Policy-maps do indeed have the ability to be nested inside other policy maps. When we engage in this nesting behavior, we refer to the policy as a hierarchical policy. This is typically done to configure multiple treatments to QoS. For example – we might want to traffic-shape all traffic to 3 MB; and then inside that 3 MB shaped traffic, guarantee Web traffic at least 1 MB of bandwidth.
Remember, we use a service-policy (normally done with interfaces) to assign the QoS policies that we define inside the policy-map.
With the nesting of policy maps, there are some restrictions that you should be aware of. For example:
set command is not supported on the child policy
priority command can be used in either the parent or the child policy, but not both
fair-queue command cannot be used in the parent
Here is an example of nesting policy maps:
match protocol http
Verifying your policy-map, is very simple thanks to the following show commands:
show policy-map interface int_name
How to block cisco.com/go/support using QoS matching DNS name, while allowing the web access to the host like cisco.com:
class-map match-all TEST
match protocol http host "*cisco.com\/support*"
service-policy output NBAR
How to read the output of CoS-DSCP map
Switch# show mls qos maps dscp-cos
d1 : d2 9
0 : 00 00 00 00 00 00 00 00 01 01
1 : 01 01 01 01 01 01 02 02 02 02
2 : 02 02 02 02 03 03 03 03 03 03
3 : 03 03 04 04 04 04 04 04 04 04
4 : 05 05 05 05 05 05 05 05 06 06
5 : 06 06 06 06 06 06 07 07 07 07
6 : 07 07 07 07
d1 is digit-one of the dscp, d2 is digit-two of the dscp. The intersection of the two digits gives the cos value for that particular dscp value.
e.g. for dscp 46, we can see the cos value is 05, while dscp 48 has cos 06 and dscp 64 is not shown as it is invalid.
Q: When I set
priority-list 1 queue-limit 5 45 66 80 (I am setting the priority queue to 5 packets) I would think I would want this to be my highest #. In short I don’t think I understand this concept. If I set the priority queue to 80, then my priority traffic could accept 80 packets before it moves to the next queue. I would think this would be a good thing. I am sure I am not seeing this the right way. Can somebody explain please?
A: The queue-limit is simply how many packets each queue will hold. That is, the size of the queue.
With priority queuing, the scheduler will always try to empty the higher queues first before moving to the next-highest.
Ex. empty the high queue first, then medium queue, then normal queue and then finally low queue.
That’s why texts often mention the possibility of queue starvation.
When you have congestion on the interface, (which is the only situation you would engage the software queues) you would want your high priority traffic sent first.
You can set the limit (size) to whatever you want, but if you classify your traffic incorrectly, or rather too “loose”, putting too much into the high priority queue, you would end up servicing this queue all the time.
Tail drop should occur when you can’t “buffer” any more data, yes.
PQ is a double edged sword in my opinion.
Here are the main points to keep in mind:
- The configuration requires a nested policy-map
- The policy-map applied to the SVI references another policy map that actually does the policing
- Do not forget to enable vlan-based QoS on the appropriate range of ports
- In the parent policy-map, you must perform some action (besides calling another policy map)
In order to configure policing on a Switched Virtual Interface (SVI or VLAN interface), here is a sample configuration:
CAT2(config)#int range fa0/1 – 5
CAT2(config-if-range)#mls qos vlan-based
CAT2(config)#access-list 100 permit udp any any range 16384 32767
CAT2(config-cmap)#match access-group 100
CAT2(config-cmap)#match input-interface fa0/1 - fa0/5
CAT2(config-pmap-c)#police 256000 8000 exceed-action drop
CAT2(config-pmap-c)#set dscp 46
CAT2(config)#int vlan 100
CAT2(config-if)#service-policy input VLAN
Notice we set the DSCP value in the parent policy map in order to meet the requirement of “performing some action!” Also remember, both of the sample configurations above require mls qos configured globally on the device.