Designing a QoS Policy for a Cisco 4500 Supervisor 6E

Looking to increase the switching capabilities within my setup to support the Gigabit needs of my ever growing environment, I ran across a spare 4507E chassis and some line cards.  With the new platform came the opportunity to research and apply the latest QoS configurations available.

The Setup

I have had some Gigabit switches in the past, but had the opportunity to implement this monster switch.  I was ultimately a little concerned about power, but it seems it will not be as big of a concern as I initially thought.  With the current switch configuration, I am using two switches.  My 3750 has PoE for phones and access points while the Linksys Small Business SW2048 handles the servers and other Gigabit connections.  The new switch is a 4507R-E with a Supervisor 6E with a WS-X4648-RJ45-E and a WS-X4648-RJ45V+E. I am running a single supervisor and single power supply to help keep power requirements down.  With the latest Version 15.2(2)E3 software loaded, the switch was ready to go.

QoS Configuration

I like to use my environment to demonstrate and test the various components within.  When there is a new application or technology that is interesting, I like to add it.  As such, I run much more than voice and video on my setup and therefore enjoy applying QoS as needed.  A few applications I desire to prioritize are:

With my priorities set, I turned to Cisco's Medianet Quality of Service validated designs.  This post is the outcome of working through the Catalyst 4500 IOS 15.2 Configuration Guide and the Medianet Campus QoS Design 4.0.  Those documents provide the references we will follow for the basic steps of implementing ingress marking, egress queuing, and control plane policing as modular QoS policies.

Ingress Marking

With the Sup6E supervisor there is no ingress queuing customization, so the ingress side is purely classification and marking.  There are several options for that marking: trust the incoming DSCP values completely, trust only the markings from an attached IP phone when one is present, or classify and mark the traffic explicitly.  Trusting endpoints unconditionally means any host can promote its own traffic into the priority queue simply by setting EF, so this tutorial walks through explicit classification and marking using Modular QoS CLI (MQC) policies.  The MQC configuration uses three components to mark the traffic appropriately:

  • class-map
  • policy-map
  • service-policy

Below are the access lists, class maps, and policy map used for ingress marking, which identify the traffic classes on the switch.  Note that each policer either drops or re-marks to default anything that exceeds the expected rate for its class, so a misbehaving host cannot flood the priority classes with correctly marked traffic.

!
! Signaling lines in order: SCCP, SIP, SIP, H245, MGCP, MGCP, H323
!
ip access-list extended VVLAN-Signaling
 permit tcp 192.168.1.128 0.0.0.31 any range 2000 2002
 permit udp 192.168.1.128 0.0.0.31 any eq 5060
 permit tcp 192.168.1.128 0.0.0.31 any eq 5060
 permit tcp 192.168.1.128 0.0.0.31 any range 11000 11999
 permit udp 192.168.1.128 0.0.0.31 any eq 2427
 permit udp 192.168.1.128 0.0.0.31 any eq 2428
 permit tcp 192.168.1.128 0.0.0.31 any eq 1720
!
ip access-list extended VVLAN-Voice
 permit udp 192.168.1.128 0.0.0.31 any range 16384 32767 dscp ef
!
ip access-list extended VVLAN-Video
 permit udp 192.168.1.128 0.0.0.31 any range 16384 32767 dscp af41
!
ip access-list extended DVLAN-Signaling
 permit tcp 192.168.1.0 0.0.0.31 any range 2000 2002
 permit udp 192.168.1.0 0.0.0.31 any eq 5060
 permit tcp 192.168.1.0 0.0.0.31 any eq 5060
 permit tcp 192.168.1.0 0.0.0.31 any range 11000 11999
 permit udp 192.168.1.0 0.0.0.31 any eq 2427
 permit udp 192.168.1.0 0.0.0.31 any eq 2428
 permit tcp 192.168.1.0 0.0.0.31 any eq 1720
 permit tcp 192.168.1.32 0.0.0.31 any range 2000 2002
 permit udp 192.168.1.32 0.0.0.31 any eq 5060
 permit tcp 192.168.1.32 0.0.0.31 any eq 5060
 permit tcp 192.168.1.32 0.0.0.31 any range 11000 11999
 permit udp 192.168.1.32 0.0.0.31 any eq 2427
 permit udp 192.168.1.32 0.0.0.31 any eq 2428
 permit tcp 192.168.1.32 0.0.0.31 any eq 1720
!
ip access-list extended DVLAN-Voice
 permit udp 192.168.1.0 0.0.0.31 any range 16384 32767 dscp ef
 permit udp 192.168.1.32 0.0.0.31 any range 16384 32767 dscp ef
!
ip access-list extended DVLAN-Video
 permit udp 192.168.1.0 0.0.0.31 any range 16384 32767 dscp af41
 permit udp 192.168.1.32 0.0.0.31 any range 16384 32767 dscp af41
!
ip access-list extended ANY-CounterStrike-Competitive
 permit tcp any any range 27030 27039
 permit tcp any any eq 27015 
 permit tcp any any range 27017 27020
 permit udp any any range 27000 27015
 permit udp any any eq 1200
!
ip access-list extended ANY-CounterStrike-1v1
 permit udp any any eq 27016 
 permit tcp any any eq 27016 
!
ip access-list extended ANY-Scavenger
 permit ip 192.168.2.48 0.0.0.15 any
 permit ip host 192.168.0.90 any dscp cs1
!
ip access-list extended ANY-WebBased
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq ftp
 permit tcp any any eq 22
 permit tcp any any eq domain
 permit tcp any eq www any
 permit tcp any eq 443 any
 permit tcp any eq smtp any
 permit tcp any eq pop3 any
 permit tcp any eq ftp any
 permit tcp any eq 22 any
 permit tcp any eq domain any
 permit tcp any any eq 5223
!
class-map match-any VVLAN-Signaling
 match access-group name VVLAN-Signaling
!
class-map match-all VVLAN-Voice
 match access-group name VVLAN-Voice
!
class-map match-all VVLAN-Video
 match access-group name VVLAN-Video
!
class-map match-any DVLAN-Signaling
 match access-group name DVLAN-Signaling
!
class-map match-all DVLAN-Voice
 match access-group name DVLAN-Voice
!
class-map match-all DVLAN-Video
 match access-group name DVLAN-Video
!
class-map match-any ANY-CounterStrike-Competitive
 match access-group name ANY-CounterStrike-Competitive
!
class-map match-any ANY-CounterStrike-1v1
 match access-group name ANY-CounterStrike-1v1
!
class-map match-any ANY-WebBased
 match access-group name ANY-WebBased
!
class-map match-any ANY-Scavenger
 match access-group name ANY-Scavenger
!
policy-map Ingress-Policy
 class VVLAN-Voice
  set dscp ef
  police 128k bc 8000
   conform-action transmit
   exceed-action drop
 class VVLAN-Video
  set dscp af41
  police 5m bc 8000
   conform-action transmit
   exceed-action drop
 class VVLAN-Signaling
  set dscp cs3
  police 32k bc 8000
   conform-action transmit
   exceed-action drop
 class DVLAN-Voice
  set dscp ef
  police 128k bc 8000
   conform-action transmit
   exceed-action drop
 class DVLAN-Video
  set dscp af41
  police 5m bc 8000
   conform-action transmit
   exceed-action drop
 class DVLAN-Signaling
  set dscp cs3
  police 32k bc 8000
   conform-action transmit
   exceed-action drop
 class ANY-CounterStrike-Competitive
  set dscp af31
  police 5m bc 8000
   conform-action transmit
   exceed-action set-dscp-transmit default
 class ANY-CounterStrike-1v1
  set dscp af21
  police 5m bc 8000
   conform-action transmit
   exceed-action set-dscp-transmit default
 class ANY-WebBased
  set dscp af11
  police 25m bc 562500
   conform-action transmit
   exceed-action set-dscp-transmit default
 class ANY-Scavenger
  set dscp cs1
 class class-default
  set dscp default
!
interface range GigabitEthernet 1/1-48
 service-policy input Ingress-Policy

A few things to note about this policy.  Within the DVLAN-Voice, DVLAN-Video, and Scavenger access lists, I am matching against packets that are set to a specific DSCP value and then “remarking” them.  This original marking is being set by a Windows Group Policy that sets specific application traffic to a certain DSCP value.  This is used for Crash Plan Backups and Cisco Jabber.

Egress Queuing

The Supervisor 6E provides a 1P7Q1T+DBL queuing model: each port supports eight transmit queues, one of which is a strict Priority Queue, with one drop threshold per queue and support for Dynamic Buffer Limiting (DBL) for congestion avoidance.

The Medianet guide requires separate class maps for egress queuing, distinct from the ones used for ingress marking.  The queuing class maps match on DSCP only; reusing the ACL-based ingress class maps in the queuing policy will cause problems with traffic classification.

For egress queuing we match only on DSCP values, since all traffic has already been marked on ingress.  Below is the example layout from the Medianet guide.  My policy stays relatively close to it, tailored as appropriate to support my traffic classes.

1P7Q1T+DBL Egress Queuing Standard Mapping

With that, below is the example policy created for the environment.

! Queuing class maps use match-any: a packet carries a single DSCP value, so a
! match-all class with several "match dscp" lines could never match anything.
class-map match-any Priority-Queue
 match dscp ef
 match dscp cs5
 match dscp cs4
class-map match-any Control-Mgmt-Queue
 match dscp cs7
 match dscp cs6
 match dscp cs3
 match dscp cs2
class-map match-any Multimedia-Video-Queue
 match dscp af41
 match dscp af42
 match dscp af43
class-map match-any Multimedia-CSGO-Competitive-Queue
 match dscp af31
 match dscp af32
 match dscp af33
class-map match-any Multimedia-CSGO-1v1-Queue
 match dscp af21
 match dscp af22
 match dscp af23
class-map match-any Bulk-WebTraffic-Queue
 match dscp af11
 match dscp af12
 match dscp af13
class-map match-any Scavenger-Queue
 match dscp cs1

policy-map Egress-Policy
 class Priority-Queue
  priority
 class Control-Mgmt-Queue
  bandwidth remaining percent 10
 class Multimedia-Video-Queue
  bandwidth remaining percent 10
 class Multimedia-CSGO-Competitive-Queue
  bandwidth remaining percent 10
 class Multimedia-CSGO-1v1-Queue
  bandwidth remaining percent 10
 class Bulk-WebTraffic-Queue
  bandwidth remaining percent 10
  dbl
 class Scavenger-Queue
  bandwidth remaining percent 4
  dbl
 ! class-default receives the unallocated share of the remaining bandwidth
 class class-default
  dbl

interface range GigabitEthernet 1/1-48
 service-policy output Egress-Policy
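The ACL, class-map, policy-map and service-policy names above all have to line up by hand, for both the ingress marking policy and the egress queuing policy, and a match-all class map with several "match dscp" lines is accepted by the CLI even though it can never match a packet.  The following Python linter is an added example, not code from this post or from Cisco, that parses an IOS-style MQC configuration text and reports dangling references and the match-all mistake.  The SAMPLE_CONFIG inside it is constructed for the demo and deliberately contains one instance of each problem.

```python
"""Static lint for the class-map / policy-map / service-policy structure.

Added example (Python), not code from the original post or from Cisco. It parses
an IOS-style MQC configuration text and reports the reference mistakes that are
easy to make when hand-building ingress marking and egress queuing policies:
a class-map that points at an ACL which was never defined, a policy-map class
with no class-map, a service-policy naming a policy-map that does not exist, and
a match-all class-map carrying several 'match dscp' lines (a packet has only one
DSCP value, so such a class never matches).

SAMPLE_CONFIG is constructed for this demo and contains one of each mistake.
"""
import re

SAMPLE_CONFIG = """\
ip access-list extended VVLAN-Voice
 permit udp 192.168.1.128 0.0.0.31 any range 16384 32767 dscp ef
!
class-map match-all VVLAN-Voice
 match access-group name VVLAN-Voice
class-map match-any DVLAN-Signaling
 match access-group name DVLAN-Signaling
class-map match-all Multimedia-Video-Queue
 match dscp af41
 match dscp af42
class-map match-any Priority-Queue
 match dscp ef
 match dscp cs5
!
policy-map Ingress-Policy
 class VVLAN-Voice
  set dscp ef
 class DVLAN-Video
  set dscp af41
 class class-default
  set dscp default
policy-map Egress-Policy
 class Priority-Queue
  priority
 class Multimedia-Video-Queue
  bandwidth remaining percent 10
!
interface range GigabitEthernet 1/1-48
 service-policy input Ingress-Policy
 service-policy output Engress-Policy
"""


def parse_mqc(text):
    """Return (acl_names, class_maps, policy_maps, referenced_policy_names)."""
    acls, class_maps, policy_maps, referenced = set(), {}, {}, []
    section, name = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        stripped = line.strip()
        if line[0] != " ":                      # unindented line starts a new section
            m = re.match(r"ip access-list (?:standard|extended) (\S+)$", stripped)
            if m:
                acls.add(m.group(1)); section = "acl"; continue
            m = re.match(r"class-map (match-any|match-all) (\S+)$", stripped)
            if m:
                section, name = "class", m.group(2)
                class_maps[name] = {"mode": m.group(1), "acls": [], "dscp_lines": 0}
                continue
            m = re.match(r"policy-map (\S+)$", stripped)
            if m:
                section, name = "policy", m.group(1)
                policy_maps[name] = []
                continue
            section = "interface" if stripped.startswith("interface") else None
            continue
        if section == "class":
            m = re.match(r"match access-group name (\S+)$", stripped)
            if m:
                class_maps[name]["acls"].append(m.group(1))
            elif stripped.startswith("match dscp"):
                class_maps[name]["dscp_lines"] += 1
        elif section == "policy":
            m = re.match(r"class (\S+)$", stripped)     # 'set'/'police' lines do not match
            if m:
                policy_maps[name].append(m.group(1))
        elif section == "interface":
            m = re.match(r"service-policy (?:input|output) (\S+)$", stripped)
            if m:
                referenced.append(m.group(1))
    return acls, class_maps, policy_maps, referenced


def lint_mqc(text):
    """Return a list of findings; an empty list means every reference resolves."""
    acls, class_maps, policy_maps, referenced = parse_mqc(text)
    findings = []
    for cname, cm in class_maps.items():
        for acl in cm["acls"]:
            if acl not in acls:
                findings.append(f"class-map {cname}: ACL {acl} is not defined")
        if cm["mode"] == "match-all" and cm["dscp_lines"] > 1:
            findings.append(f"class-map {cname}: match-all with {cm['dscp_lines']} "
                            "'match dscp' lines can never match; use match-any")
    for pname, classes in policy_maps.items():
        for cname in classes:
            if cname != "class-default" and cname not in class_maps:
                findings.append(f"policy-map {pname}: class {cname} has no class-map")
    for pname in referenced:
        if pname not in policy_maps:
            findings.append(f"service-policy references undefined policy-map {pname}")
    return findings


if __name__ == "__main__":
    for finding in lint_mqc(SAMPLE_CONFIG):
        print(finding)
```

Run it against a `show running-config` capture before pasting a policy into the switch; the parser understands only the statement shapes used on this page (named ACL references and `match dscp` lines), so extend the regexes if your class maps match on CoS or protocol.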


Control Plane Policing

Last but not least is Control Plane Policing (CoPP).  Its purpose is to protect the switch's processor by limiting the rate of traffic punted to the CPU, so that a flood of routing updates, management connections, or plain garbage cannot starve the control plane.  While it can be generated automatically, we have configured the rest of the QoS manually and will continue to be stubborn here too :).

Not every class from the Medianet design guide is included in the example below, and the EIGRP and multicast (Auto-RP) entries were added to the COPP-IGP access list for this environment.  While building your policy, keep in mind that class-default is a catch-all: anything you forgot to classify still gets some level of connectivity through it, but only at the rate its policer allows.

The CIR in the policy map is the committed rate in bits per second.  Notice that each class is limited to less than 1 Mbps, which is plenty for the legitimate traffic and little enough that no single class can overload the CPU.  The class-default policer is your friend again: it bounds whatever was left out, including anything malicious, to 500 kbps.  Two practical points: on the Catalyst 4500 the control plane policy map must be named system-cpp-policy, as below, and the COPP-Undesirable class as written still transmits up to 32 kbps of matching traffic; if the intent is to block rather than rate-limit, set conform-action drop as well.

ip access-list extended COPP-IGP
 remark Internal Routing (EIGRP) and Auto-RP
 permit eigrp any host 224.0.0.10
 permit udp any any eq pim-auto-rp
!
ip access-list extended COPP-Monitoring
 remark Ping
 permit icmp any any echo
 remark Ping-Echo-Reply
 permit icmp any any echo-reply
 remark Traceroute
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
!
ip access-list extended COPP-Management
 remark TACACS (return traffic)
 permit tcp host 192.168.0.66 host 192.168.0.253 established
 remark SSH
 permit tcp 192.168.0.0 0.0.7.255 host 192.168.0.253 eq 22
 remark SNMP
 permit udp host 192.168.0.76 host 192.168.0.253 eq snmp
 remark NTP
 permit udp host 192.168.0.254 host 192.168.0.253 eq ntp
!
ip access-list extended COPP-Undesirable
 remark Undesirable Traffic
 permit udp any any eq 1434
!
class-map match-all COPP-IGP
 match access-group name COPP-IGP
class-map match-all COPP-Monitoring
 match access-group name COPP-Monitoring
class-map match-all COPP-Management
 match access-group name COPP-Management
class-map match-all COPP-Undesirable
 match access-group name COPP-Undesirable
!
policy-map system-cpp-policy
 class COPP-IGP
  police cir 300000 bc 3000 be 3000
   conform-action transmit
   exceed-action drop
 class COPP-Management
  police cir 500000 bc 5000 be 5000
   conform-action transmit
   exceed-action drop
 class COPP-Monitoring
  police cir 900000 bc 9000 be 9000
   conform-action transmit
   exceed-action drop
 class COPP-Undesirable
  police cir 32000 bc 3000 be 3000
   conform-action transmit
   exceed-action drop
 class class-default
  police cir 500000 bc 5000 be 5000
   conform-action transmit
   exceed-action drop
!
control-plane
 service-policy input system-cpp-policy
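Two properties of this policy are worth seeing in action: classes are evaluated in policy-map order with first match winning (so the COPP-Management entries only protect the switch address from the listed sources, and an SSH attempt from anywhere else lands in class-default), and each class has a single policer, so a flood from one host inside the permitted management subnet consumes the COPP-Management budget and causes a legitimate SNMP poll in the same class to be dropped.  The following Python model is an added example, not code from this post or from Cisco IOS; it implements first-match ACL classification and a single-rate token bucket (CIR in bit/s, burst bc in bytes; the be keyword is not modelled).  The ACL entries are a constructed subset of the COPP-* lists above, 192.168.0.253 is assumed to be the switch management address, and the traffic is constructed for the demo.

```python
"""Offline model of the CoPP policy: first-match classification plus per-class token buckets.

Added example (Python), not code from the post or from Cisco IOS. A packet punted to
the CPU is tested against the classes in policy-map order, the first matching ACL
entry wins, anything unmatched lands in class-default, and each class has its own
policer (CIR in bit/s, burst bc in bytes; 'be' is not modelled). The ACL entries are a
constructed subset of the post's COPP-* lists; 192.168.0.253 is assumed to be the
switch management address.
"""
import ipaddress

PORT_NAMES = {"snmp": 161, "ntp": 123, "pim-auto-rp": 496}
MGMT = "192.168.0.253"

def _net(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)  # IOS wildcard == hostmask

def parse_ace(line):
    """Parse 'permit PROTO SRC DST [eq PORT] [established]'; ICMP type keywords are ignored."""
    tokens = line.split()[1:]                      # drop 'permit'
    ace = {"proto": tokens.pop(0), "src": _net(tokens), "dst": _net(tokens),
           "dport": None, "established": False}
    while tokens:
        t = tokens.pop(0)
        if t == "eq":
            p = tokens.pop(0)
            ace["dport"] = PORT_NAMES.get(p) or int(p)
        elif t == "established":
            ace["established"] = True
    return ace

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ace["src"]
            and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
            and (ace["dport"] is None or pkt.get("dport") == ace["dport"])
            and (not ace["established"] or pkt.get("ack", False)))

class Policer:
    """Single-rate token bucket: refills at CIR/8 bytes per second, holds at most bc bytes."""
    def __init__(self, cir_bps, bc_bytes):
        self.rate, self.depth = cir_bps / 8.0, float(bc_bytes)
        self.tokens, self.last = float(bc_bytes), 0.0

    def offer(self, nbytes, now):
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return "conform"
        return "exceed"                            # the post's policy drops on exceed

COPP_SPEC = [  # (class, ACL entries, (cir, bc)) in policy-map order; class-default is appended
    ("COPP-IGP", ["permit eigrp any host 224.0.0.10",
                  "permit udp any any eq pim-auto-rp"], (300000, 3000)),
    ("COPP-Management", ["permit tcp host 192.168.0.66 host 192.168.0.253 established",
                         "permit tcp 192.168.0.0 0.0.7.255 host 192.168.0.253 eq 22",
                         "permit udp host 192.168.0.76 host 192.168.0.253 eq snmp"], (500000, 5000)),
    ("COPP-Monitoring", ["permit icmp any any echo"], (900000, 9000)),
    ("COPP-Undesirable", ["permit udp any any eq 1434"], (32000, 3000)),
]

def build_policy(spec=COPP_SPEC, default=(500000, 5000)):
    classes = [(n, [parse_ace(l) for l in lines], Policer(*p)) for n, lines, p in spec]
    return classes + [("class-default", [], Policer(*default))]

def classify(policy, pkt):
    """Return (class name, policer): first match wins, class-default catches the rest."""
    for name, aces, policer in policy:
        if name == "class-default" or any(ace_matches(a, pkt) for a in aces):
            return name, policer

def run(policy, packets):
    """packets: iterable of (time_s, pkt, size_bytes) in time order -> per-class verdict counts."""
    stats = {}
    for t, pkt, size in packets:
        name, policer = classify(policy, pkt)
        stats.setdefault(name, {"conform": 0, "exceed": 0})[policer.offer(size, t)] += 1
    return stats

# Constructed traffic: a 1000-packet SSH SYN flood from an in-subnet host (60 B every 20 us,
# about 24 Mbit/s) followed by one legitimate SNMP poll that shares the same class and policer.
SSH_FLOOD = [(i * 20e-6, {"proto": "tcp", "src": "192.168.1.10", "dst": MGMT, "dport": 22}, 60)
             for i in range(1000)]
OTHER = [
    (0.020, {"proto": "udp", "src": "192.168.0.76", "dst": MGMT, "dport": 161}, 90),
    (0.021, {"proto": "eigrp", "src": "192.168.0.254", "dst": "224.0.0.10"}, 80),
    (0.022, {"proto": "udp", "src": "10.9.9.9", "dst": MGMT, "dport": 1434}, 400),
    (0.023, {"proto": "tcp", "src": "10.9.9.9", "dst": MGMT, "dport": 22}, 60),
    (0.024, {"proto": "icmp", "src": "10.9.9.9", "dst": MGMT}, 84),
]

def demo(flood=True):
    return run(build_policy(), (SSH_FLOOD if flood else []) + OTHER)

if __name__ == "__main__":
    for scenario in (True, False):
        print("with flood:" if scenario else "without flood:", demo(scenario))
```

With the flood present only about a hundred of the thousand SYNs conform (the 5000-byte burst plus 500 kbit/s of refill over 20 ms) and the SNMP poll that follows is dropped with them; without the flood the same poll conforms.  That is the argument for keeping management protocols in classes separate from anything an ordinary host on the permitted subnet can generate, and for scoping the source addresses in COPP-Management as tightly as your tooling allows.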

Conclusion

While this guide is certainly not specific to most builds, hopefully sharing the thought process and sources helps you build your own modular QoS configuration.  If you have multiple switch platforms in your environment, you will quickly learn that the exact syntax for these steps varies greatly; that is where the configuration guides for the specific models come in.  Feel free to share your experiences and configurations!
