Cisco ME 3800x and ME 3600x Switches Software Configuration Guide, Cisco IOS Release 15.4(1)S

Modular QoS CLI Configuration

With the modular QoS CLI, you create traffic policies and attach these policies to physical interfaces or EFP service instances. A traffic policy contains a traffic class and one or more QoS features. You define a traffic class to classify traffic, use a traffic policy to define how to treat the classified traffic, and attach the policy to a port or service instance to create a service policy.

Step 1 Define a traffic class.

Use the class-map global configuration command to define a traffic flow or class and to enter class-map configuration mode. A traffic class contains:

• A name—You name the traffic class in the class-map command line to enter class-map configuration mode.
• (Optional) Keywords to evaluate the match commands, either class-map match-any or class-map match-all. By default, match-all is supported with a class map is defined and match-any is not specified. Only one match statement is allowed for match-all, except for outer VLAN and inner VLAN, or outer CoS and inner CoS matches for 802.1Q tunneling (QinQ) packets.
• For match-input vlan feature you must use class-map match all command. It must contain one match input-interface and at lease one match input vlan.
• A series of match class-map configuration commands to specify criteria for classifying packets. Criteria can include matching an access group defined by an ACL or matching a specific list of COS, DSCP, IP precedence, or MPLS EXP values. If a packet matches the specified criteria, that packet is considered a member of the class and is forwarded according to the QoS specifications set in the traffic policy. Packets that do not meet any of the matching criteria are classified as members of the default traffic class.

Note For exceptions to the list of match statements, see the “Classification” section.

Step 2 Associate policies and actions with each traffic class.

Use the policy-map global configuration command to create a traffic policy and to enter policy-map configuration mode. A traffic policy specifies the traffic class to act on and defines the QoS features to associate with the specified traffic class. A traffic policy contains a name, a traffic class (specified with the class policy-map configuration command), and the QoS policies configured in the class.

• A name—You name the traffic policy in the policy-map command line to enter policy-map configuration mode.
• A traffic class—Use the class policy-map configuration command to enter the name of the traffic class used to classify traffic to the specified policy, and enter policy-map class configuration mode.
• The QoS features to apply to the classified traffic. These include the set or police commands for input policy maps or the bandwidth , priority , queue-limit or shape average commands for output policy maps.

Note A packet can match only one traffic class within a traffic policy. If a packet matches more than one traffic class in the traffic policy, the first traffic class defined in the policy is used. To configure more than one match criterion for packets, you can associate multiple traffic classes with a single traffic policy.

Step 3 Attach the traffic policy to a target, which can be an interface or an EFP service instance.

Use the service-policy interface configuration command to attach the policy map to a target and to specify if the policy should be applied to packets that enter or leave the target. For example, entering the service-policy output policy1 interface configuration command attaches all the characteristics of the traffic policy named class1 to the interface. Entering the service-policy output policy1 service instance configuration command attaches all the characteristics of the traffic policy named class1 to the EFP service policy. All packets leaving the target are evaluated according to the criteria specified in the traffic policy class1 .

Note If you enter the no policy-map policy-map-name global configuration command to delete a policy map that is attached to an interface or service instance, a warning message appears that lists any interfaces from which the policy map is being detached. The policy map is then detached and deleted. For example:
Warning: Detaching Policy test1 from Interface GigabitEthernet0/1

Hierarchical QoS

Hierarchical QoS configuration involves traffic classification, policing, queuing, and scheduling. You can create a hierarchy by associating a class-level policy map with a VLAN-level policy map, by associating that VLAN-level policy map with a physical-level policy map, and by attaching the physical-level policy map to a port or EFP. You can omit hierarchical levels, but the order of levels (class level, VLAN level, and then physical level) must be preserved.

You can configure three QoS levels in the hierarchy:

• Class level—You configure this level of the hierarchy by matching CoS, DSCP, IP precedence, MAC ACLs, IP ACLs, QoS groups, discard-class, or MPLS EXP bits in the packet by using the match { access-group name | cos [ inner ] cos-list | discard-class value | dscp dscp-list | ip precedence ip-precedence-list | mpls experimental exp-list } | qos-group value class-map configuration command.

At the class level, you can use policy-map class configuration commands to:

– Configure policer drops by using the police cir or police cir percent command.

– Configure tail drop policies by using the queue-limit command.

– Modify the traffic class by setting Layer 2 and Layer 3 QoS fields by using the set commands.

– Configure scheduling by using the bandwidth or the priority command.

– Configure traffic shaping by using the shape command.

• VLAN level—You configure per-VLAN QoS by entering the match vlan vlan-id for one or more VLANs. You can also configure per-VLAN QoS using a class-map with both match i nput-interface and match i nput vlan commands configured.

At the VLAN level, for VLAN classification in ingress, you can:

– Police ingress traffic by using the police cir or police cir percent command.

– Configure unconditional marking on ingress traffic by using the set command.

At the VLAN level, for VLAN classification in egress, you can:

– Configure the queue to share the available port bandwidth and enable CBWFQ by using the bandwidth command.

– Configure traffic shaping by using the shape command.

You can also associate a previously defined child policy at the class level with a new service policy by using the service-policy policy-map class configuration command to apply the class-level policy only to traffic that matches the VLAN class. You cannot mix VLAN-level and class-level matches within a class map.

• Physical level—You can shape or police only the class-default class at the physical level of the hierarchy by using the shape , police cir , or police cir percent policy-map class configuration command. Within a policy map, the class-default applies to all traffic that is not explicitly matched within the policy map but that does match the parent policy. If no parent policy is configured, the parent policy represents the physical port.

– Configure unconditional marking by using the set command.

– In a physical-level policy map, class-default is the only class that you can configure. You use the service-policy { input | output } policy-map-name interface configuration command to attach a hierarchical policy to a physical port or to an EFP.

Classification

Classification distinguishes one kind of traffic from another by examining the fields in the packet header. When a packet is received, the switch examines the header and identifies all key packet fields. A packet can be classified based on an ACL, on the DSCP, the CoS, IP precedence, or MPLS EXP value in the packet, or by the VLAN ID. Figure 1-2 has examples of classification information carried in a Layer 2 or a Layer 3 IP packet header, using six bits from the deprecated IP type of service (ToS) field to carry the classification information.

• Layer 2 frame headers have a 2-byte Tag Control Information field that carries the CoS value, called the User Priority bits, in the 3 most-significant bits, and the VLAN ID value in the 12 least-significant bits. Layer 2 CoS values range from 0 to 7.
• Layer 3 IP packets can carry either an IP precedence value or a DSCP value. QoS supports the use of either value because DSCP values are backward-compatible with IP precedence values. IP precedence values range from 0 to 7. DSCP values range from 0 to 63. MPLS EXP values range from 0 to 7.

Figure 1-2 QoS Classification Layers in Frames and Packets

• “The match Command” section
• “Classification Based on Layer 2 Class of Service” section
• “Classification Based on IP Precedence” section
• “Classification Based on IP DSCP” section
• “CoS Mapping” section
• “Ingress Classification Based on QoS ACLs” section
• “Classification Based on QoS Groups” section
• “Classification Based on Discard Class” section
• “Classification Based on VLAN IDs” section
• “QoS-Context Manager” section
• “Classification for MPLS and EoMPLS” section

The match Command

In class-map configuration mode, you use the match class-map configuration command to define the match criterion for the traffic. You can also create a class map that requires that all matching criteria in the class map be in the packet header by using the class map match-all class-map name global configuration command.

Note The match-all keyword is supported only for outer and inner VLAN, or outer and inner CoS matches for QinQ packets and is rejected for all other mutually exclusive match criteria. You can configure only one match entry in a match-all class map

You can use the class map match-any class-map name global configuration command to define a classification with any of the listed criteria.

In class-map configuration mode, you use the match command to specify the classification criteria. If a packet matches the configured criteria, it belongs to a specific class and is forwarded according to the specified policy. For example, you can use the match class-map command with CoS, IP DSCP, IP precedence, or MPLS EXP values.You can also match an access group, a QoS group, a VLAN ID or inner VLAN ID or VLAN ID range for per-port, per-VLAN QoS.

You can also match packets based on input vlan and input interface for egress policies only.

For an input policy map, you cannot configure both an IP classification ( match ip dscp , match ip precedence , match ip acl ) and a non-IP classification ( match mac acl ) in the same policy map or class map.

This example shows how to create a class map example to define a class that matches any of the listed criteria. In this example, if a packet is received with the DSCP equal to 32 or 40, the packet is identified (classified) by the class map.

This example shows how to create a class map example to define a class that matches all of the listed criteria. In this example, if a packet is received from interface gigabitethernet 0/1 and VlAN 10, the packet is classified by the class map.

VLAN Match Support

The VLAN Match support feature allows classification based on VLAN on the main interface, which has EVC service instances configured on that interface.

Support VLAN-based policy on an EVC physical-port with the following EFP configuration:

• EFP VLAN encapsulation = Bridge-domain ID
• EFP rewrite = pop-1 ingress symmetric
• VLAN match in the class-map must be same as the Bridge-domain ID

Restrictions and Guidelines

The following restrictions apply to VLAN match support:

• The feature is only supported on main interfaces where the EVC Bridge Domain is configured.
• VLAN classification based policy-map, applied on the main interface where QoS on EVC is also configured, is not supported.
• VLAN-based classification is not supported on the xconnect EVC.
• The VLAN match feature is supported on egress only.

The following example shows classification based on VLAN on the main interface, where an EVC is configured.

Match Input Interface and Vlan Support

The match input interface and vlan feature is used to classify the ingress vlan tag and ingress interface on the egress ports.

Configration Guidelines and Restrictions

The following restrictions and configuration guidelines confirugations are not spported on the switch:

• Egress classification of ‘match input’ statements on EVC interfaces is not supported. Instead you must configure policies on the physical port containing the EVC.
• An egress policy attached to an interface cannot have both match input-interface / match input-vlan and match vlan class in the same class-map.

For the classes where VLAN classification must be supported in the presence of match input statements, match the input interface/vlan for the other regular VLAN classes.

