[QoS] policy-map VS priority 1

[marsss]

Hello, here litle exemple of the config i m running:

[...]
class-map match-all cl_640_down
  match access-group 110
class-map match-all cl_1500_down
  match access-group 130
[...]
policy-map po_down
  class cl_640_down
    police 640000 80000 exceed-action drop
  class cl_1500_down
    police 1496000 187500 exceed-action drop
[...]
interface FastEthernet0/3
 no ip address
 service-policy input po_down
[...]
access-list 110 remark Download for Client 1500
access-list 110 deny   ip any host w.x.y.z
access-list 110 permit ip any any
access-list 130 remark Download unlock
access-list 130 permit ip any any

So I'm using police-map to control trafic on my network.

The problem is pretty weird.

Lets say I have few client connecting to Internet at 640kbps, and few at 1.5mbps.

My total bandwith to Internet is a dedicate 3mbps. Using snmp or checking my interface in the router show me i m using average 2mbps.

When I do a download test to see what speed my client go, if he is set in the 640kbps class, he can go as slow at 100-300kbps instead 640. If I block his IP in Access-list 110 (to give him a 1.5mbps connexion) he go at 1.5mbps.

During whole process I check carefully the total bandwith I use and i never cap to 3mbps.

So why my client at 640kbps isn t going to 640 and stick around 100-300? I know i have enought bandwith but look like the router slow him down.

Any idea?

 

[marsss]

forgot to say i named this topic : policy-map VS priority

Is using different speed police-map introduce a kinda priority?

lets say i put someone with 500kbps limit and one 1000kbps into a 1mbps pipe, is the bandwith shared good?

Such 333kbps for client 1 and 666kbps for client 2?

Or bout nothing for client 1 and around 1000kbps for client2?

 

[lambent]

he can go as slow at 100-300kbps instead 640"
How do you measure the traffic? Using SNMP? Using IOS "show" commands? Or by reading the NIC status on the PC/server?

 

[marsss]

Well, for my Client I do a download test on :

http://www.testmy.net

For the trafic on my router i check with SNMP (which seem to give over rathed value), on show interface on my router, and from report gived by people selling us bandwidth.

 

[lambent]

Then how long is the poll time? 1 min? 5 mins? 30 secs? If the poll time is too long then the result will be an average only.

Btw did you try to use the "show policy-map interface" command to show the statistics?

 

[BuckWeet]

for a quicker poll do 'load-interval 30'

 

[marsss]

Interval is already set to 30sec

Btw did you try to use the "show policy-map interface" command to show the statistics?

Humm, not sure what i should get there, but on every Interface on every router i m using policing, i have 0 value everywhere, like this (Even when i m generating traffic on a Client):

 FastEthernet0/3

  service-policy input: po_down

    class-map: cl_640_down (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      match: access-group 110qm_police_inform_feature: CLASS_SHOW


    class-map: cl_1500_down (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      match: access-group 130qm_police_inform_feature: CLASS_SHOW


    class-map: cl_3000_down (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      match: access-group 150qm_police_inform_feature: CLASS_SHOW


    class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      match: any
        0 packets, 0 bytes
        5 minute rate 0 bps

 

[marsss]

Here a screeny of the traffic on the router before my internet connexion that show i m not loaded to max :

Ethernet0 is up, line protocol is up
  Hardware is PQUICC Ethernet, address is 0004.dd0c.3d33 (bia 0004.dd0c.3d33)
  Internet address is w.x.y.z/30
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 34/255, rxload 23/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 10BaseT
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/704/0 (size/max/drops/flushes); Total output drops: 117
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  30 second input rate 932000 bits/sec, 283 packets/sec
  30 second output rate 1344000 bits/sec, 251 packets/sec
     3653301405 packets input, 2296537035 bytes, 15 no buffer
     Received 171109 broadcasts, 0 runts, 0 giants, 0 throttles
     31 input errors, 0 CRC, 0 frame, 31 overrun, 0 ignored
     0 input packets with dribble condition detected
     1198899 packets output, 123635123 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

the 704 drop is pretty old, haven t reset router over 3-4month. Adding 932000 and 1344000 make a overall 2.3mbps on a maxium of 3mbps

 

[marsss]

I got a idea this morning that could be the source of my problem

how it work at the moment, is

3x CAT3550 <-> cisco switch 2950 <-> cisco 1700 <-> Internet

My policing is done on each 3550, and I think if i got lot client at 1.5mbps and 3mbps on one 3550, and only 640kbps client on another 3550, it s doesn t keep all user even.

I ll try to redo policing on my 1700. I have to keep policing on each 3550 to not overload my backbone.

 

[marsss]

Well, if i do same policing from each 3550 into my 1700, i can t find how to set a fixed maximum for all my bandwidth...

 

[marsss]

Ok, in all 3 case, I have alway the same problem

with policy only on 3550, with policy on 3550 and 1700, and with policy only on 1700.

I realy have no clue why my Client plug on these 3550 can t reach the max limit when the bandwidth is available...

