Cisco 10000 Series Router Quality of Service Configuration Guide
Regulating Subscriber Traffic
Downloads: This chapterpdf (PDF - 826.0KB) The complete bookPDF (PDF - 21.32MB) | Feedback

Regulating and Shaping Subscriber Traffic

Table Of Contents

Regulating and Shaping Subscriber Traffic

Subscriber-Based IP Quality of Service

Per Session Rate Limiting

Feature History for Per Session Rate Limiting

Restrictions and Limitations for Per Session Rate Limiting

Per User Multiservice Rate Limiting

Feature History for Per User Multiservice Rate Limiting

System Limits for Per User Multiservice Rate Limiting

Restrictions and Limitations for Per User Multiservice Rate Limiting

Per Session Service Policy Using RADIUS

Feature History for Per Session Service Policy Using RADIUS

Restrictions and Limitations for per Session Service Policy Using RADIUS

Input and Output Policy Actions

Configuring IP Quality of Service for Subscribers

Configuring per Session Rate Limiting

Configuring per User Multiservice Rate Limiting

Configuring per Session Service Policy Using RADIUS

Configuration Examples for Subscriber-Based IP QoS

Configuration Example for Per Session Rate Limiting

Configuration Example for Per User Multiservice Rate Limiting

Configuration Example for Per Session Service Policy Using RADIUS

Verifying a Subscriber-Based IP QoS Configuration

Verification Examples for Subscriber-Based IP QoS Configurations

MQC Support for IP Sessions

Feature History for MQC Support for IP Sessions

QoS Actions Supported in IP Session Policy Maps

Interface Support for MQC on IP Sessions

Policies and Queues Inheritance Rules

Service Policy Maps and Service Profiles

Restrictions and Limitations for MQC Support for IP Sessions

Configuring MQC on IP Sessions

Configuring QoS on Service Policy Maps Without Traffic Classes

Configuring QoS on Service Policy Maps With Traffic Classes

Configuration Examples for MQC on IP Sessions

Verifying Service Policies on IP Sessions

Shaping and Queuing Per-Session Traffic on LNS

Feature History for Per Session Shaping and Queuing on LNS

Prerequisites for Per Session Shaping and Queuing on LNS

Restrictions and Limitations for Per Session Shaping and Queuing on LNS

Configuring Per Session Shaping and Queuing on LNS

Queuing PPP Sessions on ATM VCs

Feature History for PPP Session Queuing on ATM VCs

Dynamically Applying QoS Policies to PPP Sessions on ATM VCs

PPP Session Queuing Inheritance

Interfaces Supporting PPP Session Queuing

Mixed Configurations and Queuing

Bandwidth Sharing and ATM Port Oversubscription

Oversubscription at the Session Level

Prerequisites for PPP Session Queuing on ATM VCs

Restrictions and Limitations for PPP Session Queuing on ATM VCs

Configuring PPP Session Queuing on ATM VCs

Configuring PPP Session Queuing Using a Virtual Template

Configuring PPP Session Queuing Using RADIUS

Configuration Examples for PPP Session Queuing on ATM VCs

Example of Configuring PPP Session Queuing on ATM VCs

Example of Configuring and Applying an Hierarchical Policy Map

Example of Setting Up RADIUS for PPP Session Queuing on ATM VCs

Verifying PPP Session Queuing on ATM VCs

Verification Examples for PPP Session Queuing on ATM VCs

Per-Session Shaping for ATM Interfaces

Feature History for Per-Session Shaping for ATM Interfaces

Restrictions and Limitations for Per-Session Shaping for ATM Interfaces

Configuring Per-Session Shaping for ATM Interfaces

Configuration Example for Per-Session Shaping on ATM Interfaces

Verifying Per-Session Shaping on ATM Interfaces

Related Documentation


Regulating and Shaping Subscriber Traffic


With the increasing demand for Internet services, service providers must ensure that network resources are available to all subscribers as contracted in their Service License Agreements (SLAs). Service providers must determine which traffic enters the network, how to distribute shared resources, and how to manage the volume and rate of traffic entering the network. Without such management, providing basic services to subscribers can become difficult.

Rate limiting and shaping subscriber traffic are two tools critical to ensuring successful network operation. Using these tools to regulate subscriber traffic, service providers can protect shared network resources and ensure that subscribers use only their fair share of bandwidth.

This chapter describes the following subscriber-based traffic regulating and shaping features:

Subscriber-Based IP Quality of Service

Per Session Rate Limiting

Per User Multiservice Rate Limiting

Per Session Service Policy Using RADIUS

Configuring IP Quality of Service for Subscribers

Configuration Examples for Subscriber-Based IP QoS

Verifying a Subscriber-Based IP QoS Configuration

MQC Support for IP Sessions

Feature History for MQC Support for IP Sessions

QoS Actions Supported in IP Session Policy Maps

Interface Support for MQC on IP Sessions

Service Policy Maps and Service Profiles

Restrictions and Limitations for MQC Support for IP Sessions

Configuring MQC on IP Sessions

Configuration Examples for MQC on IP Sessions

Verifying Service Policies on IP Sessions

Shaping and Queuing Per-Session Traffic on LNS

Feature History for Per Session Shaping and Queuing on LNS

Prerequisites for Per Session Shaping and Queuing on LNS

Restrictions and Limitations for Per Session Shaping and Queuing on LNS

Configuring Per Session Shaping and Queuing on LNS

Queuing PPP Sessions on ATM VCs

Feature History for PPP Session Queuing on ATM VCs

Dynamically Applying QoS Policies to PPP Sessions on ATM VCs

PPP Session Queuing Inheritance

Interfaces Supporting PPP Session Queuing

Mixed Configurations and Queuing

Bandwidth Sharing and ATM Port Oversubscription

Oversubscription at the Session Level

Prerequisites for PPP Session Queuing on ATM VCs

Restrictions and Limitations for PPP Session Queuing on ATM VCs

Configuring PPP Session Queuing on ATM VCs

Configuration Examples for PPP Session Queuing on ATM VCs

Verifying PPP Session Queuing on ATM VCs

Per-Session Shaping for ATM Interfaces

Feature History for Per-Session Shaping for ATM Interfaces

Restrictions and Limitations for Per-Session Shaping for ATM Interfaces

Configuring Per-Session Shaping for ATM Interfaces

Configuration Example for Per-Session Shaping on ATM Interfaces

Verifying Per-Session Shaping on ATM Interfaces

Related Documentation

Subscriber-Based IP Quality of Service

The Cisco 10000 series router supports the following IP quality of service features for subscribers:

Per Session Rate Limiting

Per User Multiservice Rate Limiting

Per Session Service Policy Using RADIUS

Differential marking of the IP ToS bits (see the "IP Differentiated Services Code Point Marking" section)

Per User QoS Selection (see the "Applying Traffic Shaping Parameters Using RADIUS Profiles" section in Chapter 17 "Configuring Dynamic Subscriber Services.")

Per Session Rate Limiting

The per session rate limiting feature is a traffic regulation mechanism that allows you to control the maximum rate of traffic sent or received on an interface for a session. The feature is configured on interfaces at the edge of a network to limit traffic into or out of the network. The rate limiting feature uses the modular QoS CLI to provide input and output policing rates for each session.

The Cisco 10000 series router uses policing to manage the access bandwidth policy for the following subscriber-based sessions:

PPPoA

PPPoE

PPP in L2TP (LNS only)

RBE

The configuration of per session rate limiting involves the following components:

Class map—Classifies the traffic on an interface. The class map uses the match statements that you define to classify subscriber traffic.

Policy map—Defines QoS actions and rules and associates these to a class map. The policy map specifies the class map for a session and also indicates the policing actions to perform.

Service policy—Attaches a policy map to an interface and specifies the direction (inbound or outbound) that the policy should be applied.

QoS configuration typically involves applying the service policies to interfaces. For PPPoA, PPPoE, and PPP in L2TP sessions, however, you apply the service policy to a predefined configuration template known as the virtual template interface. The virtual template interface is a logical entity that is applied dynamically as needed to a connection. It is used to create and configure a virtual access interface (VAI). The VAI uses the virtual template interface to create a session, which results in a VAI that is uniquely configured for a specific user. All of the VAIs that use the virtual template interface inherit the service policy applied to the template.


Note Not all of the QoS actions available through the modular QoS CLI are available to the virtual access interface. For information about the available actions, see the "Input and Output Policy Actions" section.


For CBWFQ on the Cisco 10000 series router, when you apply a service policy to a virtual circuit (VC), the VAIs that use that VC inherit the service policy of the VC. Any VAI that uses that VC is subject to the queuing, policing, and marking actions defined in the VC service policy.


Note Do not apply service policies with CBWFQ actions to a VAI using a virtual template. The Cisco 10000 series router supports queuing only when you apply the service policy to a VC.


You can also configure per session rate limiting using a Cisco vendor specific attribute (VSA) in a RADIUS user profile. For more information, see the "Per Session Service Policy Using RADIUS" section.

For RBE sessions, apply the service policy to the ATM VC or subinterface.

Feature History for Per Session Rate Limiting

Cisco IOS Release
Description
Required PRE

Release 12.2(16)BX

The per session rate limiting feature was introduced on the PRE2.

PRE2

Release 12.2(28)SB

This feature was integrated in Cisco IOS Release 12.2(28)SB for the PRE2.

PRE2


Restrictions and Limitations for Per Session Rate Limiting

Do not apply service policies with CBWFQ actions to a VAI using a virtual template. The Cisco 10000 series router supports queuing only when you apply the service policy to a VC.

Per User Multiservice Rate Limiting

The per user multiservice rate limiting feature allows you to control the maximum rate of traffic for each user behind a multiservice subscriber. This rate limiting feature uses the modular QoS CLI to provide input and output policing rates for each user.

The configuration of per user multiservice rate limiting involves the following components:

Access Control Lists (ACLs)—Create a unique ACL for each user behind the subscriber. The criteria you specify, such as a user IP address, is used to filter the traffic coming into or leaving the Cisco 10000 series router interface.

Class map—Classifies the traffic on an inbound or outbound interface. The class map uses the match statements that you define to classify subscriber traffic.

Policy map—Defines QoS actions and rules and associates these to a class map. The policy map specifies the class map for a session and also indicates the policing actions to perform.

Service policy—Attaches a policy map to an interface and specifies the direction (inbound or outbound) that the policy should be applied.

For PPPoA, PPPoE, and PPP in L2TP sessions, apply the service policy to a virtual template interface, which is used to create and configure a VAI. The VAI uses the virtual template interface to create a uniquely configured user session. All of the VAIs that use the virtual template interface inherit the service policy applied to it.

For RBE sessions, apply the service policy to the ATM virtual circuit (VC) or subinterface.


Note Do not apply service policies with CBWFQ actions to a VAI using a virtual template. The Cisco 10000 series router supports queuing only when you apply the service policy to a VC.


Feature History for Per User Multiservice Rate Limiting

Cisco IOS Release
Description
Required PRE

Release 12.2(16)BX

The per user multiservice rate limiting feature was introduced on the PRE2.

PRE2

Release 12.2(28)SB

This feature was integrated in Cisco IOS Release 12.2(28)SB for the PRE2.

PRE2


System Limits for Per User Multiservice Rate Limiting

Table 18-1 lists the system limits for the components used to configure per user multiservice rate limiting.

Table 18-1 System Limits for Per User Multiservice Rate Limiting Components

Component
Maximum Number Supported

Access Lists

30,000 per system

Class Maps

256 per system (including the class-default class)

Policy Maps

4096 per system

Classes

127 per policy map

Match Statements

16 per class map


Depending on the complexity of your configuration, the Cisco 10000 series router supports up to 4,096 policy maps. In complex configurations the maximum number of policy maps can be as small as a few hundred. Additionally, when you use percent-based policing in a service policy, the system may convert a single customer-configured service to multiple service policies (which count against the 4096 limit). The system uses one such service policy for each different speed interface that uses a service policy with percent-based policing

Each policy-map command counts as one policy map and applying the same policy map on different speed interfaces also counts as an extra policy map. The policy-map command syntax is unchanged.

Restrictions and Limitations for Per User Multiservice Rate Limiting

Do not apply service policies with CBWFQ actions to a VAI using a virtual template. The Cisco 10000 series router supports queuing only when you apply the service policy to a VC.

