Advanced QoS on IOS-XE Pt. 2

Topology: ine-spv4

Load basic.l3vpn.fully.setup.cfg

#IOS-XE
config replace flash:basic.l3vpn.fully.setup.cfg

#IOS-XR
configure
load bootflash:basic.l3vpn.fully.setup.cfg  
commit replace
y

On R2, remove Gi2.12 and create two subinterfaces:

  • Gi2.100

  • Gi2.200

We will pretend these connect to the same CE on two different VLANs. Perhaps VLAN 100 is for internet and VLAN 200 is for MPLS.

We must police the aggregate of VLAN 100 and VLAN 200 to 100M.

Additionally, let’s imagine we are connecting to a NID which has already done initial policing at the VLAN level, and marked conforming traffic to CS0 and traffic exceeding 100M on either VLAN with CS1.

  • Use a tool to ensure that previously-exceeding traffic cannot be marked down to CS0.

  • Conforming traffic should be left marked as CS0.

  • Previously-conforming or exceeding traffic that is up to 120M should be marked with CS1.

  • Violating traffic should be dropped.

Lastly, R2’s egress interface towards the core is MPLS enabled. Without marking the packets directly, find a way to do WRED based on exceeding traffic from the customer. (On the MPLS link, the DSCP value is not visible).

Answer

#R2

no int gi2.12
int gi2.100
 encapsulation dot1q 100
 ip add 10.100.12.2 255.255.255.0
int gi2.200
 encapsulation dot1q 200
 ip add 10.200.12.2 255.255.255.0

class-map CS0
 match dscp default
class-map CS1
 match dscp cs1
!
class-map QOS_GROUP_1
 match qos-group 1
class-map QOS_GROUP_2
 match qos-group 2
!
policy-map MARK_COLOR
 class CS0
  set qos-group 1
 class CS1
  set qos-group 2
!
policy-map POLICE_100M
 class class-default
  police cir 100 m pir 120 m
   conform-action set-dscp-transmit default
   conform-action set-discard-class-transmit 0
   exceed-action set-dscp-transmit cs1
   exceed-action set-discard-class-transmit 1
   violate-action drop
   conform-color QOS_GROUP_1 exceed-color QOS_GROUP_2
  service-policy MARK_COLOR
!
service-group 1
 service-policy input POLICE_100M
!
int gi2.100
 group 1
int gi2.200
 group 1

Explanation

The service-group feature is a convenient way to apply an aggregate policy to multiple EFPs and/or subinterfaces. You create a logical service-group, apply the policy-map to it, and associate the subinterfaces or EFPs with that group. All members of the group must be on the same physical interface.

service-group 1
 service-policy input POLICE_100M
!
int gi2.100
 group 1
int gi2.200
 group 1

In order to not mark down previously exceeding traffic to conforming, we must use a color-aware policer. This simply means that the policer is aware of the color of the traffic as it was marked by the previous device upstream. The previous device marked exceeding traffic as CS1, so this local device must not mark this traffic down to conforming.

To do this, we must identify conforming and exceeding traffic using a QoS-group marking. There is no other way to match this traffic. We use a simple marking policy as follows:

class-map CS0
 match dscp default
class-map CS1
 match dscp cs1
!
policy-map MARK_COLOR
 class CS0
  set qos-group 1
 class CS1
  set qos-group 2

This is applied to the policer:

policy-map POLICE_100M
 class class-default
  service-policy MARK_COLOR

Now we need two more class-maps to match the QoS group marking.

class-map QOS_GROUP_1
 match qos-group 1
class-map QOS_GROUP_2
 match qos-group 2

The conform-color and exceed-color match these class-maps:

policy-map POLICE_100M
 class class-default
  police cir 100 m pir 120 m
   conform-action set-dscp-transmit default
   exceed-action set-dscp-transmit cs1
   violate-action drop
   conform-color QOS_GROUP_1 exceed-color QOS_GROUP_2
  service-policy MARK_COLOR

You might wonder why the exceed-color is needed. Isn’t the conform color enough to not mark non-conforming packets down to conform? The reason seems to be that violate packets are implicitly any packet not colored as conform or exceed. Violate packets cannot be marked down to exceed.
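The color-aware decision described above, as an added example that is not part of the original lab: a small simulation modeled on the color-aware mode of the RFC 2698 two-rate three-color marker, using the lab's CIR and PIR. The burst sizes, class names and sample bursts are assumptions constructed for illustration; IOS-XE's internal implementation and default bursts may differ.

```python
# Added illustration (not from the original page): a color-aware two-rate
# three-color policer modeled on RFC 2698, using the lab's CIR/PIR.
CIR = 100_000_000 // 8     # bytes/s, "police cir 100 m"
PIR = 120_000_000 // 8     # bytes/s, "pir 120 m"
CBS, PBS = 15_000, 30_000  # assumed burst sizes in bytes; not given on the page

# MARK_COLOR: DSCP -> qos-group -> pre-color. Any other DSCP gets no qos-group,
# so it is treated as violate, following the page's explanation.
PRECOLOR = {0: "conform", 8: "exceed"}   # default (CS0) = 0, CS1 = 8

# POLICE_100M actions: result -> (DSCP, discard-class); None means drop.
ACTIONS = {"conform": (0, 0), "exceed": (8, 1), "violate": None}


class ColorAwarePolicer:
    def __init__(self, cir=CIR, pir=PIR, cbs=CBS, pbs=PBS):
        self.cir, self.pir, self.cbs, self.pbs = cir, pir, cbs, pbs
        self.tc, self.tp = cbs, pbs      # both token buckets start full
        self.last = 0.0

    def police(self, t, size, dscp):
        """Return (result, action) for one packet arriving at time t (seconds)."""
        dt, self.last = t - self.last, t
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        pre = PRECOLOR.get(dscp, "violate")
        if pre == "violate" or self.tp < size:
            result = "violate"
        elif pre == "exceed" or self.tc < size:
            self.tp -= size              # exceed draws only from the peak bucket
            result = "exceed"
        else:
            self.tc -= size
            self.tp -= size
            result = "conform"
        return result, ACTIONS[result]


def tally(dscp, count=30, size=1500):
    """Police a constructed back-to-back burst and count each result."""
    policer = ColorAwarePolicer()
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for _ in range(count):
        counts[policer.police(0.0, size, dscp)[0]] += 1
    return counts


if __name__ == "__main__":
    for name, dscp in (("CS0", 0), ("CS1", 8), ("EF", 46)):
        print(name, tally(dscp))
```

A burst that arrives pre-marked CS1 never lands in the conform result even while the committed bucket is full, which is the behavior the conform-color and exceed-color keywords are there to guarantee.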

Finally, we are asked to use WRED on the egress MPLS-enabled link. The DSCP value will not be visible. To account for this, we use an internal marking on the packet which is called the discard-class. We can use multiple set statements for conforming and exceeding traffic:

policy-map POLICE_100M
 class class-default
  police cir 100 m pir 120 m
   conform-action set-dscp-transmit default
   conform-action set-discard-class-transmit 0
   exceed-action set-dscp-transmit cs1
   exceed-action set-discard-class-transmit 1

This is an internal marking similar to the QoS group, but it is only used for the purpose of WRED.

On the egress link we would use a policy such as this:

policy-map EGRESS
 class class-default
  random-detect discard-class-based
  random-detect discard-class 0 200 300 10
  random-detect discard-class 1 100 200 10    ! Drop discard-class 1 more often

Also note that if you use WRED in DSCP mode, the MPLS EXP can be used. The EXP value is treated as IPP which is mapped to a CS value. So using the MPLS EXP value for WRED on egress is a valid alternative to using this discard-class tool.
