This post represents the solution and explanation for quiz-23.
Have a look at the quiz and test your knowledge before reading this solution.
Quiz Review
The quiz shows a scenario where the network engineer has to configure Low Latency Queuing (LLQ) for some traffic that will be encrypted into an IPsec tunnel.
The configuration of the policy-map is given but it has not been applied yet anywhere, as shown below:
The final question is "what is missing to finish this task?" giving the impression that the answer to the quiz is very simple: apply the policy-map...
Where to Apply the Service Policy
Unfortunately, the answer is not that simple...
1. applying the policy-map onto the physical interface
R2#conf t
R2(config-if)#int s0/0
R2(config-if)#service-policy output LLQ
R2(config-if)#end
This configuration does not have the effect that we want because the ACL searches for traffic between host 192.168.1.1 and host 192.168.5.5 (
See the zero counters (after sending 100 pings from 192.168.1.1 to 192.168.5.5 via the tunnel):
R2#sh policy-map int Serial0/0
  Service-policy output: LLQ
    Class-map: IMPORTANT_TRAFFIC (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name ACL_IMPORTANT_TRAFFIC
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 33 (%)
        Bandwidth 509 (kbps) Burst 12725 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0
    Class-map: class-default (match-any)
      101 packets, 15624 bytes
      5 minute offered rate 2000 bps, drop rate 0 bps
      Match: any
R2#
2. applying the policy-map onto the tunnel interface
At first look, this would represent the correct solution and it might work with a different type of policy-map, but not with a Class Based Weighted Fair Queueing (CBWFQ) policy-map:
R2(config)#int tun0
R2(config-if)#service-policy output LLQ
*Mar 1 00:02:08.547:Class Based Weighted Fair Queueing not supported on interface Tunnel0
R2(config-if)#end
As you can see, the IOS parser does not allow the LLQ policy-map to be applied directly to the VTI (Tunnel0) interface.
On Cisco, logical interfaces (tunnel interfaces, sub-interfaces, etc.) do not understand the state of congestion (since they are logical) and as a result you cannot apply a queueing mechanism to them. There is a workaround, described later on.
Solutions
There is a workaround for each of the two situations described above:
1. QoS Pre-Classify - applying the policy-map onto the physical interface
The recommended solution for this quiz is to use the QoS Pre-Classify feature and apply the policy-map to the physical interface.
This feature tells the router to keep a temporary copy of the packet's header in its memory (the inner header, before encapsulation and/or encryption) and use it to make QoS decisions such as priority queueing or classification.
R2#conf t
R2(config-if)#int s0/0
R2(config-if)#service-policy output LLQ
!
!
R2(config)#int tun0
R2(config-if)#qos ?
  pre-classify  Enable QOS classification before packets are tunnel encapsulated
R2(config-if)#qos pre-classify
R2#sh policy-map interface Serial0/0
  Service-policy output: LLQ
    Class-map: IMPORTANT_TRAFFIC (match-all)
      100 packets, 15600 bytes
      5 minute offered rate 2000 bps, drop rate 0 bps
      Match: access-group name ACL_IMPORTANT_TRAFFIC
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 33 (%)
        Bandwidth 509 (kbps) Burst 12725 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0
    Class-map: class-default (match-any)
      1 packets, 24 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R2#
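One way to check which of the two outcomes above a router is in, as an added example that is not part of the original post: a small Python parser for `show policy-map interface` text that flags classes with zero matches while class-default carries traffic, the symptom of classification happening after encryption. The sample inputs are constructed by trimming the two outputs shown on this page, and the function names are assumptions.

```python
import re

# Constructed samples, trimmed from the two outputs shown on this page.
BEFORE = """\
 Service-policy output: LLQ
    Class-map: IMPORTANT_TRAFFIC (match-all)
      0 packets, 0 bytes
      Match: access-group name ACL_IMPORTANT_TRAFFIC
    Class-map: class-default (match-any)
      101 packets, 15624 bytes
      Match: any
"""
AFTER = """\
 Service-policy output: LLQ
    Class-map: IMPORTANT_TRAFFIC (match-all)
      100 packets, 15600 bytes
      Match: access-group name ACL_IMPORTANT_TRAFFIC
    Class-map: class-default (match-any)
      1 packets, 24 bytes
      Match: any
"""

CLASS_RE = re.compile(r"Class-map:\s+(\S+)\s+\(match-(?:all|any)\)")
COUNT_RE = re.compile(r"(\d+) packets, (\d+) bytes")

def class_counters(show_output):
    """Return {class_name: (packets, bytes)} from `show policy-map interface` text."""
    counters, current = {}, None
    for line in show_output.splitlines():
        m = CLASS_RE.search(line)
        if m:
            current = m.group(1)
        c = COUNT_RE.search(line)
        # Only the first counter line after a Class-map header is the class total.
        if c and current and current not in counters:
            counters[current] = (int(c.group(1)), int(c.group(2)))
    return counters

def starved_classes(show_output):
    """Classes that matched nothing while class-default carried traffic."""
    counters = class_counters(show_output)
    if counters.get("class-default", (0, 0))[0] == 0:
        return []  # no traffic at all: nothing can be concluded
    return [n for n, (p, _) in counters.items() if n != "class-default" and p == 0]

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, class_counters(text), starved_classes(text))
```

For nested (hierarchical) policies the parser keeps only the first counters seen for each class name, so the parent class-default wins over the child one.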
2. Hierarchical Queueing Framework (HQF) - applying the policy-map onto the tunnel interface
The workaround mentioned for scenario #2 above is to configure a hierarchical QoS (HQF) service policy that can be applied to the logical (Tunnel0) interface.
R2#conf t
R2(config)#policy-map HQF
R2(config-pmap)#class class-default
R2(config-pmap-c)#shape average 1544000
R2(config-pmap-c)#service-policy LLQ
R2(config-pmap-c)#exit
R2(config-pmap)#exit
R2(config)#int tun0
R2(config-if)#service-policy output HQF
R2(config-if)#exit
R2#sh policy-map interface Tunnel0
  Service-policy output: HQF
    Class-map: class-default (match-any)
      102 packets, 10499 bytes
      5 minute offered rate 2000 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
          1544000/1544000   9650   38600     38600     25        4825

        Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
        Active Depth                         Delayed   Delayed   Active
        -      0         102       10099     0         0         no

      Service-policy : LLQ
        Class-map: IMPORTANT_TRAFFIC (match-all)
          100 packets, 10400 bytes
          5 minute offered rate 2000 bps, drop rate 0 bps
          Match: access-group name ACL_IMPORTANT_TRAFFIC
          Queueing
            Strict Priority
            Output Queue: Conversation 72
            Bandwidth 33 (%)
            Bandwidth 509 (kbps) Burst 12725 (Bytes)
            (pkts matched/bytes matched) 0/0
            (total drops/bytes drops) 0/0
        Class-map: class-default (match-any)
          2 packets, 99 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
Some final notes:
- each of the above solutions has pros and cons in specific scenarios and you may need to evaluate them before choosing the right solution
- be aware that on some platforms (low end ones, usually) using the shape command on tunnel interfaces might cause high CPU problems
- applying the service policy on the physical interface does account for the tunnel overhead
Thanks again for all your comments in the quiz!