Per Session Service Policy Using RADIUS

The per session service policy using RADIUS feature enables a subscriber management server (SMS), typically a RADIUS server, to dynamically change the traffic policing parameters for a user session.

The RADIUS server maintains user profiles to define subscriber parameters. The per session rate limiting parameter is defined in the RADIUS authentication, authorization, and accounting (AAA) user profiles. When a user logs into the network, the Cisco 10000 series router sends an authorization request to the RADIUS server. If the user is a registered user, RADIUS sends the user profile to the router. The user profile might include a per session service policy. If parameter values in the user profile change, RADIUS sends the changed parameters when the user logs in to the system again.


Note The RADIUS server authenticates a user before the server downloads the VSA that is in the user profile. The RADIUS server does not communicate changes to the Cisco 10000 series router until user authentication occurs.


The configuration of per session service policy involves the following:

1. Configure traffic classes and the classification policy.

Configure the classification policy to define how the Cisco 10000 series router differentiates packets from each other. Create a class map on the Cisco 10000 series router (see the "Per Session Rate Limiting" section) using the match command to match and classify packets based on selected criteria.

2. Associate class characteristics with each class of traffic.

After you define the classification policy, define the class characteristics to be applied to packets belonging to a particular class. Create a policy map on the Cisco 10000 series router in which you associate class characteristics with each class of traffic (see the "Per Session Rate Limiting" section).

3. Download the name of the service policy from the RADIUS server.

You can use a VSA to make the configuration scalable. The service to which the user belongs (the policy map name) resides on the RADIUS server. The Cisco 10000 series router downloads the name of the policy map from the RADIUS server using the VSA in the user profile. The Cisco-Policy-Up VSA 37 is used for upstream traffic coming from a subscriber and the Cisco-Policy-Down VSA 38 is used for downstream traffic going toward a subscriber. The PPP/VPDN client processes these VSA attributes.

4. Attach policies to the interface.

Feature History for Per Session Service Policy Using RADIUS

Cisco IOS Release
Description
Required PRE

Release 12.2(15)BX

The per session service policy using RADIUS feature was introduced on the PRE2.

PRE2

Release 12.2(28)SB

This feature was integrated in Cisco IOS Release 12.2(28)SB for the PRE2.

PRE2


Restrictions and Limitations for per Session Service Policy Using RADIUS

The Cisco 10000 series router routes IP packets for PPPoA, PPPoE, and RBE sessions. Apply input rate limiting to the packets coming from the client device to the Cisco 10000 series router. Apply output rate limiting to the packets going to the client device from the Cisco 10000 series router.

You can also apply IP QoS to the PPP tunneled sessions at the L2TP network server (LNS). Apply input rate limiting to the packets coming out of the L2TP tunnel and output rate limiting to the packets going into the tunnel.

For PPPoA, PPPoE, PPP in L2TP, and RBE sessions, the Cisco 10000 series router supports the following QoS features when no atm pxf queuing is enabled or the virtual circuit (VC) is a UBR VC:

Rate limiting on each session in the input, output, or both input and output directions

The set qos-group (input only), set ip precedence, and set ip dscp policy map actions

The Cisco 10000 series router does not support the following QoS features when no atm pxf queuing is enabled or the VC is a UBR VC:

Weighted fair queuing (WFQ)

Weighted random early detection (WRED)

Class-based weighted fair queuing (CBWFQ)

Traffic shaping for IP and PPP

For RBE sessions and VAIs that inherit the service policy of the VC, the Cisco 10000 series router supports the following QoS features when atm pxf queuing is enabled and the VC is a VBR VC:

Rate limiting on each session in the input, output, or in both the input and output directions

The set qos-group (input only), set ip precedence, and set ip dscp policy map actions

Weighted fair queuing (WFQ)

Weighted random early detection (WRED)

Class-based weighted fair queuing (CBWFQ)

Traffic shaping


Note The Cisco 10000 series router has been verified to support a VC count up to 8000 VCs when atm pxf queuing is enabled. The router supports ATM level QoS, affecting traffic on the ATM VCs. Both UBR (PCR specified) and VBR (PCR and SCR specified) VCs are available.


The Cisco 10000 series router does not impose any restrictions on the classification definitions you include in the class map. However, it does limit the input and output policy actions that you can define in a policy map. These limitations are based on the type of interface on which you apply the service policy. As indicated in Table 18-2 and Table 18-3, the interface types are:

Normal interface, including VBR VCs on ports configured in pxf queuing mode

Tag interface (MPLS VPN)

Virtual access interface (VAI)

ATM UBR VCs and VCs configured on ports in no atm pxf queuing mode

Input and Output Policy Actions

Table 18-2 lists the input policy actions that you can define in a policy map for specific interface types.

Table 18-2 Input Policy Map Actions

Policy Map
Actions
Interface Type
Normal
Tag (MPLS VPN)
Virtual Access
ATM UBR VCs

bandwidth

Not Applicable

Not Applicable

Not Applicable

Not Applicable

queue-limit

Not Applicable

Not Applicable

Not Applicable

Not Applicable

priority

Not Applicable

Not Applicable

Not Applicable

Not Applicable

shape

Not Available

Not Available

Not Available

Not Available

random-detect

Not Applicable

Not Applicable

Not Applicable

Not Applicable

set ip prec/dscp

Valid

Not Applicable

Valid

Valid

set qos-group

Valid

Valid

Valid

Valid

set atm-clp

Not Applicable

Not Applicable

Not Applicable

Not Applicable

set cos

Not Applicable

Not Applicable

Not Applicable

Not Applicable

police

Valid

Valid

Valid

Valid

set mpls-exp

Not Available

Not Available

Not Available

Not Available



Note In Table 18-2 and Table 18-3, "Not Applicable" indicates that you cannot do the action on a Cisco product or that it has no meaning in the context indicated. "Not Available" means the action is not supported. When configuring an input policy map for a VAI, be careful that you do not include the "Not Applicable" or "Not Available" policy actions indicated. If you do, an error message appears.


Table 18-3 lists the output policy actions that you can define in a policy map for specific interface types.

Table 18-3 Output Policy Map Actions

Policy Map
Actions
Interface Type
Normal
Tag (MPLS VPN)
Virtual Access
ATM UBR VCs

bandwidth

Valid

Valid

Valid

(Applied to the VC, not the VAI)

Not Applicable

queue-limit

Valid

Valid

Not Available

Not Available

priority

Valid

Valid

Valid

(Applied to the VC, not the VAI)

Not Applicable

shape

Valid

Valid

Valid

(Applied to the VC, not the VAI)

Not Applicable

random-detect

Valid

Valid

Not Available

Not Available

set ip prec/dscp

Valid

Not Applicable

Valid

Valid

set qos-group

Not Applicable

Not Applicable

Not Applicable

Not Applicable

set atm-clp

Valid

Not Available

Not Available

Not Available

set cos

Valid

Not Available

Valid

Not Applicable

police

Valid

Valid

Valid

Valid

set mpls-exp

Not Applicable

Not Available

Not Applicable

Not Applicable


Configuring IP Quality of Service for Subscribers

To configure IP QoS for subscribers, perform the following configuration tasks:

Configuring per Session Rate Limiting

Configuring per User Multiservice Rate Limiting

Configuring per Session Service Policy Using RADIUS


Note If the policing action applies to all traffic through the interface, you can use the predefined class named class-default. Using one class in the policy map requires less process memory in the Cisco 10000 series router.


Configuring per Session Rate Limiting

To configure per session rate limiting for PPPoA and PPPoE sessions, enter the following commands beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# class-map match [any | all] class-map-name

Creates a class map with the name you specify and enters class-map configuration mode.

class-map-name is the name of the class map.

Step 2 

Router(config-cmap)# match parameters

Classifies traffic based on the parameters you specify.

parameters define the classification criteria for the class map.

Step 3 

Router(config-cmap)# exit

Exits class-map configuration mode.

Step 4 

Router(config)# policy-map policy-map-name

Creates a policy map with the name you specify and enters policy-map configuration mode.

policy-map-name is the name of the policy map.

Step 5 

Router(config-pmap)# class class-map-name

Specifies the class to which the policy map applies.

class-map-name is the name of a previously configured class map. This is the name of the class map you specified in Step 1.

Step 6 

Router(config-pmap)# police parameters

Specifies the actions to be taken.

parameters defines the way in which you want the traffic class to be policed (see Chapter 6 "Policing Traffic").

Step 7 

Router(config)# interface virtual-template number

Creates and configures the virtual template interface you specify. Enters interface configuration mode.

number identifies the virtual template.

Step 8 

Router(config-if)# service-policy {input | output} policy-map-name

Attaches the policy map to the virtual template interface. All VAIs using the virtual template interface inherit the IP QoS parameters defined in the policy map.

policy-map-name is the name of the policy map you want to apply to the virtual template.


Note Do not apply service policies with Class-Based Weighted Fair Queuing (CBWFQ) actions to a virtual access interface (VAI) using a virtual template. The Cisco 10000 series router supports queuing only when you apply the service policy to a VC. For RBE sessions, apply the service policy to the ATM VC or subinterface.


Configuring per User Multiservice Rate Limiting

To configure per user multiservice rate limiting for PPPoA and PPPoE sessions, enter the following commands beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# access-list access-list-number {permit | deny} protocol [source-address] [destination-address] port

Creates an access control list (ACL) to filter user traffic.

Note Create an ACL for each user behind a multiservice subscriber.

Step 2 

Router(config)# class-map class-map-name

Creates a class map to classify user traffic. Enters class-map configuration mode.

class-map-name is the name of the class map.

Step 3 

Router(config-cmap)# match access-group access-list-number

Defines the classification criteria for the class map. In this case, the filtering criteria you defined in the ACL is used to classify the user traffic.

access-list-number identifies the access control list.

Step 4 

Router(config-cmap)# exit

Exits class-map configuration mode.

Step 5 

Router(config)# policy-map policy-map-name

Creates a policy map with the name you specify and enters policy-map configuration mode.

Step 6 

Router(config-pmap)# class class-map-name

Specifies the traffic class to which the policy map applies.

class-map-name is the name of a previously configured class map. This is the name of the class map you specified in Step 2.

Step 7 

Router(config-pmap)# police parameters

Specifies the actions to be taken on the traffic.

For more information, see Chapter 6 "Policing Traffic."

Note Repeat Steps 2 through 6 for each user behind a multiservice subscriber.

Step 8 

Router(config)# interface virtual-template number

Creates and configures the virtual template you specify. Enters interface configuration mode.

number identifies the virtual template.

Step 9 

Router(config-if)# service-policy {input | output} policy-map-name

Attaches the policy map to the virtual template. All VAIs using the virtual template interface inherit the IP QoS parameters defined in the policy map.

policy-map-name is the name of a previously configured policy map. In this case, it is the name of the policy map you specified in Step 5.


Note Do not apply service policies with CBWFQ actions to a VAI using a virtual template. The Cisco 10000 series router supports queuing only when you apply the service policy to a VC. For RBE sessions, apply the service policy to the ATM VC or ATM subinterface.


Configuring per Session Service Policy Using RADIUS

To configure per session service policy, do the following:

Configure the RADIUS server on the router.

Create a class map.

Create a policy map.

Apply the service policy to the RADIUS AAA user profile.


Note For information on creating a class map and policy map, see the "Configuring per Session Rate Limiting" section.


You must configure the RADIUS server on the Cisco 10000 series router. The "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide, Release 12.2 describes how to set up RADIUS for authentication, authorization, and accounting (AAA). It includes the following sections that are relevant to configuring RADIUS on the Cisco 10000 series router:

Configuring the Router to RADIUS Server Communication (Required)

Configuring the Router to Use Vendor-Specific RADIUS Attributes (Required)

Configuring the Router for Vendor-Proprietary RADIUS Server Communication (Optional)

Configuring the Router to Query RADIUS Server for Static Routes and IP Addresses (Optional)

Configuring the Router to Expand Network Access Server Port Information (Optional)

Configuring AAA Server Groups (Optional)

Configuring AAA Server Groups with Deadtime (Optional)

Configuring AAA Preauthentication

Specifying RADIUS Authentication

Specifying RADIUS Authorization (Optional)

Specifying RADIUS Accounting (Optional)

Configuring RADIUS Login-IP-Host (Optional)

Configuring RADIUS Prompt (Optional)

Configuring Suffix and Password in RADIUS Access Requests (Optional)

Configuration Examples for Subscriber-Based IP QoS

This section provides the following configuration examples:

Configuration Example for Per Session Rate Limiting

Configuration Example for Per User Multiservice Rate Limiting

Configuration Example for Per Session Service Policy Using RADIUS

Configuration Example for Per Session Rate Limiting

Example 18-1 creates a class map named voice and a policy map named map1. The voice class map is used to classify packets. The policing statement defined in the map1 policy map acts on all traffic of the class voice. The service policy is applied to the virtual template interface (Virtual-Template 1). Output traffic on all virtual access interfaces (VAIs) cloned from this virtual template interface is rate-limited to 120,000 bps.

