Showing results for 
Search instead for 
Did you mean: 

ASR9000/XR: Understanding QOS, default marking behavior and troubleshooting



This document provides details on how QOS is implemented in the ASR9000 and how to interpret and troubleshoot qos related issues.


Core Issue

QOS is always a complex topic and with this article I'll try to describe the QOS architecture and provide some tips for troubleshooting.

Based on feedback on this document I'll keep enhancing it to document more things bsaed on that feedback.


The ASR9000 employs an end to end qos architecture throughout the whole system, what that means is that priority is propagated throughout the systems forwarding asics. This is done via backpressure between the different fowarding asics.

One very key aspect of the A9K's qos implementation is the concept of using VOQ's (virtual output queues). Each network processor, or in fact every 10G entity in the system is represented in the Fabric Interfacing ASIC (FIA) by a VOQ on each linecard.

That means in a fully loaded system with say 24 x 10G cards, each linecard having 8 NPU's and 4 FIA's, a total of 192 (24 times 8 slots) VOQ's are represented at each FIA of each linecard.

The VOQ's have 4 different priority levels: Priority 1, Priority 2, Default priority and multicast.

The different priority levels used are assigned on the packets fabric headers (internal headers) and can be set via QOS policy-maps (MQC; modular qos configuration).

When you define a policy-map and apply it to a (sub)interface, and in that policy map certain traffic is marked as priority level 1 or 2 the fabric headers will represent that also, so that this traffic is put in the higher priority queues of the forwarding asics as it traverses the FIA and fabric components.

If you dont apply any QOS configuration, all traffic is considered to be "default" in the fabric queues. In order to leverage the strength of the asr9000's asic priority levels, you will need to configure (ingress) QOS at the ports to apply the priority level desired.


In this example T0 and T1 are receiving a total of 16G of traffic destined for T0 on the egress linecard. For a 10G port that is obviously too much.

T0 will flow off some of the traffic, depending on the queue, eventually signaling it back to the ingress linecard. While T0 on the ingress linecard also has some traffic for T1 on the egress LC (green), this traffic is not affected and continues to be sent to the destination port.



The ASR9000 has the ability of 4 levels of qos, a sample configuration and implemenation detail presented in this picture:





Policer having exceeddrops, not reaching configured rate


When defining policers at high(er) rates, make sure the committed burst and excess burst are set correctly.
This is the formula to follow:

Set the Bc to CIR bps * (1 byte) / (8 bits) * 1.5 seconds



Default burst values are not optimal

Say you are allowing 1 pps, and then 1 second you don’t send anything, but the next second you want to send 2. in that second you’ll see an exceed, to visualize the problem.


Alternatively, Bc and Be can be configured in time units, e.g.:

     policy-map OUT

      class EF

       police rate percent 25 burst 250 ms peak-burst 500 ms


For viewing the Bc and Be applied in hardware, run the "show qos interface interface [input|output]".



Why do I see non-zero values for Queue(conform) and Queue(exceed) in show policy-map commands?

On the ASR9k, every HW queue has a configured CIR and PIR value. These correspond to the "guaranteed" bandwidth for the queue, and the "maximum" bandwidth (aka shape rate) for the queue.

In some cases the user-defined QoS policy does NOT explicitly use both of these.  However, depending on the exact QoS config the queueing hardware may require some nonzero value for these fields.  Here, the system will choose a default value for the queue CIR.  The "conform" counter in show policy-map is the number of packets/bytes that were transmitted within this CIR value, and the "exceed" value is the number of packets/bytes that were transmitted within the PIR value.

Note that "exceed" in this case does NOT equate to a packet drop, but rather a packet that is above the CIR rate on that queue.

You could change this behavior by explicitly configuring a bandwidth and/or a shape rate on each queue, but in general it's just easier to recognize that these counters don't apply to your specific situation and ignore them.


What is counted in QOS policers and shapers?


When we define a shaper in a qos pmap, the shaper takes the L2 header into consideration.

