Cisco – Enabling MLS QoS on a production 7600

Tags: cisco, cisco-7600, policing, qos

I am looking at a 7609-S with a RSP720-3CXL running 12.2(33)SRE3.

I have been asked to help with rate limiting some servers attached to a couple of ports running as L2 ports (switchport mode access), so this requires me to apply a policy-map to the L3 SVI that is the default gateway in this VLAN. When enabling the service policy under the SVI interface configuration I received the following error:

router(config-if)#service-policy input PM-LIMIT-100M
Warning (QoS): MLS QoS is disabled, marking/policing will be done after 
enabling MLS QoS globally

I have looked through the config and sure enough, there is no "mls qos" in the global configuration. What potential issues can happen from enabling this global config command on this production device? I can obviously perform this during a scheduled maintenance period for safety, but should it even be attempted at all?

If it makes any difference, there were no class maps or policy maps defined on this router until I logged in to make one to rate limit the previously mentioned server ports (all ports are Gig; I have been tasked with limiting this SVI to 100Mbps for a short period). I am trying to use the following configuration:

class-map match-any CM-LIMIT-100M
  match access-group name ACL-SERVERS
!
policy-map PM-LIMIT-100M
  class CM-LIMIT-100M
    police 100000000 18750000 31250000 conform-action transmit exceed-action drop violate-action drop
!
int vlan 123
service-policy input PM-LIMIT-100M
service-policy output PM-LIMIT-100M

I would like to think there are no potential issues that will occur if I enable this, but you never know so I'm all ears!
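The `police` line in the question is a single-rate three-colour policer: the first value is the CIR in bits/s and the two burst values are token-bucket depths in bytes (18750000 is 100e6 × 1.5 s / 8 and 31250000 is 100e6 × 2.5 s / 8, the usual 1.5 s / 2.5 s rule of thumb). The Python model below is an added example, not code from the question or the answer; the RFC 2697 bucket behaviour, and the constructed 1 Gbit/s burst of 1500-byte frames used to exercise it, are assumptions rather than a statement about the 7600 hardware.

```python
"""Single-rate three-colour policer (RFC 2697 model) behind Cisco's
`police <bps> <burst-normal> <burst-max>`: rate in bits/s, bursts in BYTES."""
from collections import Counter


class SrTcmPolicer:
    """Colour-blind srTCM: conform bucket Tc (CBS) and exceed bucket Te (EBS)."""
    def __init__(self, cir_bps, cbs_bytes, ebs_bytes):
        self.cir_bps = cir_bps      # committed rate, bits/s (first `police` argument)
        self.cbs_bytes = cbs_bytes  # burst-normal: depth of the conform bucket, bytes
        self.ebs_bytes = ebs_bytes  # burst-max: depth of the exceed bucket, bytes
        self.tc = float(cbs_bytes)  # both buckets start full
        self.te = float(ebs_bytes)
        self.last_t = 0.0

    def _refill(self, now):
        """Credit CIR tokens for the elapsed time; Tc overflow spills into Te."""
        self.tc += self.cir_bps / 8 * (now - self.last_t)
        self.last_t = now
        if self.tc > self.cbs_bytes:
            self.te = min(self.ebs_bytes, self.te + self.tc - self.cbs_bytes)
            self.tc = float(self.cbs_bytes)

    def police(self, now, size):
        """Return the colour of one packet of `size` bytes arriving at `now` (s)."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"


def run_burst(policer, pkt_bytes, line_rate_bps, duration_s):
    """Offer a constructed line-rate burst of equal frames and count bytes per
    colour; with exceed/violate -> drop, only 'conform' bytes are forwarded."""
    gap = pkt_bytes * 8 / line_rate_bps
    counts = Counter()
    for i in range(int(duration_s / gap)):
        counts[policer.police(i * gap, pkt_bytes)] += pkt_bytes
    return counts


if __name__ == "__main__":
    # The question's policer hit by 1 Gbit/s of 1500-byte frames for one second
    p = SrTcmPolicer(100_000_000, 18_750_000, 31_250_000)
    print(dict(run_burst(p, 1500, 1_000_000_000, 1.0)))
```

Over that one-second burst roughly CBS plus one second of CIR (about 31 MB) conforms, the EBS worth of bytes is marked exceed, and everything else violates; with both of the question's actions set to drop, only the conform share is forwarded.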

Best Answer

You definitely should enable MLS QoS. It is also a prerequisite for CoPP, which you should add to your TODO list to implement.

Enabling 'mls qos' without other config is an extremely bad idea in low-end cats, like 3560/3750, due to unexpected default scheduling and due to heavily reduced buffers causing more microbursting.

On 7600/6500 it's comparatively safe to enable, but of course you can crash your router with 'show run'. I would feel comfortable enough to enable it during production hours.

You should monitor 'show queueing interface X' after enabling to see that you're not dropping anything. Long term, you should design a QoS policy and implement it; I recommend using as few queues as possible (and assigning 100% of the buffer to those few queues). Example of a possible QoS policy on a WS-X6704-10GE:

interface TenGigabitEthernet4/1
 wrr-queue bandwidth percent 30 40 30 0 0 0 0  ## allocate 3 queues (+implied strict priority), share buffer 30% 40% 30% on those three queues
 wrr-queue cos-map 1 1 0 7 # map cos values to queues
 wrr-queue cos-map 2 2 3 
 wrr-queue cos-map 3 1 4 
 wrr-queue cos-map 3 2 6 

For advanced config, you may want to supplement that with 'wrr-queue random-detect' with RED curve per queue+threshold. Be sure to mark your traffic correctly when it enters your network.