Example 18-1 Configuring Per Session Rate Limiting

Router(config)# policy-map map1
Router(config-pmap)# class voice
Router(config-pmap)# priority
Router(config-pmap-c)# police 120000 16000 32000 conform-action transmit exceed-action 
set-precedence-transmit 4 
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface Virtual-Template 1
Router(config-if)# service-policy output map1

NoteUse access control lists (ACLs), protocols, or input interface names to define how to classify traffic.

If the policing action applies to all traffic through the interface, use the predefined class named class-default. Using one class in the policy map requires less process memory in the Cisco 10000 series router.

The preceding configuration example defines an output policing policy. You can also define an input policy in a similar way.

Configuration Example for Per User Multiservice Rate Limiting

Example 18-2 creates two access control lists (ACL 120 and ACL 130) and two class maps (map1 and map2). Each class map includes a match statement in which the previously configured ACL is used to classify the traffic through the interface. The map1 class classifies traffic based on the parameters defined in ACL 130 and the map2 class classifies traffic based on ACL 120.

In the policy map mypolicy, the policing statement defined for each class acts on all traffic that corresponds to the class. Packets with the destination address 172.16.1.1 are policed at a rate of 8000 bps and packets with the destination address 172.16.1.2 are policed at a rate of 120,000 bps.

The service policy is applied to the virtual template interface named Virtual-Template 2. Input traffic on all virtual access interfaces (VAIs) cloned from this virtual template interface is policed.

Example 18-2 Configuring Per User Multiservice Rate Limiting Configuration Example

Router(config)# access-list 120 permit ip any host 172.16.1.1
Router(config)# access-list 130 permit ip any host 172.16.1.2
Router(config)# class-map map1
Router(config-cmap)# match access-group 130
Router(config-cmap)# exit
Router(config)# class-map map2
Router(config-cmap)# match access-group 120
Router(config-cmap)# exit
Router(config)# policy-map mypolicy
Router(config-pmap)# class map1
Router(config-pmap)# priority
Router(config-pmap-c)# police 120000 16000 32000 conform-action transmit exceed-action 
drop
Router(config-pmap-c)# exit
Router(config-pmap)# class map2
Router(config-pmap-c)# police 8000 16000 32000 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface Virtual-Template 2
Router(config-if)# service-policy input mypolicy
Router(config-if)# ip unnumbered ethernet 0
Router(config-if)# no peer default ip address
Router(config-if)# ppp authentication chap 

Configuration Example for Per Session Service Policy Using RADIUS

To configure per session service policy, perform the following configuration tasks:

Configure the RADIUS server on the Cisco 10000 series router as described in the "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide, Release 12.2.

Create the class map and policy map as described in the "Configuring per Session Rate Limiting" section.

Apply the service policy to the RADIUS AAA user profile.

In the RADIUS AAA user profile, the lcp:interface-config AV-pair is used to configure class-based policing or marking. In Example 18-3, the service policy named rad_input_policy is applied to the user's virtual access interface. You create the service policy on the router.


Note Using the lcp:interface-config AV-pair forces the Cisco 10000 series router to use full access virtual interfaces, which decreases scaling. We recommend that you do not use this configuration. In Release 12.2(15)BZ and later releases, you can use a VSA to make the configuration scalable. The router downloads the name of the policy map to which the user belongs from the RADIUS server using the VSA in the user profile. The Cisco-Policy-Up VSA 37 is used for upstream traffic coming from a subscriber (input service policy) and the Cisco-Policy-Down VSA 38 is used for downstream traffic going toward a subscriber (output service policy). The PPP/VPDN client processes these VSA attributes.


Example 18-3 Sample RADIUS User Profile for Configuring Per Session Service Policy

!Creates the RADIUS user profile.
user1005 Password = "user1"
Service-Type = Framed-User,
Framed-Protocol = PPP
av-pair = "ip:addr-pool=pool4",
cisco-av-pair = "lcp:interface-config=service-policy input rad_input_policy"
 
   
........
virtual-profile aaa
!Creates the service policy on the Cisco 10000 series router.
policy-map rad_input_policy
class class-default
  priority
police 256000 1500 1500 conform-action transmit exceed-action drop
 
   
vpdn enable
.....
interface Virtual-Template 1
ppp authentication chap
........
 
   
 
   

To use the Cisco-Policy-Up VSA to download the name of the policy from RADIUS and apply the QoS policy to an interface, configure the following in the user profile on the RADIUS server:

Cisco:Cisco-Policy-Up=rad_input_policy
 
   

Example 18-4, Example 18-5, and Example 18-6 are sample configurations for the Merit RADIUS server and the associated LNS device.

Example 18-4 Merit RADIUS User File

AV Pair Example For Input Service-Policy

abc@hello1.com  Password = "cisco123"
av-pair = "lcp:interface-config=service-policy input rad_input_policy",
Service-Type = Framed-User,
Framed-Protocol = PPP

VSA Example For Input and Output Service-Policy

abc@hello1.com Password = "cisco123"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Cisco:Cisco-Policy-Up = rad_input_policy
 
   
abc@hello1.com Password = "cisco123"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Cisco:Cisco-Policy-Down = rad_output_policy

Example 18-5 Merit RADIUS Dictionary File

Cisco.attr      Cisco-Policy-Up                 37      string  (*, *) 
Cisco.attr      Cisco-Policy-Down               38      string  (*, *)
 
   

Example 18-6 Associated LNS Configuration

VSA

aaa new-model
!
aaa authentication ppp default group radius
aaa authorization exec default group radius 
aaa authorization configuration default group radius 
aaa session-id common
!
policy-map rad_input_policy
class class-default
  priority
police 8000 8000 16000 conform-action transmit exceed-action drop
!
policy-map rad_output_policy
class class-default
  priority
police 8000 8000 16000 conform-action transmit exceed-action drop
!
radius-server host 100.1.1.2 auth-port 1645 acct-port 1646
radius-server key cisco
radius-server authorization permit missing Service-Type

AV-Pair

aaa new-model
!
aaa authentication ppp default group radius
aaa authorization exec default group radius 
aaa authorization network default group radius 
aaa authorization configuration default group radius 
aaa session-id common
!
policy-map rad_input_policy
class class-default
  priority
police 8000 8000 16000 conform-action transmit exceed-action drop
!
radius-server host 100.1.1.2 auth-port 1645 acct-port 1646 non-standard
radius-server key cisco
radius-server authorization permit missing Service-Type

Verifying a Subscriber-Based IP QoS Configuration

To verify a subscriber-based IP QoS configuration, enter any of the following commands in privileged EXEC mode:

Command
Purpose

Router# show class-map

Displays all traffic class information.

Router# show class-map class-name

Displays the traffic class information for the user-specified traffic class.

class-name is the name of the traffic class.

Router# show policy-map

Displays all configured service policies and associated traffic classes.

Router# show policy-map policy-map-name

Displays the service policy information for the specified policy map.

policy-map-name is the name of the policy map.

Router# show policy-map interface interface

Displays configuration information and statistics for the policies attached to a specific interface.

interface interface is the type and number of the interface.

Router# show policy-map interface interface input

Displays configuration information and statistics for the input policy attached to a specific interface.

interface interface is the type and number of the interface.

input indicates the inbound service policy.

Router# show policy-map interface interface output

Displays configuration information and statistics for the output policy attached to a specific interface.

interface interface is the type and number of the interface.

output indicates the outbound service policy.

Router# show policy-map [interface interface] [input | output] [class class-name]

Displays configuration information and statistics for the class you specify. This class is included in the policy map attached to the interface you specify.

interface interface is the type and number of the interface.

input indicates the inbound service policy.

output indicates the outbound service policy.

class class-name is the name of the traffic class previously configured in a class map.

Router# show caller

Displays information about callers on the PPP termination aggregation (PTA) device or on the LNS.

Note The show caller command does not display information about callers on the LAC.


Verification Examples for Subscriber-Based IP QoS Configurations

This section provides the following verification examples:

Verification Example for the show policy-map interface Command

Verification Example for the show caller Command

Verification Example for the show policy-map interface Command

Example 18-7 shows sample output from the show policy-map interface command. In the example, the Gold policy map, attached to ATM interface 3/0/0, contains three traffic classes: Business, Non-Business, and class-default.

Example 18-7 Displaying Service Policies Using the show policy-map interface Command

Router# show policy-map interface atm 3/0/0
ATM3/0/0 
 
   
  Service-policy output: Gold
 
   
    Class-map: Business (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip precedence 4 
      Output queue: 0/128; 0/0 packets/bytes output, 0/0 drops
      Bandwidth : 4999 kbps (Weight 3)
 
   
    Class-map: Non-Business (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip precedence 3  5 
      Output queue: 0/64; 0/0 packets/bytes output, 0/0 drops
      Bandwidth : 2001 kbps (Weight 1)
 
   
    Class-map: class-default (match-any)
      134 packets, 2760 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 
      Output queue: 0/4096; 3046242/75866271 packets/bytes output, 0/0 drops

Verification Example for the show caller Command

Example 18-8 shows sample output from the show caller command.

Example 18-8 Displaying Caller Information Using the show caller Command

Router# show caller

Line
User
Service
Active Time
Idle Time
con0
TTY
00:14:31
00:12:14
vty2
VTY
00:16:45
00:00:00
Vi1.1
abc@hello1
PPPoE
00:12:10
Vi1.2
abc@hello1
PPPoE
00:12:10
Vi1.3
abc@hello1
PPPoE
00:12:10
Vi1.4
abc@hello1
PPPoE
00:12:10

MQC Support for IP Sessions

The Modular QoS CLI (MQC) Support for IP Sessions feature extends the router's QoS functionality to support per-user QoS on IP sessions. Using this feature, you can configure queuing and non-queuing features on IP sessions, either locally on the router or remotely using a authentication, authorization, and accounting (AAA) server such as RADIUS. This feature also supports dynamic interface association (interface redundancy) for IP sessions, L2TP Network Server (LNS) sessions, and L2TP Access Concentrator (LAC) sessions.

IP sessions provide a way to create subscriber sessions for hosts and subscribers based on an IP source address or subnet. MQC for IP sessions supports the following session categories:

IP single-host session—An IP session that represents a single host. This session is based on an IP source address.

IP subnet session—An IP session that represents a set of end users. This session is based on an IP subnet.

IP interface session—A single session that is created for one subscriber interface. The router applies all MQC features attached to the interface to all traffic arriving and leaving through that interface.

MQC for IP sessions supports policing on an IP session, whether the policing action is configured on one or more traffic classes of the session or directly on the session. For example, you can configure shaping on an IP session and configure policing on one or more traffic classes of the IP session. You can also configure policing statically on an IP session.

MQC for IP sessions supports the dynamic configuration of IP sessions using a RADIUS user or service profile. The router applies the incoming dynamic policy to the IP session if no policy map exists on the IP session or the existing policy map is configured from a lower priority source.


Note The router removes the existing, lower-priority sourced policy map before adding the incoming dynamic policy.


The router ignores the incoming dynamic policy if a policy map exists on the IP session and it is configured from a higher priority source.

The following sections describe MQC on IP sessions:

Feature History for MQC Support for IP Sessions

QoS Actions Supported in IP Session Policy Maps

Interface Support for MQC on IP Sessions

Service Policy Maps and Service Profiles

Restrictions and Limitations for MQC Support for IP Sessions

Configuring MQC on IP Sessions

Configuration Examples for MQC on IP Sessions

Verifying Service Policies on IP Sessions

For more information, see the ISG: Flow Control: QoS Control: MQC Support for IP Sessions, Release 12.2(33)SB feature guide.