• An egress policy attached to an interface matching on ‘match input’ statements won’t work unless a policy is configured on the input port.

Please refer the examples mentioned below. In order to match dscp 1 in egress, user has to ingress mark dscp 1 or classify on dscp 1 in the input interface.

• Configuring standalone match input interface OR match input vlan is not supported. Therefore you can only configure match input interface and match input vlan together in match-all class-maps.

Classification Based on EFP

Use the match service instance ethernet command to classify traffic based on the service instance value, which ranges from 1 to 4000.

Configuration Guidelines and Restrictions

• The egress policy-map on the EVC in presence of egress match EFP based policy on the main inerface or port is not supported.
• Only PHB based policies(COS, DSCP and so on.) under the class-efp are supported; match VLAN policy cannot be a child of the match service instance.
• match vlan and match service-instance are not supported in the same policy map

Two Unsupported configurations:

Supported configuration:

This example, shows a policy-map with match service instance is attached to the egress port. The class-map is based on multiple match service instance statements.

This example, shows a policy-map with match service instance is attached and a particular action is applied.

Classification Based on Layer 2 Class of Service

Use the match cos command to classify layer 2 traffic based on the CoS value, which ranges from 0 to 7.

This example shows how to create a class map to match a CoS value of 5:

Classification Based on IP Precedence

You can classify IPv4 traffic based on the packet IP precedence values, which range from 0 to 7. This example shows how to create a class map to match an IP precedence value of 4:

Classification Based on IP DSCP

When you classify IPv4 traffic based on the IP DSCP value and enter the match ip dscp class-map configuration command, you have several classification options:

• Entering a specific DSCP value (0 to 63).
• Using the Default service, which corresponds to an IP precedence and DSCP value of 0. The default per-hop behavior (PHB) is usually best-effort service.
• Using Assured Forwarding (AF) by entering the binary representation of the DSCP value. AF sets the relative probability that a specific class of packets is forwarded when congestion occurs and the traffic does not exceed the maximum permitted rate. AF per-hop behavior delivers IP packets in four different AF classes: AF11-13 (the highest), AF21-23, AF31-33, and AF41-43 (the lowest). Each AF class could be allocated a specific amount of buffer space and drop probabilities, specified by the binary form of the DSCP number. When congestion occurs, the drop precedence of a packet determines the relative importance of the packet within the class. An AF41 class provides the highest probability of a packet being forwarded from one end of the network to the other.
• Entering Class Selector (CS) service values of 1 to 7, corresponding to IP precedence bits in the ToS field of the packet.
• Using Expedited Forwarding (EF) to specify a low-latency path. This corresponds to a DSCP value of 46. EF services use priority queuing to preempt lower priority traffic classes.

This display shows the available classification options:

For more information on DSCP prioritization, see RFC-2597 (AF per-hop behavior), RFC-2598 (EF), or RFC-2475 (DSCP).

CoS Mapping

The switch uses EVC and EFPs to support VLAN mapping from the customer VLAN-ID (C-VLAN) to a service-provider VLAN-ID (S-VLAN). See the “Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling Using EFPs” section.

For QoS, you can set the service-provider CoS (S-CoS) from either the customer CoS (C-CoS) or the customer DSCP (C-DSCP) value. You can map the inner CoS to the outer CoS for any traffic with traditional 802.1Q tunneling (QinQ). This allows copying the customer CoS into the service provider network.

By default, the switch supports C-CoS to S-CoS propagation for QinQ. When you configure QinQ, you can also set the S-CoS from C-DSCP.

Configuring CoS matching on EFPs configured for tunneling:

• On service instances configured for 802.1Q tunneling, the CoS value of the VLAN tag (inner VLAN or C-VLAN) received on the interface (C-CoS) is automatically reflected in the tunnel VLAN tag (outer VLAN or S-VLAN) by default.
• The set cos policy-map class configuration commands always apply to the outer-most VLAN tag after processing is complete, that is the S-VLAN-ID. For example, in 802.1Q tunnels, entering a set cos command changes only the CoS value of the outer tag of the encapsulated packet.

Note Although you configure the command at input, because the switch supports only egress push, this affects only the CoS value of the tag imposed on egress.

• When you configure a policy by entering the match dscp class map configuration command and you enter the set cos policy-map class configuration command for QinQ EFPs, a DSCP match sets the outer CoS of the encapsulated value.

Note As in the previous case, the command configured at input affects only the CoS value of the tag imposed at egress.

• You can set DSCP based on matching the outer VLAN.
• If you enter the match cos command on EFPs configured for QinQ, the match is to the incoming CoS (C-CoS).

The same CoS mapping rules also apply to EFP rewrite operations (see the “Rewrite Operations” section) when you use the rewrite ingress tag pop symmetric service instance command for VLAN translation.

You can also configure outgoing CoS on an 802.1Q trunk port to simulate CoS mapping.

Ingress Classification Based on QoS ACLs

You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than do security ACLs. QoS policies do not match ACLs that use the deny keyword.

• If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
• If a match with a deny action is encountered, the ACL being processed is omitted, and the next ACL is processed.
• If no match with a permit action is encountered and all the ACEs have been examined, no QoS processing occurs on the packet, and the switch offers best-effort service to the packet.
• If multiple ACLs are configured on an interface, the lookup stops after the packet matches the first ACL with a permit action, and QoS processing begins.

Note When you create an access list, remember that the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the list end.

You implement IP ACLs to classify IP traffic by using the access-list global configuration command. You implement Layer 2 MAC ACLs to classify non-IP traffic by using the mac access-list extended global configuration command. The switch supports MAC ACLs only with destination addresses.

Not all IP ACL options are supported in QoS ACLs. Only these protocols are supported for permit actions in an IP ACL: TCP, and UDP. Within a protocol, for IP source and destination, the switch supports only the source or destination IP address, host, or any. For matching criteria, the switch supports only DSCP, time-range, and ToS. See the “Using ACLs to Classify Traffic” section for more specific information. When you define a class map with the ACL, you can add the class to a policy.

You can attach a policy that includes unsupported QoS IP ACL options to the target, but QoS ignores the unsupported options. If you modify an IP ACL in a policy map that is already attached to a target and the modification causes the policy to become invalid, the policy is detached from the target.

Classification Based on QoS Groups

A QoS group is an internal label used by the switch to identify packets as a members of a specific class. The label is not part of the packet header and is restricted to the switch that sets the label and not communicated between devices. QoS groups provide a way to tag a packet for subsequent QoS action without explicitly marking (changing) the packet.

A QoS group is identified at ingress and used at egress. It is assigned in an input policy to identify packets in an output policy. See Figure 1-3.

Figure 1-3 QoS Groups

You use QoS groups to aggregate different classes of input traffic for a specific action in an output policy. For example, you can classify an ACL on ingress by using the set qos-group command and then use the match qos-group command in an output policy.

Input policy map:

Output policy map:

You can use QoS groups to aggregate multiple input streams across input classes and policy maps to have the same QoS treatment on the egress port. Assign the same QoS group number in the input policy map to all streams that require the same egress treatment, and match the QoS group number in the output policy map to specify the required queuing and scheduling actions.

You can also use QoS groups to implement MPLS tunnel mode. In this mode, the output per-hop behavior of a packet is determined by the input EXP bits, but the packet remains unmodified. You match the EXP bits on input, set a QoS group, and then match that QoS group on output to obtain the required QoS behavior.

To communicate an ACL classification to an output policy, you assign a QoS number to specify packets at ingress. This example identifies specific packets as part of QoS group 1 for later processing in an output policy:

You use the set qos-group command only in an input policy. The assigned QoS group identification is then used in an output policy with no mark or change to the packet. You use the match qos-group in the output policy. You cannot configure match qos-group for an input policy map.

This example creates an output policy to match the QoS group created in the input policy map in-gold-policy . Traffic internally tagged as qos-group 1 is identified and processed by the output policy.

The switch supports a maximum of 127 QoS groups.

The Cisco ME3600x switch uses labels to handle QoS. The following example explains the calculation of the labels and the QoS groups:

Labels consumed with the policy-map child_T: 118. Hence, the QoS label exhaustion error is valid.

• Labels consumed by cos match: Two labels for every CoS match (for two re-write types) = 6.
• Precedence labels: Each precedence label breaks down into eight DSCP labels.

Every DSCP has match labels on CoS 2, 3, and 7 for two rewrite types. That is,

3 (cos_match) x 2 (re-write) + one exact DSCP match = 16 x 7 = 112 QoS labels.

Classification Based on Discard Class

A discard class is very similar to a QoS group in that it is a virtual packet marking that is carried in the packet within a single device. The difference is that a QoS group defines the complete QoS behavior for a packet, while a discard class only communicates the drop precedence of the packet during congestion management. For example, a packet could be classified on input into one QoS group, but within that QoS group, a policer could mark one of three discard classes, depending on whether the packet was determined to conform to, exceed, or violate the configured specifications. On output, a class would match the QoS group. but you could configure three different drop curves, one for each of the discard classes. The discard class value ranges from 0 to 7.

Classification Based on VLAN IDs

With classification based on VLAN IDs, you can apply QoS policies to frames carried on a user-specified VLAN for a given interface. You can use hierarchical policy maps for per-VLAN classification on trunk ports. Per-VLAN classification is not required on access ports because access ports carry traffic for a single VLAN.

You use the match vlan vlan-id class-map configuration command to classify based on the outer VLAN. Use the match vlan inner vlan-id class-map configuration command to classify based on the inner VLAN

QoS-Context Manager

QoS-Contest Manager allocates QoS-context for s-vlan and c-vlan matches. To display qos-context manager information use the show platform qos context struct bridge domain command.

QOS-contexts are allocated only for intersecting combinations of a configured class-map vlans and the vlans present in encapsulation

Packets can come from

• Multiple ingress rewrite encapsulation types (pop 0, pop 1 and pop 2)
• With and without Ingress Service policies

For every egress vlan combination, qos-context is allocated in the ingress tcam based on the ingress rewrite type

Restrictions and limitations

QoS-context manager has the following limitations:

• There are 63 qos-contexts available per bridge-domain.
• QoS-Context manager is fixed and cannot be changed

QoS-context depends on the following:

• Presence of ingress service policy.
• Presence of ingress rewrite type (pop 0, pop 1, pop 2)#
• Bridge-domain or xconnect must be configured on the service instance
• Applies to both ME3600X and ME 3800X

Note Where ingress service policy is not configured the ingress rewrite type is used to allocate qos-contexts.

