
QoS fails to police traffic - Help needed urgently

bernardkwok73
Level 1

Hi All,

I have a QoS policy in place to trust DSCP, using a class map with an ACL to classify traffic, applied on a Cisco Catalyst interface using a service policy. I apply police on my traffic policy. I did a check and found QoS wasn't applied on any of my traffic classified using the class map with the ACL.

Can someone help on this?

Below is my config:

mls qos
!
class-map match-any Restrict
  match access-group 100
!
policy-map Restrict_Policy
  class Restrict
    police 15000000 8000 exceed-action policed-dscp-transmit
    trust dscp
  class class-default
    trust dscp
interface GigabitEthernet0/1
 description Link to Remote_Office
 bandwidth 50000
 service-policy input Restrict_Policy
!
interface GigabitEthernet0/2 - 28
 service-policy input Restrict_Policy
access-list 100 permit tcp any host 172.18.204.130 eq 445
access-list 100 permit tcp any host 172.18.204.126 eq 445
access-list 100 permit tcp any any eq 445
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any

When I do a show policy-map inter gi0/1, I don't see any traffic ( 0 byte )

I need to fix this issue because we implement QoS to curb users from sending large files and clogging up the bandwidth.

Thanks.


nkarpysh
Cisco Employee

Hi Bernard,

If you do "show policy-map int" command on 3750 or similar platform - then you indeed will get 0 counters as this command is not supported there (even if possible to run it).

In the 3750 switch, 'show policy-map interface' privileged EXEC command is not supported to display classification information for traffic. The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored. Although this command is allowed on the CLI, it is not supported.

More information on this case can be found on the following link:

https://supportforums.cisco.com/docs/DOC-3949

So you need to use show mls qos interface statistics

Hope this helps.

Nik

HTH,
Niko

You mean there's nothing wrong in my config?

I am using cat 3560 and not cat 3750.

For 3560 it is same.

In terms of config I think it is fine. I can't elaborate on the police statement because I don't know what you want to reach with it. For now you are remarking the traffic exceeding your average rate and burst to a different DSCP as per your policed-DSCP map (should be configured) and sending it through. But the counters should be increasing if there is traffic on the ports matching the ACLs.

BTW you can add the log keyword to the ACLs for test purposes to see if traffic is hitting it - then double check QoS policing with the show mls command I gave above.

Nik

HTH,
Niko
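
The police statement discussed above, as an added example that is not part of the original thread: a simplified single-rate token-bucket model in Python of `police 15000000 8000 exceed-action policed-dscp-transmit`, showing which packets keep their DSCP and which are marked down. The DSCP values (26 marked down to 8), the 1500-byte packet size and all function names are assumptions, and the switch's hardware policer may differ in detail.

```python
# Added example: simplified model, not the switch's actual implementation.
RATE_BPS = 15_000_000   # average rate from the thread's police statement (bits/s)
BURST_BYTES = 8000      # burst size from the thread's police statement (bytes)

# Constructed policed-DSCP map entry (assumption): mark 26 down to 8 so that
# exceeding packets are easy to tell apart in per-DSCP counters.
POLICED_DSCP_MAP = {26: 8}


def police(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES,
           dscp_map=POLICED_DSCP_MAP):
    """packets: list of (time_s, size_bytes, dscp). Returns output DSCP per packet."""
    tokens = float(burst_bytes)          # bucket starts full
    last = None
    out = []
    for t, size, dscp in packets:
        if last is not None:             # refill for elapsed time, capped at burst
            tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:               # conforming: transmit unchanged
            tokens -= size
            out.append(dscp)
        else:                            # exceeding: policed-dscp-transmit
            out.append(dscp_map[dscp])
    return out


def dscp_counters(dscps):
    """Per-DSCP packet counts, the kind of view used to verify the policer."""
    counts = {}
    for d in dscps:
        counts[d] = counts.get(d, 0) + 1
    return counts


def constant_stream(mbps, seconds, size=1500, dscp=26):
    """Constructed sample traffic: fixed-size packets at a constant bit rate."""
    n = (seconds * mbps * 1_000_000) // (size * 8)
    return [(i * size * 8 / (mbps * 1e6), size, dscp) for i in range(n)]


if __name__ == "__main__":
    for mbps in (10, 30):
        print(mbps, "Mbps ->", dscp_counters(police(constant_stream(mbps, 1))))
```

Below the policed rate every packet keeps DSCP 26; at twice the rate roughly half the packets show up under the mark-down value, which is why a distinctive mark-down DSCP makes the burst test readable in the counters.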

I try logging ACL hits but it doesn't show hit count on acl. Suspect it is either my version c3560-ipservices-mz.122-35.SE5.bin or cat 3560 feature issue.

I did sh mls qos inter gi0/1 stats, it shows traffic hitting dscp 0-4 (which I believe is the class-default) and dscp 30-34 (which I believe hits my Restrict class)

I cleared the counters and did a show, and I see the counters are increasing. Looks like I have been using the wrong show command to show the hit rate of my QoS.

But one question: I did not indicate a dscp value for traffic classification, so how does the switch know what dscp value to assign traffic to?

Hello,

The switch has default mappings which it is using and I guess that is map all DSCP to 0 in case of police action needed.

Just FYI policed maps are configured this way:

mls qos map policed-dscp DSCP_To_map_from to DSCP_TO_MAP_TO

Hope this helps,

Nik

HTH,
Niko

C3560(config-pmap-c)#police 15000000 8000 ?
  exceed-action  action when rate is exceeded
 

C3560(config-pmap-c)#police 15000000 8000 exceed-action ?
  drop                   drop packet
  policed-dscp-transmit  change dscp per policed-dscp map and send it

C3560(config-pmap-c)#$exceed-action policed-dscp-transmit ?
 

C3560(config-pmap-c)#$exceed-action policed-dscp-transmit

Hi Bernard,

Did not get your last update. Any question you have on it?

Nik

HTH,
Niko

No question

How do I verify if my QoS is running fine?

I guess you can configure policed-dscp map and change the DSCP to particular value if traffic over threshold. Then create that burst and see if those DSCP values occur with "show mls " command.

There is no other way to check policing without making a burst. Also using a default police-dscp map you are mapping to DSCP 0 - but you can already get many dscp 0 packets so you will not see if new created.

Nik

HTH,
Niko