SGT Based QoS

The SGT Based QoS feature supports the application of security group for packet classification for user group and role based or device based QoS traffic routing.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for SGT Based QoS

  • The user groups and devices used for SGT Based QoS configuration must be assigned to the appropriate SGT groups. SGT definition and mapping can be done through Cisco ISE or through static SGT classification on the network device.

Restrictions for SGT Based QoS

  • The SGT Based QoS feature does not support application prioritization within a user group.

  • The SGT Based QoS feature does not support combining match application or match protocol criteria with the match sgt criteria within a policy.

Information About SGT Based QoS

SGT Based QoS

Security Group classification includes both Source and Destination Group, which is specified by source SGT and DGT. The SGT Based QoS feature enables prioritized allocation of bandwidth and QoS policies for a defined user group or device. The SGT Based QoS feature provides you the capability to assign multiple QoS policies to an application or traffic type initiated by different user groups. Each user group is defined by a unique SGT value and supports hierarchical and non-hierarchical QoS configuration. The SGT Based QoS feature supports both user group and device based QoS service levels for SGT/DGT based packet classification. The SGT Based QoS feature supports defining of user groups based on contextual information for QoS policy prioritization.

How to Configure SGT Based QoS

Configuring User Group, Device, or Role Based QoS Policies

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. class-map class-map-name
  4. match security-group source tag sgt-number
  5. match security-group destination tag dgt-number
  6. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

class-map class-map-name

Example:

Device(config)# class-map c1

Specifies the class-map and enters class-map configuration mode.

Step 4

match security-group source tag sgt-number

Example:

Device(config-cmap)# match security-group source tag 1000

Configures the value for security-group source security tag.

Step 5

match security-group destination tag dgt-number

Example:

Device(config-cmap)# match security-group destination tag 2000

Configures the value for security-group destination security tag.

Step 6

end

Example:

Device(config-cmap)# end

Exits route-map configuration mode and returns to privileged EXEC mode.

Configuring and Assigning Policy-Map to an Interface

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. policy-map policy-map-name
  4. class class-map-name
  5. bandwidth percent number
  6. set dscp codepoint value
  7. end
  8. interface type slot/subslot/port [. subinterface-number]
  9. service-policy {input | output } policy-map-name
  10. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

policy-map policy-map-name

Example:

Device(config)# policy-map p1

Specifies the policy-map and enters policy-map configuration mode.

Step 4

class class-map-name

Example:

Device(config-pmap)# class c1

Specifies the class and enters class configuration mode.

Step 5

bandwidth percent number

Example:

Device(config-pmap-c)# bandwidth percent 20

Configures the value for bandwidth percent.

Step 6

set dscp codepoint value

Example:

Device(config-pmap-c)# set dscp ef

Configures the Differentiated Services Code Point (DSCP) value.

Step 7

end

Example:

Device(config-pmap-c)# end

Exits policy-map class action configuration mode and returns to privileged EXEC mode.

Step 8

interface type slot/subslot/port [. subinterface-number]

Example:

Device(config)#interface gigabitEthernet0/0/0.1

Specifies the interface information and enters interface configuration mode.

Step 9

service-policy {input | output } policy-map-name

Example:

Device(config-if)# service-policy input p1

Assigns policy-map to the input of an interface.

Step 10

end

Example:

Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Displaying and Verifying SGT Based QoS Configuration

SUMMARY STEPS

  1. enable
  2. show class-map
  3. debug cpl provisioning {api | db | errors | ttc }

DETAILED STEPS


Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

show class-map

Example:

Device# show class-map

 Class Map match-any class-default (id 0)
   Match any 

 Class Map match-all c1 (id 1)
   Match security-group source tag 1000
   Match security-group destination tag 2000

Displays class-map information.

Step 3

debug cpl provisioning {api | db | errors | ttc }

Example:

Device# debug cpl provisioning api

CPL Policy Provisioning Manager API calls debugging is on

Enables debugging for Call Processing Language (CPL) provisioning.


Configuration Examples for SGT Based QoS

Example: Configuring User Group, Device, or Role Based QoS Policies

The following example shows how to configure User Group, Device, or Role Based QoS Policies:

enable
 configure terminal
 class-map c4
  match security-group source tag 7000
  match security-group destination tag 8000
  end
 policy-map p5
  class c4
   bandwidth percent 50
   set dscp ef
   end
 interface gigabitEthernet0/0/0.1
  service-policy input p5

Additional References for SGT Based QoS

Related Documents

Related Topic

Document Title

Cisco IOS commands

Cisco IOS Master Command List, All Releases

Cisco IOS IP Routing Protocol Independent commands

Cisco IOS IP Routing Protocol Independent Command Reference

Cisco TrustSec Overview

Understanding Cisco TrustSec

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for SGT Based QoS

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1. Feature Information for SGT Based QoS

Feature Name

Releases

Feature Information

SGT Based QoS

Cisco IOS XE Release 3.17S

The SGT Based QoS feature supports classification of packets based on Security Group Tag (SGT) for grouping the traffic into user groups and devices to match the defined QoS policies.

The following commands were introduced or modified: debug cpl provisioning , class-map match security-group destination tag , match security-group source tag , show class-map .