Feature History for MQC Support for IP Sessions

Cisco IOS Release
Description
Required PRE

Release 12.2(33)SB

This feature was introduced on the PRE2, PRE3, and PRE4.

PRE2, PRE3, PRE4


QoS Actions Supported in IP Session Policy Maps

Table 18-4 describes the QoS actions supported in inbound and outbound policy maps for IP sessions.

Table 18-4 QoS Actions Supported in IP Session Policy Maps

Policy Map Direction
QoS Actions Supported

Inbound (upstream direction)

Marking
Policing

Outbound (downstream direction)

Queuing
Policing
Marking


Interface Support for MQC on IP Sessions

The router supports the following interfaces for MQC on IP sessions:

Physical Ethernet

IEEE 802.1Q VLAN

QinQ (only unambiguous)

Nonqueuing MQC over ATM

Policies and Queues Inheritance Rules

The following inheritance rules apply to policies and queues from the parent interface:

When a sessions that does not have a policy map starts, it inherits the policy and queues from the immediate parent that has a policy (for example, a subinterface or main interface).

When a session with an inherited policy receives a policy from the RADIUS server, it first removes the inherited policy and then applies the policy from the RADIUS server.

When a session without a policy starts and its parent interfaces also do not have a policy, but a policy is later attached to the parent, one of the following actions occurs:

The policy is attached to the main interface and sessions directly on that interface inherit it. Sessions on subinterfaces under the main interface that do not have a policy of their own also inherit it.

The policy is attached to the subinterface and sessions under that subinterface inherit it.

When you remove a policy from the parent interface, one of the following actions occurs:

The policy is removed from a subinterface and is uninherited from any sessions on the subinterface that inherited the policy from it. If the main interface has a policy, sessions on the subinterface from which the policy was removed inherit that.

The policy is removed from the main interface and is uninherited from the main interface and also from any sessions under its subinterfaces that inherited this policy.

When a session without a policy receives one from the RADIUS server, you only need to install the new policy. However, when a session with an inherited policy from the parent receives a new policy from the RADIUS server, you must first uninherit the parent policy and then install the new one.

When a session policy is removed, the session inherits the policy from its nearest parent, subinterface, or main interface that has a policy.

Service Policy Maps and Service Profiles

An Intelligent Service Gateway (ISG) service is a collection of policies that may be applied to a subscriber session. Services are defined in service policy maps and service profiles.

Service policy maps and service profiles contain a collection of traffic policies and other functionality. Traffic policies determine which functionality is applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, a specific type of traffic policy that determines how session data packets are forwarded to the network.

Service policy maps and service profiles serve the same purpose; the only difference between them is that a service policy map is defined on the local device using the policy-map type service command, and a service profile is configured on an external device, such as an authentication, authorization, and accounting (AAA) server (for example, RADIUS).

Restrictions and Limitations for MQC Support for IP Sessions

Interface redundancy is not supported on the Cisco 10000 series router.

IP session QoS and PPP session QoS are two separate features. IP session QoS does not include PPP session QoS.

IP sessions over ATM VCs do not support queuing policy maps.

Only the marking and policing features work in upstream traffic. All queuing, policing, and marking MQC features work in downstream traffic.

The behavior of session and interface oversubscription for the PRE2 and PRE3 is unchanged from the usual QoS oversubscription behavior on the PRE2 and PRE3.

IP sessions over Gigabit EtherChannel (GEC) is not supported.

The PRE2 does not support three-level hierarchical MQC policies. Therefore, MQC policies applied to IP sessions on PRE2-based routers must conform to this PRE2 limitation. For example, a shaping policy that is applied to a session can have just two levels, where one level has all class queues and the next level is the default queue that does aggregate shaping.

The PRE3 supports three levels of hierarchies. Any limitations of PRE3 hierarchies also apply to the MQC policies on IP sessions.

The router cannot map IP sessions to an interface. However, the router can map LNS and LAC sessions to an interface.

The router does not support QoS on IP sessions over other sessions. For example, consider a configuration in which a virtual template terminates a PPP session and routes IP traffic, and the router creates an IP session from the traffic flow. In this case, the router does not support the configuration because policy maps are attached to the virtual template and applied to the IP session, too.

The router does not support loadbalancing of IP session traffic.

Currently, the router allows class-level queues only at the top level in session policy maps. All other levels must have a single-level policy and use the default queues.

The router does not support MQC on IP sessions over the following interfaces:

Bridge-Group Virtual Interface (BVI)

Gigabit EtherChannel (GEC)

PPP sessions (PPPoE and PPPoA)

L2TP sessions on the LNS

Ethernet over MPLS (EoMPLS) termination

MQC on IP sessions does not provide full high availability (HA) functionality. After a switchover operation, the router recreates the sessions and reapplies the configurations.

Per use ACL is not supported for traffic class on IP sessions on the Cisco 10000 series router.

Configuring MQC on IP Sessions

MQC on IP sessions provides QoS support for local subscriber profiles. To configure the MQC on IP Sessions feature, perform the following configuration tasks:

Configuring QoS on Service Policy Maps Without Traffic Classes

Configuring QoS on Service Policy Maps With Traffic Classes

Configuring QoS on Service Policy Maps Without Traffic Classes

To configure QoS policy maps on service profiles, enter the following commands beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# policy-map policy-map-name

Creates a policy map with the name you specify and enters policy-map configuration mode.

policy-map-name is the name of the policy map.

Step 2 

Router(config-pmap)# class class-map-name

Specifies the class of traffic to which the policy map applies.

class-map-name is the name of a previously configured class map.

Step 3 

Router(config-pmap-c)# police parameters

(Optional) Specifies the policing actions to implement on the traffic.

parameters defines the way in which you want the traffic class to be policed. For more information, see the police command in the command reference documentation for Cisco IOS 12.2 SB.

Note Configure additional queuing and non-queuing actions as required. For more information, see the "Types of QoS Actions" section.

Step 4 

Router(config-pmap-c)# exit

Exits policy-map class configuration mode.

Step 1 

Router(config-pmap)# policy-map type service policy-map-name

Creates or modifies a service policy map, which is used to define an Intelligent Service Gateway (ISG) subscriber service.

policy-map-name is the name of the service policy map.

Step 2 

Router(config-pmap)# service-policy {input | output} policy-map-name

Attaches the specified policy map to the service profile.

input indicates to apply the policy map to inbound traffic.

output indicates to apply the policy map to outbound traffic.

policy-map-name is the name of the policy map you specified in Step 1.

Configuring QoS on Service Policy Maps With Traffic Classes

To configure QoS on service policy maps with traffic classes, enter the following commands beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# policy-map policy-map-name

Creates a policy map with the name you specify and enters policy-map configuration mode.

policy-map-name is the name of the policy map.

Step 2 

Router(config-pmap)# class class-map-name

Specifies the class of traffic to which the policy map applies.

class-map-name is the name of a previously configured class map.

Step 3 

Router(config-pmap-c)# police parameters

(Optional) Specifies the policing actions to implement on the traffic.

parameters defines the way in which you want the traffic class to be policed. For more information, see the police command in the command reference documentation for Cisco IOS 12.2 SB.

Note Configure additional queuing and non-queuing actions as required. For more information, see the "Types of QoS Actions" section.

Step 4 

Router(config-pmap-c)# exit

Exits policy-map class configuration mode.

Step 5 

Router(config-pmap)# policy-map type service policy-map-name

Creates or modifies a service policy map, which is used to define an Intelligent Service Gateway (ISG) subscriber service.

policy-map-name is the name of the service policy map.

Step 6 

Router(config-pmap)# class type traffic {class-map-name | default {in-out | input | output}}

Associates a previously configured traffic class with the policy map.

class-map-name is the name of a previously configured class map.

default specifies the default traffic class.

in-out specifies the default traffic class for inbound and outbound traffic.

input specifies the default traffic class for inbound traffic.

output specifies the default traffic class for outbound traffic.

Step 7 

Router(config-pmap-c)# service-policy {input | output} policy-map-name

Attaches the specified policy map to the service profile.

input indicates to apply the policy map to inbound traffic.

output indicates to apply the policy map to outbound traffic.

policy-map-name is the name of the policy map you specified in Step 1.

Configuration Examples for MQC on IP Sessions

The following example shows how to configure a service policy map named redirect-profile. This service policy redirects Gold traffic to the redirect-sg group.

policy-map type service redirect-profile
class type traffic Gold
redirect to group redirect-sg
 
   

The following example shows how to configure a service policy named Unauthorized_Redirect_PVC. This service policy redirects Unauthorized_Traffic to IP address 10.0.0.148 using port 8080.

class-map type traffic Unauthorized_Traffic
match access-group input 100
!
policy-map type service Unauthorized_Redirect_PVC
class type traffic Unauthorized_Traffic
redirect to ip 10.0.0.148 port 8080
 
   

The following example shows how to configure a service policy named Service1. This policy has two traffic classes configured: class1 and the default traffic class. Default traffic is dropped for both inbound and outbound traffic.

policy-map type service Service1
class type traffic class1
prepaid-config PREPAID
class type traffic default in-out
drop

Verifying Service Policies on IP Sessions

To verify service policies on IP sessions, enter any of the following commands in privileged EXEC mode:

Command
Purpose

show class-map type traffic

Displays traffic class maps and their matching criteria.

show policy-map type service

Displays the contents of Intelligent Service Gateway (ISG) service policy maps and service profiles and session-related attributes.


Shaping and Queuing Per-Session Traffic on LNS

The Per Session Shaping and Queuing on LNS feature provides the ability to shape (for example, transmit or drop) or queue (for transmission later) the traffic from an Internet service provider (ISP) to an ISP subscriber over a Layer 2 Tunneling Protocol (L2TP) Network Server (LNS). The outgoing traffic is shaped or queued on a per-session basis.

Shaping and queueing traffic on a per-session basis:

Helps to avoid traffic congestion and allows the ISP to adhere to the Service Level Agreement (SLA) established for managing traffic.

Provides a high degree of granularity for managing traffic on the network. Figure 18-1 is a sample topology for per-session shaping and queuing on an LNS.

Figure 18-1 Per-Session Shaping and Queuing Topology—PPP Sessions Forwarded

In this simplified topology example:

1. Downstream traffic is forwarded from the ISP (the source) to an ISP subscriber (the destination) during a PPP session.

2. From an LNS at the ISP, the traffic is transmitted over an L2TP tunnel to an L2TP Access Concentrator (LAC) and then to the subscriber.

3. Shaping and queuing the per-session traffic on an LNS can take into account the overhead between the LNS, LAC, or E-DSLAM-to-CPE by using the user-defined overhead in the shape or bandwidth command.

4. To specify the overhead offset in child and parent policies, use the bandwidth and shape commands. The offset values and encapsulation types must match in the child and parent policies.

Feature History for Per Session Shaping and Queuing on LNS

Cisco IOS Release
Description
Required PRE

Release 12.2(31)SB6

The Per Session Shaping and Queuing on LNS feature was introduced on the PRE3.

PRE3


Prerequisites for Per Session Shaping and Queuing on LNS

Verify that the PPPoE (or PPPoA) sessions are enabled.

Verify that L2TP resequencing is disabled.

This feature uses policy maps in which queuing mechanisms (such as class-based weighted fair queuing [CBWFQ]) are configured.

Restrictions and Limitations for Per Session Shaping and Queuing on LNS

Cisco IOS Release 12.2(31)SB8 does not support load balancing when per session shaping and queuing is configured. However, this release does support load balancing if no output QoS is applied to the session. Cisco IOS Release 12.2(31)SB6 does not support load balancing at all on the LNS.

Cisco IOS Release 12.2(31)SB10 supports load balancing for all QoS configurations, except those containing a queuing action that is applied to a session. For example, the router does not support load balancing for a session if the policy map applied to the session contains the shape, bandwidth, or priority command.

This feature does not support L2TP sequencing.

This feature only applies when the LAC and LNS are connected by Ethernet and ATM point-to-point subinterfaces.

Configuring Per Session Shaping and Queuing on LNS

To configure per session shaping and queuing on an LNS policy, enter the following commands beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# policy-map policy-map-name

Creates or modifies the bottom-level child policy.

policy-map-name is the name of the child policy map. The name can be a maximum of 40 alphanumeric characters.