Working Configuration

The following is an example of a working configuration for allocation of qos-context:

Policy Used:

Configuration:

Based on the class-maps in the applied policy, 31 vlans in the class-maps intersecting with the encap vlans "encapsulation dot1q 1-1080" (match vlan 1050-1099)

2 Qos-contexts are allocated for every vlan match in the egress side of this evc, total qos-contexts 31*2=62

Policy is accepted as 63 qos-contexts are supported per bridge-domain

Failed Configuration:

The following is an example of a failed configuration for allocation of qos-contexts:

Based on the class-maps in the applied policy, 32 vlans in the class-maps intersecting with the encap vlans "encapsulation dot1q 1-1081" (match vlan 1050-1099)

2 Qos-contexts are allocated for every vlan match in the egress side of this evc, total qos-contexts 32*2=64

Policy is rejected as only 63 qos-contexts are supported per bridge-domain

Classification for MPLS and EoMPLS

In an MPLS network, QoS can be specified in different ways. For example, the IP precedence field (the first 3 bits of the DSCP field in the header of an IP packet) can specify the QoS value to give the packet. If the network is an MPLS network, the IP precedence bits are copied into the MPLS EXP field at the edge of the network. If a service provider wants to set a QoS value for an MPLS packet to a different value, instead of overwriting the value in the IP precedence field that belongs to a customer, the service provider can set the MPLS experimental field. The IP header remains available for the customer’s use, and the QoS of an IP packet is not changed as the packet travels through the MPLS network.

By choosing different values for the MPLS experimental field, you can mark packets based on their characteristics, such as rate or type, so that packets have the priority that they require during periods of congestion.

Figure 1-4 shows an MPLS network that connects two sites of an IP network that belongs to a customer.

Figure 1-4 MPLS Network Connecting Two Customer Sites

PE1 and PE2 are customer-located routers at the boundaries between the MPLS network and the IP network and are the ingress and egress provider-edge devices. CE1 and CE2 are customer edge devices. P1 and P2 are service provider routers within the core of the service-provider network.

Packets arrive as IP packets at PE1, the ingress provider-edge router, and PE1 sends the packets to the MPLS network as MPLS packets. Within the service-provider network, there is no IP precedence field for the queuing mechanism to look at because the packets are MPLS packets. The packets remain as MPLS packets until they arrive at PE2, the egress provider-edge router. PE2 removes the label from each packet and forwards the packets as IP packets.

Service providers can use MPLS QoS to classify packets according to the type, and other factors by setting (marking) each packet within the MPLS experimental field without changing the IP precedence or DSCP field. You can use the IP precedence or DSCP bits to specify the QoS for an IP packet and use the MPLS experimental bits to specify the QoS for an MPLS packet. In an MPLS network, configure the MPLS experimental field value at PE1 (the ingress router) to set the QoS value in the MPLS packet.

It is important to assign the correct priority to a packet. The packet priority affects how the packet is treated during periods of congestion. For example, service providers have service-level agreements with customers that specify how much traffic the service provider has agreed to deliver. To comply with the agreement, the customer must not send more than the agreed-upon rate. Packets are considered to be in-rate or out-of-rate. If there is congestion in the network, out-of-rate packets might be dropped more aggressively.

MPLS QoS matches only valid MPLS packets. On input, the match is performed before any label processing on the packet. On output, the match is performed on the final packet after all label operations are performed. See the “Configuring MPLS and EoMPLS QoS” section.

EoMPLS and QoS

EoMPLS supports QoS by using three experimental bits in a label to determine the priority of packets. To support QoS between label edge routers (LERs), you set the experimental bits in both the virtual connection and the tunnel labels. EoMPLS QoS classification occurs on ingress, and you can match on Layer 3 parameters (such as IP or DSCP), and Layer 2 parameters (CoS). Mapping does not occur by default and you must set MPLS experimental bits at ingress. See the “Configuring MPLS and EoMPLS QoS” section for more information about EoMPLS and QoS.

Table Maps

You can use table maps to manage a large number of traffic flows with a single command. You can specify table maps in set commands and use them as mark-down mapping for the policers. You can also use table maps to map an incoming QoS marking to a replacement marking without having to configure a large number of explicit matches and sets. Table maps are used only in input policy maps.

Table maps are not supported under class-default.

Table maps can be used to:

• Correlate specific CoS, DSCP, or IP precedence values to specific CoS, DSCP, or IP precedence values
• Mark down a CoS, DSCP, or IP precedence value
• Assign defaults for unmapped values

A table map includes one of these default actions:

• default default-value —applies a specific default value (0 to 63) for all unmapped values
• default copy —maps all unmapped values to the equivalent value in another qualifier
• default ignore —makes no changes for unmapped values

This example creates a table to map specific CoS values to DSCP values. The default command maps all unmapped CoS values to a DSCP value of 63.

The switch supports a maximum of 256 unique table maps. You can enter up to 64 different map from – to entries in a table map. These table maps are supported on the switch:

• DSCP to CoS
• DSCP to precedence
• DSCP to DSCP
• CoS to DSCP
• CoS to precedence
• CoS to CoS
• Precedence to CoS
• Precedence to DSCP
• Precedence to precedence

Table maps modify only one parameter (CoS, IP precedence, or DSCP, whichever is configured) and are only effective when configured with a with a conform-action or exceed-action command in a police function. Individual policers also support the violate-action command.

Table maps are not supported in output policy maps. For more information, see the “Configuring Table Maps” section.

Policing

After a packet is classified and assigned a QoS label, you can use policing, as shown in Figure 1-5, to regulate the class of traffic. The policing function limits the amount of bandwidth available to a specific traffic flow or prevents a traffic type from using excessive bandwidth and system resources. A policer identifies a packet as in or out of profile by comparing the rate of the inbound traffic to the configuration profile of the policer and traffic class. Packets that exceed the permitted average rate or burst rate are out of profile or nonconforming . These packets are dropped or modified (marked for further processing), depending on the policer configuration.

Policing is used primarily on receiving interfaces. You can attach a policy map with a policer only in an input service policy. The only policing allowed in an output policy map is in priority queues.

All traffic, whether it is bridged or routed, is subjected to a configured policer. As a result, packets might be dropped or might have the DSCP or CoS fields modified when they are policed and marked.

Note Input hierarchical service policies are applied to a traffic stream before any other services act on that traffic. For example, an input hierarchical service policy applied to traffic could change the traffic rate from above a storm-control threshold to below the storm-control threshold, preventing storm control from acting on the traffic stream.

Figure 1-5 Policing of Classified Packets

You can attach a policy map with a policer only in a service policy. The switch supports 1-rate, 2-color and 2-rate, 3-color ingress policing. Only 1-rate, 2-color policing is supported in egress policies.

For 1-rate, 2-color policing, use the police policy map class configuration command to define the policer, the committed rate limitations of the traffic, committed burst size limitations of the traffic, and the action to take for a class of traffic that is below the limits ( conform-action ) and above the limits ( exceed-action ). If you do not specify burst size ( bc ), the system calculates an appropriate burst size value. The calculated value is appropriate for most applications.

When you configure a 2-rate policer, you configure the committed information rate (CIR) for updating the first token bucket, and also the peak information rate (PIR) at which the second token bucket is updated. If you do not configure a PIR, the policer is a standard 1-rate, 2-color policer.

For 2-rate, 3-color policing, you can then choose to set actions to perform on packets that conform to the specified CIR and PIR ( conform-action ), packets that conform to the PIR, but not the CIR ( exceed-action ), and packets that exceed the PIR value ( violate-action ).

• If you set the CIR value equal to the PIR, a traffic rate that is less than or equal to the CIR is in the conform range. Traffic that exceeds the CIR is in the violate range.
• If you set the PIR greater than the CIR, a traffic rate less than the CIR is in the conform range. A traffic rate that exceeds the CIR but is less than or equal to the PIR is in the exceed range. A traffic rate that exceeds the PIR is in the violate range.
• If you do not configure a PIR, the policer is configured as a 1-rate, 2-color policer.

Setting the burst sizes too low can reduce throughput in situations with bursty traffic. Setting burst sizes too high can allow too high a traffic rate.

Note The switch supports byte counters for byte-level statistics for conform, exceed, and violate classes in the show policy-map interface privileged EXEC command output.

Use the service-policy input interface configuration command to attach the policy map to a physical port or EFP service instance to make it effective. For more information, see the “Attaching a Service Policy to an Interface or EFP” section. Policing is done only on received traffic, so you can only attach a policer to an input service policy.

See the “Configuring a Policy Map with 1-Rate, 2-Color Policing” section for configuration examples.

You can use the conform-action , exceed-action , and violate-action policy-map class configuration commands or the conform-action , exceed-action , and violate-action policy-map class police configuration commands to specify an action when the packet conforms to or exceeds the specified traffic rates. Conform, exceed, and violate actions are to drop the packet, to send the packet without modifications, to set a new CoS, DSCP, or IP precedence value, or to set a QoS group value for classification at the egress.

You can simultaneously configure multiple conform, exceed, and violate actions for each service class.

Priority Policing

Priority policing applies only to output policy maps. You can use the priority policy map class configuration command in an output policy map to designate a low-latency path or class-based priority queuing for a specific traffic class. With strict priority queuing, the packets in the priority queue are scheduled and sent until the queue is empty. Excessive use of high-priority queuing can create congestion for low priority traffic.

Restriction and Usage Guidelines

• Apply egress policer on priority queues.
• Egress policer is not supported on vlan classes.
• Egress policer is supported at 3rd level or PHB level only on priority queues.
• Conditional marking is not supported in egress policer.
• Policing at Logical or Physical Level and aggregate policing is not supported.
• Strict-priority cannot be configured without a policer, if BW is configured on the same level classes.
• Strict priority cannot co-exist with bandwidth kbps/percent in any other class. For strict priority, configure policer first and then configure bandwidth on the same level classes.

