QoS Woes
cisco_trooper
Member Posts: 1,441 ■■■■□□□□□□
in CCNP
OK. I have a VLAN that I have created for guests of the company and for certain limited users. I am trying to police their traffic in both directions, but am finding that their upload speeds do not seem to be limited at all. Here is the relevant config, with IP addresses changed:
class-map match-any ISOLATED_OUT
 match access-group name ISOLATED_QOS_OUT
class-map match-any ISOLATED_IN
 match access-group name ISOLATED_QOS_IN

policy-map ISOLATED_POLICING_IN
 class ISOLATED_IN
  police cir 512000 bc 16000 pir 1024000 be 32000 conform-action transmit exceed-action drop violate-action drop
policy-map ISOLATED_POLICING_OUT
 class ISOLATED_OUT
  police cir 512000 bc 16000 pir 1024000 be 32000 conform-action transmit exceed-action drop violate-action drop

interface Vlan60
 description VLAN 60 - ISOLATED
 ip address 192.168.100.254 255.255.255.0
 ip access-group ISOLATED_VLAN_IN in
 ip access-group ISOLATED_VLAN_OUT out
 ip helper-address 192.168.0.1
 ip helper-address 192.168.0.2
 service-policy input ISOLATED_POLICING_IN
 service-policy output ISOLATED_POLICING_OUT

ip access-list extended ISOLATED_QOS_IN
 permit ip 192.168.100.0 0.0.0.255 any
 deny ip any any
ip access-list extended ISOLATED_QOS_OUT
 permit ip any 192.168.100.0 0.0.0.255
 deny ip any any
What am I missing to limit VLAN 60 users' upload speeds? Download speeds are being limited just fine.
Comments
-
mikej412
Member Posts: 10,086 ■■■■■■■■■■
cisco_trooper wrote: » What am I missing
You need the priority command to impose a maximum rate limit that is active even when there is NO congestion.
With your configuration, no congestion means no qos is needed.
:mike: Cisco Certifications -- Collect the Entire Set!
-
kalebksp
Member Posts: 1,033 ■■■■■□□□□□
You need the priority command to impose a maximum rate limit that is active even when there is NO congestion.
With your configuration, no congestion means no qos is needed.
Would you be able to elaborate or point me towards some documentation? Are you saying he needs to implement a priority queue? I've never heard that policing only takes effect when congestion occurs.
-
tmlerdal
Member Posts: 80 ■■□□□□□□□□
I agree.. I've got a similar sort of setup using policing, and it doesn't kick in when the link is congested.
As for the original problem, try playing with the ACL. It looks right, but something in my gut is saying that is where to be looking.
-
cisco_trooper
Member Posts: 1,441 ■■■■□□□□□□
This is a 6513....s72033-ipservicesk9_wan-vz.122-18.SXF7.bin
-
PStefanov
Member Posts: 79 ■■□□□□□□□□
I can only guess because I don't know what platform you're using and need the rest of the config, but I think in your case only routed traffic is affected by the policies so you might not be testing the upload and download speed in the same way. Could you please post the full config?
Edit: just saw the platform, sorry.
-
mikej412
Member Posts: 10,086 ■■■■■■■■■■
Comparing the bandwidth and priority Commands of a QoS Service Policy [QoS Packet Marking] - Cisco Systems
Using police Command to Set a Maximum
If a bandwidth or priority class should not exceed its allocated bandwidth during periods of no congestion, you can combine the priority command with the police command. This configuration imposes a maximum rate that is always active on the class. Choosing to configure a police statement in this configuration depends on the policy's objective.
:mike: Cisco Certifications -- Collect the Entire Set!
-
kalebksp
Member Posts: 1,033 ■■■■■□□□□□
That says the policing is necessary to ensure that the bandwidth and priority commands can't use more than their specified bandwidth when there is no congestion. It doesn't say that the priority command is necessary for policing to work when there is no congestion.
-
mikej412
Member Posts: 10,086 ■■■■■■■■■■
cisco_trooper wrote: » This is a 6513....s72033-ipservicesk9_wan-vz.122-18.SXF7.bin
:mike: Cisco Certifications -- Collect the Entire Set!
-
PStefanov
Member Posts: 79 ■■□□□□□□□□
From QoS Policing on Catalyst 6500/6000 Series Switches - Cisco Systems
By default, microflow policers affect only routed traffic. To enable microflow policing of bridged traffic on specified VLANs, perform this task:
Step 1  Command: Router(config)# interface {{vlan vlan_ID} | {type1 slot/port}}
        Purpose: Selects the interface to configure.
Step 2  Command: Router(config-if)# mls qos bridged
        Purpose: Enables microflow policing of bridged traffic, including bridge groups, on the VLAN.
Step 3  Command: Router(config-if)# end
        Purpose: Exits configuration mode.
Step 4  Command: Router# show mls qos
        Purpose: Verifies the configuration.
-
cisco_trooper
Member Posts: 1,441 ■■■■□□□□□□
Um... could you be more specific about the hardware? There are pages and pages of exceptions and restrictions -- depending on your hardware.
Sorry....Sup720...PFC3...MSFC3
We have the following types of blades:
WS-X6148A-GE-TX
WS-X6148-GE-TX
WS-X6148A-GE-45AF
WS-X6704-10GE
Not sure what else I can provide..
-
networker050184
Mod Posts: 11,962 Mod
You need the priority command to impose a maximum rate limit that is active even when there is NO congestion.
With your configuration, no congestion means no qos is needed.
I agree here. We use this in our environment for this particular reason.
An expert is a man who has made all the mistakes which can be made.
-
kalebksp
Member Posts: 1,033 ■■■■■□□□□□
Sorry for going off topic, but could you explain that to me? My understanding of a priority queue is that during congestion no other packets will be sent while there are packets in the priority queues. Policing ensures that the send rate or receive rate does not go above a specified value. Why would you be limited to only having policing on the priority queue?
-
tim100
Member Posts: 162
cisco_trooper wrote: » OK. I have a VLAN that I have created for guests of the company and for certain limited users. I am trying to police their traffic in both directions, but am finding that their upload speeds do not seem to be limited at all. Here is the relevant config, with IP addresses changed:

class-map match-any ISOLATED_OUT
 match access-group name ISOLATED_QOS_OUT
class-map match-any ISOLATED_IN
 match access-group name ISOLATED_QOS_IN

policy-map ISOLATED_POLICING_IN
 class ISOLATED_IN
  police cir 512000 bc 16000 pir 1024000 be 32000 conform-action transmit exceed-action drop violate-action drop
policy-map ISOLATED_POLICING_OUT
 class ISOLATED_OUT
  police cir 512000 bc 16000 pir 1024000 be 32000 conform-action transmit exceed-action drop violate-action drop

interface Vlan60
 description VLAN 60 - ISOLATED
 ip address 192.168.100.254 255.255.255.0
 ip access-group ISOLATED_VLAN_IN in
 ip access-group ISOLATED_VLAN_OUT out
 ip helper-address 192.168.0.1
 ip helper-address 192.168.0.2
 service-policy input ISOLATED_POLICING_IN
 service-policy output ISOLATED_POLICING_OUT

ip access-list extended ISOLATED_QOS_IN
 permit ip 192.168.100.0 0.0.0.255 any
 deny ip any any
ip access-list extended ISOLATED_QOS_OUT
 permit ip any 192.168.100.0 0.0.0.255
 deny ip any any

What am I missing to limit VLAN 60 users' upload speeds? Download speeds are being limited just fine.
Do you have "mls qos vlan-based" configured on the relative ports?
-
cisco_trooper
Member Posts: 1,441 ■■■■□□□□□□
Do you have "mls qos vlan-based" configured on the relative ports?
That did it. Applied it to the interface trunked to the access switch where the host is located. Uploads are now throttled.
Thanks everyone.
-
cisco_trooper
Member Posts: 1,441 ■■■■□□□□□□
You need the priority command to impose a maximum rate limit that is active even when there is NO congestion.
With your configuration, no congestion means no qos is needed.
I can't add a priority to my policy map in either direction. It says it isn't allowed.
priority command is not supported in input direction for this interface
priority command is not supported in output direction for this interface
Probably because it is an SVI...
-
cisco_trooper
Member Posts: 1,441 ■■■■□□□□□□
From QoS Policing on Catalyst 6500/6000 Series Switches - Cisco Systems
By default, microflow policers affect only routed traffic. To enable microflow policing of bridged traffic on specified VLANs, perform this task:
Step 1  Command: Router(config)# interface {{vlan vlan_ID} | {type1 slot/port}}
        Purpose: Selects the interface to configure.
Step 2  Command: Router(config-if)# mls qos bridged
        Purpose: Enables microflow policing of bridged traffic, including bridge groups, on the VLAN.
Step 3  Command: Router(config-if)# end
        Purpose: Exits configuration mode.
Step 4  Command: Router# show mls qos
        Purpose: Verifies the configuration.
Not quite what I was looking for, but this is certainly good to know. I didn't know you could do per flow policing like that.
-
PStefanov
Member Posts: 79 ■■□□□□□□□□
To set up policing, you define the policers and apply them to ports (port-based QoS) or to VLANs (VLAN-based QoS). Each policer defines a name, type, rate, burst, and actions for in-profile and out-of-profile traffic. Policers on Supervisor Engine II also support excess rate parameters. There are two types of policers: microflow and aggregate.
Microflow—police traffic for each applied port/VLAN separately on a per-flow basis.
Aggregate—police traffic across all of the applied ports/VLANs.
I was actually referring to something else. When you're testing the dl speed and the ul speed, are you testing them between different vlans/subnets because if you're testing them within the same vlan, then those policies are ineffective.
-
cisco_trooper
Member Posts: 1,441 ■■■■□□□□□□
I was actually referring to something else. When you're testing the dl speed and the ul speed, are you testing them between different vlans/subnets because if you're testing them within the same vlan, then those policies are ineffective.
Testing was not done within the VLAN itself. This policy's basic purpose is to limit a really retarded user's internet browsing, so this is routed traffic. It is working now the way I like, but I don't know if I will come up with a better long term implementation as I learn more about QoS and the options available to me.
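Added example, not part of the thread and not Cisco's code: a token-bucket model of the posted "police cir 512000 bc 16000 pir 1024000 be 32000" statement, following the two-rate three-color marker of RFC 2698 with conform=transmit, exceed=drop, violate=drop. The class and function names and the constant-rate test traffic are assumptions made for this example; it models the algorithm, whose only inputs are packet arrival time and size, not the PFC3 hardware policer.

```python
# Added illustration: RFC 2698 two-rate three-color policer using the values
# from the thread's `police` statement. A model only, not PFC3 hardware behavior.
CIR_BPS, BC_BYTES = 512_000, 16_000      # committed rate / burst (from the post)
PIR_BPS, BE_BYTES = 1_024_000, 32_000    # peak rate / burst (from the post)


class TwoRatePolicer:                    # hypothetical name
    def __init__(self, cir=CIR_BPS, bc=BC_BYTES, pir=PIR_BPS, be=BE_BYTES):
        self.cir, self.bc, self.pir, self.be = cir / 8, bc, pir / 8, be  # bytes/s
        self.tc, self.tp = float(bc), float(be)   # both buckets start full
        self.last = 0.0

    def classify(self, now, size):
        """Return 'conform', 'exceed' or 'violate' for a packet of `size` bytes."""
        dt, self.last = now - self.last, now
        self.tc = min(self.bc, self.tc + dt * self.cir)   # refill, capped at burst
        self.tp = min(self.be, self.tp + dt * self.pir)
        if self.tp < size:               # above the peak rate
            return "violate"
        self.tp -= size
        if self.tc < size:               # between committed and peak rate
            return "exceed"
        self.tc -= size
        return "conform"


def delivered_bps(offered_bps, seconds=10, size=1500):
    """Offer a constant-rate stream (constructed input) and return the rate that
    survives conform=transmit, exceed=drop, violate=drop."""
    policer, gap = TwoRatePolicer(), size * 8 / offered_bps
    sent = 0
    for i in range(int(seconds / gap)):
        if policer.classify(i * gap, size) == "conform":
            sent += size
    return sent * 8 / seconds


if __name__ == "__main__":
    for load in (256_000, 2_000_000):
        print(f"offered {load:>9} bps -> delivered {delivered_bps(load):>9.0f} bps")
```

Because exceed and violate both drop, only conforming packets pass, so the delivered rate settles at roughly the CIR once the initial bc burst is spent.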