The shape rate defined of say 1Mbps would mean that if I have no dot1q or qinq, I can technically send more IP traffic then having a QIQ which has more L2 overhead. When I define a bandwidth statement in a class, same applies, also L2 is taken into consideration.

When defining a policer, it looks at L2 also.

In Ingress, for both policer & shaper, we use the incoming packet size (including the L2 header).

In order to account the L2 header in ingress shaper case, we have to use a TM overhead accounting feature, that will only let us add overhead in 4 byte granularity, which can cause a little inaccuracy.

In egress, for both policer & shaper we use the outgoing packet size (including the L2 header).


ASR9K Policer implementation supports 64Kbps granularity. When a rate specified is not a multiple of 64Kbps the rate would be rounded down to the next lower 64Kbps rate.


For policing, shaping, BW command for ingress/egress direction the following fields are included in the accounting.






L3 headers/payload



Port level shaping

Shaping action requires a queue on which the shaping is applied. This queue must be created by a child level policy. Typically shaper is applied at parent or grandparent level, to allow for differentiation between traffic classes within the shaper. If there is a need to apply a flat port-level shaper, a child policy should be configured with 100% bandwidth explicitly allocated to class-default.

Understanding show policy-map counters


QOS counters and show interface drops:


Policer counts are directly against the (sub)interface and will get reported on the "show interface" drops count.
The drop counts you see are an aggregate of what the NP has dropped (in most cases) as well as policer drops.


Packets that get dropped before the policer is aware of them are not accounted for by the policy-map policer drops but may
show under the show interface drops and can be seen via the show controllers np count command.


Policy-map queue drops are not reported on the subinterface drop counts.
The reason for that is that subinterfaces may share queues with each other or the main interface and therefore we don’t
have subinterface granularity for queue related drops.



Counters come from the show policy-map interface command



Class name as per   configuration Class   precedence6
Statistics for this class   Classification statistics          (packets/bytes)     (rate - kbps)
Packets that were matched     Matched             :            31583572/2021348608           764652
packets that were sent to the wire     Transmitted         : Un-determined
packets that were dropped for any reason   in this class     Total Dropped       : Un-determined
Policing stats   Policing statistics                (packets/bytes)     (rate - kbps)
Packets that were below the CIR rate     Policed(conform)    :            31583572/2021348608           764652
Packets that fell into the 2nd bucket   above CIR but < PIR     Policed(exceed)     :                   0/0                    0
Packets that fell into the 3rd bucket   above PIR     Policed(violate)    :                   0/0                    0
Total packets that the policer dropped     Policed and dropped :                   0/0
Statistics for Q'ing   Queueing statistics  <<<----
Internal unique queue reference     Queue ID                             : 136

how many packets were q'd/held at max one   time

(value not supported by HW)

    High watermark  (Unknown)

number of 512-byte particles which are currently

waiting in the queue

    Inst-queue-len  (packets)            : 4096

how many packets on average we have to   buffer

(value not supported by HW)

    Avg-queue-len   (Unknown)

packets that could not be buffered   because we held

more then the max length

    Taildropped(packets/bytes)           : 31581615/2021223360
see description above (queue exceed section)     Queue(conform)      :            31581358/2021206912           764652
see description above (queue exceed section)     Queue(exceed)       :                   0/0                    0

Packets subject to Randon Early detection

and were dropped.

    RED random drops(packets/bytes)      : 0/0



Understanding the hardware qos output


RP/0/RSP0/CPU0:A9K-TOP#show qos interface g0/0/0/0 output


With this command the actual hardware programming can be verified of the qos policy on the interface

(not related to the output from the previous example above)

Tue Mar  8 16:46:21.167 UTC
Interface: GigabitEthernet0_0_0_0 output
Bandwidth configured: 1000000 kbps Bandwidth programed: 1000000
ANCP user configured: 0 kbps ANCP programed in HW: 0 kbps
Port Shaper programed in HW: 0 kbps
Policy: Egress102 Total number of classes: 2
Level: 0 Policy: Egress102 Class: Qos-Group7
QueueID: 2 (Port Default)
Policer Profile: 31 (Single)
Conform: 100000 kbps (10 percent) Burst: 1248460 bytes (0 Default)
Child Policer Conform: TX
Child Policer Exceed: DROP
Child Policer Violate: DROP
Level: 0 Policy: Egress102 Class: class-default
QueueID: 2 (Port Default)



Default Marking behavior of the ASR9000


If you don't configure any service policies for QOS, the ASR9000 will set an internal cos value based on the IP Precedence, 802.1 Priority field or the mpls EXP bits.