To eliminate this congestion, you can use the Priority with Police feature (priority policing) to reduce the bandwidth used by the priority queue, and allocate traffic rates on other queues. Priority with police is the only form of policing supported in output policy maps.

This example shows how to use the priority command with police command to configure out-class1 as the priority queue, with traffic going to the queue that is limited to 20,000,000 bps. so that the priority queue never uses more than that. Traffic above that rate is dropped. This allows other traffic queues to receive some port bandwidth, in this case a minimum bandwidth guarantee of 500,000 and 200,000 kbps. The class-default, queue gets the remaining port bandwidth.

Packet Marking

You can use packet marking in input policy maps to set or modify the attributes for traffic belonging to a specific class. For example, you can change the CoS value in a class or set IP DSCP or IP precedence values for a specific type of traffic. These new values are then used to determine how the traffic should be treated. You can also use marking to assign traffic to a QoS group within the switch.

Traffic marking is typically performed on a specific traffic type at the ingress port. The marking action can cause the CoS, DSCP, or precedence bits to be rewritten or left unchanged, depending on the configuration. This can increase or decrease the priority of a packet in accordance with the policy used in the QoS domain so that other QoS functions can use the marking information to judge the relative and absolute importance of the packet. The marking function can use information from the policing function or directly from the classification function.

Restrictions and Usage Guidelines

• Outer Cos, ipv4 dscp, ipv4 precedence, MPLS EXP marking at egress is supported.
• Multiple marking actions for the same class at egress is supported.
• Egress marking of set cos inner is not supported.
• DEI, IPv6 dscp and inner dscp in tunnel is not supported.
• Hierarchical Marking and Enhanced Marking using table-maps is not supported.
• Egress marking cannot be applied to physical classes and vlan classes.
• Qos-group and discard-class marking is not supported at egress, only classification is supported at egress.
• In the case of layer 2 to layer 3 propagation, EXP value is set to 0 by default

Specify and mark traffic by using the set commands in a policy map for all supported QoS markings. CoS, IP DSCP, and IP precedence markings are supported in both ingress and egress policies. The task of setting QoS groups is supported only in ingress policies.

Note The task of setting QoS-groups, discard classes, and imposed EXPs is not supported in egress policies.

A set command unconditionally marks the packets that match a specific class. You can then attach the policy map to an interface or service instance as an input policy map or output policy map.

You can simultaneously configure the actions to modify the DSCP, precedence, and CoS markings in the packet for the same service along with the QoS group marking actions. You can use the QoS group number defined in the marking action for egress classification. Figure 1-6 shows the steps involved in marking traffic.

Figure 1-6 Marking Classified Traffic

This example uses a policy map to remark a packet. The first marking (the set command) applies to the QoS default class map that matches all traffic not matched by class AF31-AF33 and sets all traffic to an IP DSCP value of 1. The second marking sets the traffic in classes AF31 to AF33 to an IP DSCP of 3.

Note Only the cos of the outer vlan is written by the egress 'set cos' command in EVC POP1-POP2.

If the egress class match criteria is a part of ingress marking set actions, the egress packet will have both ingress and egress marking action applied on it. If ingress and egress set actions act on the same PHB, the egress set action will take precedence over ingress set action.

In this example, the egress packet is set to both DSCP 20 and CoS 3:

Congestion Avoidance and Queuing

The Congestion Avoidance feature uses algorithms such as tail drop to control the number of packets entering the queuing and scheduling stage to avoid congestion and network bottlenecks. The switch uses WTD and Weighted Random Early Detection (WRED) to manage the queue sizes and provide a drop precedence for traffic classifications.

These sections contain additional information on congestion avoidance and queuing:

• Weighted Tail Drop
• Weighted Random Early Detection (WRED)

Weighted Tail Drop

You set the queue size limits depending on the markings of the packets in the queue. You can assign each packet that travels through the switch to a specific queue and threshold. For example, you can map specific DSCP or CoS values to a specific egress queue and threshold. If the total destination queue size is greater than the threshold of any classified traffic, the next frame of that traffic is dropped.

Figure 1-7 shows an example of WTD operating on a queue with 1000 microseconds worth of data. Three drop percentages are configured: 40 percent (400 microseconds), 60 percent (600 microseconds), and 100 percent (1000 microseconds). These percentages mean that traffic classified to the 40-percent threshold is dropped when the queue depth exceeds 400 microseconds, traffic classified to 60 percent is dropped when the queue depth exceeds 600 microseconds. Traffic up to 400 microseconds can be queued at the 40-percent threshold, up to 600 microseconds at the 60-percent threshold, and up to 1000 microseconds at the 100-percent threshold.

Figure 1-7 WTD and Queue Operation

In this example, CoS values 6 and 7 have a greater importance than the other CoS values, and they are assigned to the 100-percent drop threshold (queue-full state). CoS values 4 and 5 are assigned to the 60-percent threshold, and CoS values 0 to 3 are assigned to the 40-percent threshold.

If the queue is already filled with 600 microseconds worth of data, and a new frame arrives containing CoS values 4 or 5, the frame is subjected to the 60-percent threshold. When this frame is added to the queue, the threshold would be exceeded, so the switch drops it.

You configure WTD by using the queue-limit policy-map class command to adjust the queue size (buffer size) associated with a particular class of traffic.

Note Queue-limit is supported only in leaf-level (per-hop behavior) classes.

You specify the maximum threshold in bytes, microseconds, percent or packets. You can specify different queue sizes for different classes of traffic (CoS, DSCP, MPLS EXP, precedence, discard-class, or QoS group) in the same queue. Setting a queue limit establishes a drop threshold for the associated traffic when congestion occurs.

Note You cannot configure queue size by using the queue-limit policy map class command without first configuring a scheduling action (bandwidth, shape average, or priority). The only exception to this is when you configure queue-limit for the class-default of an output policy map.

The switch supports up to three unique queue-limit configurations (including the default) across all output policy maps. Within an output policy map, four or eight queues (classes) are allowed, including the class default. Each queue can have three defined thresholds. Only three unique threshold value configurations are allowed per class. Multiple policy maps can share the same queue-limits. Each class-map in a policy-map can either share the same threshold or can have its own unique values.

You can use these same queue-limit values in multiple output policy maps on the switch. However, changing one of the queue-limit values in a class creates a new, unique queue-limit configuration. At any one time, you can attach only three unique queue-limit configurations in output policy maps to targets. If you attempt to attach an output policy map with a fourth unique queue-limit configuration, you see this error message:

By default, queues have unique thresholds based on the speed of the interface. You can decrease the queue size for latency-sensitive traffic or increase the queue size for bursty traffic.

Queue bandwidth and queue size (queue limit) are configured separately and are not interdependent. You should consider the type of traffic being sent when you configure bandwidth and queue-limit:

• A large buffer (queue limit) can better accommodate bursty traffic without packet loss, but at the cost of increased latency.
• A small buffer reduces latency but is more appropriate for steady traffic flows than for bursty traffic.
• Very small buffers are typically used to optimize priority queuing. For traffic that is priority queued, the buffer size usually needs to accommodate only a few packets; large buffer sizes that increase latency are not usually necessary. For high-priority latency-sensitive packets, configure a relatively large bandwidth and relatively small queue size.

WTD thresholds:

• You cannot use the queue-limit command to configure more than two threshold values for WTD qualifiers ( cos , dscp , precedence , qos-group, discard-class , or mpls experimental ). However, there is no limit to the number of qualifiers that you can map to these thresholds.
• You can configure a third threshold value to set the maximum queue by using the queue-limit command with no qualifiers.
• You can configure many more WTD thresholds, provided their threshold values are equal to the maximum threshold of the queue provided by the queue-limit command.

See the “Configuring Weighted Tail Drop” section.

Weighted Random Early Detection (WRED)

WRED combines the capabilities of the RED algorithm with the IP Precedence feature to enable preferential traffic handling of high-priority packets. WRED can selectively discard low-priority traffic when the switch begins to get congested, and provide differentiated egress drop thresholds based on the DSCP, IP precedence, CoS values, or MPLS EXP bits.

You can configure WRED to ignore IP precedence when making drop decisions so that non weighted RED behavior is achieved.

WRED attempts to anticipate and avoid congestion rather than control congestion after it occurs.

WRED works with ipv6 dscp/class of service.

Why Use WRED?

WRED facilitates early detection of congestion and enables multiple classes of traffic. It also protects against global synchronization. For these reasons, WRED is useful on any output interface on which you expect congestion to occur.

However, WRED is usually used in the core routers of a network rather than at the edge of a network. Edge routers assign IP precedences to packets as they enter the network. WRED uses these precedences to determine how to treat different types of traffic.

WRED provides separate thresholds and weights for different IP precedences, allowing you to provide different qualities of service with regard to packet dropping for different traffic types. Standard traffic can be dropped more frequently than premium traffic during periods of congestion.

How It Works

By randomly dropping packets prior to periods of high congestion, WRED communicates with the packet source to decrease its transmission rate. If the packet source is using TCP, it will decrease its transmission rate until all the packets reach their destination, which indicates that the congestion is cleared.

WRED generally drops packets selectively, based on IP precedence. Packets with a higher IP precedence are less likely to be dropped than packets with a lower precedence. Thus, the higher the priority of a packet, the higher the probability that the packet will be delivered.

WRED reduces the chances of tail drop by selectively dropping packets when the output policy maps begin to show signs of congestion. By dropping some packets early rather than waiting until the queue is full, WRED avoids dropping large numbers of packets at once and minimizes the chances of global synchronization. Thus, WRED allows the transmission line to be used fully at all times.

In addition, WRED statistically drops more packets from large users than from small users. Therefore, traffic sources that generate the most traffic are more likely to be slowed down than traffic sources that generate less traffic.

WRED avoids the globalization problems that occur when tail drop is used as the congestion avoidance mechanism. Global synchronization manifests when multiple TCP hosts reduce their transmission rates in response to packet dropping, and increase their transmission rates once again when the congestion is reduced.

