Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2396
Views
0
Helpful
7
Replies

Cisco ASR1004 + ISG + RADIUS-based shaping

Konstantin Vinogradov
Level 1
Level 1

‎06-19-2013 07:46 AM - edited ‎03-07-2019 01:58 PM

Hello!

I need to configure ISG with RADIUS-based shaping. There are two traffic classes: Internet (class-default) and Local Peering (PEERING-TRAFFIC). Class-default traffic must be shaped with committed rate with contract conditions (from billing via RADIUS, for example 2Mbit/sec), PEERING-TRAFFIC must be shaped with fixed commit rate 50Mbit/sec. I have tried many times and now I have this config (and it works):

Conprol Policy-Map

policy-map type control ISG-L3-ROUTED-CONTROL

class type control UNAUTH-DISCONNECT-CONDITION event timed-policy-expiry

  10 service disconnect

!

class type control always event session-start

  10 authorize aaa list ISG-RADIUS-LIST password ISG identifier source-ip-address

  20 service-policy type service aaa list LOCAL-SERVICES name L4-REDIRECT-SERVICE

  30 service-policy type service aaa list LOCAL-SERVICES name OPENGARDEN-SERVICE

  100 set-timer UNAUTH-DISCONNECT-TIMER 10

QOS Policy-Maps

Policy Map ISG-GENERAL-POLICY-IN

  Class PEERING-TRAFFIC

   police cir 50000000 bc 1562500

     conform-action transmit

     exceed-action drop

  Class class-default

    service-policy ISG-CHILD-POLICY-IN


Policy Map ISG-GENERAL-POLICY-OUT

  Class class-default

    service-policy ISG-CHILD-POLICY-OUT


Policy Map ISG-CHILD-POLICY-OUT

  Class PEERING-TRAFFIC

    Average Rate Traffic Shaping

    cir 50000000 (bps)

  Class class-default


Policy Map ISG-CHILD-POLICY-IN

  Class class-default

User-Authen RADIUS-Attributes
AttributeValue

Idle-Timeout

40

Session-Timeout

180

Cisco-Account-Info

AISG-TRON-SERVICE-TEST

Service-Authen RADIUS-Attributes
AttributeValue
Cisco-AVPairip:sub-qos-policy-in=ISG-GENERAL-POLICY-IN
Cisco-AVPairip:sub-qos-policy-out=ISG-GENERAL-POLICY-OUT
Cisco-AVPairqos-policy-out=add-class(sub, (class-default), shape(100000000))
Cisco-AVPairqos-policy-out=add-class(sub, (class-default, class-default), shape(2100000))
Cisco-AVPairqos-policy-in=add-class(sub, (class-default), police(2000000))

I do not like this multiple “shape”: in parent policy and in child policy. I worry about device utilization. I can’t remove shaping with CIR 100Mbit/sec from parent out policy, because service policy installation failed in this case:

*Jun 19 14:13:00.713:  Cannot attach queuing-based child policy to a non-queuing based class
*Jun 19 14:13:00.713: %QOS-6-POLICY_INST_FAILED:
  Service policy installation failed

And I can’t remove all shaping to parent policy:

*Jun 19 14:14:37.708: SSS PM ERROR: Policy context is NULL or missing action in get aaa author passwd list APITraffic Shaping feature is not supported in user defined class of parent level policy
*Jun 19 14:14:37.716: %QOS-6-POLICY_INST_FAILED:
  Service policy installation failed Traffic Shaping feature is not supported in user defined class of parent level policy

What is the right method in this case? May be I need to shape different traffic in different service? But I can’t define traffic class in RADIUS-attributes correctly.

Thank you!

1 person had this problem
Labels:
0 Helpful
7 Replies 7

bhumindesai
Level 1
Level 1

‎03-06-2014 01:11 AM

hi Konstantin Vinogradov ,

have you found any solution for above query.? i do want same solution for my setup..

Thanks,

Bhumin Desai

0 Helpful

Konstantin Vinogradov
Level 1
Level 1
In response to bhumindesai

‎03-06-2014 02:35 AM

Hi, bhumin.

Unfortunately I didn't found any other solution. Now I use configuration that I described in the first post. I have some problems with policng, but I think it depends on version of IOS.