Step 2 

Router(config-pmap)# class class-map-name

Assigns the traffic class you specify to the policy map. Enters policy-map class configuration mode.

class-map-name is the name of a previously configured class map and is the traffic class for which you want to define QoS actions.

Step 3 

Router(config-pmap-c)# bandwidth {bandwidth-kbps | percent percentage | remaining percent percentage} account {{{qinq | dot1q} {aal5 | aal3} {subscriber-encap}} | {user-defined offset [atm]}}

Enables class-based fair queuing.

bandwidth-kbps specifies or modifies the minimum bandwidth allocated for a class belonging to a policy map. Valid values are from 8 to 2,488,320, which represents from 1 to 99 percent of the link bandwidth.

percent percentage specifies or modifies the minimum percentage of the link bandwidth allocated for a class belonging to a policy map. Valid values are from 1 to 99.

remaining percent percentage specifies or modifies the minimum percentage of unused link bandwidth allocated for a class belonging to a policy map. Valid values are from 1 to 99.

account enables ATM overhead accounting. For more information, see the "ATM Overhead Accounting" section.

qinq specifies queue-in-queue encapsulation as the broadband aggregation system-DSLAM encapsulation type.

dot1q specifies IEEE 802.1Q VLAN encapsulation as the broadband aggregation system-DSLAM encapsulation type.

aal5 specifies the ATM Adaptation Layer 5 that supports connection-oriented variable bit rate (VBR) services. You must specify either aal5 or aal3.

aal3 specifies the ATM Adaptation Layer 5 that supports both connectionless and connection-oriented links. You must specify either aal3 or aal5.

subscriber-encap specifies the encapsulation type at the subscriber line. For more information, see the "Overhead Accounting and Hierarchical Policies" section.

Step 3 

(cont.)

Router(config-pmap-c)# bandwidth {bandwidth-kbps | percent percentage | remaining percent percentage} account {{{qinq | dot1q} {aal5 | aal3} {subscriber-encap}} | {user-defined offset [atm]}}

user-defined indicates that the router is to use the offset you specify when calculating ATM overhead.

offset specifies the offset size the router is to use when calculating ATM overhead. Valid values are from -63 to 63 bytes.

Note The router configures the offset size if you do not specify the offset option.

atm applies ATM cell tax in the ATM overhead calculation.

Note Configuring both the offset and atm options adjusts the packet size to the offset size and then adds ATM cell tax.

Step 4 

Router(config-pmap-c)# exit

Exits policy-map class configuration mode.

Step 5 

Router(config-pmap)# policy-map policy-map-name

Creates or modifies the parent policy.

policy-map-name is the name of the parent policy map. The name can be a maximum of 40 alphanumeric characters.

Step 6 

Router(config-pmap)# class class-default

Configures or modifies the parent class-default class.

Note You can configure only the class-default class in a parent policy. Do not configure any other traffic class.

Step 7 

Router(config-pmap-c)# shape rate account {{{qinq | dot1q} {aal5 | aal3} {subscriber-encap}} | {user-defined offset [atm]}}

Shapes traffic to the indicated bit rate and enables ATM overhead accounting.

rate is the bit-rate used to shape the traffic, expressed in kilobits per second.

account enables ATM overhead accounting. For more information, see the "ATM Overhead Accounting" section.

qinq specifies queue-in-queue encapsulation as the broadband aggregation system-DSLAM encapsulation type.

dot1q specifies IEEE 802.1Q VLAN encapsulation as the broadband aggregation system-DSLAM encapsulation type.

aal5 specifies the ATM Adaptation Layer 5 that supports connection-oriented variable bit rate (VBR) services. You must specify either aal5 or aal3.

aal3 specifies the ATM Adaptation Layer 5 that supports both connectionless and connection-oriented links. You must specify either aal3 or aal5.

subscriber-encap specifies the encapsulation type at the subscriber line. For more information, see the "Overhead Accounting and Hierarchical Policies" section.

Step 7 

(cont.)

Router(config-pmap-c)# shape rate account {{{qinq | dot1q} {aal5 | aal3} {subscriber-encap}} | {user-defined offset [atm]}}

user-defined indicates that the router is to use the offset you specify when calculating ATM overhead.

offset specifies the offset size the router is to use when calculating ATM overhead. Valid values are from -63 to 63 bytes.

Note The router configures the offset size if you do not specify the user-defined offset option.

atm applies ATM cell tax in the ATM overhead calculation.

Note Configuring both the offset and atm options adjusts the packet size to the offset size and then adds ATM cell tax.

Step 8 

Router(config-pmap-c)# service-policy policy-map-name

Applies a bottom-level child policy to the top-level parent class-default class.

policy-map-name is the name of the previously configured child policy map.

Step 9 

Router(config-pmap-c)# exit

Exits policy-map class configuration mode.

Step 10 

Router(config)# interface virtual-template number

(Optional) Creates a virtual template interface and enters interface configuration mode.

number identifies the virtual template.

Step 11 

Router(config-if)# service-policy policy-map-name

(Optional) Attaches the parent policy to the virtual template interface.

policy-map-name is the name of the previously configured parent policy map.

Configuration Example for Configuring a Per Session Shaping and Queuing on LNS Policy

Example 18-9 shows how to configure a per session shaping and queuing on LNS policy. In this example, the router uses 20 overhead bytes and ATM cell tax in calculating ATM overhead. The child and parent policies contain the required matching offset values. The parent policy is attached to virtual template 1.

Example 18-9 Configuring Per Session Shaping and Queuing on LNS Policy on the Router

policy-map child
class class1
bandwidth 500 account user-defined 20 atm
class class2 
shape average 30000 account user-defined 20 atm
policy-map parent
    class class-default
        shape average 30000 account user-defined 20 atm
        service-policy child
interface virtual-template 1
        service-policy output parent

Verifying Per Session Shaping and Queuing on LNS Policies

To display the configuration of per session shaping and queuing on LNS policies, enter the following commands in privileged EXEC mode:

Command
Purpose

Router# show policy-map [policy-map]

Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps.

policy-map specifies the name of the policy map.

Router# show running-config

Displays the running configuration on the router. The output shows the configuration of the policy maps.


Verification Examples for Per Session Shaping and Queuing on LNS Policies

Example 18-10 shows sample output for the show policy-map command. In the example, the router uses 20 overhead bytes in calculating ATM overhead.

Example 18-10 Sample Output—show policy-map Command

Router# show policy-map child 
 
   
Policy Map child 
Class Class1
Average Rate Traffic Shaping
cir 20% account user-defined 20
 
   

Example 18-11 shows sample output for the show running-config command. In the example, the output modifier starts the display at the Parent policy map line.

Example 18-11 Sample Output—show running-config Command

Router# show running-config | begin Parent 
 
   
Policy Map Parent
class class1 
shape average percent 20 account user-defined 20 atm 
policy-map child 
class class2 
shape average percent 20 account user-defined 20 atm
!

Queuing PPP Sessions on ATM VCs

PPP Session Queuing on ATM Virtual Circuits (VCs) enables you to shape and queue PPP over ATM (PPPoA) and PPP over Ethernet over ATM (PPPoEoA) sessions to a user specified rate. Multiple sessions can exist on any ATM VC and have QoS policies applied, or some of the sessions might have QoS policies while others do not. The router shapes the sum of all PPPoA or PPPoEoA traffic on a VC so that the subscriber's connection to the DSLAM does not become congested. Queuing-related functionality provides different levels of service to the various applications that execute over the PPPoA or PPPoEoA session.

A nested, 2-level hierarchical service policy is used to configure session shaping directly on the router using the modular quality of service command-line interface (MQC). The hierarchical policy consists of the following:

Child policy—Defines QoS actions using QoS commands such as the priority, bandwidth, and police commands.

Parent policy—Contains only the class-default class with the shape or bandwidth remaining ratio command configured, or with both commands configured:

shape command—Shapes the session traffic to the specified bit rate, according to a specific algorithm.

bandwidth remaining ratio command—Specifies a ratio value that the router uses to determine how much unused bandwidth to allocate to the session during congestion.

For more information about nested hierarchical policies, see the "Nested Hierarchical Policies" section.


Note The PPP Session Queuing on ATM VCs feature applies to both PPP terminated aggregation (PTA) and L2TP access concentrator (LAC) configurations.


Figure 18-2 illustrates PPP session queuing on ATM VCs.

Figure 18-2 PPP Session Queuing on ATM VCs

Feature History for PPP Session Queuing on ATM VCs

Cisco IOS Release
Description
Required PRE

Release 12.2(31)SB6

The PPP Session Queuing on ATM VCs feature was introduced on the Cisco 10000 series router and implemented on the PRE3.

PRE3


Dynamically Applying QoS Policies to PPP Sessions on ATM VCs

The router allows you to dynamically apply QoS policy maps to PPPoA and PPPoEoA sessions using RADIUS. Although the actual configuration of the QoS policies occurs on the router, you can configure the following attribute-value (AV) pairs on RADIUS to specify the name of the policy map to dynamically apply to the session:

"ip:sub-qos-policy-in=<name of the QoS policy in ingress direction>"
 
   
"ip:sub-qos-policy-out=<name of egress policy>"
 
   

You define the AV-pairs in one of the following RADIUS profiles:

User Profile—The user profile on the RADIUS server contains an entry that identifies the policy map name applicable to the user. The policy map name is the service that RADIUS downloads to the router after a session is authorized.

Service Profile—The service profile on the RADIUS server specifies a session identifier and an attribute-value (AV) pair. The session identifier might be, for example, the IP address of the session. The AV-pair defines the service (policy map name) to which the user belongs.

After receiving a service-logon request from the policy server, RADIUS sends a change of authorization (CoA) request to the router to activate the service for the subscriber, who is already logged in. If the authorization succeeds, the router downloads the name of the policy map from RADIUS using the ip:sub-qos-policy-in[out]= AV-pair and applies the QoS policy to the PPPoA or PPPoEoA session. Because the service policy contains queuing-related actions, the router sets up the appropriate class queues.


Note Although the router also supports the RADIUS vendor specific attribute (VSA) 38, Cisco-Policy-Down and Cisco-Policy-Up, we recommend that you use the ip:sub-qos-policy-in[out]= AV-pairs for QoS policy definitions.


PPP Session Queuing Inheritance

Sessions either inherit queues from their parent interface or they have their own queues. Each PPPoA or PPPoEoA session for which session queuing is configured has its own set of queues.

Table 18-5 describes the queues to which the router directs session traffic.

Table 18-5 Queue Inheritance

Queuing Policy
Queue Used for Session Traffic

No policy

VC default queue

Applied to the VC

VC queues

Applied to the session

Session queues


Interfaces Supporting PPP Session Queuing

The router supports PPP session queuing on shaped ATM virtual circuits (VCs) for outbound traffic only.

The router does not support PPP session queuing on inbound ATM interfaces.

Mixed Configurations and Queuing

A mixed configuration is one in which all sessions do not have QoS applied to them. On some VCs, the queuing policy is applied at the VC level, while on other VCs the queuing policies are applied on the sessions. Some sessions have no policy applied at all. As a result, the router uses the hierarchical queuing framework (HQF) to direct traffic in the following ways:

If no queuing policy is applied at the VC or session level, the router sends all traffic on the VC to the default queue, including traffic from sessions on the VC that have a policing-only policy applied or no policy applied.

If a queuing policy is applied at the VC level, but not at the session level, the router sends traffic to the queues associated with the queuing policy on the VC.

If queuing policies are applied to some sessions on a VC but not to other sessions, the router sends the traffic with a policing-only policy or with no policy applied to the VC's default queue. The router sends traffic with queuing policies to the queues associated with the queuing policy applied to the session.

Bandwidth Sharing and ATM Port Oversubscription

An ATM port can operate in reserved bandwidth mode or shared bandwidth mode.

When a port is not oversubscribed (the sum of the bandwidths of all VCs on the port is less than the port bandwidth), the port operates in reserved bandwidth mode—a specific amount of bandwidth is reserved for each VC on the port. If a VC does not use all of its allocated bandwidth, the unused bandwidth is not shared among the VCs on the port.

When the ATM port is oversubscribed (the sum of the bandwidths of all VCs on the port is greater than the port bandwidth), the port operates in shared bandwidth mode. In this mode, any unused bandwidth is available for re-use by the other VCs on the port, up to the VC's respective shape rate—traffic on a VC cannot exceed the shape rate of that VC.