WRED is useful only when the bulk of the traffic is TCP/IP traffic. With TCP, dropped packets indicate congestion. Therefore the packet source will reduce its transmission rate. With other protocols, packet sources may not respond or may resend dropped packets at the same rate. Thus, dropping packets does not decrease congestion.

WRED treats non-IP traffic as precedence 0, the lowest precedence. Therefore, non-IP traffic, in general, is more likely to be dropped than IP traffic.

Figure 1-8 illustrates how WRED works.

Figure 1-8 How WRED works.

Average Queue Size

The router automatically determines the parameters to be used in WRED calculations. The average queue size is based on the previous average and the current size of the queue. The formula is:

here n is the exponential weight factor, a user-configurable value. The default value of the exponential weight factor is 9. We recommend that you use only the default value for the exponential weight factor. Change this value from the default value only if you have determined that your scenario will benefit from using a different value.

For high values of n , the previous average becomes more important. A large factor smooths out the peaks and lows in queue length. The average queue size is unlikely to change very quickly, avoiding drastic swings in size. The WRED process will be slow to start dropping packets, but it may continue dropping packets for a time after the actual queue size has fallen below the minimum threshold. The slow-moving average will accommodate temporary bursts in traffic.

Note If the value of n gets too high, WRED will not react to congestion. Packets will be sent or dropped as if WRED were not in effect.

For low values of n , the average queue size closely tracks the current queue size. The resulting average may fluctuate with changes in the traffic levels. In this case, the WRED process responds quickly to long queues. After the queue falls below the minimum threshold, the process will stop dropping packets.

If the value of n gets too low, WRED will overreact to temporary traffic bursts and drop traffic unnecessarily.

See the “Configuring Weighted Random Early Detection” section.

Congestion Management and Scheduling

MQC provides several related mechanisms in output policy maps to control outgoing traffic flow. The scheduling stage holds packets until the appropriate time to send them to one of the four or eight traffic queues. Queuing assigns a packet to a particular queue based on the packet class and is enhanced by the WTD algorithm for congestion avoidance. You can use different scheduling mechanisms to provide a guaranteed bandwidth to a particular class of traffic while also serving other traffic in a fair way. You can limit the maximum bandwidth that can be consumed by a particular class of traffic and ensure that delay-sensitive traffic in a low-latency queue is sent before traffic in other queues.

The switch supports these scheduling mechanisms:

• Traffic shaping

You use the shape average policy map class configuration command to specify that a class of traffic should have a maximum permitted average rate. You specify the maximum rate in bits per second.

• Class-based-weighted-fair-queuing (CBWFQ)

You can use the bandwidth policy-map class configuration command to control the bandwidth allocated to a specific class. Minimum bandwidth can be specified as a bit rate, or as a percentage of total bandwidth, or as remaining bandwidth.

• Priority queuing or class-based low-latency scheduling

You use the priority policy-map class configuration command to specify the that a class of traffic has low latency requirements with respect to other classes. When you configure this command in a class, you cannot configure bandwidth in any other child class associated with the same parent.

These sections contain additional information about scheduling:

• Traffic Shaping
• Class-Based Weighted Fair Queuing
• Priority Queuing

Traffic Shaping

Traffic shaping or class-based peak rate scheduling is used to specify the maximum transmission rate for a traffic class. Unlike traffic policing, where nonconforming packets are dropped or marked right away, packets exceeding the rate specified in the shape command are usually buffered and can be sent later when bandwidth is available. While policing propagates traffic bursts, shaping smooths bursts by sending the packets later. Traffic policing is used in input policy maps, and traffic shaping occurs as traffic leaves an interface or service instance.

Configuring a queue for traffic shaping sets the maximum bandwidth or PIR of the queue. You can set the PIR from 1 Kb/s to 10 Gb/s. You can also configure the PIR as a percentage of the PIR of a parent level.

Note You cannot configure traffic shaping (shape average) and or priority queuing (priority) for the same class in an output policy map. However, you can configure CIR, PIR, and EIR bandwidth independently for a class and use the bandwidth, bandwidth remaining, and shape average commands at the same time within a class.

Class-Based Shaping

Class-based shaping uses the shape average policy-map class configuration command to limit the rate of data transmission in bits per second to be used for the committed information rate for a class of traffic. The switch supports separate queues for four or eight classes of traffic, including the default queue for class class-default , unclassified traffic.

See the “Configuring Class-Based Shaping” section.

Port Shaping

Port shaping is applied to all the traffic leaving a target. It uses a policy map with only class default when you specify the maximum bandwidth for a port using the shape average command. You can attach a child policy to the class default in a hierarchical policy map format to specify class-based and VLAN-based actions.

Where EFPs are configured to aggregately shape the EFPs in a port, configure a port policy using a class-default shaper configuration.

See the “Configuring Port Shaping” section.

Restriction and Usage Guidelines

• To allow coexistence, apply policy-map on the main interface before applying the policy-map on the sub targets.
• You can configure port level shaping with these policy-maps:

– Flat policy-map on the service instance.

– HQoS policy-map on the service instance.

• Port level shaping is supported in the egress direction on the main interface.
• Only Class-default is supported on the port-shaper policy-map.
• EVC QoS is not allowed for user defined classes on the main interface policy-map, or if there is a HQoS policy-map on the main interface.
• Summation of Bandwidth configured on the polices applied on service instances should not exceed the port-shaper value.
• Shape configured on the polices applied on service instance should not exceed the port-shaper value.
• It is recommended to remove the policy-map on the main interface only after removing policy-maps on the service instances.
• It is recommended to apply the policy-map on the main interface before adding the policy-maps on the service instances.
• It is recommended not to change the port-shaper values dynamically when QoS policy-maps are applied.
• Below are the list of unsupported configuration.

– Port policy(class-default shaper + PHB classes) and policies on EFPs

– Port policy(class-default shaper + Vlan classes) and policies on EFPs

– Port policy(class-default shaper + Vlan + PHB classes) and policies on EFPs

– Port policy(PHB classes) and policies on EFPs

– Port policy(Vlan classes) and policies on EFPs

– Port policy(Vlan + PHB classes) and policies on EFPs

– Port policy(class based policies) to handle LLQ across EFPs + EFP policies

– Match efp-id on the port policy

Parent-Child Hierarchy

The switch also supports parent policy levels and child policy levels for traffic shaping. The QoS parent-child structure is used for specific purposes when a child policy is referenced in a parent policy to provide additional control of a specific traffic type.

Note The total of the minimum bandwidth guarantees (CIR) for each queue of the child policy cannot exceed the total port-shape rate.

This is an example of a parent-child configuration:

You can also configure the PIR in a child policy to be an absolute rate calculated as a percentage of the PIR of the parent level policy. You can configure the child PIR from 0 percent to 100 percent of the parent policy.

Class-Based Weighted Fair Queuing

You can configure class-based weighted fair queuing (CBWFQ) to set the relative precedence of a queue by allocating a portion of the total bandwidth that is available for the port. You use the bandwidth policy-map class configuration command to set the minimum guaranteed output bandwidth or CIR for a class of traffic as a rate (kilobits per second), a percentage of total bandwidth, or a percentage of remaining bandwidth.

Note When you configure bandwidth in a policy map, you must configure all rates in the same format, either a configured rate or a percentage. The total of the minimum bandwidth guarantees (CIR) for each queue of the policy cannot exceed the total speed of the parent.

• Configuring bandwidth for a class of traffic as an absolute rate (kilobits per second) or a percentage of total bandwidth represents the minimum bandwidth guarantee (the CIR) for that traffic class. This means that the traffic class gets at least the bandwidth indicated by the command, but is not limited to that bandwidth. Any excess bandwidth on the port is allocated to each class in the same ratio in which the CIR rates are configured. The CIR range is from 1 Kb/s to 10 Gb/s or 1 to 100 percent. You configure the bandwidth percent command mainly in hierarchical policy maps where a child CIR guarantee is tied to the parent CIR guarantee.

The sum of all CIR commitments for a set of peer classes cannot exceed the PIR (shape) of the parent level. A queue without a configured CIR commitment does not receive any committed bandwidth in the scheduler and can be entirely superseded other classes. If CIR bandwidth is required for any class, including class-default, you must configure it.

Note You cannot configure bandwidth as an absolute rate or a percentage of total bandwidth when priority is configured for another class in the output policy. However, you can configure CIR, EIR, and PIR independently for a class and use the bandwidth, bandwidth remaining, and shape average commands, respectively, at the same time within a class.

• Configuring bandwidth as a percentage of remaining bandwidth determines the portion of the excess bandwidth of the target that is allocated to the class. This means that the class is allocated bandwidth only if there is excess bandwidth on the target and if there is no minimum bandwidth guarantee for this traffic class. By default, the total excess bandwidth is divided equally among the classes. You can configure bandwidth as remaining percentage to configure an unequal distribution for prioritizing classes. The total bandwidth that you can allocate between peer classes is 100 percent.

Note You cannot configure bandwidth as percentage of remaining bandwidth when priority is configured for another class in the output policy map.

For more information, see the “Configuring Class-Based-Weighted Fair Queuing” section.

Priority Queuing

You can use the priority policy-map class configuration command to ensure that a particular class of traffic is given preferential treatment with respect to other classes associated with the same parent entity. With priority queuing, the priority queue is constantly serviced until the queue is empty. With priority queuing, traffic for the associated class is sent before packets in other queues are sent.

When you configure priority in a class, you cannot configure the bandwidth command in any other sibling class associated with the same parent.

Note You should exercise care when using the priority command. Excessive use of strict priority queuing might cause congestion in other queues.

Priority queuing has these restrictions:

• You can associate the priority command with a a single unique class for each policy map.
• You cannot configure priority and any other scheduling action ( shape average or bandwidth ) in the same class.
• You cannot configure priority queuing for the class-default of an output policy map.

For more information, see the “Configuring Class-Based Priority Queuing” section.

