[c-nsp] QoS on 870 SVI?

Nathan have.an.email at gmail.com
Mon Jun 2 06:31:01 EDT 2008


Hi,

I'm annoyed because after client complaints I find that a QoS
configuration I thought would work just fine actually doesn't.

I've used several versions of Enterprise / Advanced IOS on 871 / 877 /
878. QoS-wise I'm mostly setting ip dscp on packets incoming from the
LAN and LLQing them out on the WAN. I've noted some differences in the
SVI interfaces vs the real switch interfaces: sometimes you can attach
policies on any interface, sometimes not. I did some testing on one
version (12.3(8)YI3 IIRC) and I thought I found that input policies
should be on the SVI, and output policies should be on the Fa[0123],
which seemed logical and was fine with me.

Now I'm running 12.4(9)T1, where the service-policy command on the SVI is
not accepted at all, so I put them on the Fa[0123], and I see packets
matching, so I thought it would be OK . . . but no. I do see packets
match the class-default on output policies, but no matches on
non-default classes even though I've sent matching packets, and
nothing at all is matched on an input policy, no packets are marked at
all.

When I attach the same policies on the "real" WAN interface everything
works as expected.

Unfortunately just using the WAN interface is problematic, not just
because I'm not sure if the set ip dscp is taken into account on
outbound policies on un-congested interfaces (is it?), but because I
have several places with two or three WAN lines and two or three LANs,
using SVI, so there are packets that should be marked but that do not
go through the "official" WAN interface.

Is packet marking on 870-series SVI unsupported, or should I be able to do it?

All I've found is the Cisco FAQ saying that the 870s with Advanced IP
do QoS, but nothing saying that they do or do not on the switchports.
Thanks for any pointers.


----------------------


Below is an example. I apply qos to all the SVI interfaces outgoing,
qos1M to the Fa4 interface outgoing, and setremote to SVI interface
incoming. When I add in the match access-group name remote to the
class-map express I get matches, otherwise not, meaning that af43 is
not set by setremote.

class-map match-any routing
 match  dscp cs6  cs7
class-map match-any remote
 match access-group name remote
class-map match-any express
 match ip dscp cs5
 match ip dscp cs4
 match ip dscp af41
 match ip dscp af42
 match ip dscp af43
 match access-group name remote     <-- should not be needed
!
!
policy-map qos
 class routing
  bandwidth 10
 class express
  priority percent 50
 class class-default
  fair-queue
policy-map qos1M
 class class-default
  shape average 1000000
  service-policy qos
policy-map setremote
 class remote
  set ip dscp af43
ip access-list extended remote
 permit tcp any any eq 3389
 permit tcp any eq 3389 any
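
The classification logic of the configuration above, as an added example that is not part of the original message: a small Python model of the `remote` ACL, the `setremote` input marking and the class order of policy-map `qos`, showing why RDP traffic lands in class-default when input marking does not take effect and why adding the ACL to `express` hides that. The function names and the `marking_works` switch are hypothetical, the packets are constructed samples, and the shaper in `qos1M` is not modelled.

```python
# DSCP codepoints (standard values) for the names used in the posted class-maps.
DSCP = {"cs4": 32, "af41": 34, "af42": 36, "af43": 38, "cs5": 40, "cs6": 48, "cs7": 56}

def acl_remote(pkt):
    """ip access-list extended remote: TCP with source or destination port 3389."""
    return pkt["proto"] == "tcp" and 3389 in (pkt["sport"], pkt["dport"])

def setremote(pkt, marking_works):
    """Input policy 'setremote': class remote -> set ip dscp af43.
    marking_works=False models the reported symptom (assumption: nothing is re-marked)."""
    if marking_works and acl_remote(pkt):
        return {**pkt, "dscp": DSCP["af43"]}  # copy, the original packet is untouched
    return pkt

def classify_qos(pkt, acl_in_express):
    """Output policy 'qos': the first matching class in policy-map order wins."""
    if pkt["dscp"] in (DSCP["cs6"], DSCP["cs7"]):
        return "routing"
    express = {DSCP[n] for n in ("cs5", "cs4", "af41", "af42", "af43")}
    # acl_in_express models the extra 'match access-group name remote' line.
    if pkt["dscp"] in express or (acl_in_express and acl_remote(pkt)):
        return "express"
    return "class-default"

def egress_class(pkt, marking_works, acl_in_express):
    """Class a LAN packet ends up in on the WAN after the input policy has run."""
    return classify_qos(setremote(pkt, marking_works), acl_in_express)

# Constructed sample packets (not captured traffic).
RDP = {"proto": "tcp", "sport": 51000, "dport": 3389, "dscp": 0}
RDP_REPLY = {"proto": "tcp", "sport": 3389, "dport": 51000, "dscp": 0}
WEB = {"proto": "tcp", "sport": 51001, "dport": 80, "dscp": 0}
OSPF = {"proto": "ospf", "sport": None, "dport": None, "dscp": DSCP["cs6"]}

if __name__ == "__main__":
    for marking in (True, False):
        for acl in (False, True):
            row = [egress_class(p, marking, acl) for p in (RDP, RDP_REPLY, WEB, OSPF)]
            print(f"marking_works={marking!s:5} acl_in_express={acl!s:5} -> {row}")
```

With the ACL match left in `express`, the output counters look the same whether or not marking works, so the packets' DSCP value itself has to be checked to tell the two cases apart.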

