
Policy Map on 3550 not working

thomasD11
Level 1

We have a metro Ethernet service, basically our WAN connection, that we use to connect 4 sites. This MOE service has a CIR of 200 Mbps, connected to a port on a 3550-12T running Version 12.1(22)EA5 at 1000 Mbps. We are exceeding our CIR at times during the day for short bursts which is causing the MOE switch to drop packets, which I suspect I am seeing manifest itself in some choppy VoIP conversations and dropped ICMP packets from our network monitoring software. I implemented policy maps to apply an outbound service policy to the interface connected to the MOE service, but I am not seeing any matches to the access lists or the service policy. I’m not sure if I am missing something or perhaps the IOS is not capable?

Below is the config for the service policy and some command output. Notice that there are hits on a standard access list that is used for other purposes, but the extended access lists used for the class maps have no matches.

!
class-map match-all REALTIME
  match access-group name REALTIME
class-map match-all ROUTINGCONTROL
  match access-group name ROUTINGCONTROL
class-map match-all RESTRICTED_BUSINESS
  match access-group name RESTRICTED_BUSINESS
class-map match-all ARUBA
  match access-group name ARUBA
class-map match-all INTERACTIVE
  match access-group name INTERACTIVE
class-map match-all NETMANAGEMENT
  match access-group name NETMANAGEMENT
!
!
policy-map PROTOCOLS-Q-OUT
  class REALTIME
   bandwidth percent 10
  class INTERACTIVE
   bandwidth percent 20
  class NETMANAGEMENT
   bandwidth percent 1
  class ROUTINGCONTROL
   bandwidth percent 1
  class RESTRICTED_BUSINESS
   bandwidth percent 20
  class ARUBA
   bandwidth percent 20
!
!
interface GigabitEthernet0/1
 description MOE Connection
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-956,958-998,1000-4094
 switchport mode trunk
 bandwidth 200000
 load-interval 30
 mls qos trust dscp
 mls qos monitor dscp 0 8 24 26 32 46 48 56
 mls qos monitor packets
 auto qos voip trust
 wrr-queue bandwidth 10 20 70 1
 wrr-queue queue-limit 50 25 15 10
 wrr-queue cos-map 1 0 1
 wrr-queue cos-map 2 2 4
 wrr-queue cos-map 3 3 6 7
 wrr-queue cos-map 4 5
 priority-queue out
 service-policy output PROTOCOLS-Q-OUT
!
ip access-list extended ARUBA
 remark Aruba Controllers
 permit tcp host 172.25.64.200 any
 permit tcp any host 172.25.64.200
 permit tcp host 172.25.64.201 any
 permit tcp any host 172.25.64.201
 permit tcp host 172.25.64.202 any
 permit tcp any host 172.25.64.202
ip access-list extended INTERACTIVE
 remark CITRIX
 permit tcp any eq 2598 any
 permit tcp any any eq 2598
 permit tcp any eq 1494 any
 permit tcp any any eq 1494
 remark MSRDP
 permit tcp any eq 3389 any
 permit tcp any any eq 3389
 remark PROXY
 permit tcp any eq 1505 any
 permit tcp any any eq 1505
ip access-list extended NETMANAGEMENT
 remark Statseeker
 permit icmp host 10.8.0.9 any
 permit udp host 10.8.0.9 eq snmp any
 remark SNMP
 permit udp any any range snmp snmptrap
 permit udp any range snmp snmptrap any
 permit udp any any eq snmp
 permit udp any eq snmp any
 remark TFTP
 permit udp any any eq tftp
 permit udp any eq tftp any
 remark DHCP
 permit udp any eq bootpc any
 permit udp any eq bootps any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 remark TELNET
 permit tcp any any eq telnet
 permit tcp any eq telnet any
 remark SSH
 permit tcp any any eq 22
 permit tcp any eq 22 any
 remark NTP
 permit udp any eq ntp any
 permit udp any any eq ntp
 remark LDAP
 permit tcp any eq 389 any
 permit tcp any any eq 389
ip access-list extended REALTIME
 remark VOICE
 permit ip any any dscp ef
 permit ip any any dscp cs6
 remark VOICE network in DC
 permit ip 10.8.251.0 0.0.0.63 any
ip access-list extended RESTRICTED_BUSINESS
 remark For important traffic to be throttled
 remark dbclst PACS - 6 am daily backup
 permit tcp host 10.8.234.5 any
 permit tcp host 10.8.234.1 any
 remark Nserv2 Image server
 remark Microsoft NBT/SMB
 permit tcp any eq 445 any
 permit tcp any any eq 445
 permit tcp any range 137 139 any
 permit tcp any any range 137 139
 permit udp any range netbios-ns netbios-ss any
 permit udp any any range netbios-ns netbios-ss
 remark Tivoli
 permit tcp any eq 1500 any
 permit tcp any any eq 1500
 remark iSCSI
 permit tcp any eq 3260 any
 permit tcp any any eq 3260
 remark SEP
 permit tcp any eq 8014 any
 permit tcp any any eq 8014
ip access-list extended ROUTINGCONTROL
 permit ospf any any
!

core-access-01#show policy-map interface gi0/1
GigabitEthernet0/1
service-policy output: PROTOCOLS-Q-OUT
   class-map: REALTIME (match-all)
     0 packets, 0 bytes
     30 second offered rate 0 bps, drop rate 0 bps
     match: access-group name REALTIME
     Output Queue: Conversation 265
       Bandwidth 10 (%) Packets Matched 0
       Bandwidth 20000 (kbps) Max Threshold 64 (packets)
       (depth/total drops/no-buffer drops) 0/0/0
   class-map: INTERACTIVE (match-all)
     0 packets, 0 bytes
     30 second offered rate 0 bps, drop rate 0 bps
     match: access-group name INTERACTIVE
     Output Queue: Conversation 266
       Bandwidth 20 (%) Packets Matched 0
       Bandwidth 40000 (kbps) Max Threshold 64 (packets)
       (depth/total drops/no-buffer drops) 0/0/0
   class-map: NETMANAGEMENT (match-all)
     0 packets, 0 bytes
     30 second offered rate 0 bps, drop rate 0 bps
     match: access-group name NETMANAGEMENT
     Output Queue: Conversation 267
       Bandwidth 1 (%) Packets Matched 0
       Bandwidth 2000 (kbps) Max Threshold 64 (packets)
       (depth/total drops/no-buffer drops) 0/0/0
   class-map: ROUTINGCONTROL (match-all)
     0 packets, 0 bytes
     30 second offered rate 0 bps, drop rate 0 bps
     match: access-group name ROUTINGCONTROL
     Output Queue: Conversation 268
       Bandwidth 1 (%) Packets Matched 0
       Bandwidth 2000 (kbps) Max Threshold 64 (packets)
       (depth/total drops/no-buffer drops) 0/0/0
   class-map: RESTRICTED_BUSINESS (match-all)
     0 packets, 0 bytes
     30 second offered rate 0 bps, drop rate 0 bps
     match: access-group name RESTRICTED_BUSINESS
     Output Queue: Conversation 269
       Bandwidth 20 (%) Packets Matched 0
       Bandwidth 40000 (kbps) Max Threshold 64 (packets)
       (depth/total drops/no-buffer drops) 0/0/0
   class-map: ARUBA (match-all)
     0 packets, 0 bytes
     30 second offered rate 0 bps, drop rate 0 bps
     match: access-group name ARUBA
     Output Queue: Conversation 270
       Bandwidth 20 (%) Packets Matched 0
       Bandwidth 40000 (kbps) Max Threshold 64 (packets)
       (depth/total drops/no-buffer drops) 0/0/0
   class-map: class-default (match-any)
     0 packets, 0 bytes
     30 second offered rate 0 bps, drop rate 0 bps
     match: any
       0 packets, 0 bytes
       30 second rate 0 bps

core-access-01#show access-lists
Standard IP access list 6
   permit 10.8.0.9 (252494 matches)
   permit 172.25.65.137 (108154 matches)
   deny   any log (131 matches)
Extended IP access list ARUBA
   permit tcp host 172.25.64.200 any
   permit tcp any host 172.25.64.200
   permit tcp host 172.25.64.201 any
   permit tcp any host 172.25.64.201
   permit tcp host 172.25.64.202 any
   permit tcp any host 172.25.64.202
Extended IP access list INTERACTIVE
   permit tcp any eq 2598 any
   permit tcp any any eq 2598
   permit tcp any eq 1494 any
   permit tcp any any eq 1494
   permit tcp any eq 3389 any
   permit tcp any any eq 3389
   permit tcp any eq 1505 any
   permit tcp any any eq 1505
Extended IP access list NETMANAGEMENT
   permit icmp host 10.8.0.9 any
   permit udp host 10.8.0.9 eq snmp any
   permit udp any any range snmp snmptrap
   permit udp any range snmp snmptrap any
   permit udp any any eq snmp
   permit udp any eq snmp any
   permit udp any any eq tftp
   permit udp any eq tftp any
   permit udp any eq bootpc any
   permit udp any eq bootps any
   permit udp any any eq bootpc
   permit udp any any eq bootps
   permit tcp any any eq telnet
   permit tcp any eq telnet any
   permit tcp any any eq 22
   permit tcp any eq 22 any
   permit udp any eq ntp any
   permit udp any any eq ntp
   permit tcp any eq 389 any
   permit tcp any any eq 389
Extended IP access list REALTIME
   permit ip any any dscp ef
   permit ip any any dscp cs6
   permit ip 10.8.251.0 0.0.0.63 any
Extended IP access list RESTRICTED_BUSINESS
   permit tcp host 10.8.234.5 any
   permit tcp host 10.8.234.1 any
   permit tcp any eq 445 any
   permit tcp any any eq 445
   permit tcp any range 137 139 any
   permit tcp any any range 137 139
   permit udp any range netbios-ns netbios-ss any
   permit udp any any range netbios-ns netbios-ss
   permit tcp any eq 1500 any
   permit tcp any any eq 1500
   permit tcp any eq 3260 any
   permit tcp any any eq 3260
   permit tcp any eq 8014 any
   permit tcp any any eq 8014
Extended IP access list ROUTINGCONTROL
   permit ospf any any

4 Replies

Hello Levn,

I hope you have enabled mls qos globally (sorry to suspect).

Can you enable the following on the interface where you have the policy map:

mls qos monitor dscp 0 8 24 26 32 46 48 56
mls qos monitor packets

and try show mls qos interface statistics to see whether any packets are getting matched.

regards

Harish.

Hello Harish, and thank you for the reply.

mls qos is enabled globally, and those commands are on the interface.

core-access-01#show mls qos interface gigabitEthernet 0/1 statistics
GigabitEthernet0/1
Ingress
  dscp: incoming   no_change  classified policed    dropped (in pkts)
    0 : 3232999584 3232999584 0          0          0
    8 : 0          0          0          0          0
    24: 629        629        0          0          0
    26: 0          0          0          0          0
    32: 0          0          0          0          0
    46: 249331758  249331758  0          0          0
    48: 129234309  129234309  0          0          0
    56: 10711658   10711658   0          0          0
Others: 22170455   22170455   0          0          0
Egress
  dscp: incoming   no_change  classified policed    dropped (in pkts)
    0 : 3001282923    n/a       n/a      0          0
    8 : 0             n/a       n/a      0          0
    24: 0             n/a       n/a      0          0
    26: 0             n/a       n/a      0          0
    32: 541           n/a       n/a      0          0
    46: 427585011     n/a       n/a      0          0
    48: 140476844     n/a       n/a      0          0
    56: 4961510       n/a       n/a      0          0
Others: 21479692      n/a       n/a      0          0

WRED drop counts:
  qid  thresh1    thresh2   FreeQ
   1 : 0          0         2049
   2 : 0          0         1024
   3 : 0          0         614
   4 : 0          0         409

core-access-01#show mls qos interface gigabitEthernet 0/1
GigabitEthernet0/1
trust state: trust dscp
trust mode: trust dscp
COS override: dis
Attached policy-map for Egress: PROTOCOLS-Q-OUT
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
trust device: none
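Added here as a diagnostic cross-check, not code from the thread or from Cisco: a Python script that parses the two outputs quoted above and flags a class whose counters stay at zero while the per-DSCP egress counters show the traffic that class should be catching (DSCP 46, EF, should land in REALTIME). The sample outputs are constructed, abbreviated copies of the thread's own; the DSCP-to-class mapping is an assumption passed in as a parameter.

```python
import re

# Constructed samples, abbreviated from the thread's own "show" output above.
POLICY_MAP_OUTPUT = """\
service-policy output: PROTOCOLS-Q-OUT
   class-map: REALTIME (match-all)
     0 packets, 0 bytes
     match: access-group name REALTIME
   class-map: class-default (match-any)
     0 packets, 0 bytes
     match: any
"""
MLS_STATS_OUTPUT = """\
Ingress
    46: 249331758  249331758  0          0          0
Egress
    0 : 3001282923    n/a       n/a      0          0
    46: 427585011     n/a       n/a      0          0
"""

def parse_policy_map(text):
    """Map class name -> matched packets from 'show policy-map interface'."""
    counts, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*class-map:\s+(\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"\s*(\d+) packets,", line)):
            counts.setdefault(current, int(m.group(1)))   # first counter is the class total
    return counts

def parse_egress_dscp(text):
    """Map DSCP -> egress packets from 'show mls qos interface statistics'."""
    egress, in_egress = {}, False
    for line in text.splitlines():
        if line.startswith(("Egress", "Ingress", "WRED")):   # section headers
            in_egress = line.startswith("Egress")
        elif in_egress and (m := re.match(r"\s*(\d+)\s*:\s*(\d+)", line)):
            egress[int(m.group(1))] = int(m.group(2))       # "Others:" rows are skipped
    return egress

def diagnose(policy_text, stats_text, expected=((46, "REALTIME"),)):
    """Flag a class stuck at zero while egress counters show its traffic (assumed mapping)."""
    classes, egress = parse_policy_map(policy_text), parse_egress_dscp(stats_text)
    findings = []
    for dscp, cls in expected:
        if egress.get(dscp, 0) and not classes.get(cls, 0):
            findings.append(f"{cls}: 0 matches but {egress[dscp]} DSCP {dscp} packets egressed")
    if classes and not any(classes.values()):
        findings.append("every class including class-default is 0: policy counters are dead")
    return findings
```

A non-zero class-default alongside a zero REALTIME would point at the ACL entries; all classes at zero, as here, means the policy is not counting anything at all.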

Hi Levin,

match-any rather than match-all is a suspect of mine...

Alessio

Hello Levin,

Thanks for the output.

The statistics show that all the incoming packets are being forwarded without any change. Are you sure that the entries in the ACL are actually matching the traffic being generated from the site? (I hope they are not doing a NAT before forwarding the traffic to your end.)

A couple of things can be done to test:

1. Please disable flow control on the interface:

flowcontrol receive off
flowcontrol send off

2. Just for testing purposes, create a numbered ACL to match the traffic and try with that (even though named ACLs work as per the doc, just taking a chance).

Let me know the result.

Harish.