 

[marsss]

i can se though some information from show police interface on my 1700 :

 Ethernet0

  Service-policy input: po_down

    Class-map: cl_640_down (match-all)
      749354 packets, 303448207 bytes
      30 second offered rate 743000 bps, drop rate 18000 bps
      Match: access-group 110
     police:
         cir 1000000 bps, bc 125000 bytes
       conformed 734838 packets, 287463771 bytes; actions:
         transmit
       exceeded 12335 packets, 15960702 bytes; actions:
         drop
       conformed 726000 bps, exceed 18000 bps,

    Class-map: cl_1500_down (match-all)
      4929 packets, 3891946 bytes
      30 second offered rate 14000 bps, drop rate 0 bps
      Match: access-group 130
     police:
         cir 1496000 bps, bc 187500 bytes
       conformed 4921 packets, 3902737 bytes; actions:
         transmit
       exceeded 0 packets, 0 bytes; actions:
         drop
       conformed 14000 bps, exceed 0 bps,

    Class-map: cl_3000_down (match-all)
      3383 packets, 2814018 bytes
      30 second offered rate 7000 bps, drop rate 0 bps
      Match: access-group 150
     police:
         cir 3000000 bps, bc 375000 bytes
       conformed 3359 packets, 2833699 bytes; actions:
         transmit
       exceeded 0 packets, 0 bytes; actions:
         drop
       conformed 7000 bps, exceed 0 bps,

    Class-map: class-default (match-any)
      103617 packets, 141677266 bytes
      30 second offered rate 52000 bps, drop rate 0 bps
      Match: any
 FastEthernet0

 

[lambent]

interface FastEthernet0/3
no ip address
service-policy input po_down

Is this port connected to client PC or to 2950 switch? If you're policing downstream traffic, then the service-policy should be output if connected to client PC, and input if connected to the 2950 switch.

And as my understanding, the class in the policy map doesn't work like access-list or route-map in which it works from top to bottom. Since in your class-map you use permit any at the end, an IP address may belong to both classes which seems quite confusing. I didn't try to use permit any in defining class maps so I'm not sure about the actual impact.

 

[marsss]

interface FastEthernet0/3
no ip address
service-policy input po_down

Is this port connected to client PC or to 2950 switch? If you're policing downstream traffic, then the service-policy should be output if connected to client PC, and input if connected to the 2950 switch.

And as my understanding, the class in the policy map doesn't work like access-list or route-map in which it works from top to bottom. Since in your class-map you use permit any at the end, an IP address may belong to both classes which seems quite confusing. I didn't try to use permit any in defining class maps so I'm not sure about the actual impact.

Thx lambent for support.

Yeah, i did figure on which interface i had to put the download limit and upload limit.
I did completly redo my policy map caus ei figured people in 640 class was goig trough all 3 policy ACL.

Class-map and policy-map still same, but ACL look like this now :

access-list 110 remark Down Client 640
access-list 110 deny   ip any host w.x.y.z  <-- I put adresse i want to unlock to highter speed here (download)
access-list 110 permit ip any any

access-list 120 remark Up Client 640
access-list 120 deny   ip host w.x.y.z any <-- I put adresse i want to unlock to highter speed here (upload)
access-list 120 permit ip any any

access-list 130 remark Down Client 1500
access-list 130 permit ip any host w.x.y.z <-- Here people at 1500kbps (download)
access-list 130 deny   ip any any

access-list 140 remark Up Client 1500
access-list 140 permit ip host w.x.y.z any <-- Here people at 1500kbps (upload)
access-list 140 deny   ip any any

access-list 150 remark Down Client 3000
access-list 150 permit ip any host w.x.y.z <-- Here people at 3000kbps (download)
access-list 150 deny   ip any any

access-list 160 remark Up Client 3000
access-list 160 permit ip host w.x.y.z any <-- Here people at 3000kbps (upload)
access-list 160 deny   ip any any

I know the deny ip any any at end isn t usefull, just for understanding.

That way, each adresse use only one policy. As so far, it look to be much better. I can fill up my bandwidth with 3mbps client, and my client at 640kbps still get a decent speed.

Policy are put on each 3550.

and i did set a policy to limit my total bandwidth on the 1700 to 3mbps (what my ISP sell to me)

 

[marsss]

Well look like it didn t last long enought, i having same problem this afternoon.

I did remove all kind policy on my 1700, and removing download policy on one of my 3550 and i go up to 1.5mbps. Once i put back service-policy, on a 640kbps user class, i go aroun 200kbps instead 640...

I do a show policy-map interface, and i see absolutly nothing:

  service-policy input: po_down

    class-map: cl_640_down (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      match: access-group 110qm_police_inform_feature: CLASS_SHOW


    class-map: cl_1500_down (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      match: access-group 130qm_police_inform_feature: CLASS_SHOW


    class-map: cl_3000_down (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      match: access-group 150qm_police_inform_feature: CLASS_SHOW


    class-map: class-default (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      match: any
        0 packets, 0 bytes
        30 second rate 0 bps

I m so damn tired trying to make it work and it never want to...

 

[lambent]

Hmm nearly forgot that you're using 3550. Did you use "mls qos"?

For showing mls qos statistics, use "show mls qos interface" instead.

 

[marsss]

yeah, I got mls qos in all 3 3550

 

[lambent]

http://www.cisco.com/en/US/products/hw/switches/ps646/products_tech_note09186a00800feff5.shtml

In the section "The following table show the supported ingress QoS policies matrix:", "match ACL" + "police" must also be used with either "trust class" or "set DSCP". If this is really true for 3550, then you may want to try to add the "trust class"/"set DSCP" in each class in your policy-map.

Give it a try, then "show mls qos interface

 

[marsss]

I ll give it a try at benning of next week.

Might try to put priority 1 on traffic for 0-640kbps for all class.

Then priority 2 on traffic for 640-1.5mbos for last 2 class

and finaly, priority 3 for 1.5-3mbps.


That way, maybe i ll be able to garanty at least the first 640kbps for everyone...

I still have to figure how to do that