
QoS not classifying anything 2


insureme

IS-IT--Management
Dec 9, 2008
103
US
I'm trying to configure QoS on our 3750 switches to prioritize VOIP and teleconference traffic between our two sites across a Metro Ethernet Mesh. I thought I was understanding this, but I seem to be hitting some fundamental part of this process that I'm either missing entirely or misunderstanding. My configuration is as follows.

mls qos
class-map qos
match access-group name qos1

policy-map qos
class qos
set dscp cs5

ip access-list ext qos1
10 permit ip 172.16.0.0 0.0.255.255 any <--VOIP device range
20 permit ip host 172.17.1.25 any <--vid/conf device
30 deny ip any any <-- i like to add this so i can see what hits it

int g1/0/2
service-policy input qos
no switchport
ip address x.x.x.x x.x.x.x

The above interface is my metro mesh port. What I'm finding is nothing is getting classified, and I'm not sure why. Should I be applying the QoS service policy to all the ports except the WAN port? Any ideas would be greatly appreciated as I've been poring over every QoS setup doc I've been able to find.

If I issue a "show policy-map int g1/0/2" it reveals that nothing has been classified. If I do a show ip access-lists I can see that only the deny statement on the ACL shows any hits. I know the traffic I'm specifying is there though.

Thanks,
 
The lack of policy statistics is a known 'feature' of the 2960/3560/3750 series switches.... If you have the real 'Metro' version of the 3750 then the 'metro' uplink ports do display these statistics. The regular 3750 just doesn't.
You can verify the behaviour by checking the packet counts per DSCP value with the 'show mls qos interface statistics'. Check the incoming port for the packets that will typically be marked with DSCP 0 and then the output port where they should have been marked by your ingress policy. It can be tricky if this is a working switch because trying to tally counters up will be difficult. You can always mirror your ingress and egress ports to a sniffer and look at the packets as they will appear on the wire to verify.

Andy
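
The counter comparison described in the post above, as an added example that is not part of the original thread: it takes a before/after snapshot of the per-DSCP tables from "show mls qos interface statistics" on an ingress port and on the WAN port and reports how many packets arrived unmarked and left marked. The sample text is constructed, and its row layout (five counters per DSCP range) and the port roles are assumptions.

```python
import re

# Constructed sample text. Assumption: one table per direction, five counters
# per row, as in "show mls qos interface statistics" output.
def sample(in0, in40, out0, out40):
    return f"""GigabitEthernet1/0/x (All statistics are in packets)
  dscp: incoming
-------------------------------
  0 -  4 : {in0:>11} 0 0 0 0
 40 - 44 : {in40:>11} 0 0 0 0
  dscp: outgoing
-------------------------------
  0 -  4 : {out0:>11} 0 0 0 0
 40 - 44 : {out40:>11} 0 0 0 0
  cos: incoming
-------------------------------
  0 -  4 :           1 0 0 0 0
"""

ACCESS_BEFORE, ACCESS_AFTER = sample(9000, 0, 100, 0), sample(9600, 0, 120, 0)
WAN_BEFORE, WAN_AFTER = sample(50, 0, 7000, 0), sample(60, 0, 7100, 450)

SECTION = re.compile(r"^\s*(dscp|cos):\s*(incoming|outgoing)")
ROW = re.compile(r"^\s*(\d+)\s*-\s*\d+\s*:\s*(.*)$")

def parse_dscp(text):
    """Return {direction: {dscp: packets}}, ignoring the CoS tables."""
    counters, current = {}, None
    for line in text.splitlines():
        sec = SECTION.match(line)
        if sec:
            is_dscp = sec.group(1) == "dscp"
            current = counters.setdefault(sec.group(2), {}) if is_dscp else None
            continue
        row = ROW.match(line)
        if row and current is not None:
            base = int(row.group(1))  # first DSCP value covered by this row
            for offset, value in enumerate(row.group(2).split()):
                current[base + offset] = int(value)
    return counters

def delta(before, after, direction, dscp):
    """Packets counted for one DSCP value between two snapshots of a port."""
    b, a = parse_dscp(before), parse_dscp(after)
    return a[direction].get(dscp, 0) - b[direction].get(dscp, 0)

def marking_observed(ingress, egress, marked_dscp=40):
    """ingress/egress are (before, after) pairs; True if DSCP 0 came in and marked_dscp went out."""
    return delta(*ingress, "incoming", 0) > 0 and delta(*egress, "outgoing", marked_dscp) > 0

if __name__ == "__main__":
    print(marking_observed((ACCESS_BEFORE, ACCESS_AFTER), (WAN_BEFORE, WAN_AFTER)))
```

DSCP 40 is the decimal value of cs5, the marking used in the policy under discussion.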
 
Wow. That seems like a huge disservice on Cisco's part. So let me just verify my thoughts on this so I can make sure things are working correctly. I should be able to clear my entire QoS configuration, and clear the queue stats to in effect zero out everything. Then if I do a "show mls qos int g1/0/2 stat" I should see nothing on queue 40 inbound or outbound. Put my QoS config back on, and then if I see numbers appearing in queue 40 inbound or outbound it means it's working?

I was really hoping to not need to go sniff the network and rip apart packet headers :) Aside from all that my config looks solid though?

Thanks,
 
So I took a look, and my stats are not changing for DSCP queue 40. So then I put a packet sniffer on the service policy port, and checked. In fact the DSCP values are not being re-written. They all are 0x00, even on a device that is clearly in that source address range. Any other ideas?
 
Are you trying to set the DSCP bit at this switch before you send it on across the link? If so, you need to change your service-policy to output. This tells the mlswitch to process the service-policy as it is outputting packets on this routed port.
 
I am trying to set the DSCP bit on this switch before hitting the WAN, however this device does not support setting the service policy to output. So with that in mind, would I want to be setting the service policy inbound on all other switch interfaces?

My understanding of this process is the packet will hit the interface, be processed by the policy, and have the DSCP bit set before outputting it on the WAN interface. This does not seem to be the case however.
 
Think of the input/output in relation to the cable. If the cable is coming into the switch from the metro service, then packets coming IN on that cable would apply to the input policy, and packets going OUT of the switch on that cable to the metro service would be output packets.

Let me look and see what you would need to do in this case...
 
So basically, I'm not getting any hits on my classification map because it's analyzing traffic going the wrong way. It sounds like the way I have it set up it would only process like this...

Remote-->-->WAN-->Switch g1/0/2-->set DSCP bit = cs5 -->internal LAN

But if that is the case I'd want it going the other way as you said, to be applied on the output side. So, that not being supported... I'd have to set the DSCP bit as the packets enter the switch from the IP phone. But then how do I QoS the data going from site to site?
 
Ok, this seems like the best solution.

This is assuming the 3750 is also the router for these VLANs (it has the SVIs on it), take the service policy command and apply it to these VLAN interfaces. You can break it up and make two policies, one for voice and one for vid, but it should work how it is. The policy on the SVI should mark the traffic and then output it over the metro connection.
 
Should have said...keep it as an input policy on the VLAN interfaces.
 
Ouch. That isn't supported until 12.2(25) and we are on 12.2(22) :( Guess it may be time for an IOS upgrade.
 
So interestingly enough, these WAN ports are not configured as switch ports; they have been issued the no switchport command, and have an IP address configured on them...

interface GigabitEthernet1/0/2
description ***6MB site to Site***
no switchport
ip address 192.168.0.2 255.255.255.248
speed 10
duplex full
service-policy input inland-qos
end

So I don't think there would be an SVI related to them, or would I want to apply the service policy to the VLAN interface that serves my IP phones?
 
Oh yeah, I noticed my remote site switch is running 12.2(35) :) One less upgrade to do.
 
Correct, you would place it on the VLAN interface (SVI) that serves as the router for your IP phones and video conf equipment.
 
So that didn't help. I tried to apply the service policy to the SVI, and the SVI will only allow me to apply it on the outbound. I'm planning to upgrade the IOS on the switches during our monthly downtime in a few weeks, but I'm not sure that's going to help. I think I'm going to try and apply the service policy to the trunk ports on the switch where all the VOIP traffic would be entering from. The one question I've got is about the ingress and egress queues. Are these queues for the entire switch, or is there a set of queues for each switchport?
 
Personally, I almost always use my switchports as switchports and use SVIs for routing.

Here is an example QoS I did on a network of 3750s:
Basically, it identifies voice traffic and forces the appropriate tag on it.

ip access-list extended voice.traffic
permit ip 10.16.0.0 0.15.255.255 any
class-map match-all voice
match access-group name voice.traffic
policy-map Assign.DSCP
class voice
set dscp ef
int ran f1/0/2-48
service-policy input Assign.DSCP
 
I tried to apply the service policy to the SVI, and the SVI will only allow me to apply it on the outbound.

Very weird as I have a 3750 stack with some service-policy input commands on the SVIs. You can also do as you/Vince suggested and place it on the physical ports with the same effect.
 
AR-CORE(config-if)#service-policy in inland-qos
Master SVI send all failed for interface Vlan300, cmd = 38

Service Policy attachment failed

Yeah, that's strange alright. Above is the clip from when I issue the command to my SVI. Either way, I think I should be fine applying to the physical ports as there are not any phones actually connected to the core switch, so I can just apply the policy on the uplink trunks.
 
Step one. Check. I've got my traffic classifying as it should by applying the policy across the board on all switch ports. I can narrow this down later.

Now what I'm finding is that I've got more than just the two classifications I'm going for passing through (0 = default, 5,CS5=priority). My understanding is that by default outbound queue 5, or 40 if using DSCP as I am, will get precedence over all other egress queues. For good measure I added priority-queue out to the WAN port. But I'm seeing classifications for 0, 5, 4, and 7 now. I only expected to see classifications of 5 and 0.

Alongside this, the queues to my understanding should allocate 10% to queue 5/40 and process first, then the remainder would go to the other queues for non-priority traffic. However my WAN link is only 6mb, and the port is a 1GB port. So do I need to set up policing to limit the output on the port to match my actual bandwidth?

Appreciate all the help I've been given and advice so far.

Thanks in advance again.
 