Input and Output Policy Maps

Policy maps are either input policy maps or output policy maps applied to packets as they enter or leave the switch by service policies attached to targets. Input policy maps perform policing and marking on received traffic. Policed packets are dropped or reduced in priority (marked down) if they exceed the maximum permitted rates. Output policy maps perform scheduling and queuing on traffic as it leaves the switch.

Input policies and output policies have the same basic structure but differ in the characteristics that they regulate. Figure 1-9 shows the relationship of input and output policies.

Figure 1-9 Input and Output Policy Relationship

Input Policy Maps

Input policy map classification criteria include matching CoS, DSCP, IP precedence, or MPLS EXP values or matching an ACL or VLAN ID (for per-port, per-VLAN QoS). Input policy maps support two actions: marking and policing. You can specify these actions in any one level of the hierarchical policy map, but actions cannot be nested. That is, if a child policy has a policer, then the parent policy map cannot have a policer. Likewise, if there is marking in a child policy, there cannot be marking in a parent policy.

Only input policies provide matching on access groups, and only output policies provide matching on QoS groups and discard classes. The class class-default is used in a policy map for any traffic that does not explicitly match any other class in the policy map. Input policy maps do not support queuing and scheduling keywords, such as bandwidth , queue-limit , priority , and shape average .

Output Policy Maps

Output policy map classification criteria include matching CoS, DSCP, an IP precedence, MPLS EXP, or QoS groups. or a discard-class value. Output policy maps can have any of these actions:

• Queuing ( queue-limit )
• Scheduling ( bandwidth , priority , and shape average )

Policies attached to an EFP support only 2-level scheduling. Although you can attach a 3-level hierarchical policy to an EFP, the policy should conform to these rules:

• Only two or the three levels can have a scheduling action (bandwidth, priority, or shape).
• One of the two levels must be the class (bottom-most) level.

Output policy maps do not support matching of access groups. You can use QoS groups as an alternative by matching the appropriate access group in the input policy map and setting a QoS group. In the output policy map, you can then match the QoS group. See the “Classification Based on QoS Groups” section for more information.

• A class-level policy (a child policy with class maps matching CoS, DSCP, IP precedence, MPLS EXP, QoS group, or discard-class) can have a maximum of eight classes including class default.
• A VLAN-level policy (a parent policy that has classes matching VLANs) can have a maximum of 4000 classes, including class default.
• A physical-level policy can have only class-default in the entire policy map.

You can attach an output policy map to any or all targets on the switch. The switch supports configuration and attachment of a unique output policy map for each port or service instance.

However, these output policy maps can contain only three unique configurations of queue limits. These three unique queue-limit configurations can be included in as many output policy maps as there are switch ports. There are no limitations on the configurations of bandwidth, priority, or shaping.

QoS Treatment for Performance-Monitoring Protocols

QoS is not configurable for Cisco IP service level agreements (IP SLA) probes or for traffic to the CPU. QoS treatment is set by default.

• Cisco IP-SLAs Probes
• CPU Traffic

Cisco IP-SLAs Probes

For information about Cisco IP service level agreements (IP SLAs), see the “Understanding Cisco IOS IP SLAs” section.

The QoS treatment for IP-SLA probes exactly reflects effects that occur to the normal data traffic crossing the device. The generating device does not change the probe markings. It queues these probes based on the configured queueing policies for normal traffic.

• Marking

By default, the CoS marking of CFM traffic (including IP SLAs using CFM probes) is not changed. QoS configuration cannot change this behavior.

By default, IP traffic marking and the CoS marking of all other Layer 2 non-IP traffic is not changed. The QoS marking feature can change this behavior.

• Queuing

IP SLAs traffic is queued according to its ToS or DSCP value and the output policy map configured on the egress target, similarly to normal traffic. QoS cannot change this behavior.

By default, all other Layer 2 non-IP traffic and all IP traffic is statically mapped to a queue on the egress target.

CPU Traffic

By default, the switch assigns a separate classifier, CPU-traffic classifier , for all traffic destined to the CPU. For traffic from the CPU, the switch uses a default classifier for high-priority control protocol traffic. These protocols are considered high priority:

• Protocols with the PAK_PRIORITY flag set in Cisco IOS software. These include EIGHT, HSPR, GRD, LDP, OSPF, RIP, WCCP, BFD, CFM, SAA, CDP, ISIS, DTP, IGRP, Ethernet OAM, LACP, LLDP, PAgP, and STP.
• IP protocols with IP precedence set to 6 or 7.

All other traffic from the CPU is classified with a normal classifier.

Default QoS Configuration

There are no policy maps, class maps, table maps, or policers configured. At the egress target, all traffic goes through a single default queue that is given the full operational bandwidth.

The packets are not modified. The CoS, DSCP, IP precedence, and MPLS EXP values in the packet are not changed. Traffic is switched in pass-through mode without any rewrites and classified as best effort without any policing.

Configuration Guidelines and Limitations

The ME 3800X and ME 3600X switches support the same QoS functionality. All switches support a total of 4,000 QoS instances, where a QoS instance is any target on which a QoS per-hop behavior policy is attached. A target can be a port, a VLAN class, or an EFP service instance.

• You can configure a maximum of 1000 policy maps.
• You can apply one input policy map and one output policy map to an interface or service instance.
• The maximum number of classification criteria per class map is 64.
• The maximum number of classes per policy map is:

– 1000 for ME3600X metro access and advanced metro access licensed switches.

– 2000 for ME3800X metro services, metro IP Services and metro aggregation services licensed switches.

– 4000 for ME3800X Scaled metro services, scaled metro IP services and scaled metro aggregation services licensed switches.

• Policy configurations are validated as they are configured. When invalid configurations are detected, they are rejected. In some cases the configuration cannot be validated until it is associated with an interface.
• If you modify a feature characteristic on a port or EFP that has a policy map attached and the new configuration makes the policy map invalid, the attached policy is automatically detached.
• You can attach ingress service policies to switchports, routed ports, or EFPs and physical port in which EFP is configured. However, you cannot attach a service policy to a physical port that has ingress service-policy configured with service instances (EFPs) and you cannot attach service policies to switch virtual interfaces (SVIs).
• You cannot attach a service policy to an EtherChannel. You can only attach service policies to individual ports in the port channel. You cannot attach a service policy to an EFP that belongs to a port channel interface.
• When a configured policer rate, policer burst-size, or queue-rate cannot be achieved in hardware within 1 percent, the configuration is rejected.
• Egress classification for a class of traffic that has been acted on by an input policy-map can take place only on the per-hop behavior criteria and value established by the input policy-map.

– If a class in an input policy-map is classifying based on per-hop behavior criteria and is configured for policing but not marking, then the per-hop behavior established by the input policy-map for that class of traffic is the classification criteria and value in the associated class-map.

– If a class in an input policy-map is not classifying on per-hop behavior criteria, but is classifying on flow criteria by using a MAC ACL or IP ACL, and it is configured for policing, a default best-effort per-hop behavior is established for that class of traffic. Traffic in this class is not eligible for egress classification based on per-hop behavior criteria.

– If a class in an input policy-map is configured for marking, the per-hop behavior established by the input policy-map for that class of traffic is the marked per-hop behavior criteria and value.

– If a class in an input policy-map is not configured for any action (class-default), a default best-effort per-hop behavior is established for that class of traffic. Traffic in this class is not eligible for egress classification based on PHB-criteria.

For example: if the per-hop behavior established for a class of traffic by an input policy-map is DSCP ef , you can classify that class of traffic on the egress based only on DSCP ef and not on any other mutually exclusive per-hop behavior such as outer CoS or inner CoS.

• Egress classification on a target with no input policy map attached can use any classification criteria specified in the egress policy. When an input policy map is attached to a target, even if traffic does not match any classes in the input policy, it cannot be egress-classified. Egress-classification based on match input Vlan will not work if there is no ingress policy on the input interface.
• When configuring both MPLS VPN and QoS, you can apply most QoS functions to MPLS VPN traffic. However, for a hierarchical QoS function, you cannot apply a service policy that would match traffic on a per-VRF basis because VRFs are dynamically assigned to an MPLS label. For MPLS VPN traffic, you can apply a service-policy on egress traffic that matches traffic based on DSCP or MPLS. For information about configuring QoS with MPLS and EoMPLS, see the “Configuring MPLS and EoMPLS QoS” section.
• There is a limitation per bridge-domain on the number of unique flows classified on inner or outer VLANs that you can configure for egress classification. An error message appears when this limitation is exceeded.
• Hierarchical marking and policing are not supported. You can configure marking and policing for any number of classes on any one of the three levels of the policy-map hierarchy. If you configure marking on one level, you can configure policing without marking (transmit, drop) on another level.
• An EFP can support only 2-level egress scheduling policies. If you attach a 3-level hierarchical policy to an EFP, only two of the three levels can have scheduling actions (bandwidth, shape, or priority)
• There is a limitation on the maximum number of unique per-hop behavior-criteria combinations that can be configured on the system. The limit is internally calculated and is a function of input classification, marking, and egress classification based on per-hop behavior. An error message appears when this limit is reached.

Configuring Input Policy Maps

• Configuring Input Class Maps
• Using ACLs to Classify Traffic
• Configuring Class-Based Marking
• Configuring Policing

Configuring Input Class Maps

Use the class-map command to name and to isolate a specific traffic flow (or class) from all other traffic. A class map defines the criteria to use to match against a specific traffic flow to further classify it. You define match criteria with one or more match statements entered in the class-map configuration mode. Match statements can include criteria such as an ACL, inner or outer CoS value, DSCP value, IP precedence values, MPLS experimental labels, or inner or outer VLAN IDs.

In an input policy, the match criteria acts on the packet on the wire before any VLAN-mapping rewrite operations on ingress.

Beginning in privileged EXEC mode, complete these steps to create a class map and to define the match criterion to classify traffic:

Use the no form of the appropriate command to delete an existing class map or remove a match criterion.

This example shows how to create access list 103 and configure the class map called class1 . The class1 has one match criterion, which is access list 103. It permits traffic from any host to any destination that matches a DSCP value of 10.

This example shows how to create a class map called class2 , which matches incoming traffic with DSCP values of 10, 11, and 12.

