QoS Woes

cisco_trooper Member Posts: 1,441
OK. I have a VLAN that I have created for guests of the company and for certain limited users. I am trying to police their traffic in both directions, but am finding that their upload speeds do not seem to be limited at all. Here is the relevant config, with IP addresses changed:
class-map match-any ISOLATED_OUT
  match access-group name ISOLATED_QOS_OUT
 
class-map match-any ISOLATED_IN
  match access-group name ISOLATED_QOS_IN
 
policy-map ISOLATED_POLICING_IN
  class ISOLATED_IN
   police cir 512000 bc 16000 pir 1024000 be 32000 conform-action transmit exceed-action drop violate-action drop
 
policy-map ISOLATED_POLICING_OUT
  class ISOLATED_OUT
   police cir 512000 bc 16000 pir 1024000 be 32000 conform-action transmit exceed-action drop violate-action drop
 
interface Vlan60
 description VLAN 60 - ISOLATED
 ip address 192.168.100.254 255.255.255.0
 ip access-group ISOLATED_VLAN_IN in
 ip access-group ISOLATED_VLAN_OUT out
 ip helper-address 192.168.0.1
 ip helper-address 192.168.0.2
 service-policy input ISOLATED_POLICING_IN
 service-policy output ISOLATED_POLICING_OUT
 
ip access-list extended ISOLATED_QOS_IN
 permit ip 192.168.100.0 0.0.0.255 any
 deny   ip any any
 
ip access-list extended ISOLATED_QOS_OUT
 permit ip any 192.168.100.0 0.0.0.255
 deny   ip any any

What am I missing to limit VLAN 60 users' upload speeds? Download speeds are being limited just fine.
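As an added illustration that is not part of the original thread (and not Cisco's code), here is a small Python model of the two-rate, three-colour token-bucket policer (RFC 2698 trTCM semantics) behind the posted `police cir 512000 bc 16000 pir 1024000 be 32000 conform-action transmit exceed-action drop violate-action drop` line. Packet sizes, offered rates and timing are constructed; the model reproduces only the token-bucket arithmetic, not the PFC3 hardware, and says nothing about whether a given frame reaches the policer at all. Two things it makes visible: the colour decision depends only on tokens and time, never on link congestion, and because both exceed-action and violate-action are drop, the pir/be pair never admits extra traffic, so the effective cap is CIR plus the bc burst.

```python
"""Added example: a two-rate, three-colour (RFC 2698 trTCM) token-bucket
policer model for the thread's 'police cir 512000 bc 16000 pir 1024000
be 32000' line. Not Cisco code; timing and packet sizes are constructed."""
from collections import Counter
from fractions import Fraction

# Actions from the posted policy-map: only conforming traffic is transmitted.
POSTED_ACTIONS = {"conform": "transmit", "exceed": "drop", "violate": "drop"}


class TwoRatePolicer:
    """Two token buckets: Tc refills at CIR up to bc bytes, Tp refills at PIR up to be bytes.

    Fractions keep the arithmetic exact so the counts below are reproducible.
    """

    def __init__(self, cir_bps, bc_bytes, pir_bps, be_bytes):
        self.cir = Fraction(cir_bps, 8)   # bytes per second
        self.pir = Fraction(pir_bps, 8)
        self.bc = Fraction(bc_bytes)
        self.be = Fraction(be_bytes)
        self.tc = self.bc                 # both buckets start full
        self.tp = self.be
        self.last = Fraction(0)

    def police(self, size, now):
        """Colour one packet of `size` bytes arriving at `now` seconds.

        The decision depends only on tokens and elapsed time, never on whether
        the outgoing link is busy: a policer has no notion of congestion.
        """
        dt = now - self.last
        self.last = now
        self.tc = min(self.bc, self.tc + dt * self.cir)
        self.tp = min(self.be, self.tp + dt * self.pir)
        if self.tp < size:        # beyond PIR + be: violate, no tokens consumed
            return "violate"
        self.tp -= size
        if self.tc < size:        # beyond CIR + bc but within PIR: exceed
            return "exceed"
        self.tc -= size
        return "conform"


def offer_burst(policer, size, count, now=0):
    """Send `count` back-to-back packets at one instant (no refill between them)."""
    return Counter(policer.police(size, Fraction(now)) for _ in range(count))


def offer_stream(policer, size, offered_bps, seconds=1):
    """Send an evenly spaced stream at `offered_bps` for `seconds`; returns colour counts."""
    pps = Fraction(offered_bps, 8 * size)          # packets per second
    return Counter(policer.police(size, Fraction(k) / pps) for k in range(int(pps * seconds)))


def forwarded_bytes(counts, size, actions=POSTED_ACTIONS):
    """Bytes that leave the policer under the given conform/exceed/violate actions."""
    return sum(n * size for colour, n in counts.items() if actions[colour] == "transmit")


def posted_policer():
    """The policer from the thread's policy-map (constructed instance)."""
    return TwoRatePolicer(cir_bps=512000, bc_bytes=16000, pir_bps=1024000, be_bytes=32000)


if __name__ == "__main__":
    # A 40-packet burst of 1000-byte packets: bc admits 16, be another 16, the rest violate.
    print("burst:", dict(offer_burst(posted_policer(), 1000, 40)))
    # One second at 2x CIR (= PIR) with 800-byte packets: exceed appears, violate never does.
    print("2x CIR:", dict(offer_stream(posted_policer(), 800, 1024000)))
    # One second at 2x PIR: all three colours appear.
    counts = offer_stream(posted_policer(), 800, 2048000)
    print("2x PIR:", dict(counts))
    # With exceed-action and violate-action both drop, pir/be add no capacity:
    print("forwarded bytes at 2x PIR:", forwarded_bytes(counts, 800),
          "(cap is bc + cir/8 * 1 s =", 16000 + 512000 // 8, ")")
```

Run it as a script to see the colour counts; the three scenarios are deliberately spaced so the refill per packet interval is a whole number of bytes and the counts can be checked by hand against the bucket balances.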

Comments

  • PStefanov Member Posts: 79
    What platform and code are you using?
  • mikej412 Member Posts: 10,086
    What am I missing

    You need the priority command to impose a maximum rate limit that is active even when there is NO congestion.

    With your configuration, no congestion means no qos is needed.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • kalebksp Member Posts: 1,033
    mikej412 wrote: »
    You need the priority command to impose a maximum rate limit that is active even when there is NO congestion.

    With your configuration, no congestion means no qos is needed.

    Would you be able to elaborate or point me towards some documentation? Are you saying he needs to implement a priority queue? I've never heard that policing only takes effect when congestion occurs.
  • tmlerdal Member Posts: 80
    I agree. I've got a similar sort of setup using policing, and it doesn't kick in when the link is congested.

    As for the original problem, try playing with the ACL. It looks right, but something in my gut is saying that is where to be looking.
  • cisco_trooper Member Posts: 1,441
    This is a 6513....s72033-ipservicesk9_wan-vz.122-18.SXF7.bin
  • PStefanov Member Posts: 79
    I can only guess because I don't know what platform you're using and need the rest of the config, but I think in your case only routed traffic is affected by the policies so you might not be testing the upload and download speed in the same way. Could you please post the full config?

    Edit: just saw the platform, sorry.
  • mikej412 Member Posts: 10,086
    Comparing the bandwidth and priority Commands of a QoS Service Policy [QoS Packet Marking] - Cisco Systems
    Using police Command to Set a Maximum

    If a bandwidth or priority class should not exceed its allocated bandwidth during periods of no congestion, you can combine the priority command with the police command. This configuration imposes a maximum rate that is always active on the class. Choosing to configure a police statement in this configuration depends on the policy's objective.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • kalebksp Member Posts: 1,033
    That says the policing is necessary to ensure that the bandwidth and priority commands can't use more than their specified bandwidth when there is no congestion. It doesn't say that the priority command is necessary for policing to work when there is no congestion.
  • mikej412 Member Posts: 10,086
    This is a 6513....s72033-ipservicesk9_wan-vz.122-18.SXF7.bin
    Um... could you be more specific about the hardware? There are pages and pages of exceptions and restrictions -- depending on your hardware.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • PStefanov Member Posts: 79
    From QoS Policing on Catalyst 6500/6000 Series Switches - Cisco Systems
    By default, microflow policers affect only routed traffic. To enable microflow policing of bridged traffic on specified VLANs, perform this task:

    Step 1: Router(config)# interface {{vlan vlan_ID} | {type1 slot/port}} -- Selects the interface to configure.
    Step 2: Router(config-if)# mls qos bridged -- Enables microflow policing of bridged traffic, including bridge groups, on the VLAN.
    Step 3: Router(config-if)# end -- Exits configuration mode.
    Step 4: Router# show mls qos -- Verifies the configuration.
  • cisco_trooper Member Posts: 1,441
    mikej412 wrote: »
    Um... could you be more specific about the hardware? There are pages and pages of exceptions and restrictions -- depending on your hardware.


    Sorry....Sup720...PFC3...MSFC3

    We have the following types of blades:
    WS-X6148A-GE-TX
    WS-X6148-GE-TX
    WS-X6148A-GE-45AF
    WS-X6704-10GE

    Not sure what else I can provide..
  • networker050184 Mod Posts: 11,962
    mikej412 wrote: »
    You need the priority command to impose a maximum rate limit that is active even when there is NO congestion.

    With your configuration, no congestion means no qos is needed.

    I agree here. We use this in our environment for this particular reason.
    An expert is a man who has made all the mistakes which can be made.
  • kalebksp Member Posts: 1,033
    Sorry for going off topic, but could you explain that to me? My understanding of a priority queue is that during congestion no other packets will be sent while there are packets in the priority queues. Policing ensures that the send rate or receive rate does not go above a specified value. Why would you be limited to only having policing on the priority queue?
  • tim100 Member Posts: 162
    OK. I have a VLAN that I have created for guests of the company and for certain limited users. I am trying to police their traffic in both directions, but am finding that their upload speeds do not seem to be limited at all. Here is the relevant config, with IP addresses changed:
    class-map match-any ISOLATED_OUT
      match access-group name ISOLATED_QOS_OUT
     
    class-map match-any ISOLATED_IN
      match access-group name ISOLATED_QOS_IN
     
    policy-map ISOLATED_POLICING_IN
      class ISOLATED_IN
       police cir 512000 bc 16000 pir 1024000 be 32000 conform-action transmit exceed-action drop violate-action drop
     
    policy-map ISOLATED_POLICING_OUT
      class ISOLATED_OUT
       police cir 512000 bc 16000 pir 1024000 be 32000 conform-action transmit exceed-action drop violate-action drop
     
    interface Vlan60
     description VLAN 60 - ISOLATED
     ip address 192.168.100.254 255.255.255.0
     ip access-group ISOLATED_VLAN_IN in
     ip access-group ISOLATED_VLAN_OUT out
     ip helper-address 192.168.0.1
     ip helper-address 192.168.0.2
     service-policy input ISOLATED_POLICING_IN
     service-policy output ISOLATED_POLICING_OUT
     
    ip access-list extended ISOLATED_QOS_IN
     permit ip 192.168.100.0 0.0.0.255 any
     deny   ip any any
     
    ip access-list extended ISOLATED_QOS_OUT
     permit ip any 192.168.100.0 0.0.0.255
     deny   ip any any
    

    What am I missing to limit VLAN 60 users' upload speeds? Download speeds are being limited just fine.

    Do you have "mls qos vlan-based" configured on the relative ports?
  • cisco_trooper Member Posts: 1,441
    tim100 wrote: »
    Do you have "mls qos vlan-based" configured on the relative ports?

    That did it. Applied it to the interface trunked to the access switch where the host is located. Uploads are now throttled. :)

    Thanks everyone.
  • cisco_trooper Member Posts: 1,441
    mikej412 wrote: »
    You need the priority command to impose a maximum rate limit that is active even when there is NO congestion.

    With your configuration, no congestion means no qos is needed.

    I can't add a priority to my policy map in either direction. It says it isn't allowed.
    priority command is not supported in input direction for this interface
    priority command is not supported in output direction for this interface

    Probably because it is an SVI...
  • cisco_trooper Member Posts: 1,441
    PStefanov wrote: »
    From QoS Policing on Catalyst 6500/6000 Series Switches - Cisco Systems
    By default, microflow policers affect only routed traffic. To enable microflow policing of bridged traffic on specified VLANs, perform this task:

    Step 1: Router(config)# interface {{vlan vlan_ID} | {type1 slot/port}} -- Selects the interface to configure.
    Step 2: Router(config-if)# mls qos bridged -- Enables microflow policing of bridged traffic, including bridge groups, on the VLAN.
    Step 3: Router(config-if)# end -- Exits configuration mode.
    Step 4: Router# show mls qos -- Verifies the configuration.

    Not quite what I was looking for, but this is certainly good to know. I didn't know you could do per flow policing like that.
  • PStefanov Member Posts: 79
    To set up policing, you define the policers and apply them to ports (port-based QoS) or to VLANs (VLAN-based QoS). Each policer defines a name, type, rate, burst, and actions for in-profile and out-of-profile traffic. Policers on Supervisor Engine II also support excess rate parameters. There are two types of policers: microflow and aggregate.

    Microflow—police traffic for each applied port/VLAN separately on a per-flow basis.

    Aggregate—police traffic across all of the applied ports/VLANs.

    I was actually referring to something else. When you're testing the dl speed and the ul speed, are you testing them between different VLANs/subnets? If you're testing them within the same VLAN, those policies are ineffective.
  • cisco_trooper Member Posts: 1,441
    PStefanov wrote: »
    I was actually referring to something else. When you're testing the dl speed and the ul speed, are you testing them between different vlans/subnets because if you're testing them within the same vlan, then those policies are ineffective.

    Testing was not done within the VLAN itself. This policy's basic purpose is to limit a really retarded user's internet browsing, so this is routed traffic. It is working now the way I like, but I don't know if I will come up with a better long term implementation as I learn more about QoS and the options available to me.