Oversubscription at the Session Level

Oversubscription at the session level occurs after session traffic shaping and when the aggregate session traffic exceeds the subinterface shape rate. After all priority traffic is accounted, the router distributes the remaining bandwidth on the VC to the sessions according to the value specified in the bandwidth remaining ratio command configured in the parent policy of the policy applied to the sessions. If the bandwidth remaining ratio command is not specified in the parent policy, the router uses a default ratio of 1.

Prerequisites for PPP Session Queuing on ATM VCs

PPPoA or PPPoEoA sessions must be enabled.

Create traffic classes using the class-map command and specify the match criteria used to classify traffic.

For dynamic PPPoA or PPPoEoA session queuing using RADIUS, you must:

Enable authentication, authorization, and accounting (AAA) on the router

Configure the RADIUS server for dynamic QoS

Create the subscriber's user profile on the RADIUS server

Restrictions and Limitations for PPP Session Queuing on ATM VCs

You cannot configure PPP session queuing on unshaped VCs—VCs without a specified peak cell rate (PCR) or sustained cell rate (SCR).

Although you can configure oversubscription at the VC level, the router does not guarantee priority queuing (PQ) and fair treatment among VCs during congestion.

VCs with session queuing polices cannot be part of a shaped virtual path (VP).

PPP session queuing does not allow you to simultaneously configure queuing policies on a VC and on a session of that VC, although the router permits the configuration.

The maximum number of VCs with PPP session queuing policies cannot exceed 16,000 VCs system wide.

If the same ATM category (for example, shaped unspecified bit rate (UBR)) contains both high and low bandwidth VCs, the SAR mechanism can cause low throughput for high bandwidth VCs. The workaround for this issue is to use different ATM classes for low and high bandwidth VCs. For example, configure low bandwidth VCs as shaped UBR and high bandwidth VCs as variable bit rate-nonreal-time (VBR-nrt) or constant bit rate (CBR).

When you apply queuing policies to sessions, do not apply a policy at the VC level on the same VC.

The CLASS-BASED QOS MIB does not include statistics for service policies applied to sessions.

RADIUS accounting does not include queuing statistics.

The router ignores the VC weight when it is configured on a VC with PPP session queuing configured.

Configuring PPP Session Queuing on ATM VCs

You can apply hierarchical shaping policies to sessions using a virtual template or RADIUS. When you apply shaping policies to sessions, do not apply a policy at the VC level on the same VC.

To configure PPP session queuing on ATM VCs, perform one of the following configuration tasks:

Configuring PPP Session Queuing Using a Virtual Template

Configuring PPP Session Queuing Using RADIUS

Configuring PPP Session Queuing Using a Virtual Template

To configure PPPoA or PPPoEoA session queuing using a virtual template, perform the following configuration tasks:

Configuring an Hierarchical QoS Policy

Associating the Hierarchical Policy Map with a Virtual Template

Applying the Virtual Template to an ATM Subinterface

Configuring an Hierarchical QoS Policy

To configure a hierarchical QoS policy, enter the following commands, beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# policy-map policy-map-name

Creates or modifies the child policy. Enters policy-map configuration mode.

policy-map-name is the name of the child policy map. The name can be a maximum of 40 alphanumeric characters.

Step 2 

Router(config-pmap)# class class-map-name

Assigns the traffic class you specify to the policy map. Enters policy-map class configuration mode.

class-map-name is the name of a previously configured class map and is the traffic class for which you want to define QoS actions.

Note Repeat Steps 2 through 6 for each traffic class you want to include in the child policy map. For information about other QoS actions you can specify for the traffic classes, see the "Input and Output Policy Actions" section in the "Configuring QoS Policy Actions and Rules" chapter of the Cisco 10000 Series Router Quality of Service Configuration Guide.

Step 3 

Router(config-pmap-c)# priority level level

(Optional) Defines multiple levels of a strict priority service model. When you enable a traffic class with a specific level of priority service, the implication is a single priority queue associated with all traffic enabled with the specified level of priority service.

level is a number that indicates a specific priority level. Valid values are from 1 (high priority) to 4 (low priority). Default: 1

Step 4 

Router(config-pmap-c)# police bps [burst-normal] [burst-max] [conform-action action] [exceed-action action] [violate-action  action]

(Optional) Configures traffic policing.

bps is the average rate in bits per second. Valid values are 8000 to 200000000.

(Optional) burst-normal is the normal burst size in bytes. Valid values are 1000 to 51200000. The default normal burst size is 1500 bytes.

(Optional) burst-max is the excess burst size in bytes. Valid values are 1000 to 51200000.

(Optional) conform-action action indicates the action to take on packets that conform to the rate limit.

(Optional) exceed-action action indicates the action to take on packets that exceed the rate limit.

(Optional) violate-action action indicates the action to take on packets that violate the normal and maximum burst sizes.

Step 5 

Router(config-pmap-c)# set cos value

(Optional) Sets the Layer 2 class of service (CoS) value of an outgoing packet.

value is a specific IEEE 802.1Q CoS value from 0 to 7.

Step 6 

Router(config-pmap-c)# bandwidth remaining ratio

(Optional) Specifies a bandwidth-remaining ratio for class-level or subinterface-level queues to be used during congestion to determine the amount of excess bandwidth (unused by priority traffic) to allocate to non-priority queues.

ratio specifies the relative weight of this subinterface or queue with respect to other subinterfaces or queues. Valid values are from 1 to 1000.

Step 7 

Router(config-pmap-c)# exit

Exits policy-map class configuration mode.

Step 8 

Router(config-pmap)# policy-map policy-map-name

Creates or modifies the parent policy.

policy-map-name is the name of the parent policy map. The name can be a maximum of 40 alphanumeric characters.

Step 9 

Router(config-pmap)# class class-default

Configures or modifies the parent class-default class.

Note You can configure only the class-default class in a parent policy. Do not configure any other traffic class.

Step 10 

Router(config-pmap-c)# bandwidth remaining ratio

(Optional) Specifies a bandwidth-remaining ratio for class-level or subinterface-level queues to be used during congestion to determine the amount of excess bandwidth (unused by priority traffic) to allocate to non-priority queues.

ratio specifies the relative weight of this subinterface or queue with respect to other subinterfaces or queues. Valid values are from 1 to 1000.

Step 11 

Router(config-pmap-c)# shape [average] mean-rate [burst-size] [excess-burst-size]

Shapes traffic to the indicated bit rate and enables ATM overhead accounting.

(Optional) average is the committed burst (Bc) that specifies the maximum number of bits sent out in each interval. This option is only supported on the PRE3.

mean-rate is also called committed information rate (CIR). Indicates the bit rate used to shape the traffic, in bits per second. When this command is used with backward explicit congestion notification (BECN) approximation, the bit rate is the upper bound of the range of bit rates that are permitted.

(Optional) burst-size is the number of bits in a measurement interval (Bc).

(Optional) excess-burst-size is the acceptable number of bits permitted to go over the Be.

Step 12 

Router(config-pmap-c)# service-policy policy-map-name

Applies the child policy to the parent class-default class.

policy-map-name is the name of the child policy map configured in step 1.

The following example shows how to configure a hierarchical QoS policy. In the example, the child-policy configures QoS features for two traffic classes: Premium and Silver. Premium traffic has priority and is policed at 40 percent. The router sets the IP precedence of Premium traffic to precedence level 3. Silver traffic is policed at 80000 bps and IP precedence level 3 is set. The child-policy is applied to the Parent policy class-default class, which shapes traffic to 200,000 Kbps.

Router(config)# policy-map child-policy
Router(config-pmap)# class Premium
Router(config-pmap-c)# priority
Router(config-pmap-c)# police percent 40
Router(config-pmap-c)# set ip precedence 3
Router(config-pmap-c)# class Silver
Router(config-pmap-c)# police 80000 10000 conform-action transmit exceed-action drop
Router(config-pmap-c)# set ip precedence 5
Router(config-pmap-c)# exit
Router(config-pmap)# policy-map Parent
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape 200000
Router(config-pmap-c)# service-policy output child-policy
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)#

Associating the Hierarchical Policy Map with a Virtual Template

A virtual template is a logical interface whose configuration can specify generic configuration information for a specific purpose, user-specific configuration information, and router-dependent information. You configure a virtual template on an interface and apply QoS policy maps to the virtual template. The virtual template inherits the QoS features specified in the policy map. When the router establishes sessions on an interface, the router applies the QoS features specified in the virtual template configuration to the virtual access interfaces (VAIs) created for the sessions, including the QoS features specified in the policy map attached to the virtual template.

To associate the hierarchical policy map with a virtual template, enter the following commands beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# interface virtual-template template-number

Creates a virtual template and enters interface configuration mode.

template-number is the number you assign to the virtual template interface to identify it. Valid values are from 1 to 200.

Note You can configure up to 200 virtual template interfaces on the router.

Step 2 

Router(config-if)# service-policy {input | output} policy-map-name

Attaches the policy map you specify to the virtual template interface in the inbound or outbound direction that you specify.

input specifies to apply the policy map to inbound traffic.

output specifies to apply the policy map to outbound traffic.

policy-map-name is the name of a previously configured policy map.

Step 3 

Router(config-if)# exit

Exits interface configuration mode.

The following example shows how to associate a policy map with a virtual template. In this example, the policy map named Parent is associated with the virtual template named VirtualTemplate1.

Router(config)# interface virtual-template1
Router(config-if)# service-policy output Parent
Router(config-if)# exit
Router(config)#

Applying the Virtual Template to an ATM Subinterface

A broadband aggregation group (bba-group) configured on an ATM interface points to the virtual template the router uses to apply QoS policies to sessions. When a session arrives on an ATM interface, the router creates a virtual access interface (VAI) for the session and applies the policies associated with the virtual template to the sessions.

To apply the virtual template with its associated hierarchical policy to an ATM subinterface, enter the following commands beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# bba-group pppoe group-name

Creates a PPP over Ethernet (PPPoE) profile. Enters BBA group configuration mode.

group-name is the name of the PPPoE profile.

Step 2 

Router(config-bba-grp)# virtual-template template-number

Associates a BBA group to the virtual template to be used for cloning virtual access interfaces.

template-number is the identifying number of the virtual template.

Step 3 

Router(config-bba-grp)# exit

Exits BBA group configuration mode.

Step 4 

Router(config)# interface atm number.subinterface [point-to-point]

Creates or modifies a subinterface. Enters subinterface configuration mode.

atm is the interface type.

number is the slot, module, and port number of the interface (for example 1/0/0).

.subinterface is the number of the subinterface (for example, 1/0/0.1).

(Optional) point-to-point indicates that the subinterface connects directly with another subinterface.

Step 5 

Router(config-subif) pvc [name] vpi/vci

Creates or modifies an ATM permanent virtual circuit (PVC). Enters ATM virtual circuit configuration mode.

(Optional) name identifies the PVC and can contain up to 15 characters.

vpi/ specifies the ATM network virtual path identifier (VPI) for this PVC. You must specify the slash. Valid values are from 0 to 255. The router treats a value that is outside the range of valid values as the connection ID. The default value is 0.

Note The arguments vpi and vci cannot both be set to 0; if one is 0, the other cannot be 0.

vci specifies the ATM network virtual channel identifier (VCI) for this PVC. Valid values are from 0 to 1 less than the maximum value set for this interface by the atm vc-per-vp command. A value that is out of range causes an "unrecognized command" error message.

Note The VCI value has local significance only and, therefore, is unique only on a single link, not throughout the ATM network. Typically, lower values from 0 to 31 are reserved for specific traffic (for example, F4 OAM, SVC signaling, ILMI, and so on) and should not be used.

Step 6 

Router(config-atm-vc)# protocol pppoe group group-name

Enables PPP over Ethernet (PPPoE) sessions to be established on permanent virtual circuits (PVCs).

group specifies a PPPoE profile (bba-group) to be used by PPPoE sessions on the interface.

group-name is the name of the PPPoE profile (bba-group) to be used by PPPoE sessions on the interface.

Note The group group-name points to the bba-group to be used for applying a virtual template interface with QoS policies to sessions.

Step 7 

Router(config-atm-vc)# exit

Exits ATM virtual circuit configuration mode.

Step 8 

Router(config-subif)# exit

Exits subinterface configuration mode.

