12-23-2010 12:55 AM
Hi,
I have two Cisco 871 routers and I set up a VPN between them. In particular, one router acts as a SERVER and the other one as a CLIENT. All the traffic coming from the hosts (192.168.16.0) connected to the CLIENT-router is sent over the VPN (no split tunnel). Everything works perfectly.
Now, if it is possible, I would like to apply a QoS policy to the virtual template interface.
In particular I’ve tried to apply the policy to the udp traffic from any hosts to 192.168.14.3 and 192.168.14.4 (which are two hosts of the SERVER-router internal LAN).
I have configured the policy map and applied it to the virtual template interface (as you can see from the configuration posted below). But the show policy-map interface command doesn’t give any policy map detail, even though the policy seems to be applied to the virtual-Access.
Moreover, I performed some tests with iperf and the configured QoS policy seems to not exist.
Can a QoS policy be applied to the virtual template interface?
Could anybody tell me if the QoS configuration is correct?
Why doesn't the QoS policy work?
Thank you for your help.
CONFIGURATIONS:
CLIENT-CONFIG
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname tshegress2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$8IgF$LXbX1yhiqYNdd81XEi9d61
!
no aaa new-model
!
!
crypto pki trustpoint TP-self-signed-3934571194
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3934571194
revocation-check none
rsakeypair TP-self-signed-3934571194
!
!
crypto pki certificate chain TP-self-signed-3934571194
certificate self-signed 01 nvram:IOS-Self-Sig#1D.cer
dot11 syslog
!
dot11 ssid tshegress2
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 15021903122B79343A3C23234117040C17570B
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool internal
import all
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 192.168.16.1
!
!
!
!
!
username admin privilege 15 secret 5 $1$CbCF$zz3EfqLRbXeZ44CLlXtBT/
username guest privilege 0 secret 5 $1$b7fL$r9d1mBAv0V7SBmqmc03.i/
!
!
!
!
!
!
crypto ipsec client ezvpn CLIENT
connect auto
group PREMIUM key XXXX
mode client
peer 150.217.8.21
virtual-interface 1
username tshegress2client password XXXXXXX
xauth userid mode local
!
!
archive
log config
hidekeys
!
!
!
class-map match-all EF
match access-group 188
class-map match-all AF22
match access-group 189
!
!
policy-map QOS
class EF
bandwidth 800
class AF22
bandwidth 100
shape average 150000
!
!
bridge irb
!
!
interface Loopback0
ip address 192.168.161.1 255.255.255.255
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface FastEthernet4
ip address dhcp
duplex auto
speed auto
crypto ipsec client ezvpn CLIENT
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
service-policy output QOS
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid tshegress2
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan2
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.16.1 255.255.255.0
crypto ipsec client ezvpn CLIENT inside
!
router rip
version 2
network 192.168.16.0
network 192.168.160.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
!
access-list 23 permit 192.168.16.0 0.0.0.255
access-list 188 permit udp any host 192.168.14.3
access-list 189 permit udp any host 192.168.14.4
no cdp run
!
!
!
control-plane
!
bridge 1 route ip
!
line con 0
exec-timeout 120 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
privilege level 0
login
transport input telnet ssh
!
scheduler max-task-time 5000
end
SERVER-CONFIG
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname tshingress
!
boot-start-marker
boot-end-marker
!
no logging on
enable secret 5 $1$enp6$nEmOr1OMMKM6ykK6OhmTc1
!
aaa new-model
!
!
aaa authentication login local_list local
aaa authorization network local_list local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-4082951837
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4082951837
revocation-check none
rsakeypair TP-self-signed-4082951837
!
!
crypto pki certificate chain TP-self-signed-4082951837
certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.14.1
!
ip dhcp pool internal
import all
network 192.168.14.0 255.255.255.0
default-router 192.168.14.1
dns-server 192.168.14.1
!
!
ip domain name yourdomain.com
vlan ifdescr detail
!
!
!
username admin privilege 15 secret 5 $1$YGs9$LklOxr3Y9XEYm1Q9YAJHe0
username guest privilege 0 secret 5 $1$9doz$PJmFTc/xjUAF34spKVDeU.
username tshegress1client password 0 clientegress1
username tshegress2client password 0 clientegress2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group BASIC
key XXXXXX
pool BASICpool
save-password
!
crypto isakmp client configuration group PREMIUM
key XXXXXXXXXXXXX
pool PREMIUMpool
save-password
crypto isakmp profile vpn-BASIC
match identity group BASIC
client authentication list local_list
isakmp authorization list local_list
client configuration address respond
no keepalive
qos-group 2
virtual-template 1
crypto isakmp profile vpn-PREMIUM
match identity group PREMIUM
client authentication list local_list
isakmp authorization list local_list
client configuration address respond
no keepalive
qos-group 1
virtual-template 1
!
!
crypto ipsec transform-set VTI-VPN esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-profile
set security-association lifetime kilobytes 536870912
set security-association lifetime seconds 86400
set transform-set VTI-VPN
!
!
archive
log config
hidekeys
!
!
!
!
interface Loopback0
ip address 192.168.141.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 150.217.8.21 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
ip virtual-reassembly
ip policy route-map VPN
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-profile
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.14.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
router rip
version 2
network 150.217.0.0
network 192.168.14.0
network 192.168.150.0
network 192.168.160.0
!
ip local pool BASICpool 192.168.150.10 192.168.150.40
ip local pool PREMIUMpool 192.168.160.10 192.168.160.40
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 150.217.8.1
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 102 interface FastEthernet4 overload
!
access-list 101 deny ip 192.168.150.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 101 permit ip 192.168.150.0 0.0.0.255 any
access-list 101 deny ip 192.168.160.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 101 permit ip 192.18.160.0 0.0.0.155 any
access-list 101 permit ip 192.168.160.0 0.0.0.255 any
access-list 102 deny ip 192.168.14.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 102 deny ip 192.168.150.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 102 permit ip 192.168.14.0 0.0.0.255 any
access-list 102 permit ip 192.168.150.0 0.0.0.255 any
access-list 102 deny ip 192.168.14.0 0.0.0.255 192.168.160.0 0.0.0.255
access-list 102 deny ip 192.168.160.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 102 permit ip 192.168.160.0 0.0.0.255 any
access-list 103 permit ip any 192.168.150.0 0.0.0.255
access-list 103 permit ip any 192.168.160.0 0.0.0.255
no cdp run
!
!
route-map VPN permit 10
match ip address 101
set interface Loopback0
!
route-map VPN permit 20
match ip address 103
set interface Loopback0
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
line aux 0
line vty 0 4
privilege level 0
logging synchronous
transport input telnet ssh
!
scheduler max-task-time 5000
end
12-23-2010 01:56 AM
Hi,
QoS can indeed be applied to a virtual template interface; however, I can see that some of your QoS configuration needs to be corrected.
1- You need to classify and mark your LAN traffic at the ingress; you need to apply a policy map at the ingress with classification and marking.
2- The last step is to apply your QoS policy at the egress, which is your virtual template interface.
* You are not classifying your traffic here. Let me know if this answered your question.
Regards,
Mohamed
12-26-2010 11:30 AM
Hi Mohamed,
just a few questions to better understand your comments.
I am sorry for missing some important details about the performed iperf tests.
In particular I’ve just classified the udp traffic at the egress from anyone to the hosts 192.168.14.3 and 192.168.14.4.
In order to test these configurations, the following steps were performed:
Since the available bandwidth from the egress node and the ingress node was limited to 1Mbit/s,
I expected that the traffic directed to 192.168.14.4 would be shaped, but it did not happen.
In these tests I only verified the unidirectional link from the egress to the ingress, so can the missed classification at the ingress be responsible for the unexpected results?
Is the egress configuration OK?
Thank you for your help.
12-26-2010 11:42 PM
Hi,
You should classify and mark as close to the source as possible, and surely incorrect classification/marking can result in inaccurate QoS results.
You shouldn't classify at the Virtual-template interface; you should classify here at the BVI interface, i.e.:
class-map match-any EF
match access-group 100
class-map match-any AF22
match access-group 101
access-list 100 permit udp any host 192.168.14.3
access-list 101 permit udp any host 192.168.14.4
policy-map udp
class EF
set ip dscp ef
class AF22
set ip dscp af22
Interface BVI
ip address x.x.x.x y.y.y.y.y
service-policy input udp
-------------------------------------------------------------------------------
Now, you need to match what you have marked and apply your QoS policy to the virtual interface, i.e.:
class-map match-any ef
match ip dscp ef
class-map match-any AF22
match ip dscp af22
policy-map QoS
class ef
bandwidth 800
class AF22
bandwidth 100
shape average 150000
*Apply your QoS Policy here:
Interface virtual-template 1
service-policy output QoS
Now, run your test again, and let us know about the result.
Regards,
Mohamed
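An added example, not part of any post in this thread: a small Python check that the class-map, access-list, policy-map and service-policy names in an IOS MQC configuration actually refer to each other. IOS treats these names as case-sensitive, so a `class af22` under a policy-map does not pick up `class-map AF22`. The function names `parse` and `lint` and the sample config are constructed for illustration; only numbered ACLs in `match access-group` are handled.

```python
import re

# Constructed sample (not a config from the thread): three deliberate reference errors.
SAMPLE = """\
class-map match-any EF
 match access-group 188
class-map match-any AF22
 match access-group 189
!
policy-map QOS
 class EF
  bandwidth 800
 class af22
  bandwidth 100
  shape average 150000
!
interface Virtual-Template1 type tunnel
 service-policy output QOS
interface BVI1
 service-policy input udp
!
access-list 188 permit udp any host 192.168.14.3
"""

def parse(config):
    """Collect QoS definitions and references; works on indented or flat config text."""
    m = {"class_maps": set(), "acls": set(), "policies": {},
         "acl_refs": [], "attached": []}
    ctx = (None, None)  # (section kind, section name) currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            ctx = (None, None)
        elif (h := re.match(r"class-map(?: match-(?:any|all))? (\S+)$", line)):
            ctx = ("cmap", h[1]); m["class_maps"].add(h[1])
        elif (h := re.match(r"policy-map (\S+)$", line)):
            ctx = ("pmap", h[1]); m["policies"].setdefault(h[1], [])
        elif (h := re.match(r"interface (\S+)", line, re.I)):
            ctx = ("intf", h[1])
        elif (h := re.match(r"access-list (\d+) ", line)):
            ctx = (None, None); m["acls"].add(h[1])
        elif ctx[0] == "cmap" and (h := re.match(r"match access-group (\d+)$", line)):
            m["acl_refs"].append((ctx[1], h[1]))
        elif ctx[0] == "pmap" and (h := re.match(r"class (\S+)$", line)):
            m["policies"][ctx[1]].append(h[1])
        elif ctx[0] == "intf" and (h := re.match(r"service-policy (input|output) (\S+)$", line)):
            m["attached"].append((ctx[1], h[1], h[2]))
    return m

def lint(config):
    """Return one finding per dangling QoS reference (exact, case-sensitive match)."""
    m, out = parse(config), []
    by_lower = {c.lower(): c for c in m["class_maps"]}
    for pol, classes in m["policies"].items():
        for c in classes:
            if c == "class-default" or c in m["class_maps"]:
                continue
            near = by_lower.get(c.lower())
            hint = f" (class-map {near} differs only in case)" if near else ""
            out.append(f"policy-map {pol}: class {c} is not defined{hint}")
    for cmap, acl in m["acl_refs"]:
        if acl not in m["acls"]:
            out.append(f"class-map {cmap}: access-list {acl} is not defined")
    for intf, direction, pol in m["attached"]:
        if pol not in m["policies"]:
            out.append(f"interface {intf}: service-policy {direction} {pol} names no policy-map")
    return out

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no dangling QoS references")
```

Run it against a saved `show running-config` before re-testing with iperf; an empty result only means the references resolve, not that the policy is attached where the traffic actually flows.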
01-03-2011 08:40 AM
Hi,
Thank you for the explanation.
I still have some problems.
I can set only ip precedence; I cannot set ip dscp (no command available). So I modified the configurations as you suggested. The only difference is represented by the ip precedence setting instead of the dscp setting.
The new configurations are:
SERVER-CONFIG (ingress)
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname tshingress
!
boot-start-marker
boot-end-marker
!
no logging on
enable secret 5 $1$enp6$nEmOr1OMMKM6ykK6OhmTc1
!
aaa new-model
!
!
aaa authentication login local_list local
aaa authorization network local_list local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-4082951837
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4082951837
revocation-check none
rsakeypair TP-self-signed-4082951837
!
!
crypto pki certificate chain TP-self-signed-4082951837
certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.14.1
!
ip dhcp pool internal
import all
network 192.168.14.0 255.255.255.0
default-router 192.168.14.1
dns-server 192.168.14.1
!
!
ip domain name yourdomain.com
vlan ifdescr detail
!
!
!
username admin privilege 15 secret 5 $1$YGs9$LklOxr3Y9XEYm1Q9YAJHe0
username guest privilege 0 secret 5 $1$9doz$PJmFTc/xjUAF34spKVDeU.
username tshegress1client password 0 XXXXXXXXXX
username tshegress2client password 0 XXXXXXXXXXX
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group BASIC
key XXXXXXXXXXXXXX
pool BASICpool
save-password
!
crypto isakmp client configuration group PREMIUM
key XXXXXXXXXXXXXXXXXXXX
pool PREMIUMpool
save-password
crypto isakmp profile vpn-BASIC
match identity group BASIC
client authentication list local_list
isakmp authorization list local_list
client configuration address respond
no keepalive
qos-group 2
virtual-template 1
crypto isakmp profile vpn-PREMIUM
match identity group PREMIUM
client authentication list local_list
isakmp authorization list local_list
client configuration address respond
no keepalive
qos-group 1
virtual-template 1
!
!
crypto ipsec transform-set VTI-VPN esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-profile
set security-association lifetime kilobytes 536870912
set security-association lifetime seconds 86400
set transform-set VTI-VPN
!
!
archive
log config
hidekeys
!
!
!
class-map match-any EF
match ip precedence 5
match access-group 148
class-map match-any AF22
match ip precedence 0
match access-group 149
!
!
policy-map QOS
class EF
bandwidth 800
class AF22
bandwidth 100
shape average 150000
policy-map udp
class EF
set ip precedence 5
class AF22
set ip precedence 0
!
!
!
!
interface Loopback0
ip address 192.168.141.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 150.217.8.21 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
ip virtual-reassembly
ip policy route-map VPN
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-profile
service-policy output QOS
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.14.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
service-policy input udp
!
router rip
version 2
network 150.217.0.0
network 192.168.14.0
network 192.168.150.0
network 192.168.160.0
!
ip local pool BASICpool 192.168.150.10 192.168.150.40
ip local pool PREMIUMpool 192.168.160.10 192.168.160.40
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 150.217.8.1
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 102 interface FastEthernet4 overload
!
access-list 101 deny ip 192.168.150.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 101 permit ip 192.168.150.0 0.0.0.255 any
access-list 101 deny ip 192.168.160.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 101 permit ip 192.18.160.0 0.0.0.155 any
access-list 101 permit ip 192.168.160.0 0.0.0.255 any
access-list 102 deny ip 192.168.14.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 102 deny ip 192.168.150.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 102 permit ip 192.168.14.0 0.0.0.255 any
access-list 102 permit ip 192.168.150.0 0.0.0.255 any
access-list 102 deny ip 192.168.14.0 0.0.0.255 192.168.160.0 0.0.0.255
access-list 102 deny ip 192.168.160.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 102 permit ip 192.168.160.0 0.0.0.255 any
access-list 103 permit ip any 192.168.150.0 0.0.0.255
access-list 103 permit ip any 192.168.160.0 0.0.0.255
access-list 148 permit udp any 192.168.16.0 0.0.0.255
access-list 149 permit udp any 192.168.15.0 0.0.0.255
no cdp run
!
!
route-map VPN permit 10
match ip address 101
set interface Loopback0
!
route-map VPN permit 20
match ip address 103
set interface Loopback0
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
line aux 0
line vty 0 4
privilege level 0
logging synchronous
transport input telnet ssh
!
scheduler max-task-time 5000
end
CLIENT-CONFIG (egress)
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname tshegress2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$8IgF$LXbX1yhiqYNdd81XEi9d61
!
no aaa new-model
!
resource policy
policy QOS global
system
!
!
!
!
crypto pki trustpoint TP-self-signed-3934571194
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3934571194
revocation-check none
rsakeypair TP-self-signed-3934571194
!
!
crypto pki certificate chain TP-self-signed-3934571194
certificate self-signed 01 nvram:IOS-Self-Sig#20.cer
dot11 syslog
!
dot11 ssid tshegress2
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 15021903122B79343A3C23234117040C17570B
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool internal
import all
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 192.168.16.1
!
!
!
!
!
username admin privilege 15 secret 5 $1$CbCF$zz3EfqLRbXeZ44CLlXtBT/
username guest privilege 0 secret 5 $1$b7fL$r9d1mBAv0V7SBmqmc03.i/
!
!
!
!
!
!
crypto ipsec client ezvpn CLIENT
connect auto
group PREMIUM key XXXXXXXXXXXXX
mode client
peer 150.217.8.21
virtual-interface 1
username tshegress2client password XXXXXXXXXXXXXXXX
xauth userid mode local
!
!
archive
log config
hidekeys
!
!
!
class-map match-any EF
match access-group 188
match ip precedence 5
class-map match-any AF22
match access-group 189
match ip precedence 0
!
!
policy-map QOS
class EF
bandwidth 800
class AF22
bandwidth 100
shape average 150000
policy-map udp
class EF
set ip precedence 5
class AF22
set ip precedence 0
!
!
bridge irb
!
!
interface Loopback0
ip address 192.168.161.1 255.255.255.255
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface FastEthernet4
ip address dhcp
duplex auto
speed auto
crypto ipsec client ezvpn CLIENT
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
traffic-shape rate 1000000 25000 25000 1000
service-policy output QOS
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid tshegress2
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan2
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.16.1 255.255.255.0
crypto ipsec client ezvpn CLIENT inside
service-policy input udp
!
router rip
version 2
network 192.168.16.0
network 192.168.160.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
!
access-list 23 permit 192.168.16.0 0.0.0.255
access-list 188 permit udp any host 192.168.14.3
access-list 189 permit udp any host 192.168.14.4
no cdp run
!
!
!
control-plane
!
bridge 1 route ip
!
line con 0
exec-timeout 120 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
privilege level 0
login
transport input telnet ssh
!
scheduler max-task-time 5000
end
____________________________________________
In the following, I collected some troubleshooting command outputs (egress node):
tshegress2#show policy-map
Policy Map QOS
Class EF
Bandwidth 800 (kbps) Max Threshold 64 (packets)
Class AF22
Bandwidth 100 (kbps) Max Threshold 64 (packets)
Traffic Shaping
Average Rate Traffic Shaping
CIR 150000 (bps) Max. Buffers Limit 1000 (Packets)
Policy Map udp
Class EF
set ip precedence 5
Class AF22
set ip precedence 0
tshegress2#show policy-map interface
BVI1
Service-policy input: udp
Class-map: EF (match-any)
28724 packets, 22205130 bytes
5 minute offered rate 41000 bps, drop rate 0 bps
Match: access-group 188
28724 packets, 22205130 bytes
5 minute rate 41000 bps
Match: ip precedence 5
0 packets, 0 bytes
5 minute rate 0 bps
QoS Set
precedence 5
Packets marked 28724
Class-map: AF22 (match-any)
38760 packets, 29963020 bytes
5 minute offered rate 227000 bps, drop rate 0 bps
Match: access-group 189
38759 packets, 29962924 bytes
5 minute rate 227000 bps
Match: ip precedence 0
1 packets, 96 bytes
5 minute rate 0 bps
QoS Set
precedence 0
Packets marked 38760
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Virtual-Template1
Service-policy output: QOS
Service policy content is displayed for cloned interfaces only such as vaccss and sessions
What does the text highlighted in blue mean? No policy content is displayed by show policy-map interface virtual-access 2 command.
Then I performed the iperf tests (see description in my previous post).
As you can see in the following, the available bandwidth from the egress node to the ingress node was limited to 1Mbit/s.
tshegress2#show traffic-shape virtual-template 1
Interface Vt1
Access Target Byte Sustain Excess Interval Increment Adapt
VC List Rate Limit bits/int bits/int (ms) (bytes) Active
- 1000000 6250 25000 25000 25 3125 -
tshegress2#show traffic-shape virtual-access 2
Interface Vi2
Access Target Byte Sustain Excess Interval Increment Adapt
VC List Rate Limit bits/int bits/int (ms) (bytes) Active
- 1000000 6250 25000 25000 25 3125 -
__________________________________________________________________
These are the test-results:
iperf -c 192.168.14.3 -u -b500k -t90 -i5
[ 3] Server Report:
[ 3] 0.0-90.0 sec 642 KBytes 58.4 Kbits/sec 0.079 ms 3381/ 3828 (88%)
iperf -c 192.168.14.4 -u -b550k -t90 -i5
[ 3] Server Report:
[ 3] 0.0-91.0 sec 584 KBytes 52.6 Kbits/sec 33.602 ms 4033/ 4440 (91%)
The performance degrades as the bandwidth limit is exceeded. According to the QoS policy, the expected results should be different. Are the new configurations correct? Did I miss something?
Thank you for helping me.