This example shows how to create a class map called class3 , which matches incoming traffic with IP-precedence values of 5, 6, and 7:

This example shows how to create a class-map called parent-class , which matches incoming traffic with VLAN IDs in the range from 30 to 40.

Using ACLs to Classify Traffic

You can classify IP traffic by using IP standard or IP extended ACLs. You can classify IP and non-IP traffic by using Layer 2 MAC ACLs. For more information about configuring ACLs, see the chapter on Configuring Network Security with ACLs in the software configuration guide.

Limitations and Usage Guidelines

The following limitations and usage guidelines apply when classifying traffic using an ACL:

• QoS ACLs are supported only for IPv4 traffic
• QoS ACLs are supported only for ingress traffic
• You can use QoS ACLs to classify traffic based on the following criteria:

– Source and destination host

– Source and destination subnet

– TCP source and destination

– UDP source and destination

• Named and numbered ACLs are supported.
• You can apply QoS ACLs only to the third level class (bottom-most).
• The following rage of numbered access lists are supported:

– 1-99—IP standard access list

– 100-199—IP extended access list

– 1300-1999—IP standard access list (expanded range)

– 2000-2699—IP extended access list (expanded range)

• You must create an ACL before referencing it within a QoS policy.
• Deny statements within an ACL are ignored for the purposes of classification.
• Classifying traffic based on TCP flags using an ACL is not supported.
• Classifying traffic using multiple mutually exclusive ACLs within a match-all class-map is not supported.
• Classifying traffic on a logical or physical level using an ACL is not supported.
• Applying QoS ACLs to MAC addresses is not supported.
• The neq keyword is not supported with the access-list permit and IP access-list extended commands.
• This release does not support matching on multiple port numbers in a single ACE, as in the following command: permit tcp any eq 23 45 80 any
• A given command can consume multiple matching operations if you specify a source and destination port, as shown in the following examples:

– permit tcp any lt 1000 any —Uses one port matching operation

– permit tcp any lt 1000 any gt 2000 —Uses two port matching operations

– permit tcp any range 1000 2000 any 400 500 —Uses two port matching operations

QoS policies match only the permit keyword. Not all ACL criteria are supported for QoS classification. Note the available keywords in the procedures.

Layer 4 port matching

To enable layer 4 port matching on the switch use the platform qos enable layer4-port-match command.

Extended access lists can be used to evaluate fields of layer 4 headers of an IP packet. This gives a more granular way to control traffic.

ACLs have to be defined before being matched in ingress QOS policies. Both Extended and Named ACLs support layer 4 port matches. See “Creating IP Extended ACLs” section

In order for the ACLs to take effect in QOS policies they must be configured under a class. See “Classification Based on QoS Groups” section.

You can attach a policy that includes unsupported QoS IP ACL options to the target, but QoS ignores the unsupported options. If you modify an IP ACL in a policy map that is already attached to a target and the modification causes the attached policy to become invalid, the policy is detached from the target.

• “Creating IP Standard ACLs” section
• “Creating IP Extended ACLs” section
• “Creating Layer 2 MAC ACLs” section

Creating IP Standard ACLs

Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic:

To delete an access list, use the no access-list access-list-number global configuration command.

This example shows how to allow access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses.

Creating IP Extended ACLs

Although you can configure many options in ACLs, only some are supported for QoS ACLs.

• For permit protocol , the supported keywords are: tcp , and udp .
• For source and destination address, the supported entries are i p-address , any , or host .
• For match criteria, the supported keywords are dscp or tos . You can also specify a time-range .

Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic:

To delete an access list, use the no access-list access-list-number global configuration command.

This example shows how to create an ACL that permits IP traffic from any source to any destination that has the DSCP value set to 32:

This example shows how to create an ACL that permits IP traffic from a source host at 10.1.1.1 to a destination host at 10.1.1.2 with a ToS value of 5:

Creating Layer 2 MAC ACLs

Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic:

To delete an access list, use the no mac access-list extended access-list-name global configuration command.

This example shows how to create a Layer 2 MAC ACL with a permit statement that allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001.

Configuring Class-Based Marking

You use the set policy-map class configuration command to set or modify the attributes for traffic belonging to a specific class.

Follow these guidelines when configuring class-based marking:

• Hierarchical marking is not supported.
• You can configure marking for any number of classes on any of the three levels of policy map hierarchy. If you configure marking on one level, you can configure policing without marking (transmit, drop) on another level.

In the privileged EXEC mode, perform these steps to create an input policy map that marks traffic,

After you create the input policy map, attach it to a target. See the “Attaching a Service Policy to an Interface or EFP” section. Use the no form of the appropriate command to delete a policy map or remove an assigned CoS, DSCP, MPLS, precedence, or QoS-group value.

This example uses a policy map to remark a packet. The first marking (the set command) applies to the QoS default class map that matches all traffic not matched by class AF31-AF33 and sets all traffic to an IP DSCP value of 1. The second marking sets the traffic in classes AF31 to AF33 to an IP DSCP of 3.

Configuring Policing

Policing is used to enforce a traffic-metering profile. A policer meters a particular traffic flow and determines if a packet in the given flow conforms to the specified rate. Use the police policy-map class configuration command to configure individual policers to define the committed rate limitations, committed burst size limitations of the traffic, and the action to take for a class of traffic.

The switch supports 1-rate policing with a 2-color marker, or 2-rate policing with a 3-color marker. Mapped packets can be sent without modification, dropped, or marked to the options specified by the set command. Note that traffic rates are configured in bits per second and burst size is entered in bytes.

Follow these guidelines when configuring policing.

• Hierarchical policing is not supported.
• You can configure policing for any number of classes on any one of the three levels of the policy-map hierarchy. If you configure marking on one level, you can configure policing without marking (transmit, drop) on another level.

Configuring a Policy Map with 1-Rate, 2-Color Policing

Beginning in privileged EXEC mode, follow these steps to create a 1-rate, 2- color input policy map with individual policing:

After you create the policy map, attach it to an interface or an EFP. See the “Attaching a Service Policy to an Interface or EFP” section.

This example shows how to create a traffic classification with a CoS value of 4, create a policy map, and attach it to an ingress port. The average traffic rate is limited to 10000000 b/s with a burst size of 10000 bytes:

This example shows how to create policy map with a conform action of set dscp and a default exceed action, and attach it to an EFP.

This example shows how to use policy-map class police configuration mode to set multiple conform actions and an exceed action. The policy map sets a committed information rate of 23000 bits per second (b/s) and a conform burst size of 10000 bytes. The policy map includes multiple conform actions (for DSCP and for Layer 2 CoS) and an exceed action.

Configuring a Policy Map with 2-Rate, 3-Color Policing

A 2-rate, 3-color policer uses both the committed information rate (CIR) and the peak information rate (PIR) and includes three profiles (colors) for packets that conform, exceed, or violate the specified rates. You can configure actions to take on each of these profiles.

Beginning in privileged EXEC mode, follow these steps to create an input policy map with individual 2-rate, 3-color policing:

After you create the policy map, attach it to an interface or an EFP. See the “Attaching a Service Policy to an Interface or EFP” section.

Use the no form of the appropriate command to delete an existing policy map, class map, or policer.

This example shows how to configure 2-rate, 3-color policing using policy-map configuration mode.

This example shows how to create the same configuration using policy-map class police configuration mode.

Configuring Output Policy Maps

• Configuring Output Class Maps
• Configuring Class-Based-Weighted Fair Queuing
• Configuring Class-Based Shaping
• Configuring Port Shaping
• Configuring Class-Based Priority Queuing
• Configuring Policing
• Configuring Marking
• Configuring Weighted Tail Drop

Configuring Output Class Maps

Use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. A class map defines the criteria to use to match against a specific traffic flow to further classify it. Match statements can include criteria such as an inner or outer CoS value, DSCP value, IP precedence values, QoS group values, discard class, MPLS experimental labels, or inner or outer VLAN IDs. Define a match criterion with one or more match statements entered in the class-map configuration mode.

In an output policy, the match criteria acts on the packet on the wire after any VLAN rewrite mapping operations on egress.

Beginning in privileged EXEC mode, follow these steps to create a class map and to define the match criterion to classify traffic:

Use the no form of the appropriate command to delete an existing class map or remove a match criterion.

This example shows how to create a class map called class2 , which matches traffic with DSCP values of 10, 11, and 12.

This example shows how to create a class map called class3 , which matches traffic with IP-precedence values of 5, 6, and 7:

This example shows how to create a class-map called parent-class , which matches traffic with VLAN IDs in the range from 30 to 40.

Configuring Class-Based-Weighted Fair Queuing

You use the bandwidth policy-map class configuration command to configure class-based weighted fair queuing (CBWFQ). CBWFQ sets the explicit minimum guaranteed rate (CIR) of a class by reserving the configured bandwidth for that class.

Follow these guidelines:

• You can configure CBWFQ at the class level and at the VLAN level.
• The total of the minimum bandwidth guaranteed for each queue of the policy cannot exceed the total speed of the parent.
• You cannot configure bandwidth as an absolute rate or a percentage of total bandwidth when strict priority is configured for another class in the output policy.
• You can configure bandwidth as percentage of remaining bandwidth when strict priority is configured for another class in the output policy map.
• You cannot configure bandwidth and priority or bandwidth and traffic shaping for the same class in an output policy map.

Beginning in privileged EXEC mode, follow these steps to use CBWFQ to control bandwidth allocated to a traffic class by specifying a minimum bandwidth as a bit rate or a percentage:

After you create the policy map, attach it to an interface or an EFP. See the “Attaching a Service Policy to an Interface or EFP” section. Use the no form of the appropriate command to delete an existing policy map, class map, or bandwidth configuration.