Depending on the routing or switching scenario, this internal cos value will be used to do potential marking on newly imposed headers on egress.


Scenario 1


Scenario 2



Scenario 3



Scenario 4




Scenario 5




Scenario 6



Special consideration:

If the node is L3 forwarding, then there is no L2 CoS propagation or preservation as the L2 domain stops at the incoming interface and restarts at the outgoing interface.

Default marking PHB on L3 retains no L2 CoS information even if the incoming interface happened to be an 802.1q or 802.1ad/q-in-q sub interface.

CoS may appear to be propagated, if the corresponding L3 field (prec/dscp) used for default marking matches the incoming CoS value and so, is used as is for imposed L2 headers at egress.


If the node is L2 switching, then the incoming L2 header will be preserved unless the node has ingress or egress rewrites configured on the EFPs.
If an L2 rewrite results in new header imposition, then the default marking derived from the 3-bit PCP (as specified in 802.1p) on the incoming EFP is used to mark the new headers.


An exception to the above is that the DEI bit value from incoming 802.1ad / 802.1ah headers is propagated to imposed or topmost 802.1ad / 802.1ah headers for both L3 and L2 forwarding;


Related Information

ASR9000 Quality of Service configuration guide


Xander Thuijs, CCIE #6775



This helps me a lot. We almost purchased the 9001 and we thought it has few linecard slots available. Thank you for your quick response.

Does the ASR9K capable of doing PfR/OER? This is also a requirement in our design.



Cisco Employee

glad we have this chat then Hosam

XR doesnt have perf routing by nature, but you can use an exteranl source for that with a bgp peering and adjust route characteristics with RPL (route policy language) etc to affect path forwarding easily.

One of the VSM apps looked at is such an application/capability (not committed yet!)



Thanks much. I will post again if I have more questions if that is okay with you?

Best regards,

Hosam B.

Cisco Employee

awesome and any time!!

also, if you have further questions raise a discussion on the XR OS and platforms forum, then more folks get alerted and see, and can respond/learn from our chats



It is interesting that our Cisco Engineers keep saying that ASR9K can do NBAR? Is it an additional linecard or module or something?

- Hosam

Cisco Employee

I can tell you, as one of the lead folks of the platform that there is no nbar running on the linecards.

It just doesnt fit in the ucode of the NPU's that do the forwarding capabilities.

it needs to be outsourced to other components, such as today the SCE or when the VSM has the DPI capability there.




I would like to thank you for the quick and continues response to my questions related to the ASR9K. Your questions really helped us make a firm decision on what we do with it and where to put it. You are awesome!



Cisco Employee

Thanks Hosam, that's very nice to hear!! And any time! raise a Q on the forums and we'll get you sorted!!!

have a great weekend and thanksgiving (if you are in the US )



Is there a way to overcome this limitation?

If there is a need to apply a flat port-level shaper, a child policy should be configured with 100% bandwidth explicitly allocated to class-default.

Consider a scenario in which I need to configure LLQ and shaping

Normally, I'd configure a shaper at the parent policy and attach a child policy with the LLQ config.

Currently the ASR9K allows such shaping only up to 128Mbps..

Cisco Employee

there are 2 ways you can go about it. If you dont need classification but you only need a "shaped" queue on that phy interface (aka flat policy), then you can do this

policy-map flat

class class-default

  bandwidth 2 gbps

But what you are in need of is truly a hierarchical policy that shapes a parent policy and subdivides that bw by the child providing the LLQ functionality etc.



