- On ingress it is mainly marking; on egress it is mainly policing
- Unlike on a router, on a switch we need to enable QoS
- Enabling MLS QoS will erase existing markings
- if you want to keep existing markings in global config
- You could also choose to trust QoS markings at the interface level
- We can mark packets explicitly with the MQC and a policy map, using access lists and class maps
- Marking could be set using set dscp
- For non-IP packets it is CoS
- CoS is automatically translated from DSCP
- Classification could be per interface or VLAN, or per all forwarding ports in a VLAN
- For a VLAN we apply it to the SVI interface
- On all layer 2 devices we would enable
- We can do individual policers; these are applied per port and per class, so we can police different classes to specific rates
- or we can use aggregate policers, which are shared among the classes applied to a physical interface
- We can remark traffic using policy maps, matching and remarking
- We can also use policing to remark traffic
- There are four egress queues per port; SRR is the queuing discipline
- Packets are mapped to queues based on the QoS label (DSCP/CoS)
- So we could have CoS 1, 2 or particular DSCP values mapped to queue 1, then another set of CoS/DSCP values mapped to queue 2, and so on
- Weighted tail drop is the dropping policy, so it will tail drop the lower-priority queues first
- Shaped round robin is a modification of weighted round robin. It allows weighted bandwidth allocation and supports port shaping or individual queue shaping
- Each queue is either shared (shares available bandwidth, with each queue having a relative weight) or shaped (guarantees bandwidth and shapes to it).
- Every queue has an absolute weight; allocated bandwidth is subtracted from the available bandwidth
- Shaping settings override shared
srr-queue bandwidth limit " "
srr-queue bandwidth share x1 x2 x3 x4
Defines the share proportions for each of the 4 queues
srr-queue bandwidth shape x1 x2 x3 x4
shapes queue to 1/x of port physical speed
guarantees amount of bandwidth to the queue
- Queue 1 can be enabled as PQ, configured via
- PQ is not policed in any way, so it has the potential to starve other queues if a high amount of traffic is in the queue, so be very selective about what is mapped to this queue
- DSCP 46 or EF maps to the priority queue by default
- mapping to queue can be done with
or
mls qos "srr-queue" output "cos value"
CoS is used for non-IP packets, so layer 2
DSCP is used for IP/IPv6, for layer 3
LAB
OK, for the lab we are looking at layer 2 QoS between two layer 3 endpoints, mainly r6 and r4
Now the first thing we need to do before applying a QoS policy is understand our layer 2 topology and how this is mapped, so we need to find the physical transit path from r6 to r4. There is no point applying policy on interfaces if they are not forwarding for the VLAN
r6 is physically connected to sw2 on int fa0/6 and r4 is connected to f0/4 on switch 4; they are all in VLAN 146
s4#sh spanning-tree vlan 146
VLAN0146
Spanning tree enabled protocol ieee
Root ID Priority 24722
Address 001b.2bec.8380
Cost 19
Port 20 (FastEthernet0/18)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32914 (priority 32768 sys-id-ext 146)
Address 0015.2bd9.1d80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/4 Desg FWD 19 128.6 P2p
Fa0/13 Altn BLK 19 128.15 P2p
Fa0/14 Altn BLK 19 128.16 P2p
Fa0/18 Root FWD 19 128.20 P2p
Fa0/19 Desg FWD 19 128.21 P2p
OK, so we can see from this that the root port is fa0/18, which connects to sw2 directly. There is the possibility, if there are other switches in the topology, that even if we had a direct trunk link, the way spanning tree has converged would decide the forwarding path of the topology
s2#sh spanning-tree vlan 146
VLAN0146
Spanning tree enabled protocol ieee
Root ID Priority 24722
Address 001b.2bec.8380
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24722 (priority 24576 sys-id-ext 146)
Address 001b.2bec.8380
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/6 Desg FWD 19 128.8 P2p
Fa0/13 Desg FWD 19 128.15 P2p
Fa0/16 Desg FWD 19 128.18 P2p
Fa0/21 Desg FWD 19 128.23 P2p
So s2 is the root bridge, so it is fairly straightforward. There are more switches in the topology than diagrammed, so I needed to make sure
r6
---
OK, on r6 I want to be able to generate traffic with a DSCP value marked
r6(config)#policy-map AF11
r6(config-pmap)#class class-default
r6(config-pmap-c)#set dscp AF11
r6(config-pmap-c)#exit
r6(config-pmap)#int fa0/0.146
r6(config-subif)#service-policy output AF11
r6(config-subif)#
r4
---
OK, we will create an access-list to catch the traffic
r4(config)#access-list 101 permit ip any any dscp AF11
r4(config)#access-list 101 permit ip any any dscp AF13
r4(config)#access-list 101 permit ip any any
r4(config-if)#ip access-group 101 in
r6
---
ping 4.4.4.4 repeat 65143
just to generate a lot of traffic
r4
---
r4#sh access-list
Extended IP access list 101
10 permit ip any any dscp af11 (97296 matches)
20 permit ip any any dscp af13
30 permit ip any any
r4#
We can see that the traffic is coming untouched via the layer 2 network to r4 as AF11
sw2
----
s2(config)#mls qos
s2(config)#
r4
---
The minute we enable mls qos
r4#sh access-list 101
Extended IP access list 101
10 permit ip any any dscp af11 (210924 matches)
20 permit ip any any dscp af13
30 permit ip any any (47661 matches)
r4#
This is because s2 will now automatically overwrite the QoS marking and set it to default
S2
---
s2(config)#no mls qos rewrite ip dscp
r4
--
r4#sh access-list 101
Extended IP access list 101
10 permit ip any any dscp af11 (263208 matches)
20 permit ip any any dscp af13
30 permit ip any any (269078 matches)
r4#sh access-list 101
Extended IP access list 101
10 permit ip any any dscp af11 (265407 matches)
20 permit ip any any dscp af13
30 permit ip any any (269078 matches)
We are back to matching AF11, so we have disabled the rewrite
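The before/after comparison of ACL counters done by eye above can be scripted. This is an added example, not part of the original notes; the two snapshots are copied from the r4 output above and the function names are made up for illustration.

```python
import re

# Two snapshots of `sh access-list 101` copied from the r4 output above.
SNAP_1 = """\
Extended IP access list 101
10 permit ip any any dscp af11 (263208 matches)
20 permit ip any any dscp af13
30 permit ip any any (269078 matches)
"""
SNAP_2 = """\
Extended IP access list 101
10 permit ip any any dscp af11 (265407 matches)
20 permit ip any any dscp af13
30 permit ip any any (269078 matches)
"""

# sequence, action, rule text, optional "(N matches)" counter
ACE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_counters(text):
    """Return {sequence: (rule_text, hits)}; an ACE printed without a counter has 0 hits."""
    out = {}
    for line in text.splitlines():
        m = ACE.match(line)
        if m:
            seq, action, rule, hits = m.groups()
            out[int(seq)] = (f"{action} {rule}", int(hits or 0))
    return out

def counter_deltas(before, after):
    """Hits gained per ACE between the two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {seq: a[seq][1] - b.get(seq, ("", 0))[1] for seq in a}

def active_marking(before, after):
    """Rules whose counters moved, i.e. the marking r4 is receiving right now."""
    a = parse_counters(after)
    deltas = counter_deltas(before, after)
    return [a[seq][0] for seq in sorted(deltas) if deltas[seq] > 0]

if __name__ == "__main__":
    print(counter_deltas(SNAP_1, SNAP_2))
    print(active_marking(SNAP_1, SNAP_2))
```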
S4
---
s4(config)#mls qos
s4(config)#
r4
===
r4#sh access-list 101
Extended IP access list 101
10 permit ip any any dscp af11 (397290 matches)
20 permit ip any any dscp af13
30 permit ip any any (299878 matches)
r4#sh access-list 101
Extended IP access list 101
10 permit ip any any dscp af11 (397290 matches)
20 permit ip any any dscp af13
30 permit ip any any (302503 matches)
r4#
Switch 4 is now overwriting the QoS marking
sw4
----
Let's tell sw4 to trust the marking at interface level
s4(config)#int fa0/18
s4(config-if)#mls qos trust dscp
s4(config-if)#
r4
===
r4#sh access-list 101
Extended IP access list 101
10 permit ip any any dscp af11 (484651 matches)
20 permit ip any any dscp af13
30 permit ip any any (475538 matches)
r4#sh access-list 101
Extended IP access list 101
10 permit ip any any dscp af11 (487378 matches)
20 permit ip any any dscp af13
30 permit ip any any (475538 matches)
We are back to getting DSCP AF11
OK, let's look at sw2 overwriting the marking. We will do the manual policy-based remarking first, then we will look at the policing-based one
sw2
----
First we enable qos rewrite
s2(config)#mls qos rewrite ip dscp
then
s2(config)#class-map R1
s2(config-cmap)#match ip dscp af11
s2(config-cmap)#policy-map FROMR1
s2(config-pmap)#class R1
s2(config-pmap-c)#set dscp af13
s2(config-pmap-c)#exit
s2(config-pmap)#int f0/6
s2(config-if)#service-policy input FROMR1
s2(config-if)#
r4
---
the rewrite was successful
r4#sh access-list 101
Extended IP access list 101
10 permit ip any any dscp af11 (752144 matches)
20 permit ip any any dscp af13 (22 matches)
30 permit ip any any (475538 matches)
r4#sh access-list 101
Extended IP access list 101
10 permit ip any any dscp af11 (752144 matches)
20 permit ip any any dscp af13 (25 matches)
30 permit ip any any (475538 matches)
s2
---
We will take off the service-policy input
s2(config-if)#int fa0/6
s2(config-if)#no service-policy input FROMR1
s2(config)#policy-map MARKAF13
s2(config-pmap)#class class-default
s2(config-pmap-c)#police 8000 8000 exceed-action policed-dscp-transmit
s2(config-pmap-c)#set ip dscp AF11
s2(config-pmap-c)#int f0/6
s2(config-if)#service-policy input MARKAF13
s2(config-if)#
OK, so in the config we are policing to a very low rate just to see the change, and then we are saying we want to remark with policed-dscp-transmit
the conform action is to set ip dscp to AF11
while the exceed action is to check the policed-dscp remark map
s2#sh mls qos map
Policed-dscp map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 01 02 03 04 05 06 07 08 09
1 : 10 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 24 25 26 27 28 29
3 : 30 31 32 33 34 35 36 37 38 39
4 : 40 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 60 61 62 63
Dscp-cos map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 00 00 00 00 00 00 00 01 01
1 : 01 01 01 01 01 01 02 02 02 02
2 : 02 02 02 02 03 03 03 03 03 03
3 : 03 03 04 04 04 04 04 04 04 04
4 : 05 05 05 05 05 05 05 05 06 06
5 : 06 06 06 06 06 06 07 07 07 07
6 : 07 07 07 07
The way we read this is: on the left we take the value, and on the top we take the value
so, for example, 0 from the left and 1 on top
is 01 - this is decimal, not binary
We can go in here as a way of finding out the binary values from the CLI
s2(config)#policy-map test
s2(config-pmap)#class class-default
s2(config-pmap-c)#set ip dscp ?
<0-63> Differentiated services codepoint value
af11 Match packets with AF11 dscp (001010)
af12 Match packets with AF12 dscp (001100)
af13 Match packets with AF13 dscp (001110)
af21 Match packets with AF21 dscp (010010)
af22 Match packets with AF22 dscp (010100)
af23 Match packets with AF23 dscp (010110)
af31 Match packets with AF31 dscp (011010)
af32 Match packets with AF32 dscp (011100)
af33 Match packets with AF33 dscp (011110)
af41 Match packets with AF41 dscp (100010)
af42 Match packets with AF42 dscp (100100)
af43 Match packets with AF43 dscp (100110)
cs1 Match packets with CS1(precedence 1) dscp (001000)
cs2 Match packets with CS2(precedence 2) dscp (010000)
cs3 Match packets with CS3(precedence 3) dscp (011000)
cs4 Match packets with CS4(precedence 4) dscp (100000)
cs5 Match packets with CS5(precedence 5) dscp (101000)
cs6 Match packets with CS6(precedence 6) dscp (110000)
cs7 Match packets with CS7(precedence 7) dscp (111000)
default Match packets with default dscp (000000)
ef Match packets with EF dscp (101110)
so af11 is 001010, which is equal to 10 in decimal
af13 is 001110, which is equal to 14 in decimal
so if we look back at this
s2#sh mls qos map
Policed-dscp map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 01 02 03 04 05 06 07 08 09
1 : 10 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 24 25 26 27 28 29
3 : 30 31 32 33 34 35 36 37 38 39
4 : 40 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 60 61 62 63
So 10 gets mapped to 10, so basically it stays the same; we will need to override this behaviour
s2(config)#mls qos map policed-dscp 10 to 14
We edit the map to change the values, so we can see now that the QoS map has changed
s2#sh mls qos map
Policed-dscp map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 01 02 03 04 05 06 07 08 09
1 : 14 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 24 25 26 27 28 29
3 : 30 31 32 33 34 35 36 37 38 39
4 : 40 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 60 61 62 63
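The d1:d2 grid can also be read programmatically. This is an added example, not part of the original notes: it parses the policed-dscp map printed above (after the 10 to 14 change) and converts the DSCP keywords to decimal; the function names are made up for illustration.

```python
# Policed-dscp map as printed by `sh mls qos map` above, after
# `mls qos map policed-dscp 10 to 14` (text copied from the page).
POLICED_DSCP = """\
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 01 02 03 04 05 06 07 08 09
1 : 14 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 24 25 26 27 28 29
3 : 30 31 32 33 34 35 36 37 38 39
4 : 40 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 60 61 62 63
"""

def parse_qos_map(text):
    """Turn a d1:d2 grid into {input_value: output_value}.
    Row label = tens digit (d1), column position = units digit (d2),
    so row 1, column 0 is the entry for DSCP 10."""
    table = {}
    for line in text.splitlines():
        label, sep, cells = line.partition(":")
        if not sep or not label.strip().isdigit():
            continue  # header and ruler lines
        d1 = int(label)
        for d2, cell in enumerate(cells.split()):
            table[d1 * 10 + d2] = int(cell)
    return table

def dscp_value(name):
    """Decimal DSCP for the keywords IOS lists under `set ip dscp ?`."""
    name = name.lower()
    if name == "default":
        return 0
    if name == "ef":
        return 46
    if name.startswith("cs"):
        return int(name[2]) * 8                      # csN = 8N
    if name.startswith("af"):
        return int(name[2]) * 8 + int(name[3]) * 2   # afXY = 8X + 2Y
    return int(name)                                 # already numeric

def remarked(table):
    """Entries where the map changes the value (everything else is identity)."""
    return {k: v for k, v in table.items() if k != v}
```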
r4
---
r4#sh access-list
Extended IP access list 101
10 permit ip any any dscp af11 (4731 matches)
20 permit ip any any dscp af13 (24425 matches)
30 permit ip any any (109610 matches)
r4#sh access-list
Extended IP access list 101
10 permit ip any any dscp af11 (4764 matches)
20 permit ip any any dscp af13 (27012 matches)
30 permit ip any any (109610 matches)
r4#sh access-list
Extended IP access list 101
10 permit ip any any dscp af11 (4800 matches)
20 permit ip any any dscp af13 (29871 matches)
30 permit ip any any (109610 matches)
r4#
OK, we can see that we are getting some matches on AF11, the conform action, but the majority of the traffic is exceeding and being sent as AF13
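Why most packets end up as AF13 can be seen with a small token bucket model of the policer. This is an added example, not part of the original notes and not the switch's actual implementation: it assumes a single-rate, two-colour bucket that starts full, and the packet size and ping rate are made-up figures.

```python
POLICED_DSCP_MAP = {10: 14}   # from `mls qos map policed-dscp 10 to 14`

def police(arrivals_ms, size_bytes, rate_bps=8000, burst_bytes=8000,
           conform_dscp=10, policed_map=POLICED_DSCP_MAP):
    """Single-rate, two-colour token bucket model of
    `police 8000 8000 exceed-action policed-dscp-transmit`.

    Returns the DSCP each packet leaves with: conform_dscp (AF11) when
    in profile, the policed-dscp map entry for it when out of profile.
    """
    tokens = float(burst_bytes)          # assumption: bucket starts full
    last = arrivals_ms[0] if arrivals_ms else 0
    out = []
    for t in arrivals_ms:
        # refill: rate_bps bits/s is rate_bps / 8000 bytes per millisecond
        tokens = min(burst_bytes, tokens + rate_bps * (t - last) / 8000)
        last = t
        if tokens >= size_bytes:
            tokens -= size_bytes
            out.append(conform_dscp)
        else:
            out.append(policed_map.get(conform_dscp, conform_dscp))
    return out

def summarize(dscps):
    """Count packets per outgoing DSCP value."""
    counts = {}
    for d in dscps:
        counts[d] = counts.get(d, 0) + 1
    return counts

# Constructed load: 1000 packets of 100 bytes, one every 10 ms (assumed
# figures, not measured in the lab).
SAMPLE = police([i * 10 for i in range(1000)], size_bytes=100)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The initial burst drains the bucket, after which only about one packet in ten conforms at this load.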
S4
---
So I am just creating a class map to remark
s4(config)#class-map AF11
s4(config-cmap)#match ip dscp AF11
s4(config-cmap)#policy-map REMARK
s4(config-pmap)#class AF11
s4(config-pmap-c)#set ip dscp AF42
s4(config-pmap-c)#exit
I applied it to int vlan 146
s4(config-pmap)#int vlan 146
s4(config-if)#service-policy input REMARK
this is not the default gateway
s4#sh run int vlan 146
Building configuration...
Current configuration : 69 bytes
!
interface Vlan146
no ip address
service-policy input REMARK
end
s4#
s4(config)#interface range fa0/1 - 24
s4(config-if-range)#mls qos vlan-based
r4
---
r4(config)#access-list 101 permit ip any any dscp AF42
r4#sh access-list 101
Extended IP access list 101
10 permit ip any any dscp af11
20 permit ip any any dscp af13
30 permit ip any any dscp af42 (12 matches)
40 permit ip any any
r4#
We are getting matches on AF42, so it is working
s2
---
s2(config-if)#srr-queue bandwidth shape ?
<0-65535> enter bandwidth weight for queue id 1
s2(config-if)#srr-queue bandwidth shape 10 ?
<0-65535> enter bandwidth weight for queue id 2
s2(config-if)#srr-queue bandwidth shape 10 5 ?
<0-65535> enter bandwidth weight for queue id 3
s2(config-if)#srr-queue bandwidth shape 10 5 5 ?
<0-65535> enter bandwidth weight for queue id 4
s2(config-if)#srr-queue bandwidth shape 10 5 5 1?
<0-65535>