The following example shows how to associate a virtual template interface with an ATM interface and apply the policies in the virtual template to the sessions on the interface. In the example, the service policy named Parent is applied to the Virtual-Template 8, which is associated with the bba-group named pppoeoa-group. The bba-group is applied to PVC 101/210 on ATM subinterface 4/0/1.10.

bba-group pppoe pppoeoa-group
Virtual-Template 8
 
   
interface ATM4/0/1.10 point-to-point
pvc 101/210
vbr-nrt 4000 2000 50
no dbs enable
encapsulation aal5snap
protocol pppoe group pppoeoa-group
!
interface Virtual-Template8
ip unnumbered Loopback5555
no logging event link-status
peer default ip address pool pool-1
ppp authentication chap
service-policy output Parent

Configuring PPP Session Queuing Using RADIUS

To configure PPPoA or PPPoEoA session queuing using RADIUS, perform the following configuration tasks:

Configuring the Policy Map

Adding the Cisco QoS AV Pairs to the RADIUS Profile

Configuring the Policy Map

The router allows you to use RADIUS to apply QoS policy maps to PPPoA or PPPoEoA sessions. The actual configuration of the policy map, however, occurs on the router using the modular QoS CLI (MQC).

To configure QoS policy maps and apply them to virtual template interfaces, see the "Configuring an Hierarchical QoS Policy" section and the "Associating the Hierarchical Policy Map with a Virtual Template" section.

Adding the Cisco QoS AV Pairs to the RADIUS Profile

Cisco attribute-value (AV) pairs are vendor-specific attributes (VSAs) that allow vendors such as Cisco to support their own extended attributes. RADIUS attribute 26 is a Cisco VSA used to communicate vendor-specific information between the router and the RADIUS server.

The RADIUS user profile contains an entry for each user that the RADIUS server authenticates. Each entry establishes an attribute the user can access. When configuring PPPoA or PPPoEoA session queuing using RADIUS, enter the following Cisco AV-pair in the appropriate user profile:

Cisco-AVPair = "ip:sub-qos-policy-out=<name of egress policy>"
 
   

The Cisco AV-pair identifies the policy map the router is to use when applying QoS features to a PPPoA or PPPoEoA session. After receiving a service-logon request from the policy server, RADIUS sends a change of authorization (CoA) request to the router to activate the service for the user, who is already logged in. If the authorization succeeds, the router downloads the name of the policy map from RADIUS using the Cisco AV-pair and applies the QoS policy to the session.


Note Although the router also supports the RADIUS vendor specific attribute (VSA) 38, Cisco-Policy-Down and Cisco-Policy-Up, we recommend that you use the above attribute for QoS policy definitions.


Configuration Examples for PPP Session Queuing on ATM VCs

This section provides the following configuration examples:

Example of Configuring PPP Session Queuing on ATM VCs

Example of Configuring and Applying an Hierarchical Policy Map

Example of Setting Up RADIUS for PPP Session Queuing on ATM VCs

Example of Configuring PPP Session Queuing on ATM VCs

The following example shows how to configure PPPoA or PPPoEoA session queuing. In the example, a hierarchical QoS policy named pm_hier2_0_2 is associated with Virtual-Template555, which is applied to the broadband aggregation group named pppoeoa-group.

Example 18-12 Configuring PPP Session Queuing on ATM VCs

bba-group pppoe pppoeoa-group
Virtual-Template 555
!
policy-map pm_hier2_child_0_2
class cm_0
priority level 1
police percent 5 2 ms 0 ms conform-action transmit exceed-action drop 
violate-action drop
queue-limit 77 packets
class cm_1
shape average percent 80
bandwidth remaining ratio 80
class class-default
shape average percent 50
bandwidth remaining ratio 20
 
   
policy-map pm_hier2_0_2
class class-default
shape average percent 100
bandwidth remaining ratio 100
service-policy pm_hier_child_0_2
 
   
interface ATM2/0/7.5555 point-to-point
pvc 1/5555
vbr-nrt 4000 2000 50
no dbs enable
encapsulation aal5snap
protocol pppoe group pppoeoa-group
!
!
interface Virtual-Template555
ip unnumbered Loopback5555
no logging event link-status
peer default ip address pool pool-1
ppp authentication chap
service-policy output pm_hier2_0_2

Example of Configuring and Applying an Hierarchical Policy Map

Example 18-13 shows how to configure a hierarchical policy and apply it to a virtual template. The example contains a child policy map named child1 with QoS features defined for the gold and bronze traffic classes. The child1 policy is applied to the parent policy map, which is shaped to 512000 bps. The hierarchical policy is applied to the virtual template named virtual-template 1.

Example 18-13 Configuring an Hierarchical Policy Map

Router(config)# policy-map child1
Router(config-pmap)# class gold
Router(config-pmap-c)# priority
Router(config-pmap-c)# police percent 40
Router(config-pmap-c)# class bronze
Router(config-pmap-c)# police 8000
Router(config-pmap-c)# exit
Router(config-pmap)# policy-map parent
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape 512000
Router(config-pmap-c)# service-policy child1
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface virtual-template 1
Router(config-if)# service-policy output parent

Example of Setting Up RADIUS for PPP Session Queuing on ATM VCs

Example 18-14 shows how to define the Cisco AV-pairs used to download the policy map name to the router. The first three lines of a subscriber's sample user profile contain the user password, service type, and protocol type. This information is entered into the subscriber's user profile when the user profile is first created. The last line is an example of the Cisco QoS AV-pair added to the user profile. The policy map name downloaded to the router is p23.

Example 18-14 Setting Up RADIUS for PPP Session Queuing on ATM VCs

userid	Password = "cisco"
Service-Type = Framed,
Framed-Protocol = PPP,
cisco-avpair = "sub-qos-policy-out=p23"

Verifying PPP Session Queuing on ATM VCs

To verify PPPoA or PPPoEoA session queuing, use any of the following commands in privileged EXEC mode:

Command
Purpose

Router# show policy-map [interface interface]

Displays information about the policy map attached to the interface you specify. If you do not specify an interface, it displays information about all of the policy maps configured on the router.

interface interface is the interface type and number (for example, atm 4/0/0).

Router# show policy-map session [uid uid-number] [input | output [class class-name]]

Displays the QoS policy map in effect for subscriber sessions.

(Optional) uid defines a unique session ID.

(Optional) uid-number is a unique session ID. Valid values are from 1 to 65535.

(Optional) input displays the upstream traffic of the unique session.

(Optional) output displays the downstream traffic of the unique session.

(Optional) class identifies the class that is part of the QoS policy-map definition.

(Optional) class-name provides a class name that is part of the QoS policy-map definition.

Router# show pxf cpu queue [interface | QID | summary]

Displays parallel express forwarding (PXF) queuing statistics.

(Optional) interface is the interface for which you want to display PXF queuing statistics. This displays PXF queuing statistics for the main interface and all subinterfaces and permanent virtual circuits (PVCs). It also displays packets intentionally dropped due to queue lengths.

(Optional) QID is the queue identifier.

(Optional) summary displays queue scaling information such as:

Number of queues and recycled queues.

Number of available queue IDs (QIDs).

Number of packet buffers, recycled packet buffers, and free packet buffers.

Note In Cisco IOS Release 12.2(33)SB and later releases, the output from the show pxf cpu queue interface summary command displays only the physical interface and the number of logical links. The output does not display the number of priority queues, class queues, and so on. This modification applies to the PRE3 and PRE4.

Router# show pxf cpu queue session [sid sid-value]

Displays PXF queuing statistics for sessions.

(Optional) sid displays queuing statistics for a specific session identifier.

sid-value is a number that represents a specific session ID. Valid values are from 1 to 65,535.

Router# show running-config

Displays the running configuration on the router. The output shows the AAA setup and the configuration of the policy map, ATM VC, PPPoA or PPPoEoA, dynamic bandwidth selection, virtual template, and RADIUS server.


Verification Examples for PPP Session Queuing on ATM VCs

Example 18-15 shows the type of information displayed when you enter the show pxf cpu queue session command. In the example, the show pppoe session command is used to display the sessions established on the router. In this case, one session is active with a session ID (SID) of 6. The example then displays configuration and statistical information for that specific session using the show pxf cpu queue session command.

Example 18-15 Displaying PPP Session Information—show pxf cpu queue session Command

Router# show pppoe session 
1 session in LOCALLY_TERMINATED (PTA) State 
1 session total 
 
Uniq ID	PPPoE	RemMAC	Port	VT	VA	State
	SID	LocMAC	VA-st	Type
	14	6	0009.b68d.bb37	ATM2/0/7.5555	555	Vi3.1	PTA
			0009.b68d.bc37	VC: 1/5555 			UP
 
   
Router#
Router#
Router# show pxf cpu queue session sid 6
 
   
ATM2/0/7.5555: PVC 1/5555 
	VCCI/ClassID	ClassName	QID	Length/Avg	Max	Dequeues	Drops(Tail/Random)
	2623/0	class-default	1858	0/0	77	0	0/0
	2623/1	cm_0	1856	0/0	77	0	0/0
	2623/2	cm_1	1859	0/0	40	0	0/0
	2623/31	net-control	591	0/1	1105	335137	0/0
 
   
 
   
Legend: 
$x: Priority Queue level x 
b: PQ Activation and Dequeue Blocked 
~: RED Queue 
P: MLP Pkt Queue 
F: MFR Pkt Queue 
M1:MLP , M5:MLPFR , MA:MLPOA , M6:FRF12 , M7:MLFR, M8:FRF12_16
 
   

Example 18-16 uses the show policy-map session command to display QoS policy map statistics for traffic in the downstream direction. The example also shows the policy map configurations.

Example 18-16 Displaying PPP Session Information—show policy-map session Command

Router# show pppoe session
 
1 session in LOCALLY_TERMINATED (PTA) State
1 session total
 
   
Uniq ID	PPPoE	RemMAC	Port	VT	VA	State
	SID	LocMAC	VA-st	Type
	14	6	0009.b68d.bb37	ATM2/0/7.5555	555	 Vi3.1 	PTA 
	0009.b68d.bc37 VC: 1/5555	UP 
Router#
Router#
Router# show policy-map session uid 14
 
   
SSS session identifier 14 -
 
   
	Service-policy output: pm_hier2_0_2
 
   
Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any 
0 packets, 0 bytes
30 second rate 0 bps
Queueing
queue limit 50 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 2000000, bc 8000, be 8000
target shape rate 2000000
bandwidth remaining ratio 100
 
   
	Service-policy : pm_hier2_child_0_2
 
   
queue stats for all priority classes:
Queueing
priority level 1
queue limit 77 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
 
   
Class-map: cm_0 (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip precedence 0 
0 packets, 0 bytes
30 second rate 0 bps
Priority: 0% (0 kbps), burst bytes 4470, b/w exceed drops: 0
Priority Level: 1 
Police:
104000 bps, 1536 limit, 0 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
violated 0 packets, 0 bytes; action: drop
 
   
Class-map: cm_1 (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: ip precedence 1 
0 packets, 0 bytes
30 second rate 0 bps
Queueing
queue limit 237 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 1600000, bc 6400, be 6400
target shape rate 1600000
bandwidth remaining ratio 80 
 
   
Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any 
0 packets, 0 bytes
30 second rate 0 bps
Queueing
queue limit 77 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 1000000, bc 4000, be 4000
target shape rate 1000000
bandwidth remaining ratio 20 
 
   
Router# show policy-map pm_hier2_0_2
 
   
Policy Map pm_hier2_0_2
Class class-default
Average Rate Traffic Shaping
cir 100%
bandwidth remaining ratio 100 
service-policy pm_hier2_child_0_2
 
   
Router# show policy-map pm_hier2_child_0_2
 
   
Policy Map pm_hier2_child_0_2
 
   
Class cm_0
priority level 1
police percent 5 2 ms 0 ms conform-action transmit exceed-action drop 
violate-action drop
queue-limit 77 packets
 
   
Class cm_1
Average Rate Traffic Shaping
cir 80%
bandwidth remaining ratio 80 
 
   
Class class-default
Average Rate Traffic Shaping
cir 50%
bandwidth remaining ratio 20 

Per-Session Shaping for ATM Interfaces

The Per-Session Shaping for ATM Interfaces feature enables the router to shape session traffic on L2TP network server (LNS) outbound ATM interfaces. Using this feature, you can apply a hierarchical QoS policy to an ATM interface and manage the traffic belonging to a session. The shaping feature configured in the parent policy map shapes the classes of traffic that comprise the session traffic and the queuing features configured in the child policies enables the router to queue the session packets, rather than drop them.

