06-19-2013 07:46 AM - edited 03-07-2019 01:58 PM
Hello!
I need to configure ISG with RADIUS-based shaping. There are two traffic classes: Internet (class-default) and Local Peering (PEERING-TRAFFIC). Class-default traffic must be shaped with committed rate with contract conditions (from billing via RADIUS, for example 2Mbit/sec), PEERING-TRAFFIC must be shaped with fixed commit rate 50Mbit/sec. I have tried many times and now I have this config (and it works):
policy-map type control ISG-L3-ROUTED-CONTROL
class type control UNAUTH-DISCONNECT-CONDITION event timed-policy-expiry
10 service disconnect
!
class type control always event session-start
10 authorize aaa list ISG-RADIUS-LIST password ISG identifier source-ip-address
20 service-policy type service aaa list LOCAL-SERVICES name L4-REDIRECT-SERVICE
30 service-policy type service aaa list LOCAL-SERVICES name OPENGARDEN-SERVICE
100 set-timer UNAUTH-DISCONNECT-TIMER 10
Policy Map ISG-GENERAL-POLICY-IN
Class PEERING-TRAFFIC
police cir 50000000 bc 1562500
conform-action transmit
exceed-action drop
Class class-default
service-policy ISG-CHILD-POLICY-IN
Policy Map ISG-GENERAL-POLICY-OUT
Class class-default
service-policy ISG-CHILD-POLICY-OUT
Policy Map ISG-CHILD-POLICY-OUT
Class PEERING-TRAFFIC
Average Rate Traffic Shaping
cir 50000000 (bps)
Class class-default
Policy Map ISG-CHILD-POLICY-IN
Class class-default
Attribute | Value |
---|---|
Idle-Timeout | 40 |
Session-Timeout | 180 |
Cisco-Account-Info | AISG-TRON-SERVICE-TEST |
Attribute | Value |
---|---|
Cisco-AVPair | ip:sub-qos-policy-in=ISG-GENERAL-POLICY-IN |
Cisco-AVPair | ip:sub-qos-policy-out=ISG-GENERAL-POLICY-OUT |
Cisco-AVPair | qos-policy-out=add-class(sub, (class-default), shape(100000000)) |
Cisco-AVPair | qos-policy-out=add-class(sub, (class-default, class-default), shape(2100000)) |
Cisco-AVPair | qos-policy-in=add-class(sub, (class-default), police(2000000)) |
I do not like this multiple “shape”: in parent policy and in child policy. I worry about device utilization. I can’t remove shaping with CIR 100Mbit/sec from parent out policy, because service policy installation failed in this case:
*Jun 19 14:13:00.713: Cannot attach queuing-based child policy to a non-queuing based class
*Jun 19 14:13:00.713: %QOS-6-POLICY_INST_FAILED:
Service policy installation failed
And I can’t remove all shaping to parent policy:
*Jun 19 14:14:37.708: SSS PM ERROR: Policy context is NULL or missing action in get aaa author passwd list APITraffic Shaping feature is not supported in user defined class of parent level policy
*Jun 19 14:14:37.716: %QOS-6-POLICY_INST_FAILED:
Service policy installation failed Traffic Shaping feature is not supported in user defined class of parent level policy
What is the right method in this case? May be I need to shape different traffic in different service? But I can’t define traffic class in RADIUS-attributes correctly.
Thank you!
03-06-2014 01:11 AM
have you found any solution for above query.? i do want same solution for my setup..
Thanks,
Bhumin Desai
03-06-2014 02:35 AM
Hi, bhumin.
Unfortunately I didn't found any other solution. Now I use configuration that I described in the first post. I have some problems with policng, but I think it depends on version of IOS.
03-07-2014 01:10 AM
, yesterday we have done it as below..may radius config and flow differ.
Vendor | Attribute Code | Attribute Value |
Default | Session-Timeout | 86400 |
Cisco | Cisco-SSG-Account-Info | A1mbpsInternet |
Cisco | Cisco-SSG-Account-Info | A10mbpsp2p |
Vendor | Attribute Code | Attribute Value |
Cisco | cisco-avpair | ip:traffic-class=in default drop |
Cisco | cisco-avpair | ip:traffic-class=out access-group name non-P2P-out |
Cisco | cisco-avpair | ip:traffic-class=out default drop |
Default | Service-Type | Outbound-User |
Default | Download-QoS | 1Mbps |
Default | Upload-QoS | 1Mbps |
Cisco | cisco-avpair | ip:traffic-class=in access-group name non-P2P-in |
Cisco | cisco-avpair | subscriber:accounting-list=PPP-USR |
Vendor | Attribute Code | Attribute Value |
Default | Download-QoS | 10mbps |
Cisco | cisco-avpair | ip:traffic-class=in access-group name P2P-in |
Cisco | cisco-avpair | ip:traffic-class=in default drop |
Cisco | cisco-avpair | ip:traffic-class=out access-group name P2P-out |
Cisco | cisco-avpair | ip:traffic-class=out default drop |
Default | Upload-QoS | 10mbps |
Default | Service-Type | Outbound-User |
Cisco | cisco-avpair | subscriber:accounting-list=PPP-USR |
thats all...u just need to assigh service P2P with subscriber & u good to go..this way you can account/charge subscriber for what he/she use at actual.
the only prob m facing is.. m getting 2 sessions for subscribers in AAA server while only 1 in ASR... no other prob at all.
try it..
Regards,
Bhumin.
03-18-2014 10:13 PM
Hi, Bhumin.
Sorry if I replying late.
About "Default Download-QoS 10mbps".
Is "10mbps" policy-map's name? Do you have it in your config?
Thank.
Best regards,
Konstantin.
03-19-2014 10:49 PM
10-30-2019 12:39 AM - edited 10-30-2019 05:29 AM
Hello!
I have the similar problem, so I've decided to ask it here. I'm working on ISG configuration on ASR 1001x. It works OK, but I need to add a lot of new services with DSCP policies, like this:
policy-map 50m
class class-default
police cir 51200000 conform-action set-dscp-transmit af11 exceed-action set-dscp-transmit default violate-action set-dscp-transmit default
policy-map type service 50m-SRV
service-policy input 50m
service-policy output 50m
I wonder if I can make ASR download it from RADIUS as a usual service but with parameters. I've read about pQoS in Cisco Guide:
...
qos-policy-in=add-class(target ,(class-list ),qos-actions-list ) qos-policy-out=add-class(target ,(class-list ),qos-actions-list )
...
And it seems that's what I need, but I have some questions:
1) Is it possible to "stick" qos-policy-in and qos-policy-out on service?
2) The Guide said that: "...Parameterized QoS is not supported for IP sessions...". If I send it as service and not as session, is it allowed to use it with IP sessions?
11-08-2019 06:57 AM
So, I've tried to apply QoS policy on service. it works, service has been applied:
SERVICE-TEST Auth-Type := Accept User-Password == "cisco", Cisco-AVPair += "ip:sub-qos-policy-in=isgPolicy", Cisco-AVPair += "ip:sub-qos-policy-out=isgPolicy", Cisco-AVPair += "ip:qos-policy-in=add-class(sub, (class-default), police(15000000,0,0,transmit,drop,drop))", Cisco-AVPair += "ip:qos-policy-out=add-class(sub, (class-default), police(15000000,0,0,transmit,drop,drop))", Idle-Timeout = "600"
But if I change action transmit to action set-ip-dscp(10) then error message "...wrong action set-ip-dscp(10)" appears in debug. Does anyone know how to solve this problem?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: