Catalyst 6506 vlan-based qos configuration

Eugene Khabarov
Level 7

Hi All!

I was unable to configure vlan-based qos on

Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(33)SXH6, RELEASE SOFTWARE (fc1)

Seems to me my configuration is not working. Here is the output of the interface:

    sh int G1/6 | i rate
      Queueing strategy: fifo
      30 second input rate 25231000 bits/sec, 4282 packets/sec
      30 second output rate 46940000 bits/sec, 9257 packets/sec

And here is my configuration:

    interface Vlan3
     ip address 192.168.1.1 255.255.252.0
     service-policy input TEST_IN_PMAP
     service-policy output TEST_OUT_PMAP

    interface GigabitEthernet1/6
     switchport
     switchport access vlan 3
     load-interval 30
     mls qos vlan-based
     mls qos trust dscp

    #sh class-map
    Class Map match-any class-default (id 0)
       Match any
    Class Map match-all TEST_IN_CMAP (id 2)
       Match access-group  119
    Class Map match-all TEST_OUT_CMAP (id 1)
       Match access-group  118

    #sh policy-map
      Policy Map TEST_IN_PMAP
        Class TEST_IN_CMAP
         police cir 30000000 bc 937500
           conform-action transmit
           exceed-action drop
      Policy Map TEST_OUT_PMAP
        Class TEST_OUT_CMAP
         police cir 30000000 bc 937500
           conform-action transmit
           exceed-action drop

    #sh ip access-lists 118
    Extended IP access list 118
        30 permit ip any host 192.168.1.168

    #sh ip access-lists 119
    Extended IP access list 119
        30 permit ip host 192.168.1.168 any

The questions are:

Why can't I see matches in the ACLs? I've double-checked the direction and it seems to me it is correct. I can't see matches even if I configure something like this:

    10 permit ip host 192.168.1.168 any
    20 permit ip any host 192.168.1.168

Why is my output rate higher than 30M? Is it because there is no matching traffic here in the ACLs?
I'm absolutely sure that the host with this IP is connected to this interface:

    #sh arp | i 192.168.1.168
    Internet  192.168.1.168           0   feed.beef.f00d  ARPA   Vlan3

    #sh mac address-table |  i feed.beef.f00d
    *    3  feed.beef.f00d   dynamic  Yes          0   Gi1/6


Edison Ortiz
Hall of Fame

Post the output from

show mls qos

and

show mls qos ip g1/6

Hi! Thank you for the reply. Here is the output:

    #sh mls qos
      QoS is enabled globally
      Policy marking depends on port_trust
      QoS ip packet dscp rewrite enabled globally
      Input mode for GRE Tunnel is Pipe mode
      Input mode for MPLS is Pipe mode
      QoS is vlan-based on the following interfaces:
        Gi1/6
      QoS Trust state is CoS on the following interface:
        Gi2/27
      QoS Trust state is DSCP on the following interface:
        Gi1/1 Gi1/2 Gi1/3 Gi1/4 Gi1/5 Gi1/6 Gi1/7 Gi1/9 Gi1/10 Gi1/11
        Gi1/12 Gi1/13 Gi1/14 Gi1/15 Gi1/16 Gi1/17 Gi1/18 Gi1/19 Gi1/20 Gi1/21
        Gi1/22 Gi1/23 Gi1/24 Gi1/25 Gi1/26 Gi1/27 Gi1/28 Gi1/29 Gi1/30 Gi1/32
        Gi1/33 Gi1/34 Gi1/35 Gi1/37 Gi1/38 Gi1/39 Gi1/40 Gi1/41 Gi1/42 Gi1/47
        Gi1/48 Gi2/5 Gi2/6 Gi2/7 Gi2/8 Gi2/9 Gi2/10 Gi2/11 Gi2/12 Gi2/13
        Gi2/14 Gi2/15 Gi2/16 Gi2/17 Gi2/18 Gi2/19 Gi2/21 Gi2/22 Gi2/23 Gi2/24
        Gi2/25 Gi2/26 Gi2/33 Gi2/35 Gi2/36 Gi2/37 Gi2/38 Gi2/39 Gi2/40 Gi2/41
        Gi2/43 Gi2/45 Gi2/46 Gi2/48
      Vlan or Portchannel(Multi-Earl) policies supported: Yes
      Egress policies supported: Yes

    ----- Module [3] -----
      QoS global counters:
        Total packets: 21897742423
        IP shortcut packets: 0
        Packets dropped by policing: 0
        IP packets with TOS changed by policing: 486575146
        IP packets with COS changed by policing: 2
        Non-IP packets with COS changed by policing: 0
        MPLS packets with EXP changed by policing: 0

    ----- Module [4] -----
      QoS global counters:
        Total packets: 533654
        IP shortcut packets: 0
        Packets dropped by policing: 0
        IP packets with TOS changed by policing: 2
        IP packets with COS changed by policing: 2
        Non-IP packets with COS changed by policing: 0
        MPLS packets with EXP changed by policing: 0

    ----- Module [5] -----
      QoS global counters:
        Total packets: 3557578797757
        IP shortcut packets: 0
        Packets dropped by policing: 12390896
        IP packets with TOS changed by policing: 2
        IP packets with COS changed by policing: 69251809858
        Non-IP packets with COS changed by policing: 0
        MPLS packets with EXP changed by policing: 0

    #sh mls qos ip G1/6
       [In] Default.   [Out] Default.
    QoS Summary [IPv4]:      (* - shared aggregates, Mod - switch module)

              Int Mod Dir  Class-map DSCP  Agg  Trust Fl   AgForward-By   AgPoliced-By
                                           Id         Id
    -----------------------------------------------------------------------------------
             Gi1/6  5  In    Default    0    0*    No  0   426590389744              0

That interface is associated to the Supervisor PFC (Module 5) and if you see the MLS QOS counters on module 5, packets were dropped by policing.

The mls qos ip output also indicates the 'direction' which is inbound.

Your inbound counter does not exceed 30Mbps.

I believe your outbound ACL needs some work. Can you try any/any on the outbound and see if the policer takes effect?

Also, you won't get matches on ACL since this is done in hardware.

I think "any any" is not a good idea since there are many servers operational. Maybe I can lower the policing rate and try it on another server?

According to the documentation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1547950

"Note that PFC QoS performs egress policing decisions at the ingress interface, on the PFC or ingress DFC"

Hi, Edison. Thank you for the reply, but I don't understand your post. Sorry. Can you please rephrase? Do you mean that incoming traffic to 192.168.1.168 should flow through another physical interface in vlan 3 to be matched by the policer? So what about traffic coming from another vlan to this host?

In your current design, how much traffic is leaving Vlan3 and how much traffic is remaining within Vlan3?

Only traffic leaving Vlan3 will be policed. Intra-Vlan traffic won't be policed.

Regards,

Edison

I did some testing here with a couple of 6500s ...

Configured Vlan 100 on both and assigned 192.168.100.0/24 to their respective SVIs.

Initiated a ping with large packets from one box and applied mls qos vlan-based on the other box.

Before the policer the ping was not dropping...

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Once I applied a policer, the interface throughput on the policed device dropped and the device doing the ping was getting drops:

    !.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!
    .!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.
    !!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!!.!

Here are some verification outputs:

    show mls qos ip ingress
    QoS Summary [IPv4]:      (* - shared aggregates, Mod - switch module)

              Int Mod Dir  Class-map DSCP  Agg  Trust Fl   AgForward-By   AgPoliced-By
                                           Id         Id
    -----------------------------------------------------------------------------------
             Vl100  6  In   CISCO-IN    0    3   dscp  0          73736          18652
               All  6   -    Default    0    0*    No  0    21114275690              0

    show mls qos ip ingress
    QoS Summary [IPv4]:      (* - shared aggregates, Mod - switch module)

              Int Mod Dir  Class-map DSCP  Agg  Trust Fl   AgForward-By   AgPoliced-By
                                           Id         Id
    -----------------------------------------------------------------------------------
             Vl100  6  In   CISCO-IN    0    3   dscp  0         998546         248766

Notice how the ingress is incrementing.

While on egress:

    show mls qos ip egress
    QoS Summary [IPv4]:      (* - shared aggregates, Mod - switch module)

              Int Mod Dir  Class-map DSCP  Agg  Trust Fl   AgForward-By   AgPoliced-By
                                           Id         Id
    -----------------------------------------------------------------------------------
             Vl100  6 Out  CISCO-OUT    0    2     --  0       13383612        1737988
               All  6   -    Default    0    0*    No  0    21114466322              0

    show mls qos ip egress
    QoS Summary [IPv4]:      (* - shared aggregates, Mod - switch module)

              Int Mod Dir  Class-map DSCP  Agg  Trust Fl   AgForward-By   AgPoliced-By
                                           Id         Id
    -----------------------------------------------------------------------------------
             Vl100  6 Out  CISCO-OUT    0    2     --  0       13420480        1747314
               All  6   -    Default    0    0*    No  0    21114512516              0

_______________________________

Portion of the config:

    ip access-list extended OUTBOUND
     permit ip host 192.168.100.1 any
    ip access-list extended INBOUND
     permit ip any host 192.168.100.1

    class-map match-all CISCO-OUT
      match access-group name OUTBOUND
    !
    class-map match-all CISCO-IN
      match access-group name INBOUND
    !
    !
    policy-map CISCO-OUT
      class CISCO-OUT
       police 1000000
    policy-map CISCO
      class CISCO-IN
       police 1000000

    interface Vlan100
     ip address 192.168.100.1 255.255.255.0
     service-policy output CISCO-OUT
     service-policy input CISCO
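
Added example, not part of the thread or written by any poster: since hardware policing does not increment ACL match counters, the check used above is to take two `show mls qos ip` snapshots and compare the aggregate counters. This Python sketch parses the summary rows and classifies each aggregate; the function names are hypothetical, and it assumes AgForward-By and AgPoliced-By are cumulative forwarded and policed byte counters.

```python
import re

# One data row of "show mls qos ip":
# Int Mod Dir Class-map DSCP AggId Trust FlId AgForward-By AgPoliced-By
ROW = re.compile(
    r"^\s*(?P<intf>\S+)\s+(?P<mod>\d+)\s+(?P<dir>In|Out|-)\s+(?P<cmap>\S+)\s+\d+\s+"
    r"\d+\*?\s+\S+\s+\d+\s+(?P<fwd>\d+)\s+(?P<pol>\d+)\s*$"
)

def parse_summary(text):
    """Map (interface, module, direction, class-map) -> (forwarded, policed)."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, "Id Id" and dashed separator lines do not match
            key = (m["intf"], int(m["mod"]), m["dir"], m["cmap"])
            rows[key] = (int(m["fwd"]), int(m["pol"]))
    return rows

def policer_deltas(before, after):
    """Compare two snapshots; classify each aggregate present in both."""
    first, second = parse_summary(before), parse_summary(after)
    result = {}
    for key in first.keys() & second.keys():
        fwd = second[key][0] - first[key][0]
        pol = second[key][1] - first[key][1]
        if fwd < 0 or pol < 0:
            verdict = "counters reset"       # cleared or wrapped between snapshots
        elif pol > 0:
            verdict = "policing"             # class matched and rate exceeded
        elif fwd > 0:
            verdict = "matched, under rate"  # class matched, nothing dropped
        else:
            verdict = "no traffic matched"   # policy not seeing this traffic
        result[key] = (fwd, pol, verdict)
    return result

# The two ingress snapshots quoted in the post above.
SNAP1 = """\
          Int Mod Dir  Class-map DSCP  Agg  Trust Fl   AgForward-By   AgPoliced-By
         Vl100  6  In   CISCO-IN    0    3   dscp  0          73736          18652
           All  6   -    Default    0    0*    No  0    21114275690              0
"""
SNAP2 = """\
         Vl100  6  In   CISCO-IN    0    3   dscp  0         998546         248766
"""

if __name__ == "__main__":
    for key, (fwd, pol, verdict) in sorted(policer_deltas(SNAP1, SNAP2).items()):
        print(key, f"forwarded +{fwd}", f"policed +{pol}", verdict)
```

A row that only ever shows the Default class with a zero policed counter, as in the Gi1/6 output earlier in the thread, means the traffic is not hitting the policy's class at all.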

Oh, thank you, Edison! It makes sense now.