When policing is configured to manage session traffic, the policer might drop traffic that is within a reasonable rate (for example, traffic bursts), which can affect the quality of end applications such as TCP applications. Instead, queuing packets enables you to avoid packet drops.

When a QoS policy with shaping is attached to an outbound ATM interface, the shaper applied to the ATM VC shapes the downstream traffic as it passes over the VC. Shaping enables you to apply QoS services to the classes of session traffic. For example, one class of a session might require low latency while another session class might require a guaranteed bandwidth.

Per-session shaping on ATM interfaces supports the following functionality:

Hierarchical scheduling—The hierarchical queuing framework (HQF) defines a QoS architecture for implementing hierarchical packet scheduling and queuing on the PRE3 and PRE4. The HQF enables service providers to manage their QoS at three layers of hierarchy:

Physical layer—Used for shaping the physical interface such as the OC-3 port.

Logical layer—Used to schedule subinterfaces such as a VLAN or PPP sessions.

Class layer—Used for class queues, defined using the modular QoS command line interface (MQC) policy map.

The parallel express forwarding (PXF) engine performs all packet-level scheduling using the HQF.

For more information, see Chapter 22 "Hierarchical Scheduling and Queuing."

Interface oversubscription—Interface oversubscription enables service providers to assign a total committed information rate (CIR) to a given port that is greater than the speed of the port. In this way, the router can statistically guarantee bandwidth to the VCs, thus improving network utilization. For more information, see Chapter 15 "Oversubscribing Physical and Virtual Links."

Scalability up to 61,500 sessions

Feature History for Per-Session Shaping for ATM Interfaces

Cisco IOS Release
Description
Required PRE

Release 12.2(33)SB

The Per-Session Shaping for ATM Interfaces feature was introduced on Cisco 10000 series router and implemented on the PRE3 and PRE4.

PRE3
PRE4


Restrictions and Limitations for Per-Session Shaping for ATM Interfaces

If you configure child classes with a guaranteed bandwidth, do not oversubscribe the sessions. If you do oversubscribe the sessions and the hierarchical policy shapes session traffic, any bandwidth guarantees configured for the child policies might not be guaranteed. Oversubscription occurs when the aggregate configured shape rate for all active sessions exceeds the bandwidth of the physical link through which the session traffic passes when leaving the router.

Per-session shaping for ATM interfaces does not support load-balancing on an L2TP tunnel (for example, on the LNS). Therefore, if you enable per-session shaping in a service policy, do not configure load-balancing on the tunnel.

This feature does not support overhead accounting.

Configuring Per-Session Shaping for ATM Interfaces

To configure per-session shaping for ATM interfaces, enter the following commands beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# policy-map policy-map-name

Creates or modifies a child policy. Enters policy-map configuration mode.

policy-map-name is the name of the child policy map. The name can be a maximum of 40 alphanumeric characters.

Step 2 

Router(config-pmap)# class class-map-name

Assigns the traffic class you specify to the policy map. Enters policy-map class configuration mode.

class-map-name is the name of a previously configured class map.

Step 3 

Router(config-pmap-c)# bandwidth {bandwidth-kbps | percent percentage | remaining percent percentage}

Enables class-based fair queuing and overhead accounting.

bandwidth-kbps specifies or modifies the minimum bandwidth allocated for a class belonging to a policy map. Valid values are from 8 to 2,488,320, which represents from 1 to 99 percent of the link bandwidth.

percentage specifies or modifies the maximum percentage of the link bandwidth allocated for a class belonging to a policy map. Valid values are from 1 to 99.

remaining percentage specifies or modifies the minimum percentage of unused link bandwidth allocated for a class belonging to a policy map. Valid values are from 1 to 99.

Step 4 

Router(config-pmap-c)# class class-map-name

Assigns the traffic class you specify to the policy map.

class-map-name is the name of a previously configured class map.

Step 5 

Router(config-pmap-c)# shape [average] rate

Shapes session traffic to the indicated bit rate.

(Optional) average is the committed burst (Bc) that specifies the maximum number of bits sent out in each interval. This option is only supported on the PRE3.

rate indicates the bit rate used to shape the traffic, in bits per second.

Step 6 

Router(config-pmap-c)# exit

Exits policy-map class configuration mode.

Step 7 

Router(config-pmap)# policy-map policy-map-name

Creates or modifies the parent policy.

policy-map-name is the name of the parent policy map. The name can be a maximum of 40 alphanumeric characters.

Step 8 

Router(config-pmap)# class class-default

Configures or modifies the parent class-default class.

Step 9 

Router(config-pmap-c)# shape [average] rate

Shapes traffic to the indicated bit rate and enables overhead accounting.

(Optional) average is the committed burst (Bc) that specifies the maximum number of bits sent out in each interval. This option is only supported on the PRE3.

rate indicates the bit rate used to shape the traffic, in bits per second. When this command is used with backward explicit congestion notification (BECN) approximation, the bit rate is the upper bound of the range of bit rates that are permitted.

Step 10 

Router(config-pmap-c)# service-policy policy-map-name

Applies a child policy to the parent class-default class.

policy-map-name is the name of a previously configured child policy map. In this case, the child policy is the policy map you configured in step 1.

Note Do not specify the input or output keywords when applying a child policy to a parent class-default class.

Step 11 

Router(config-pmap-c)# exit

Exits policy-map class configuration mode.

Step 12 

Router(config-pmap)# exit

Exits policy-map configuration mode.

Step 13 

Router(config)# interface virtual-template template-number

Creates a virtual template and enters interface configuration mode.

template-number is the number you assign to the virtual template interface to identify it. Valid values are from 1 to 200.

Note You can configure up to 200 virtual template interfaces on the router.

Step 14 

Router(config-if)# service-policy {input | output} policy-map-name

Attaches the policy map you specify to the virtual template interface in the inbound or outbound direction that you specify.

input specifies to apply the policy map to inbound traffic.

output specifies to apply the policy map to outbound traffic.

policy-map-name is the name of a previously configured policy map.

Step 15 

Router(config-if)# exit

Exits interface configuration mode.

Step 16 

Router(config)# bba-group pppoe group-name

Creates a PPP over Ethernet (PPPoE) profile. Enters BBA group configuration mode.

group-name is the name of the PPPoE profile.

Step 17 

Router(config-bba-grp)# virtual-template template-number

Associates a BBA group to the virtual template to be used for cloning virtual access interfaces.

template-number is the identifying number of the virtual template.

Step 18 

Router(config-bba-grp)# exit

Exits BBA group configuration mode.

Step 19 

Router(config)# interface atm number.subinterface [point-to-point]

Creates or modifies a subinterface. Enters subinterface configuration mode.

atm is the interface type.

number is the slot, module, and port number of the interface (for example 1/0/0).

.subinterface is the number of the subinterface (for example, 1/0/0.1).

(Optional) point-to-point indicates that the subinterface connects directly with another subinterface.

Step 20 

Router(config-subif) pvc [name] vpi/vci

Creates or modifies an ATM permanent virtual circuit (PVC). Enters ATM virtual circuit configuration mode.

(Optional) name identifies the PVC and can contain up to 15 characters.

vpi/ specifies the ATM network virtual path identifier (VPI) for this PVC. You must specify the slash. Valid values are from 0 to 255. The router treats a value that is outside the range of valid values as the connection ID. The default value is 0.

Note The arguments vpi and vci cannot both be set to 0; if one is 0, the other cannot be 0.

vci specifies the ATM network virtual channel identifier (VCI) for this PVC. Valid values are from 0 to 1 less than the maximum value set for this interface by the atm vc-per-vp command. A value that is out of range causes an "unrecognized command" error message.

Note The VCI value has local significance only and, therefore, is unique only on a single link, not throughout the ATM network. Typically, lower values from 0 to 31 are reserved for specific traffic (for example, F4 OAM, SVC signaling, ILMI, and so on) and should not be used.

Step 21 

Router(config-atm-vc)# protocol pppoe group group-name

Enables PPP over Ethernet (PPPoE) sessions to be established on permanent virtual circuits (PVCs).

group specifies a PPPoE profile (bba-group) to be used by PPPoE sessions on the interface.

group-name is the name of the PPPoE profile (bba-group) to be used by PPPoE sessions on the interface.

Note The group group-name points to the bba-group to be used for applying a virtual template interface with QoS policies to sessions.

Step 22 

Router(config-atm-vc)# exit

Exits ATM virtual circuit configuration mode.

Step 23 

Router(config-subif)# exit

Exits subinterface configuration mode.

Configuration Example for Per-Session Shaping on ATM Interfaces

The following configuration example shows how to configure per-session shaping. The example shows how to create two traffic classes named class1 and class2, both of which are defined in the policy map named child. The class-default class in the Parent policy map has shaping configured. The Child policy is applied to the Parent policy and this service policy is attached to the virtual template named VTemplate1, which is associated with the BBA group named East-Region. The BBA group is then attached to PVC 101/250 on the ATM subinterface 1/0/0.10.

class-map match-all class1
match ip prec 3
!
class-map match-all class2
match access-group 101
!
policy-map Child
class class1
bandwidth 500
class class2
shape average 300000
!
policy-map Parent
class class-default
shape average 500000 
service-policy child
!
interface virtual-template Vtemplate1
service-policy output Parent
!
bba-group pppoe East-Region
virtual-template Vtemplate1
!
interface atm1/0/0.10
pvc 101/250
protocol pppoe group East-Region

Verifying Per-Session Shaping on ATM Interfaces

To verify per-session shaping on ATM interfaces, use any of the following commands in privileged EXEC mode:

Command
Purpose

Router# show policy-map [interface interface]

Displays information about the policy map attached to the interface you specify. If you do not specify an interface, it displays information about all of the policy maps configured on the router.

interface interface is the interface type and number (for example, atm 4/0/0).

Router# show policy-map session [uid uid-number] [input | output [class class-name]]

Displays the QoS policy map in effect for subscriber sessions.

(Optional) uid defines a unique session ID.

(Optional) uid-number is a unique session ID. Valid values are from 1 to 65535.

(Optional) input displays the upstream traffic of the unique session.

(Optional) output displays the downstream traffic of the unique session.

(Optional) class identifies the class that is part of the QoS policy-map definition.

(Optional) class-name provides a class name that is part of the QoS policy-map definition.

Router# show running-config

Displays the running configuration on the router. The output shows the AAA setup and the configuration of the policy map, ATM VC, PPPoA or PPPoEoA, dynamic bandwidth selection, virtual template, and RADIUS server.


Related Documentation

This section provides hyperlinks to additional Cisco documentation for the features discussed in this chapter. To display the documentation, click the document title or a section of the document highlighted in blue. When appropriate, paths to applicable sections are listed below the documentation title.

Feature
Related Documentation

Class maps

Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2

Part 8: Modular Quality of Service Command-Line Interface > Configuring the Modular Quality of Service Command-Line Interface > Modular QoS CLI Configuration Task List > Creating a Traffic Class

Cisco IOS Quality of Service Solutions Command Reference, Release 12.2

access-list rate-limit -- fair-queue (WFQ) > class-map command

ISG commands

Cisco IOS ISG Command Reference

ISG Control Policies

Cisco IOS Intelligent Services Gateway Configuration Guide, Release 12.2SB.

Configuring ISG Control Policies

Per session service policy
using RADIUS

Cisco IOS Security Configuration Guide, Release 12.2

Part 2: Security Server Protocols > Configuring RADIUS

Policing

Comparing Traffic Shaping and Traffic Policing for Bandwidth Limiting

Policy maps

Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2

Part 8: Modular Quality of Service Command-Line Interface > Configuring the Modular Quality of Service Command-Line Interface > Modular QoS CLI Configuration Task List > Creating a Traffic Policy

Cisco IOS Quality of Service Solutions Command Reference, Release 12.2

policy map - qos preclassify > policy-map command

QoS service policies

QoS Configuration and Monitoring, Creating Time-of-Day QoS Service Policies tech note

QoS Configuration and Monitoring, Monitoring Voice over IP Quality of Service tech note

Site-to-Site MPLS VPN Solution for Service Providers, Service Provider Quality-of-Service Overview tech note