Note If you enter the no policy-map configuration command or the no policy-map policy-map-name global configuration command to delete a policy map that is attached to an interface, a warning message appears that lists any interfaces from which the policy map is being detached. The policy map is then detached and deleted. For example:
Warning: Detaching Policy test1 from Interface GigabitEthernet0/1

This example shows how to allocate 25 percent of the total available bandwidth to the traffic class defined by the class map:

Note When you configure CIR bandwidth for a class as an absolute rate or percentage of the total bandwidth, any excess bandwidth remaining after servicing the CIR of all the classes in the policy map is divided among the classes in the same proportion as the CIR rates. If the CIR rate of a class is configured as 0, that class is not eligible for any excess bandwidth and, as a result, receives no bandwidth.

This example shows how to set the precedence of output queues by setting bandwidth in kilobits per second. The classes outclass1 , outclass2 , and outclass3 and class-default get a minimum of 40000, 20000, 10000, and 10000 kb/s. Any excess bandwidth is divided among the classes in the same proportion as the CIR rate.

This example shows how to allocate the excess bandwidth among queues by configuring bandwidth for a traffic class as a percentage of remaining bandwidth. The class outclass1 is given priority queue treatment. The other classes are configured to get percentages of the excess bandwidth if any remains after servicing the priority queue: outclass2 is configured to get 50 percent, outclass3 to get 20 percent, and the class class-default to get the remaining 30 percent.

This example shows how to match VLAN and CoS in the same policy. When you attach the service policy vlan to an interface, packets with the outer VLAN of 2 and an outer CoS of 2 are included in class map phb .

Configuring Class-Based Shaping

You use the shape average policy-map class configuration command to configure traffic shaping. Class-based shaping sets the explicit maximum peak information rate (PIR) for the class by limiting it to the configured bandwidth. You can configure class-based shaping at the class level and at the VLAN level.

Beginning in privileged EXEC mode, follow these steps to use class-based shaping to configure the maximum permitted average rate for a class of traffic:

After you create the policy map, attach it to an interface or an EFP. See the “Attaching a Service Policy to an Interface or EFP” section. Use the no form of the appropriate command to delete an existing policy map or class map or to delete a class-based shaping configuration.

This example shows how to configure traffic shaping for outgoing traffic on a Gigabit Ethernet port so that outclass1 , outclass2 , and outclass3 get a maximum of 50, 20, and 10 Mb/s of the available port bandwidth.

Configuring Port Shaping

Port shaping is applied to all traffic leaving an interface. It uses a policy map with only class default when the maximum bandwidth for the port is specified by using the shape average command. A child policy can be attached to the class-default in a hierarchical policy map format to specify class-based and VLAN-based actions.

Beginning in privileged EXEC mode, follow these steps to use port shaping to configure the maximum permitted average rate for a class of traffic:

After you create the policy map, attach it to an interface or an EFP. See the “Attaching a Service Policy to an Interface or EFP” section.

Use the no form of the appropriate command to delete an existing hierarchical policy map, to delete a port shaping configuration, or to remove the policy map from the hierarchical policy map.

This example shows how to configure port shaping by configuring a hierarchical policy map that shapes a port to 90 Mb/s, allocated according to the out-policy policy map configured in the previous example.

Configuring Marking

Use the set policy-map class configuration command to set or modify the attributes for traffic belonging to a specific class.

Follow these guidelines when configuring class-based marking:

• Hierarchical marking is not supported.
• You can only configure egress marking for classes on the third level of the policy map hierarchy.

In the privileged EXEC mode, perform these steps to create an output policy map that marks traffic.

After you create the input policy map, attach it to a target. See the “Attaching a Service Policy to an Interface or EFP” section. Use the no form of the appropriate command to delete a policy map or remove an assigned CoS, DSCP, MPLS, or precedence value.

This example uses a policy map to re-mark a packet. The first marking (the set command) applies to the QoS default class map that matches all the traffic not matched by class AF31-AF33 and sets all the traffic to an IP DSCP value of 1. The second marking sets the traffic in classes AF31 to AF33 to an IP DSCP of 3.

Configuring Policing

Policing is used to enforce a traffic-metering profile. A policer meters a particular traffic flow and determines if a packet in the given flow conforms to the specified rate. Use the police policy map class configuration command to configure individual policers to define the committed rate limitations, committed burst size limitations of the traffic, and the action to take for a class of traffic.

The switch supports 1-rate policing with a 2-color marker. Mapped packets can be sent without modification, dropped, or marked to the options specified by the set command. Note that traffic rates are configured in bits per second and burst size is entered in bytes.

Follow these guidelines when configuring policing:

• Hierarchical policing is not supported.

Configuring a Policy Map with 1-Rate, 2-Color Policing

In the privileged EXEC mode, perform these steps to create a 1-rate, 2 color output policy map with individual policing.

After you create the policy map, attach it to an interface or an EFP. See the “Attaching a Service Policy to an Interface or EFP” section.

This example shows how to create a traffic classification with a CoS value of 4, create a policy map, and attach it to an egress port. The average traffic rate is limited to 10000000 b/s with a burst size of 10000 bytes.

This example shows how to create a policy map with a conform action of set dscp and a default exceed action, and attach it to an EFP.

This example shows how to configure port shaping when EFP policies are present, by configuring a hierarchical policy map that shapes a port to 50 percent, allocated according to the out-policy policy map configured in the previous example.

This example shows how to use the policy-map class police configuration mode to set multiple conform actions and an exceed action. The policy map sets a committed information rate of 23000 bits per second (b/s) and a conform burst size of 10000 bytes. The policy map includes multiple conform actions (for DSCP and Layer 2 CoS) and an exceed action.

Configuring Class-Based Priority Queuing

You can use the priority policy-map class configuration command to ensure that a particular class of traffic is given preferential treatment. Strict priority queuing provides low-latency service to the class.

• When a priority is configured in an output policy map without the police command, you can only configure the other queues for sharing by using the bandwidth remaining percent policy-map command to allocate excess bandwidth.
• You can apply priority at the class level and to the VLAN level.
• You can associate the priority command with a single class at the class level and a single class at the VLAN level.

Beginning in privileged EXEC mode, follow these steps to configure a strict priority queue:

After you create an output policy map, attach it to an egress port or EFP. See the “Attaching a Service Policy to an Interface or EFP” section.

Use the no form of the appropriate command to delete an existing policy map, class map or to cancel strict priority queuing for the priority class or the bandwidth setting for the other classes.

This example shows how to configure the class out-class1 as a strict priority queue so that all packets in that class are sent before any other class of traffic. Other traffic queues are configured so that out-class-2 gets 50 percent of the remaining bandwidth and out-class3 gets 20 percent of the remaining bandwidth. The class class-default receives the remaining 30 percent with no guarantees.

Configuring Weighted Tail Drop

Weighted tail drop (WTD) adjusts the queue size associated with a traffic class in terms of time and bytes. You configure WTD by using the queue-limit policy-map class configuration command. The queue-limit command is allowed only after you have configured a scheduling action ( bandwidth , shape average , or priority ).

Beginning in privileged EXEC mode, follow these steps to use WTD to adjust the queue size for a traffic class:

After you have created an output policy map, you attach it to an egress port. See the “Attaching a Service Policy to an Interface or EFP” section.

Use the no form of the appropriate command to delete an existing policy map or class map or to delete a WTD configuration.

Note If the device connected to a 10/100/1000 Mb/s interface starts bursting the traffic more than the 1 Gigabit line rate because of multicast replication, you should increase the queue-limit for the policy map class applied to the interface to 48000 (48 K) bytes because the interface cannot handle the excess burst.

This example shows a policy map with a specified bandwidth and queue size. Traffic that is not DSCP 30 or 10 is assigned a queue-limit of 2000 bytes. Traffic with a DSCP value of 30 is assigned a queue-limit of 1000 bytes, and traffic with a DSCP value of 10 is assigned a queue-limit of 1500 bytes. All traffic not belonging to the class traffic is classified into class-default, which is configured with 10 percent of the total available bandwidth and a large queue size of 3000 bytes.

There can be only three unique qualified queue-limit thresholds. In this example, there are four unique thresholds, so the configuration is rejected:

In the next example, although there appear to be only three unique thresholds, in reality there are four threshold configurations, including an implied default threshold. The configuration is rejected.

In this last example, there are only three unique thresholds and the configuration is allowed.

Configuring Weighted Random Early Detection

This section describes the tasks involved in configuring Weighted Random Early Detection (WRED).

Restrictions and Usage Guidelines

• Supported Commands:

– WRED based on Outer COS (random-detect cos-based)

– WRED based on IPv4 DSCP (random-detect dscp-based)

– WRED based on IPv4 Precedence (random-detect precedence-based)

– WRED based on discard class (random-detect discard-class-based)

– WRED based on EXP

• WRED polices are supported on these targets:

– L3 Main interface

– Switchport interface

– Service instance

– Port-channel Member-link interface.

• Maximum of two WRED curves are supported.
• WRED configuration is supported only in the egress policy-map.
• Default value for exponential-weighting-constant is 9.
• Default value for mark-probability is 10.
• Minimum-threshold and maximum-threshold can be specified in terms of packets only.
• WRED command is supported either with shape or CBWFQ command.
• WRED is supported in PHB level. Not supported in logical or physical level classes.
• MQC based WRED counters are not supported.
• WRED Non-aggregate mode is not supported.
• WRED is not supported in priority queues.

When a packet arrives, the following events occur:

1. The average queue size is calculated.

2. If the average is less than the minimum queue threshold, the arriving packet is queued.

3. If the average is between the minimum queue threshold for that type of traffic and the maximum threshold for the interface, the packet is either dropped or queued, depending on the packet drop probability for that type of traffic.

4. If the average queue size is greater than the maximum threshold, the packet is dropped.

See Weighted Random Early Detection (WRED) for more details on how WRED works.

To configure WRED on a switch, perform the tasks described in the following sections. The tasks described in the first section are required; the tasks in the remaining sections are optional.

• Enabling WRED (Required)
• Changing the WRED Parameters (Optional)

Note WTD and WRED cannot be configured under the same class of a policy map.

Enabling WRED

In the privileged EXEC mode, perform the following steps to enable WRED for a class in a policy map.

The following example configures a policy for a class called acl10 included in a policy map called policy10:

Changing the WRED Parameters

To change the WRED parameters, use the following commands in the interface configuration mode, as needed.