pruthviraj
Beginner

QoS Packets not matching on 6500 with SUP720-10GE and SUP2T


Hi,

I do not see packets matching in the policy.

Output below:

Switch#sh policy-map interface vlan 2232
 Vlan2232
  Service-policy input: HARDPHONE-VVLAN
    Class-map: VOICETRAFFIC (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name VOICETRAFFIC
    Class-map: VOICESIGNALING (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name VOICESIGNALING
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
        0 packets, 0 bytes
        5 minute rate 0 bps

I also do not find packets matching the ACL:

 

switch#sh access-lists
Extended IP access list VIDEOTRAFFIC
    10 permit udp any any range 16384 32767
Extended IP access list VOICESIGNALING
    10 permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
    20 permit tcp any 10.128.0.0 0.3.255.255 eq 5060
    30 permit udp any 10.128.0.0 0.3.255.255 eq 5060
    40 permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
    50 permit tcp any 172.20.10.0 0.0.1.255 eq 5060
    60 permit udp any 172.20.10.0 0.0.1.255 eq 5060
Extended IP access list VOICETRAFFIC
    10 permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255 range 16384 32767

 

 

I checked the policies; they look correctly applied.

On the SUP-720-10GE, I modified the ACL to 'permit udp any any' but did not find any matching packets. There are plenty of IP phones connected directly to this switch that belong to the voice VLAN. I applied VLAN-based QoS under the voice VLAN and other VLANs too.

I observed a different thing on the SUP 2T. I saw packets matching the ACL statement 'permit udp any any', but when I took this line out, the ACL was not showing packets matching.

 

Output of IP phones connected to the switch:

switch#sh cdp neighbors | in SEP
SEP0008308A5D7B  Gig 13/38         143             H P M  IP Phone  Port 1
SEP0008308A5DE0  Gig 10/1          121             H P M  IP Phone  Port 1
SEP0023049C6348  Gig 3/42          152             H P M  IP Phone  Port 1
SEP0021A02D64D4  Gig 9/28          120             H P M  IP Phone  Port 1
SEP1C6A7AE0588E  Gig 3/9           127             H P M  IP Phone  Port 1
SEP00229059969E  Gig 12/48         166             H P M  IP Phone  Port 1
SEP0008308AF26F  Gig 2/7           161             H P M  IP Phone  Port 1
SEP00235EB7BE0E  Gig 4/2           154             H P M  IP Phone  Port 1
SEP00229059BE5A  Gig 6/37          158             H P M  IP Phone  Port 1
SEP1CAA07115CF3  Gig 12/29         148             H P M  IP Phone  Port 1
SEP00235EB7884F  Gig 9/3           156             H P M  IP Phone  Port 1
SEP0008308B03FB  Gig 2/30          178             H P M  IP Phone  Port 1
SEP006440B42CD3  Gig 3/45          132             H P M  IP Phone  Port 1
SEP0022905991C9  Gig 11/4          145             H P M  IP Phone  Port 1
SEP0008308A5E6C  Gig 6/36          124             H P M  IP Phone  Port 1
SEP006440B427CA  Gig 13/31         170             H P M  IP Phone  Port 1
SEP006440B425FF  Gig 3/19          168             H P M  IP Phone  Port 1
SEP0008308A7AD7  Gig 2/3           159             H P M  IP Phone  Port 1
SEP0008308A3EB2  Gig 10/4          132             H P M  IP Phone  Port 1
SEP002414B45A0E  Gig 10/28         170             H P M  IP Phone  Port 1
SEP04C5A4B19C8B  Gig 2/15          162             H P M  IP Phone  Port 1
SEP006440B43DE6  Gig 9/48          162             H P M  IP Phone  Port 1
SEP006440B42B0D  Gig 9/23          179             H P M  IP Phone  Port 1

 

 

Could anyone please help with how to make sure that packets are hitting the correct ACL and policy on a 6500 with SUP720-10GE and SUP2T?

 

 

Thanks,

Pruthvi

7 REPLIES
shh5455
Participant

Can you post your configuration?


Please note that the 6500 is used as an L2 switch only and the SVIs are used for applying policies only.


------------------------

Configuration below:

-------------------


class-map match-all VOICESIGNALING
  match access-group name VOICESIGNALING
class-map match-all VOICETRAFFIC
  match access-group name VOICETRAFFIC
class-map match-all VIDEOTRAFFIC
  match access-group name VIDEOTRAFFIC


policy-map HARDPHONE-VVLAN
  class VOICETRAFFIC
     police flow mask src-only 128000 8000 conform-action set-dscp-transmit ef exceed-action drop
  class VOICESIGNALING
     police flow mask src-only 32000 8000 conform-action set-dscp-transmit cs3 exceed-action policed-dscp-transmit
  class class-default
     police flow mask src-only 32000 8000 conform-action set-dscp-transmit default exceed-action policed-dscp-transmit
policy-map STUDENT-DVLAN
  class class-default
     police flow mask src-only 25000000 1562500 conform-action set-dscp-transmit default exceed-action policed-dscp-transmit
policy-map STAFF-DVLAN
  class VOICESIGNALING
     police flow mask src-only 32000 8000 conform-action set-dscp-transmit cs3 exceed-action policed-dscp-transmit
  class VOICETRAFFIC
     police flow mask src-only 128000 8000 conform-action set-dscp-transmit ef exceed-action drop
  class VIDEOTRAFFIC
     police flow mask src-only 2000000 150000 conform-action set-dscp-transmit ef exceed-action drop
  class class-default
     police flow mask src-only 50000000 1000000 conform-action set-dscp-transmit ef exceed-action drop


ip access-list extended VOICESIGNALING
 remark Skinny and SIP protocols From Phones to Voice Core Infrastructure
 permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
 permit tcp any 10.128.0.0 0.3.255.255 eq 5060
 permit udp any 10.128.0.0 0.3.255.255 eq 5060
 permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
 permit tcp any 172.20.10.0 0.0.1.255 eq 5060
 permit udp any 172.20.10.0 0.0.1.255 eq 5060
ip access-list extended VOICETRAFFIC
 permit udp any any dscp ef
 permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255
 permit udp any any range 16384 32767 dscp ef
ip access-list extended VOICESIGNALING
 remark Skinny and SIP protocols From Phones to Voice Core Infrastructure 
 permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
 permit tcp any 10.128.0.0 0.3.255.255 eq 5060
 permit udp any 10.128.0.0 0.3.255.255 eq 5060
 permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
 permit tcp any 172.20.10.0 0.0.1.255 eq 5060
 permit udp any 172.20.10.0 0.0.1.255 eq 5060
ip access-list extended VIDEOTRAFFIC
 permit udp any any range 16384 32767 dscp ef


interface Vlan104
 description PolicyOnlyInt
 no ip address
 service-policy input STAFF-DVLAN
!
interface Vlan105
 description PolicyOnlyInt
 no ip address
 service-policy input STAFF-DVLAN
!
interface Vlan573
 description PolicyOnlyInt
 no ip address
 service-policy input PUBLIC-DVLAN
!
interface Vlan604
 description PolicyOnlyInt
 no ip address
 service-policy input PUBLIC-DVLAN
!
interface Vlan654
 description PolicyOnlyInt
 no ip address
 service-policy input STUDENT-DVLAN
!
interface Vlan674
 description PolicyOnlyInt
 no ip address
 service-policy input PUBLIC-DVLAN
!
interface Vlan807
 ip address 172.18.128.5 255.255.255.0
!
interface Vlan860
 description PolicyOnlyInt
 no ip address
 service-policy input PUBLIC-DVLAN
!
interface Vlan2016
 description PolicyOnlyInt
 no ip address
 service-policy input HARDPHONE-VVLAN
!
interface Vlan3124
 description PolicyOnlyInt
 no ip address
 shutdown
 service-policy input HARDPHONE-VVLAN


----------------------------------------

switch#sh access-lists
Extended IP access list VOICESIGNALING
    10 permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
    20 permit tcp any 10.128.0.0 0.3.255.255 eq 5060
    30 permit udp any 10.128.0.0 0.3.255.255 eq 5060
    40 permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
    50 permit tcp any 172.20.10.0 0.0.1.255 eq 5060
    60 permit udp any 172.20.10.0 0.0.1.255 eq 5060
Extended IP access list VOICETRAFFIC
    10 permit udp any any dscp ef <----- not showing any match
    11 permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255 <---- not showing any match
    12 permit udp any any range 16384 32767 dscp ef <---- not showing any match

-----------------------------

If I use "permit udp any any", the ACL shows matches.

switch#sh access-lists
Extended IP access list VOICETRAFFIC
    10 permit udp any any dscp ef
    11 permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255
    12 permit udp any any range 16384 32767 dscp ef
    13 permit udp any any (527055 matches)
______________________________________
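
An offline way to check which entry of the VOICETRAFFIC ACL above a given flow should hit under first-match semantics, as an added example that is not part of the original post and does not model the switch's hardware forwarding. The ACEs are copied from the post; the packets are constructed, and only destination-port and DSCP qualifiers are handled.

```python
import ipaddress

DSCP = {"ef": 46, "cs3": 24, "default": 0}  # IOS DSCP keywords used on this page

def addr_spec(tok):
    """Consume 'any' or 'base wildcard' from the front of a token list."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tok[:2])
    return (base, wild), tok[2:]

def parse_ace(line):
    """Parse '[seq] permit <proto> <src> <dst> [eq p | range lo hi] [dscp name]'."""
    tok = line.split()
    if tok[0].isdigit():  # drop the sequence number shown by 'show access-lists'
        tok = tok[1:]
    ace = {"proto": tok[1], "ports": (0, 65535), "dscp": None, "text": " ".join(tok)}
    ace["src"], tok = addr_spec(tok[2:])
    ace["dst"], tok = addr_spec(tok)
    while tok:  # destination-port and DSCP qualifiers only (assumption)
        if tok[0] == "eq":
            ace["ports"], tok = (int(tok[1]), int(tok[1])), tok[2:]
        elif tok[0] == "range":
            ace["ports"], tok = (int(tok[1]), int(tok[2])), tok[3:]
        elif tok[0] == "dscp":
            ace["dscp"], tok = DSCP[tok[1]], tok[2:]
        else:
            raise ValueError("unsupported keyword: " + tok[0])
    return ace

def ip_ok(spec, ip):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def first_match(aces, proto, src, dst, dport, dscp):
    """Return the text of the first ACE the packet matches, or None if none does."""
    for ace in aces:
        lo, hi = ace["ports"]
        if (ace["proto"] == proto and ip_ok(ace["src"], src) and ip_ok(ace["dst"], dst)
                and lo <= dport <= hi and ace["dscp"] in (None, dscp)):
            return ace["text"]
    return None

# ACEs copied from the VOICETRAFFIC ACL in the post, hit counters removed
VOICETRAFFIC = [parse_ace(l) for l in (
    "10 permit udp any any dscp ef",
    "11 permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255",
    "12 permit udp any any range 16384 32767 dscp ef",
    "13 permit udp any any",
)]
# Constructed packet: unmarked (DSCP 0) UDP between two hosts inside 10.128.0.0/10
print(first_match(VOICETRAFFIC, "udp", "10.130.1.20", "10.140.2.30", 20000, 0))
```

Comparing the expected entry for a known flow with the counters in `show access-lists` shows whether the traffic is being evaluated against the ACL at all or is simply failing a qualifier such as `dscp ef`.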

 

You say you are only using it as an L2 switch, but you have multiple SVIs.  Do you route between them?  If so, you are doing L3 switching.  These policies only come into play when you cross the SVI (L3 switching).  Otherwise just the L2 QOS on the port will be used.  

 

Also, I don't see VLAN 2232.  Can you post the port configuration for the port you're testing?

Hi,

We are using SVI as an interface to apply QoS policy only. Not using it for L-3 or routing.  You may see there is no IP address on SVIs and the QoS policy is applied on SVI. 

 

interface Vlan2016
 description PolicyOnlyInt
 no ip address
 service-policy input HARDPHONE-VVLAN

 

interface Vlan2232
 description PolicyOnlyInt
 no ip address
 service-policy input HARDPHONE-VVLAN

 

Port config:

interface GigabitEthernet1/4
 switchport
 switchport access vlan 159
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 2232
 switchport port-security
 switchport port-security maximum 10
 switchport port-security aging time 5
 switchport port-security violation restrict
 wrr-queue bandwidth percent 5 25 70
 priority-queue queue-limit 25
 wrr-queue queue-limit 5 25 40
 wrr-queue threshold 1 100 100 100 100 100 100 100 100
 wrr-queue threshold 2 100 100 100 100 100 100 100 100
 wrr-queue random-detect min-threshold 1 80 100 100 100 100 100 100 100
 wrr-queue random-detect min-threshold 2 100 100 100 100 100 100 100 100
 wrr-queue random-detect min-threshold 3 60 70 80 90 100 100 100 100
 wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
 wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
 wrr-queue random-detect max-threshold 3 70 80 90 100 100 100 100 100
 wrr-queue cos-map 1 1 1
 wrr-queue cos-map 2 1 0
 wrr-queue cos-map 3 2 2
 wrr-queue cos-map 3 3 3
 wrr-queue cos-map 3 4 6
 wrr-queue cos-map 3 5 7
 priority-queue cos-map 1 4 5
 mls qos vlan-based
end

 

Ok, if you are not talking between subnets then you are not using the SVIs.  There is no reason for the switch to send the traffic to an SVI as it will know (based on subnet mask) that the destination is on its subnet.  The MAC address for the destination will be known in the CAM table on the switch.  Therefore only the L2 QOS on the ports will be used.

In that case you will not see anything in "show policy-map..."

Hi,

 

Thanks for your answer. 

We are using VLAN based QoS. As per my knowledge, to apply VLAN based QoS, policy must be applied on SVI. 

 

What about the traffic going out of the SVI, i.e. the signalling traffic to Call Manager? We also have phone calls between VLANs and also between two different L-3 zones. Will all such traffic be seen in show policy-map?

 

 

Thanks,

Pruthvi

 

Any traffic that uses the SVI to L3 route will use your L3 QOS.  What you are saying about routing vs. a non-routing network is inconsistent, so I'm not sure how to answer.  If the traffic uses the SVI then you should be able to see the statistics change on the policy map.