0 Helpful

bhumindesai
Level 1
Level 1
In response to Konstantin Vinogradov

‎03-07-2014 01:10 AM

hi Konstantin Vinogradov

, yesterday we have done it as below..may radius config and flow differ.

  • user service = P2P
VendorAttribute   CodeAttribute   Value
DefaultSession-Timeout86400
CiscoCisco-SSG-Account-InfoA1mbpsInternet
CiscoCisco-SSG-Account-InfoA10mbpsp2p

  • service 1 =A1mbpsInternet
VendorAttribute   CodeAttribute   Value
Ciscocisco-avpairip:traffic-class=in   default drop
Ciscocisco-avpairip:traffic-class=out   access-group name non-P2P-out
Ciscocisco-avpairip:traffic-class=out   default drop
DefaultService-TypeOutbound-User
DefaultDownload-QoS1Mbps
DefaultUpload-QoS1Mbps
Ciscocisco-avpairip:traffic-class=in   access-group name non-P2P-in
Ciscocisco-avpairsubscriber:accounting-list=PPP-USR

  • service 1 = A10mbpsp2p
VendorAttribute   CodeAttribute   Value
DefaultDownload-QoS10mbps
Ciscocisco-avpairip:traffic-class=in   access-group name P2P-in
Ciscocisco-avpairip:traffic-class=in   default drop
Ciscocisco-avpairip:traffic-class=out   access-group name P2P-out
Ciscocisco-avpairip:traffic-class=out   default drop
DefaultUpload-QoS10mbps
DefaultService-TypeOutbound-User
Ciscocisco-avpairsubscriber:accounting-list=PPP-USR

thats all...u just need to assigh service P2P with subscriber & u good to go..this way you can account/charge subscriber for what he/she use at actual.

the only prob m facing is.. m getting 2 sessions for subscribers in AAA server while only 1 in ASR... no other prob at all.

try it..

Regards,

Bhumin.

0 Helpful

Konstantin Vinogradov
Level 1
Level 1
In response to bhumindesai

‎03-18-2014 10:13 PM

Hi, Bhumin.

Sorry if I replying late.

About "Default Download-QoS 10mbps".

Is "10mbps" policy-map's name? Do you have it in your config?

Thank.

Best regards,

Konstantin.

0 Helpful

bhumindesai
Level 1
Level 1

‎03-19-2014 10:49 PM

Dear 

 

N/A

0 Helpful

Alex M
Level 1
Level 1

‎10-30-2019 12:39 AM - edited ‎10-30-2019 05:29 AM

Hello!

I have the similar problem, so I've decided to ask it here. I'm working on ISG configuration on ASR 1001x. It works OK, but I need to add a lot of new services with DSCP policies, like this:

policy-map 50m
 class class-default
  police cir 51200000 conform-action set-dscp-transmit af11 exceed-action set-dscp-transmit default violate-action set-dscp-transmit default

policy-map type service 50m-SRV
  service-policy input 50m
  service-policy output 50m

I wonder if I can make ASR download it from RADIUS as a usual service but with parameters. I've read about pQoS in Cisco Guide:

...
qos-policy-in=add-class(target ,(class-list ),qos-actions-list )
qos-policy-out=add-class(target ,(class-list ),qos-actions-list )
...

 And it seems that's what I need, but I have some questions:

1) Is it possible to "stick" qos-policy-in and qos-policy-out on service?

2) The Guide said that: "...Parameterized QoS is not supported for IP sessions...". If I send it as service and not as session, is it allowed to use it with IP sessions?

0 Helpful

Alex M
Level 1
Level 1
In response to Alex M

‎11-08-2019 06:57 AM

So, I've tried to apply QoS policy on service. it works, service has been applied:

SERVICE-TEST    Auth-Type := Accept
    User-Password == "cisco",
    Cisco-AVPair += "ip:sub-qos-policy-in=isgPolicy",
    Cisco-AVPair += "ip:sub-qos-policy-out=isgPolicy",
    Cisco-AVPair += "ip:qos-policy-in=add-class(sub, (class-default), police(15000000,0,0,transmit,drop,drop))",
    Cisco-AVPair += "ip:qos-policy-out=add-class(sub, (class-default), police(15000000,0,0,transmit,drop,drop))",
    Idle-Timeout =  "600"

But if I change action transmit to action set-ip-dscp(10) then error message "...wrong action set-ip-dscp(10)" appears in debug. Does anyone know how to solve this problem?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card