Hi Xander,

The problem is that I need a hierarchical policy like the one below, but the device doen't seem to support a shaper more than 128 mbps. Am I missing something?

policy-map parent

  class class-default

    service-policy child

    shape average 2 gbps

policy-map child

  class voice


  class business

    bandwidth 100 mbps

  class mgmt

    bandwidth 10 mbps

Best regards



Cisco Employee

Hi George,

you should configure a policer in voice class.

We support shaper at parent rate all the way up to the interface line rate. With the mentioned modificaton you should be able to apply this policy to a 10G or 100G interface. Once the config is accepted, check out the "show qos interface ..." command to see what is actually programmed in HW.


Hi Aleks,

We support shaper at parent rate all the way up to the interface line rate.

Well.. Normally it should be supported..

If you try to configure the policy map with the shaper you get the following..

'Cannot support child/flat shape rate > 128Mbps'

Cisco Employee

Hi Georgios,

there is no shaper at child level in your policy. Show me what you have configured.

Compared to your config I only had to lower the shaper rate because I was applying it to a 1G interface, not to a 10G. This is how it worked for me:

policy-map parent

class class-default

  service-policy child

  shape average 700 mbps




policy-map child

class voice

  priority level 1

  police rate 50 mbps



class business

  bandwidth 100 mbps


class mgmt

  bandwidth 10 mbps


class class-default




interface GigabitEthernet0/0/0/0


service-policy output parent

ipv4 address

negotiation auto

carrier-delay up 1000 down 0


RP/0/RSP0/CPU0:WEST-PE-ASR9K-2#sh qos interface g0/0/0/0 out

Tue Feb 18 06:29:02.820 EST

Interface: GigabitEthernet0_0_0_0 output

Bandwidth configured: 700000 kbps Bandwidth programed: 700000 kbps

ANCP user configured: 0 kbps ANCP programed in HW: 0 kbps

Port Shaper programed in HW: 700000 kbps

Policy: parent Total number of classes: 5


Level: 0 Policy: parent Class: class-default

QueueID: N/A

Shape Profile: 1 CIR: 64 kbps CBS: 10240 bytes PIR: 699968 kbps PBS: 8781824 bytes

WFQ Profile: 4 Committed Weight: 1 Excess Weight: 1

Bandwidth: 0 kbps, BW sum for Level 0: 0 kbps, Excess Ratio: 1


Level: 1 Policy: child Class: voice

Parent Policy: parent Class: class-default

QueueID: 640 (Priority 1)

Queue Limit: 524 kbytes Profile: 3 Scale Profile: 5

Policer Profile: 53 (Single)

Conform: 50000 kbps (50 mbps) Burst: 622592 bytes (0 Default)

Child Policer Conform: TX

Child Policer Exceed: DROP

Child Policer Violate: DROP


Level: 1 Policy: child Class: business

Parent Policy: parent Class: class-default

QueueID: 642 (Priority Normal)

Queue Limit: 8388 kbytes Profile: 2 Scale Profile: 2

WFQ Profile: 5 Committed Weight: 928 Excess Weight: 928

Bandwidth: 100000 kbps, BW sum for Level 1: 110000 kbps, Excess Ratio: 1


Level: 1 Policy: child Class: mgmt

Parent Policy: parent Class: class-default

QueueID: 643 (Priority Normal)

Queue Limit: 786 kbytes Profile: 1 Scale Profile: 13

WFQ Profile: 9 Committed Weight: 92 Excess Weight: 92

Bandwidth: 10000 kbps, BW sum for Level 1: 110000 kbps, Excess Ratio: 1


Level: 1 Policy: child Class: class-default

Parent Policy: parent Class: class-default

QueueID: 644 (Priority Normal)

Queue Limit: 393 kbytes Profile: 1 Scale Profile: 12

WFQ Profile: 4 Committed Weight: 1 Excess Weight: 1

Bandwidth: 0 kbps, BW sum for Level 1: 110000 kbps, Excess Ratio: 1



Hi Aleks,

I'm embarrassed to admit that I found a mistake in my actual config..

I fixed it and it seems ok now.

Thanks for your time and effort to help me


CreatePlease to create content
Content for Community-Ad

Cisco COVID-19 Survey