09-28-2012 09:00 AM - edited 03-07-2019 09:10 AM
We have a metro Ethernet service, basically our WAN connection, that we use to connect 4 sites. This MOE service has a CIR of 200 Mbps, connected to a port on a 3550-12T running Version 12.1(22)EA5 at 1000 Mbps. We are exceeding our CIR at times during the day for short bursts, which is causing the MOE switch to drop packets, which I suspect is manifesting itself in some choppy VoIP conversations and dropped ICMP packets from our network monitoring software. I implemented policy maps to apply an outbound service policy to the interface connected to the MOE service, but I am not seeing any matches to the access lists or the service policy. I'm not sure if I am missing something or perhaps the IOS is not capable?
Below is the config for the service policy and some command output. Notice that there are hits on a standard access list that is used for other purposes, but the extended access lists used for the class maps have no matches.
!
class-map match-all REALTIME
match access-group name REALTIME
class-map match-all ROUTINGCONTROL
match access-group name ROUTINGCONTROL
class-map match-all RESTRICTED_BUSINESS
match access-group name RESTRICTED_BUSINESS
class-map match-all ARUBA
match access-group name ARUBA
class-map match-all INTERACTIVE
match access-group name INTERACTIVE
class-map match-all NETMANAGEMENT
match access-group name NETMANAGEMENT
!
!
policy-map PROTOCOLS-Q-OUT
class REALTIME
bandwidth percent 10
class INTERACTIVE
bandwidth percent 20
class NETMANAGEMENT
bandwidth percent 1
class ROUTINGCONTROL
bandwidth percent 1
class RESTRICTED_BUSINESS
bandwidth percent 20
class ARUBA
bandwidth percent 20
!
!
interface GigabitEthernet0/1
description MOE Connection
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-956,958-998,1000-4094
switchport mode trunk
bandwidth 200000
load-interval 30
mls qos trust dscp
mls qos monitor dscp 0 8 24 26 32 46 48 56
mls qos monitor packets
auto qos voip trust
wrr-queue bandwidth 10 20 70 1
wrr-queue queue-limit 50 25 15 10
wrr-queue cos-map 1 0 1
wrr-queue cos-map 2 2 4
wrr-queue cos-map 3 3 6 7
wrr-queue cos-map 4 5
priority-queue out
service-policy output PROTOCOLS-Q-OUT
!
ip access-list extended ARUBA
remark Aruba Controllers
permit tcp host 172.25.64.200 any
permit tcp any host 172.25.64.200
permit tcp host 172.25.64.201 any
permit tcp any host 172.25.64.201
permit tcp host 172.25.64.202 any
permit tcp any host 172.25.64.202
ip access-list extended INTERACTIVE
remark CITRIX
permit tcp any eq 2598 any
permit tcp any any eq 2598
permit tcp any eq 1494 any
permit tcp any any eq 1494
remark MSRDP
permit tcp any eq 3389 any
permit tcp any any eq 3389
remark PROXY
permit tcp any eq 1505 any
permit tcp any any eq 1505
ip access-list extended NETMANAGEMENT
remark Statseeker
permit icmp host 10.8.0.9 any
permit udp host 10.8.0.9 eq snmp any
remark SNMP
permit udp any any range snmp snmptrap
permit udp any range snmp snmptrap any
permit udp any any eq snmp
permit udp any eq snmp any
remark TFTP
permit udp any any eq tftp
permit udp any eq tftp any
remark DHCP
permit udp any eq bootpc any
permit udp any eq bootps any
permit udp any any eq bootpc
permit udp any any eq bootps
remark TELNET
permit tcp any any eq telnet
permit tcp any eq telnet any
remark SSH
permit tcp any any eq 22
permit tcp any eq 22 any
remark NTP
permit udp any eq ntp any
permit udp any any eq ntp
remark LDAP
permit tcp any eq 389 any
permit tcp any any eq 389
ip access-list extended REALTIME
remark VOICE
permit ip any any dscp ef
permit ip any any dscp cs6
remark VOICE network in DC
permit ip 10.8.251.0 0.0.0.63 any
ip access-list extended RESTRICTED_BUSINESS
remark For important traffic to be throttled
remark dbclst PACS - 6 am daily backup
permit tcp host 10.8.234.5 any
permit tcp host 10.8.234.1 any
remark Nserv2 Image server
remark Microsoft NBT/SMB
permit tcp any eq 445 any
permit tcp any any eq 445
permit tcp any range 137 139 any
permit tcp any any range 137 139
permit udp any range netbios-ns netbios-ss any
permit udp any any range netbios-ns netbios-ss
remark Tivoli
permit tcp any eq 1500 any
permit tcp any any eq 1500
remark iSCSI
permit tcp any eq 3260 any
permit tcp any any eq 3260
remark SEP
permit tcp any eq 8014 any
permit tcp any any eq 8014
ip access-list extended ROUTINGCONTROL
permit ospf any any
!
core-access-01#show policy-map interface gi0/1
GigabitEthernet0/1
service-policy output: PROTOCOLS-Q-OUT
class-map: REALTIME (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
match: access-group name REALTIME
Output Queue: Conversation 265
Bandwidth 10 (%) Packets Matched 0
Bandwidth 20000 (kbps) Max Threshold 64 (packets)
(depth/total drops/no-buffer drops) 0/0/0
class-map: INTERACTIVE (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
match: access-group name INTERACTIVE
Output Queue: Conversation 266
Bandwidth 20 (%) Packets Matched 0
Bandwidth 40000 (kbps) Max Threshold 64 (packets)
(depth/total drops/no-buffer drops) 0/0/0
class-map: NETMANAGEMENT (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
match: access-group name NETMANAGEMENT
Output Queue: Conversation 267
Bandwidth 1 (%) Packets Matched 0
Bandwidth 2000 (kbps) Max Threshold 64 (packets)
(depth/total drops/no-buffer drops) 0/0/0
class-map: ROUTINGCONTROL (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
match: access-group name ROUTINGCONTROL
Output Queue: Conversation 268
Bandwidth 1 (%) Packets Matched 0
Bandwidth 2000 (kbps) Max Threshold 64 (packets)
(depth/total drops/no-buffer drops) 0/0/0
class-map: RESTRICTED_BUSINESS (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
match: access-group name RESTRICTED_BUSINESS
Output Queue: Conversation 269
Bandwidth 20 (%) Packets Matched 0
Bandwidth 40000 (kbps) Max Threshold 64 (packets)
(depth/total drops/no-buffer drops) 0/0/0
class-map: ARUBA (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
match: access-group name ARUBA
Output Queue: Conversation 270
Bandwidth 20 (%) Packets Matched 0
Bandwidth 40000 (kbps) Max Threshold 64 (packets)
(depth/total drops/no-buffer drops) 0/0/0
class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
match: any
0 packets, 0 bytes
30 second rate 0 bps
core-access-01#show access-lists
Standard IP access list 6
permit 10.8.0.9 (252494 matches)
permit 172.25.65.137 (108154 matches)
deny any log (131 matches)
Extended IP access list ARUBA
permit tcp host 172.25.64.200 any
permit tcp any host 172.25.64.200
permit tcp host 172.25.64.201 any
permit tcp any host 172.25.64.201
permit tcp host 172.25.64.202 any
permit tcp any host 172.25.64.202
Extended IP access list INTERACTIVE
permit tcp any eq 2598 any
permit tcp any any eq 2598
permit tcp any eq 1494 any
permit tcp any any eq 1494
permit tcp any eq 3389 any
permit tcp any any eq 3389
permit tcp any eq 1505 any
permit tcp any any eq 1505
Extended IP access list NETMANAGEMENT
permit icmp host 10.8.0.9 any
permit udp host 10.8.0.9 eq snmp any
permit udp any any range snmp snmptrap
permit udp any range snmp snmptrap any
permit udp any any eq snmp
permit udp any eq snmp any
permit udp any any eq tftp
permit udp any eq tftp any
permit udp any eq bootpc any
permit udp any eq bootps any
permit udp any any eq bootpc
permit udp any any eq bootps
permit tcp any any eq telnet
permit tcp any eq telnet any
permit tcp any any eq 22
permit tcp any eq 22 any
permit udp any eq ntp any
permit udp any any eq ntp
permit tcp any eq 389 any
permit tcp any any eq 389
Extended IP access list REALTIME
permit ip any any dscp ef
permit ip any any dscp cs6
permit ip 10.8.251.0 0.0.0.63 any
Extended IP access list RESTRICTED_BUSINESS
permit tcp host 10.8.234.5 any
permit tcp host 10.8.234.1 any
permit tcp any eq 445 any
permit tcp any any eq 445
permit tcp any range 137 139 any
permit tcp any any range 137 139
permit udp any range netbios-ns netbios-ss any
permit udp any any range netbios-ns netbios-ss
permit tcp any eq 1500 any
permit tcp any any eq 1500
permit tcp any eq 3260 any
permit tcp any any eq 3260
permit tcp any eq 8014 any
permit tcp any any eq 8014
Extended IP access list ROUTINGCONTROL
permit ospf any any
09-28-2012 09:18 AM
Hello Levin,
I hope you have enabled mls qos globally (sorry to suspect)..
Can you enable the following on the interface where you have the policy map
mls qos monitor dscp 0 8 24 26 32 46 48 56
mls qos monitor packets
and try show mls qos interface
regards
Harish.
09-28-2012 09:33 AM
Hello Harish, and thank you for the reply.
mls qos is enabled globally, and those commands are on the interface.
core-access-01#show mls qos interface gigabitEthernet 0/1 statistics
GigabitEthernet0/1
Ingress
dscp: incoming no_change classified policed dropped (in pkts)
0 : 3232999584 3232999584 0 0 0
8 : 0 0 0 0 0
24: 629 629 0 0 0
26: 0 0 0 0 0
32: 0 0 0 0 0
46: 249331758 249331758 0 0 0
48: 129234309 129234309 0 0 0
56: 10711658 10711658 0 0 0
Others: 22170455 22170455 0 0 0
Egress
dscp: incoming no_change classified policed dropped (in pkts)
0 : 3001282923 n/a n/a 0 0
8 : 0 n/a n/a 0 0
24: 0 n/a n/a 0 0
26: 0 n/a n/a 0 0
32: 541 n/a n/a 0 0
46: 427585011 n/a n/a 0 0
48: 140476844 n/a n/a 0 0
56: 4961510 n/a n/a 0 0
Others: 21479692 n/a n/a 0 0
WRED drop counts:
qid thresh1 thresh2 FreeQ
1 : 0 0 2049
2 : 0 0 1024
3 : 0 0 614
4 : 0 0 409
core-access-01#show mls qos interface gigabitEthernet 0/1
GigabitEthernet0/1
trust state: trust dscp
trust mode: trust dscp
COS override: dis
Attached policy-map for Egress: PROTOCOLS-Q-OUT
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
trust device: none
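Added example (not part of the thread, and not a Cisco tool): a small Python script that parses the two outputs posted above and cross-checks them. The point for anyone relying on this policy as a control is that a class reporting 0 matched packets is enforcing nothing, so the prioritisation intended for voice and OSPF is not in effect regardless of what the configuration says. The script also surfaces the specific contradiction visible in the posted output: the hardware egress counters show over 427 million packets with DSCP 46 (EF) and 140 million with DSCP 48 (CS6), the two values the posted REALTIME ACL matches on, while the REALTIME class counted none. The sample strings are constructed from the posted output (abbreviated), and the DSCP-to-class mapping is an assumption taken from the REALTIME ACL.

```python
from __future__ import annotations
import re

# Constructed sample input: abbreviated copy of the 'show policy-map interface gi0/1'
# output posted in the thread (every class shows 0 packets).
POLICY_MAP_OUTPUT = """\
service-policy output: PROTOCOLS-Q-OUT
class-map: REALTIME (match-all)
0 packets, 0 bytes
match: access-group name REALTIME
class-map: INTERACTIVE (match-all)
0 packets, 0 bytes
class-map: NETMANAGEMENT (match-all)
0 packets, 0 bytes
class-map: ROUTINGCONTROL (match-all)
0 packets, 0 bytes
class-map: RESTRICTED_BUSINESS (match-all)
0 packets, 0 bytes
class-map: ARUBA (match-all)
0 packets, 0 bytes
class-map: class-default (match-any)
0 packets, 0 bytes
match: any
0 packets, 0 bytes
"""

# Constructed sample input: the posted 'show mls qos interface gi0/1 statistics',
# with the all-zero ingress rows dropped for brevity.
MLS_STATS_OUTPUT = """\
Ingress
dscp: incoming no_change classified policed dropped (in pkts)
0 : 3232999584 3232999584 0 0 0
24: 629 629 0 0 0
46: 249331758 249331758 0 0 0
48: 129234309 129234309 0 0 0
56: 10711658 10711658 0 0 0
Others: 22170455 22170455 0 0 0
Egress
dscp: incoming no_change classified policed dropped (in pkts)
0 : 3001282923 n/a n/a 0 0
8 : 0 n/a n/a 0 0
24: 0 n/a n/a 0 0
26: 0 n/a n/a 0 0
32: 541 n/a n/a 0 0
46: 427585011 n/a n/a 0 0
48: 140476844 n/a n/a 0 0
56: 4961510 n/a n/a 0 0
Others: 21479692 n/a n/a 0 0
WRED drop counts:
1 : 0 0 2049
"""

# Assumed mapping derived from the posted REALTIME ACL: 'dscp ef' is 46, 'dscp cs6' is 48.
CLASS_DSCP = {"REALTIME": (46, 48)}


def parse_policy_map(text: str) -> dict[str, int]:
    """{class_name: matched packets}; only the first counter line after each
    class header is used, so class-default's second counter pair is ignored."""
    classes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*class-map:\s+(\S+)\s+\(match-(?:all|any)\)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*(\d+) packets, (\d+) bytes", line)
        if m and current and current not in classes:
            classes[current] = int(m.group(1))
    return classes


def parse_mls_stats(text: str) -> dict[str, dict[str, int]]:
    """{'Ingress'|'Egress': {dscp_label: incoming packets}}; parsing stops at the
    WRED table, whose 'qid : ...' rows would otherwise look like DSCP rows."""
    stats, section = {"Ingress": {}, "Egress": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in stats:
            section = line
        elif line.startswith("WRED"):
            section = None
        elif section and (m := re.match(r"(\d+|Others)\s*:\s+(\d+)\b", line)):
            stats[section][m.group(1)] = int(m.group(2))
    return stats


def audit(policy_text: str, stats_text: str, class_dscp: dict) -> dict:
    """Flag classes whose policy counters are zero although the hardware egress
    counters show packets carrying a DSCP that class is meant to match."""
    classes = parse_policy_map(policy_text)
    egress = parse_mls_stats(stats_text)["Egress"]
    findings = []
    for name, dscps in class_dscp.items():
        hw = sum(egress.get(str(d), 0) for d in dscps)
        if classes.get(name, 0) == 0 and hw > 0:
            findings.append(f"{name}: policy matched 0 packets, hardware egressed {hw} with DSCP {dscps}")
    return {"policy_total": sum(classes.values()),
            "egress_total": sum(egress.values()),
            "zero_match_classes": sorted(n for n, c in classes.items() if c == 0),
            "findings": findings}


if __name__ == "__main__":
    for finding in audit(POLICY_MAP_OUTPUT, MLS_STATS_OUTPUT, CLASS_DSCP)["findings"]:
        print(finding)
```

Run it as-is to print the finding for the posted data, or pass your own captures to parse_policy_map and parse_mls_stats. It does not diagnose why the two counters disagree; it only makes the disagreement visible so the policy is not mistaken for a working control.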
09-28-2012 09:40 AM
HI Levin,
match-any rather than match-all is a suspect of mine....
Alessio
09-28-2012 09:50 AM
Hello Levin,
Thanks for the output.
The statistics show that all the incoming packets are being forwarded without any change. Are you sure that the entries in the ACL are actually matching the traffic being generated from the site? (I hope they are not doing a NAT before forwarding the traffic to your end.)
A couple of things can be done to test:
1. please disable flow control on the interface
flowcontrol receive off
flowcontrol send off
2. just for testing purposes, create a numbered ACL to match the traffic and try with that (even though named ACLs work as per the doc, just taking a chance)
let me know the result
Harish.