Child limitation work around
 class class-default
  shape average 3072000  !!@@ 90% true WAN UL bandwidth
   service-policy PM_QUEUEING_UL
policy-map PM_QUEUEING_UL
 class CM_REALTIME_MARKED
  priority 1024
 class CM_CONTROL_MARKED
  bandwidth remaining percent 30
 class CM_TRANSACTIONAL_MARKED
  bandwidth remaining percent 50
  random-detect dscp-based
  random-detect ecn
 class CM_BULK_MARKED
  shape average 2668000
  random-detect dscp-based
  random-detect ecn
 class class-default
  bandwidth remaining percent 20
  set dscp af22 !!@@ Marking any default-class traffic not caught by inbound policy-maps on internal and external interfaces - setting the default-class above the Bulk queue with a higher WRED threshold
  random-detect dscp-based
  random-detect ecn
  
!!@@ Policy-map for inbound LAN and WAN traffic marking
policy-map PM_MARKING_IN
 class CM_REALTIME
  set dscp ef
 class CM_CONTROL
  set dscp af41
 class CM_TRANSACTIONAL
  set dscp af31
 class CM_BULK
  set dscp af13
 class class-default
  set dscp af22  !!@@ Marking default-class traffic on internal and external interfaces - setting the default-class above the Bulk queue with a higher WRED threshold
 



 
!!@@ Attaching policy-map for inbound traffic DSCP marking to Layer 3 WAN interface
interface Dialer0
 service-policy input PM_MARKING_IN

!!@@ Attaching outbound policy-map to underlying WAN interface where bandwidth is correctly passed by VDSL controller - does not need to be Layer 3 for outbound queues
interface Ethernet0
 service-policy output PM_QUEUEING_OUT_UL

!!@@ Attaching inbound policy-map for marking and outbound policy-map for queuing to internal interface
interface Vlan255
 bandwidth qos-reference 40960 !!@@ Setting QOS reference bandwidth for 'bandwidth remaining percent' statements as per reported bandwidth on eth0 WAN interface 
 service-policy input PM_MARKING_IN
 service-policy output PM_QUEUEING_OUT_DL

 

Labels:
0 Helpful
4 Replies 4

Peter Paluch
Cisco Employee
Cisco Employee

‎02-10-2018 04:34 PM

Hello Flows,

You have a very clear and well-formulated set of questions!

What order are class-maps processed in?

They are processed in the order they appear in the policy-map attached to an interface.

With match-any class-maps are ACLs processed before NBAR protocol matches?

I suppose you are asking about a match-any class-map using both "match protocol" and "match access-group". On top of my mind, I do not know what "match" entry would be evaluated first. However, please let me ask you whether - and why - you believe this is important. The order of evaluation inside a class-map should not be important.

If a packet hits a deny ACE in an ACL in a high priority class-map will it then look for matches in the remaining class-maps?

Yes, it will. The ACL in class-map is only a selector of matching packets for a particular class. If they don't match the criteria for this class (as they hit a "deny" ACE), they can still match other classes, and so the evaluation will continue.

Please feel welcome to ask further!

Best regards,
Peter

0 Helpful

Flows
Level 1
Level 1
In response to Peter Paluch

‎02-10-2018 05:26 PM - edited ‎02-10-2018 06:16 PM

Thanks Peter! :)

 

What order are class-maps processed in?

In the order they appear in the policy-map attached to an interface.

 

If a packet hits a deny ACE in an ACL in a high priority class-map will it then look for matches in the remaining class-maps?

Yes, it will. The ACL in class-map is only a selector of matching packets for a particular class. If they don't match the criteria for this class (as they hit a "deny" ACE), they can still match other classes, and so the evaluation will continue.

 

With match-any class-maps are ACLs processed before NBAR protocol matches?

I suppose you are asking about a match-any class-map using both "match protocol" and "match access-group". On top of my mind, I do not know what "match" entry would be evaluated first. However, please let me ask you whether - and why - you believe this is important. The order of evaluation inside a class-map should not be important.

 

Yes exactly. Essentially I don't want any Bulk traffic leaking into the higher priority queues like Control and Transactional. I have noticed that if I don't deny 6882 (Bulk encrypted) traffic, 6882 traffic seems to leak into higher queues as NBAR seems to match some 6882 traffic as one of the encrypted protocols. I also still seem to be getting some leaks with the config in the first post. Hence the question about order of operations NBAR vs ACLs. 

 

See excerpt below from config that is attempting to implement the following logic in, for example, the Transactional class-map (Bulk class-map and ACL included for added context)

 

Example logical operation for Transactional class-map

IF NOT using port 6882 AND protocol is ssl, set af31 AND IF using port 6882 AND protocol ssl, do not set af31, exit Transactional class-map evalution, continue evaluation in remaining class-maps as per order in policy-map 

 

Config for Transactional class-map with deny ACL for any 6882 bulk traffic

 

!!@@ ACL for use on NBAR class-maps to ensure no bulk traffic is matched to higher priority queues via a protocol statement - positioned above all NBAR statements
ip access-list extended ACL_BULK_DENY
 deny udp any eq 6882 any
 deny udp any any eq 6882
 deny tcp any eq 6882 any
 deny tcp any any eq 6882
!!@@ Class-map for Transactional traffic - used to mark inbound traffic
class-map match-any CM_TRANSACTIONAL
  description Transactional Data
 match access-group name ACL_BULK_DENY  !!@@ Do not match any Bulk traffic in case it matches as any of the below protocols
 match protocol skype
 match protocol http
 match protocol secure-http
 match protocol ssl
 match protocol citrix
 match protocol ftp
 match protocol sftp
 match protocol imap
 match protocol pop3
 match protocol smtp
 match protocol exchange
 match protocol secure-imap
 match protocol secure-pop3
 match protocol secure-smtp
 match protocol gmail
 match protocol youtube
 match protocol dropbox
 
!!@@ ACL to match Bulk traffic for this network
ip access-list extended ACL_BULK_PERMIT
 permit udp any eq 6882 any
 permit udp any any eq 6882
 permit tcp any eq 6882 any
 permit tcp any any eq 6882
!!@@ Class-map for Bulk traffic - used to mark inbound traffic
class-map match-any CM_BULK
  description Bulk Data
 match access-group name ACL_BULK_PERMIT

 

0 Helpful

Flows
Level 1
Level 1
In response to Peter Paluch

‎02-10-2018 06:27 PM - edited ‎02-11-2018 10:17 AM

My reply keeps getting deleted?

Mods, please remove. Looks like there was some site maintenance yesterday.

0 Helpful

Flows
Level 1
Level 1
In response to Flows

‎02-10-2018 06:33 PM - edited ‎02-11-2018 10:17 AM

Duplicate. Mods, please remove. Looks like there was some site maintenance yesterday?

0 Helpful
Customers Also Viewed These Support Documents