02-13-2012 03:10 AM - edited 03-07-2019 04:53 AM
Hi All!
I was unable to configure vlan-based qos on
Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(33)SXH6, RELEASE SOFTWARE (fc1)
It seems to me that my configuration is not working. Here is the output of the interface:
sh int G1/6 | i rate
Queueing strategy: fifo
30 second input rate 25231000 bits/sec, 4282 packets/sec
30 second output rate 46940000 bits/sec, 9257 packets/sec
And here is my configuration:
interface Vlan3
ip address 192.168.1.1 255.255.252.0
service-policy input TEST_IN_PMAP
service-policy output TEST_OUT_PMAP
interface GigabitEthernet1/6
switchport
switchport access vlan 3
load-interval 30
mls qos vlan-based
mls qos trust dscp
#sh class-map
Class Map match-any class-default (id 0)
Match any
Class Map match-all TEST_IN_CMAP (id 2)
Match access-group 119
Class Map match-all TEST_OUT_CMAP (id 1)
Match access-group 118
#sh policy-map
Policy Map TEST_IN_PMAP
Class TEST_IN_CMAP
police cir 30000000 bc 937500
conform-action transmit
exceed-action drop
Policy Map TEST_OUT_PMAP
Class TEST_OUT_CMAP
police cir 30000000 bc 937500
conform-action transmit
exceed-action drop
#sh ip access-lists 118
Extended IP access list 118
30 permit ip any host 192.168.1.168
#sh ip access-lists 119
Extended IP access list 119
30 permit ip host 192.168.1.168 any
The questions are:
Why can't I see matches in the ACLs? I've double-checked the direction and it seems correct to me. I can't see matches even if I configure something like this:
10 permit ip host 192.168.1.168 any
20 permit ip any host 192.168.1.168
Why is my output rate higher than 30M? Is it because there is no matching traffic in the ACLs?
I'm absolutely sure that the host with this IP is connected to this interface:
#sh arp | i 192.168.1.168
Internet 192.168.1.168 0 feed.beef.f00d ARPA Vlan3
#sh mac address-table | i feed.beef.f00d
* 3 feed.beef.f00d dynamic Yes 0 Gi1/6
02-13-2012 08:30 AM
Post the output from
show mls qos
and
show mls qos ip g1/6
02-13-2012 08:32 AM
Hi! Thank you for the reply. Here is the output:
#sh mls qos
QoS is enabled globally
Policy marking depends on port_trust
QoS ip packet dscp rewrite enabled globally
Input mode for GRE Tunnel is Pipe mode
Input mode for MPLS is Pipe mode
QoS is vlan-based on the following interfaces:
Gi1/6
QoS Trust state is CoS on the following interface:
Gi2/27
QoS Trust state is DSCP on the following interface:
Gi1/1 Gi1/2 Gi1/3 Gi1/4 Gi1/5 Gi1/6 Gi1/7 Gi1/9 Gi1/10 Gi1/11
Gi1/12 Gi1/13 Gi1/14 Gi1/15 Gi1/16 Gi1/17 Gi1/18 Gi1/19 Gi1/20 Gi1/21
Gi1/22 Gi1/23 Gi1/24 Gi1/25 Gi1/26 Gi1/27 Gi1/28 Gi1/29 Gi1/30 Gi1/32
Gi1/33 Gi1/34 Gi1/35 Gi1/37 Gi1/38 Gi1/39 Gi1/40 Gi1/41 Gi1/42 Gi1/47
Gi1/48 Gi2/5 Gi2/6 Gi2/7 Gi2/8 Gi2/9 Gi2/10 Gi2/11 Gi2/12 Gi2/13
Gi2/14 Gi2/15 Gi2/16 Gi2/17 Gi2/18 Gi2/19 Gi2/21 Gi2/22 Gi2/23 Gi2/24
Gi2/25 Gi2/26 Gi2/33 Gi2/35 Gi2/36 Gi2/37 Gi2/38 Gi2/39 Gi2/40 Gi2/41
Gi2/43 Gi2/45 Gi2/46 Gi2/48
Vlan or Portchannel(Multi-Earl) policies supported: Yes
Egress policies supported: Yes
----- Module [3] -----
QoS global counters:
Total packets: 21897742423
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 486575146
IP packets with COS changed by policing: 2
Non-IP packets with COS changed by policing: 0
MPLS packets with EXP changed by policing: 0
----- Module [4] -----
QoS global counters:
Total packets: 533654
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 2
IP packets with COS changed by policing: 2
Non-IP packets with COS changed by policing: 0
MPLS packets with EXP changed by policing: 0
----- Module [5] -----
QoS global counters:
Total packets: 3557578797757
IP shortcut packets: 0
Packets dropped by policing: 12390896
IP packets with TOS changed by policing: 2
IP packets with COS changed by policing: 69251809858
Non-IP packets with COS changed by policing: 0
MPLS packets with EXP changed by policing: 0
#sh mls qos ip G1/6
[In] Default. [Out] Default.
QoS Summary [IPv4]: (* - shared aggregates, Mod - switch module)
Int Mod Dir Class-map DSCP Agg Trust Fl AgForward-By AgPoliced-By
Id Id
-----------------------------------------------------------------------------------
Gi1/6 5 In Default 0 0* No 0 426590389744 0
02-13-2012 08:50 AM
That interface is associated to the Supervisor PFC (Module 5) and if you see the MLS QOS counters on module 5, packets were dropped by policing.
The mls qos ip output also indicates the 'direction' which is inbound.
Your inbound counter does not exceed 30Mbps.
I believe your outbound ACL needs some work. Can you try any/any on the outbound and see if the policer takes effect?
Also, you won't get matches on ACL since this is done in hardware.
02-13-2012 08:55 AM
I think "any any" is not a good idea since there are many servers operational. Maybe I can lower the policing rate and try it on another server?
02-13-2012 10:35 AM
According to the documentation:
"Note that PFC QoS performs egress policing decisions at the ingress interface, on the PFC or ingress DFC"
02-13-2012 11:29 AM
Hi, Edison. Thank you for the reply, but I don't understand your post. Sorry. Can you please rephrase? Do you mean that incoming traffic to 192.168.1.168 should flow through another physical interface in vlan 3 to be matched by the policer? So what about traffic coming from another vlan to this host?
02-14-2012 05:09 AM
In your current design, how much traffic is leaving Vlan3 and how much traffic is remaining within Vlan3?
Only traffic leaving Vlan3 will be policed. Intra-Vlan traffic won't be policed.
Regards,
Edison
02-14-2012 06:03 AM
I did some testing here with a couple of 6500s ...
Configured Vlan 100 on both and assigned 192.168.100.0/24 to their respective SVIs.
Initiated a ping with large packets from one box and applied mls qos vlan-based on the other box.
Before the policer the ping was not dropping...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Once I applied a policer, the interface throughput on the policed device dropped and the device doing the ping was getting drops:
!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!
.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.
!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!
Here are some verification outputs:
show mls qos ip ingress
QoS Summary [IPv4]: (* - shared aggregates, Mod - switch module)
Int Mod Dir Class-map DSCP Agg Trust Fl AgForward-By AgPoliced-By
Id Id
-----------------------------------------------------------------------------------
Vl100 6 In CISCO-IN 0 3 dscp 0 73736 18652
All 6 - Default 0 0* No 0 21114275690 0
show mls qos ip ingress
QoS Summary [IPv4]: (* - shared aggregates, Mod - switch module)
Int Mod Dir Class-map DSCP Agg Trust Fl AgForward-By AgPoliced-By
Id Id
-----------------------------------------------------------------------------------
Vl100 6 In CISCO-IN 0 3 dscp 0 998546 248766
Notice how the ingress is incrementing.
While on egress:
show mls qos ip egress
QoS Summary [IPv4]: (* - shared aggregates, Mod - switch module)
Int Mod Dir Class-map DSCP Agg Trust Fl AgForward-By AgPoliced-By
Id Id
-----------------------------------------------------------------------------------
Vl100 6 Out CISCO-OUT 0 2 -- 0 13383612 1737988
All 6 - Default 0 0* No 0 21114466322 0
show mls qos ip egress
QoS Summary [IPv4]: (* - shared aggregates, Mod - switch module)
Int Mod Dir Class-map DSCP Agg Trust Fl AgForward-By AgPoliced-By
Id Id
-----------------------------------------------------------------------------------
Vl100 6 Out CISCO-OUT 0 2 -- 0 13420480 1747314
All 6 - Default 0 0* No 0 21114512516 0
_______________________________
Portion of the config:
ip access-list extended OUTBOUND
permit ip host 192.168.100.1 any
ip access-list extended INBOUND
permit ip any host 192.168.100.1
class-map match-all CISCO-OUT
match access-group name OUTBOUND
!
class-map match-all CISCO-IN
match access-group name INBOUND
!
!
policy-map CISCO-OUT
class CISCO-OUT
police 1000000
policy-map CISCO
class CISCO-IN
police 1000000
interface Vlan100
ip address 192.168.100.1 255.255.255.0
service-policy output CISCO-OUT
service-policy input CISCO
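As an added illustration of Edison's point (this is not code from the thread or from Cisco), here is a small Python model that reproduces the two observations above: a single-rate policer with the thread's "police cir 30000000 bc 937500" values, and a simplified rule, assumed for the model, that only traffic routed through the SVI consults its service-policy while frames bridged within the same VLAN bypass it. The packet trace is constructed, and the VLAN numbers and function names are the example's own.

```python
# Added example, not from the thread: a model of its conclusion that an SVI policer
# sees only traffic routed through the SVI, while bridged intra-VLAN traffic bypasses it.
# Rate/burst mirror "police cir 30000000 bc 937500"; time is integer microseconds.

class SingleRatePolicer:
    """One-bucket policer: conform-action transmit, exceed-action drop."""
    def __init__(self, cir_bps: int, bc_bytes: int):
        self.cir_bps = cir_bps      # committed rate, bits per second
        self.bc_bytes = bc_bytes    # bucket depth (burst), bytes
        self.tokens = bc_bytes      # bucket starts full
        self.last_us = 0
        self.forwarded = self.policed = 0

    def offer(self, t_us: int, size: int) -> bool:
        # Refill at CIR (cir_bps / 8e6 bytes per microsecond), capped at Bc.
        refill = (t_us - self.last_us) * self.cir_bps // 8_000_000
        self.tokens = min(self.bc_bytes, self.tokens + refill)
        self.last_us = t_us
        if size <= self.tokens:
            self.tokens -= size
            self.forwarded += size
            return True
        self.policed += size
        return False

def svi_policer_applies(ingress_vlan: int, egress_vlan: int, svi_vlan: int) -> bool:
    """Assumed rule: routed traffic enters or leaves the VLAN via the SVI and is
    policed there; a frame bridged within one VLAN never consults the SVI policy."""
    if ingress_vlan == egress_vlan:
        return False
    return svi_vlan in (ingress_vlan, egress_vlan)

def run_trace(packets, svi_vlan=3, cir_bps=30_000_000, bc_bytes=937_500):
    """packets: (t_us, size_bytes, ingress_vlan, egress_vlan). Returns per-direction
    (forwarded, policed) bytes and the bytes that bypassed QoS as bridged traffic."""
    pol = {"in": SingleRatePolicer(cir_bps, bc_bytes),
           "out": SingleRatePolicer(cir_bps, bc_bytes)}
    bypassed = 0
    for t_us, size, vin, vout in packets:
        if not svi_policer_applies(vin, vout, svi_vlan):
            bypassed += size
            continue
        # SVI "input" = routed out of this VLAN; SVI "output" = routed into it.
        pol["in" if vin == svi_vlan else "out"].offer(t_us, size)
    return {"in": (pol["in"].forwarded, pol["in"].policed),
            "out": (pol["out"].forwarded, pol["out"].policed), "bypassed": bypassed}

def constructed_trace(vin: int, vout: int, n: int = 5000, gap_us: int = 200, size: int = 1500):
    """Constructed sample: 1500-byte packets every 200 us = 60 Mbit/s for one second."""
    return [(i * gap_us, size, vin, vout) for i in range(n)]
```

Running the same 60 Mbit/s trace as bridged VLAN 3 traffic forwards every byte unpoliced, which is the situation the original question describes; the same trace routed out of VLAN 3 has roughly half of it dropped once the 937500-byte burst is exhausted.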
02-14-2012 06:27 AM
Oh, thank you, Edison! It makes sense now.