I have a QoS policy in place to trust DSCP, using a class map with an ACL to classify traffic, applied on a Cisco Catalyst interface using a service policy. I apply police in my traffic policy. I did a check and found QoS wasn't applied to any of my classified traffic using the class map with the ACL.
Can someone help on this?
Below is my config:
class-map match-any Restrict
 match access-group 100
!
policy-map Restrict_Policy
 class Restrict
  police 15000000 8000 exceed-action policed-dscp-transmit
!
interface GigabitEthernet0/1
 description Link to Remote_Office
 service-policy input Restrict_Policy
!
interface range GigabitEthernet0/2 - 28
 service-policy input Restrict_Policy
!
access-list 100 permit tcp any host 172.18.204.130 eq 445
access-list 100 permit tcp any host 172.18.204.126 eq 445
access-list 100 permit tcp any any eq 445
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any
When I do a show policy-map interface gi0/1, I don't see any traffic (0 bytes).
I need to fix this issue because we implemented QoS to curb users from sending large files and clogging up the bandwidth.
If you do the "show policy-map int" command on a 3750 or similar platform, then you indeed will get 0 counters, as this command is not supported there (even if it is possible to run it).
In the 3750 switch, the 'show policy-map interface' privileged EXEC command is not supported to display classification information for traffic. The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored. Although this command is allowed on the CLI, it is not supported.
More information on this case can be found on the following link:
So you need to use "show mls qos interface statistics".
Hope this helps.
For 3560 it is same.
In terms of config I think it is fine. I can't elaborate on the police statement because I don't know what you want to reach with it. For now you are remarking the traffic exceeding your average rate and burst to a different DSCP as per your policed-DSCP map (which should be configured) and sending it through. But the counters should be increasing if there is traffic on the ports matching the ACLs.
BTW, you can add the log keyword to the ACLs for test purposes to see if traffic is hitting them, then double check QoS policing with the show mls command I gave above.
I tried logging ACL hits but it doesn't show a hit count on the ACL. I suspect it is either my version c3560-ipservices-mz.122-35.SE5.bin or a Cat 3560 feature issue.
I did sh mls qos inter gi0/1 stats, and it shows traffic hitting dscp 0-4 (which I believe is the class-default) and dscp 30-34 (which I believe hits my Restrict class).
I cleared the counters and did a show, and I see the counters are increasing, so it looks like I have been using the wrong show command to show the hit rate of my QoS.
But one question: I did not indicate a DSCP value for traffic classification, so how does the switch know what DSCP value to assign to traffic?
The switch has default mappings which it is using, and I guess that maps all DSCP to 0 in case the police action is needed.
Just FYI, policed maps are configured this way:
mls qos map policed-dscp DSCP_To_map_from ... to DSCP_TO_MAP_TO
Hope this helps,
C3560(config-pmap-c)#police 15000000 8000 ?
exceed-action action when rate is exceeded
C3560(config-pmap-c)#police 15000000 8000 exceed-action ?
drop drop packet
policed-dscp-transmit change dscp per policed-dscp map and send it
C3560(config-pmap-c)#$exceed-action policed-dscp-transmit ?
I guess you can configure the policed-dscp map to change the DSCP to a particular value if traffic is over the threshold. Then create that burst and see if those DSCP values occur with the "show mls" command.
There is no other way to check policing without making a burst. Also, using the default policed-dscp map you are mapping to DSCP 0, but you can already get many DSCP 0 packets, so you will not see if new ones are created.
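Putting the two points of this thread together (the policed-dscp map must be configured to a value you can actually see, and verification on a 3560 goes through the mls qos show commands), here is an added example of the complete configuration; it is not the poster's config and not Cisco documentation. Assumed values: DSCP 30-34 as the inbound marks seen on gi0/1 in the thread, and DSCP 8 (CS1) as the mark-down target.

```cisco
! Added example, not the original poster's config. Assumed: DSCP 30/32/34 as the
! inbound marks, DSCP 8 as the mark-down value for traffic that exceeds the rate.

! QoS on the 3560 is disabled by default; without this line the service-policy
! is accepted by the CLI but does nothing.
mls qos

! Weak (this is the default): every policed-dscp entry marks down to DSCP 0, so
! exceeding traffic is indistinguishable from ordinary best-effort packets.
! mls qos map policed-dscp 30 32 34 to 0

! Better: mark exceeding traffic down to a value nothing else on the link uses,
! so its counters are visible and downstream devices can treat it as scavenger.
mls qos map policed-dscp 30 32 34 to 8

class-map match-any Restrict
 match access-group 100

policy-map Restrict_Policy
 class Restrict
  ! 15 Mb/s average, 8000-byte burst; out-of-profile packets are remarked per
  ! the policed-dscp map and forwarded, not dropped.
  police 15000000 8000 exceed-action policed-dscp-transmit

interface GigabitEthernet0/1
 description Link to Remote_Office
 mls qos trust dscp
 service-policy input Restrict_Policy

! Note: a trailing "permit tcp any any" would make the class match all TCP,
! so only the port-specific entries are kept here.
access-list 100 permit tcp any any eq 445
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any any eq ftp

! Verification (show policy-map interface is not supported on this platform):
! show mls qos maps policed-dscp
! show mls qos interface GigabitEthernet0/1 statistics
! The per-DSCP rows show what arrived; the policer's in-profile and
! out-of-profile counters rise only while a burst exceeds 15 Mb/s, and with the
! map above the out-of-profile packets leave the switch marked DSCP 8, not 0.
```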