Per-Flow Admission

The Per-Flow Admission feature provides explicit controls to limit packet flow into a WAN edge in order to protect already admitted flows on the routing/WAN edge.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Per-Flow Admission

A class must have bandwidth or priority defined before configuring the Per-Flow Admission feature.

Restrictions for Per-Flow Admission

Per-flow admission is currently supported only on Ethernet and serial interfaces, and Dynamic Multipoint Virtual Private Network (DMVPN) tunnels.

Information About Per-Flow Admission

Overview of Per-Flow Admission

The quality of applications (mainly voice and video) drops when a branch connects to headquarters and data centers over a WAN, because WAN interface bandwidth is limited and always comes at a premium cost. There are no well-defined controls to restrict flows through a WAN link and no explicit controls to limit the flows to protect already admitted flows. This limitation leads to quality degradation of already admitted flows.

The Per-Flow Admission feature allows operators to understand the number of flows that can be accommodated into an interface without quality degradation. In most deployments, the (N+1)th flow affects the quality of all of the first N valid flows that already exist. The Per-Flow Admission feature enables nodes to automatically learn about flows and their bandwidth as they get accommodated into the interface where bandwidth is at a premium. The network node accommodates only flows that the interface can handle, and it drops flows thereafter.

Benefits of Per-Flow Admission

The following are benefits of integrating the Per-Flow Admission feature to Quality of Service (QoS):

  • Makes QoS networks more predictable and robust.
  • Requires no end-to-end coordination because per-flow admission is a per-hop decision and each hop makes its decision independently.
  • Does not require the source to predict the flow rate.
  • Ensures a higher probability of getting a reservation in the network.
  • Works well with rate adaptation because certain parts of the flow may be elastic.
  • Promotes better selection of admitted traffic.
  • Works at the IP layer.
  • Works transparently with other network technologies such as Network Address Translation (NAT).
  • Does not allow the source to hog the network.
  • Provides benefits for certain endpoints by selecting only certain parts of the flow as admitted.

How to Configure Per-Flow Admission

Configuring a Class Map

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    metadata flow

    4.    class-map [match-all | match-any] class-map-name

    5.    match metadata cac status {admitted | un-admitted}

    6.    exit

    7.    class-map [match-all | match-any] class-map-name

    8.    match dscp dscp-value

    9.    end


DETAILED STEPS
     Command or Action | Purpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 metadata flow


    Example:
    Device(config)# metadata flow
     
    Enables metadata on all interfaces.  
    Step 4 class-map [match-all | match-any] class-map-name


    Example:
    Device(config)# class-map match-all admitted
     

    Creates a class map for matching traffic to a specified class, and enters class-map configuration mode.

    • Enter the class map name.

     
    Step 5 match metadata cac status {admitted | un-admitted}


    Example:
    Device(config-cmap)# match metadata cac status admitted
     
    Creates a filter to tag a flow as either admitted or non-admitted.  
    Step 6 exit


    Example:
    Device(config-cmap)# exit
     

    Exits the class-map configuration mode and returns to global configuration mode.

     
    Step 7 class-map [match-all | match-any] class-map-name


    Example:
    Device(config)# class-map match-all af4
     

    Creates a class map to be used for matching traffic to a specified class.

    • Enter the class map name.

     
    Step 8 match dscp dscp-value


    Example:
    Device(config-cmap)# match dscp af41 af42 af43
     

    Identifies a specific IP Differentiated Services Code Point (DSCP) value as a match criterion.

     
    Step 9 end


    Example:
    Device(config-cmap)# end
     
    Exits class-map configuration mode and returns to privileged EXEC mode.  

    Configuring a Child Policy Map

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    policy-map policy-map-name

      4.    class {class-name | class-default}

      5.    set dscp dscp-value

      6.    class {class-name | class-default}

      7.    set dscp dscp-value

      8.    end


    DETAILED STEPS
       Command or Action | Purpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 policy-map policy-map-name


      Example:
      Device(config)# policy-map child
      
       

      Creates a policy map using the specified name and enters policy-map configuration mode.

      • Enter the name of the policy map that you want to create.

       
      Step 4 class {class-name | class-default}


      Example:
      Device(config-pmap)# class admitted
      
       

      Specifies the name of the class whose policy you want to create and enters policy-map class configuration mode.

      • This class is associated with the class map created earlier.
       
      Step 5 set dscp dscp-value


      Example:
      Device(config-pmap-c)# set dscp af41
      
       

      Sets the differentiated services code point (DSCP) value in the type of service (ToS) byte and assigns higher priority to admitted traffic by marking up the admitted flow and marking down the un-admitted flow.

      • Enter the DSCP value.

       
      Step 6 class {class-name | class-default}


      Example:
      Device(config-pmap-c)# class un-admitted
      
       

      Specifies the name of the class whose policy you want to create or change, or specifies the default class (commonly known as the class-default class) before you configure its policy.

      • Enter the name of the class or enter the class-default keyword.
      • This class will be matched against the match metadata cac status un-admitted command.  
      Step 7 set dscp dscp-value


      Example:
      Device(config-pmap-c)# set dscp af42
      
       

      Sets the DSCP value in the ToS byte and assigns higher priority to admitted traffic by marking up the admitted flow and marking down the un-admitted flow.

      • Enter the DSCP value.

       
      Step 8 end


      Example:
      Device(config-pmap-c)# end
       

      Exits policy-map class configuration mode and returns to privileged EXEC mode.

       

      Configuring Per-Flow Admission for a Class

      Before You Begin

      A class must have bandwidth or priority defined before configuring per-flow admission.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    policy-map policy-map-name

        4.    class {class-name | class-default}

        5.    bandwidth {kilobits | percent percentage}

        6.    admit cac local

        7.    rate {kbps | percent percentage}

        8.    flow rate fixed kbps flow-bit-rate

        9.    end


      DETAILED STEPS
         Command or Action | Purpose
        Step 1 enable


        Example:
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.

         
        Step 2 configure terminal


        Example:
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 policy-map policy-map-name


        Example:
        Device(config)# policy-map test
        
         

        Creates a policy map using the specified name and enters policy-map configuration mode.

        • Enter the name of the policy map that you want to create.

         
        Step 4 class {class-name | class-default}


        Example:
        Device(config-pmap)# class af4
        
        Specifies the name of the class whose policy you want to create and enters policy-map class configuration mode.

        • This class is associated with the class map created earlier.

        Note    To divide packets into admitted and un-admitted buckets, you must attach the policy map created earlier as a child policy under the class that is defined here.

        Note    To give preference to admitted packets over non-admitted ones, use weighted Random Early Detection (RED).
         
        Step 5 bandwidth {kilobits | percent percentage}


        Example:
        Device(config-pmap-c)# bandwidth 200
        
         

        Specifies the bandwidth for a class of traffic belonging to the policy map.

        • Enter the bandwidth in kbps.
         
        Step 6 admit cac local


        Example:
        Device(config-pmap-c)# admit cac local
         
        Enables per-flow admission for this class and enters per-flow admission configuration mode.  
        Step 7 rate {kbps | percent percentage}

        Example:
        Device(config-pmap-admit-cac)# rate percent 80
        
         
        Configures the size of the bandwidth pool in kbps or as a percentage of output class bandwidth.  
        Step 8 flow rate fixed kbps flow-bit-rate


        Example:
        Device(config-pmap-admit-cac)# flow rate fixed 100
        
         
        Specifies how much bandwidth to allocate for each flow.  
        Step 9 end


        Example:
        Device(config-pmap-admit-cac)# end
         

        Exits per-flow admission configuration mode and returns to privileged EXEC mode.

         

        Attaching a Per-Flow Admission Policy to an Interface

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    policy-map policy-map-name

          4.    class {class-name | class-default}

          5.    service-policy policy-map

          6.    end

          7.    configure terminal

          8.    interface type number

          9.    ip address ip-address mask

          10.    load-interval seconds

          11.    service-policy output policy-map-name

          12.    no shutdown

          13.    end


        DETAILED STEPS
           Command or Action | Purpose
          Step 1 enable


          Example:
          Device> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.

           
          Step 2 configure terminal


          Example:
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 3 policy-map policy-map-name


          Example:
          Device(config)# policy-map test
          
           

          Creates a policy map using the specified name and enters policy-map configuration mode.

          • Enter the name of the policy map that you want to create.

           
          Step 4 class {class-name | class-default}


          Example:
          Device(config-pmap)# class af4
           

          Specifies the name of the class whose policy you want to create and enters policy-map class configuration mode.

          • This class is associated with the class map created earlier.
           
          Step 5 service-policy policy-map


          Example:
          Device(config-pmap-c)# service-policy child
          
           
          Attaches the policy map to a class.  
          Step 6 end


          Example:
          Device(config-pmap-c)# end
           

          Exits policy-map class configuration mode and returns to privileged EXEC mode.

           
          Step 7 configure terminal


          Example:
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 8 interface type number


          Example:
          Device(config)# interface Serial2/0
           

          Configures the specified interface and enters interface configuration mode.

          • Enter the interface type and number.
           
          Step 9 ip address ip-address mask


          Example:
          Device(config-if)# ip address 10.10.100.1 255.255.255.0
           

          Sets an IP address for an interface.

           
          Step 10 load-interval seconds


          Example:
          Device(config-if)# load-interval 30
           

          Specifies the interval for load calculation of an interface.

           
          Step 11 service-policy output policy-map-name


          Example:
          Device(config-if)# service-policy output test
           

          Attaches a policy map to an interface.

           
          Step 12 no shutdown


          Example:
          Device(config-if)# no shutdown
           

          Enables the interface.

           
          Step 13 end


          Example:
          Device(config-if)# end
           

          Exits interface configuration mode and returns to privileged EXEC mode.

           

          Verifying Per-Flow Admission

          SUMMARY STEPS

            1.    enable

            2.    show policy-map interface interface-name

            3.    show policy-map multipoint [tunnel tunnel-interface-number]


          DETAILED STEPS
             Command or Action | Purpose
            Step 1 enable


            Example:
            Device> enable
             

            Enables privileged EXEC mode.

            • Enter your password if prompted.

             
            Step 2 show policy-map interface interface-name


            Example:
            Device# show policy-map interface serial2/0
             

            Displays the configuration of all classes configured for all service policies on the specified interface.

            • Enter the name of the policy map whose complete configuration is to be displayed.

             
            Step 3 show policy-map multipoint [tunnel tunnel-interface-number]


            Example:
            Device# show policy-map multipoint tunnel 1
             

            Displays QoS policy details applied to multipoint tunnels.

             

            Configuration Examples for Per-Flow Admission

            Example: Configuring a Class Map

            Device> enable
            Device# configure terminal
            Device(config)# metadata flow
            Device(config)# class-map match-all admitted
            Device(config-cmap)# match metadata cac status admitted
            Device(config-cmap)# class-map match-all af4
            Device(config-cmap)# match dscp af41 af42 af43
            Device(config-cmap)# end
            
            
            
            
            
            
            

            Example: Configuring a Policy Map

            Device> enable
            Device# configure terminal
            Device(config)# policy-map child
            Device(config-pmap)# class admitted
            Device(config-pmap-c)# set dscp af41
            Device(config-pmap-c)# class class-default
            Device(config-pmap-c)# set dscp af42
            Device(config-pmap-c)# end

            Example: Configuring Per-Flow Admission for a Class

            Device> enable
            Device# configure terminal
            Device(config)# policy-map test
            Device(config-pmap)# class af4
            Device(config-pmap-c)# bandwidth 200
            Device(config-pmap-c)# admit cac local
            Device(config-pmap-admit-cac)# rate percent 80
            Device(config-pmap-admit-cac)# flow rate fixed 100
            Device(config-pmap-admit-cac)# exit

            Example: Attaching a Per-Flow Admission Policy to an Interface

            
            Device> enable
            Device# configure terminal
            Device(config)# policy-map test
            Device(config-pmap)# class af4
            Device(config-pmap-c)# service-policy child
            Device(config-pmap-c)# end
            Device# configure terminal
            Device(config)# interface Serial2/0
            Device(config-if)# bandwidth 384
            Device(config-if)# ip address 10.10.100.1 255.255.255.0
            Device(config-if)# load-interval 30
            Device(config-if)# service-policy output test
            Device(config-if)# no shutdown
            Device(config-if)# end
            
            

            Example: Verifying Per-Flow Admission

            Device# show policy-map interface
            
              GigabitEthernet0/0/3 
            
              Service-policy output: test
            
                Class-map: af4 (match-all)  
                  269 packets, 336250 bytes
                  30 second offered rate 90000 bps, drop rate 13000 bps
                  Match:  dscp af41 (34) af42 (36) af43 (38)
                  Queueing
                  queue limit 100 ms/ 2500 bytes
             
                  
                  (queue depth/total drops/no-buffer drops) 2500/39/0
                  (pkts output/bytes output) 230/287500
                  bandwidth 200 kbps
                  
                  cac local rate 200 kbps, reserved 200 kbps
                  flow rate fixed 100 kbps
                  
                  All flows:
                    Number of admitted flows: [2]
                    Number of non-admitted flows: [1]
                      
                  Service-policy : child
            
                    Class-map: admitted (match-all)  
                      178 packets, 222500 bytes
                      30 second offered rate 60000 bps, drop rate 0000 bps
                      Match:  metadata cac status admitted
                      QoS Set
                        dscp af41
                          Packets marked 194
            
                    Class-map: unadmitted (match-all)  
                      88 packets, 110000 bytes
                      30 second offered rate 30000 bps, drop rate 0000 bps
                      Match:  metadata cac status un-admitted
                      QoS Set
                        dscp af42
                          Packets marked 96
            
                    Class-map: class-default (match-any)  
                      3 packets, 3750 bytes
                      30 second offered rate 1000 bps, drop rate 0000 bps
                      Match: any 
                      
                Class-map: class-default (match-any)  
                  181 packets, 115396 bytes
                  30 second offered rate 31000 bps, drop rate 0000 bps
                  Match: any 
                  
                  queue limit 64 packets
                  (queue depth/total drops/no-buffer drops) 0/0/0
                  (pkts output/bytes output) 181/115396
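
As an added example (not part of the original module and not Cisco code), the following Python parses the admission counters from `show policy-map interface` output like the one above and checks them for consistency. The reservation model it checks (reserved bandwidth equals admitted flows times the fixed flow rate, and the pool holds pool ÷ flow rate whole flows) is an assumption inferred from the sample output, and all function names are hypothetical.

```python
import re

# Abridged af4 class from the "show policy-map interface" output shown above.
SAMPLE_OUTPUT = """\
    Class-map: af4 (match-all)
      269 packets, 336250 bytes
      30 second offered rate 90000 bps, drop rate 13000 bps
      bandwidth 200 kbps
      cac local rate 200 kbps, reserved 200 kbps
      flow rate fixed 100 kbps
      All flows:
        Number of admitted flows: [2]
        Number of non-admitted flows: [1]
      Service-policy : child
        Class-map: admitted (match-all)
          178 packets, 222500 bytes
"""

# One regex per counter that the admission block prints.
PATTERNS = {
    "pool_kbps": r"cac local rate (\d+) kbps",
    "reserved_kbps": r"reserved (\d+) kbps",
    "flow_kbps": r"flow rate fixed (\d+) kbps",
    "admitted": r"Number of admitted flows: \[(\d+)\]",
    "non_admitted": r"Number of non-admitted flows: \[(\d+)\]",
}

def parse_cac_classes(text):
    """Return {class name: counters} for each class that reports admission data."""
    classes, name = {}, None
    for line in text.splitlines():
        header = re.search(r"Class-map: (\S+)", line)
        if header:
            name = header.group(1)  # counters that follow belong to this class
            continue
        for key, pattern in PATTERNS.items():
            match = re.search(pattern, line)
            if match and name is not None:
                classes.setdefault(name, {})[key] = int(match.group(1))
    return classes

def check_class(c):
    """Compare the counters with the assumed fixed-rate reservation model."""
    if set(PATTERNS) - set(c) or c["flow_kbps"] == 0:
        return ["incomplete admission counters"]
    findings = []
    capacity = c["pool_kbps"] // c["flow_kbps"]  # whole flows the pool can hold
    if c["reserved_kbps"] > c["pool_kbps"]:
        findings.append("reserved bandwidth exceeds the pool")
    if c["reserved_kbps"] != c["admitted"] * c["flow_kbps"]:
        findings.append("reserved bandwidth != admitted flows x flow rate")
    if c["non_admitted"] and c["admitted"] >= capacity:
        findings.append(f"pool full ({c['admitted']}/{capacity} flows), "
                        f"{c['non_admitted']} flow(s) un-admitted")
    elif c["non_admitted"]:
        findings.append("flows un-admitted although the pool has room")
    return findings

def audit(text):
    """Map each admission-controlled class to its list of findings."""
    return {name: check_class(c) for name, c in parse_cac_classes(text).items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OUTPUT).items():
        print(name, findings or ["ok"])
```

By the definition of the rate command, the configuration example's `bandwidth 200` with `rate percent 80` gives a 160-kbps pool, which under the same arithmetic holds one 100-kbps flow; the output above instead reports a 200-kbps pool and two admitted flows.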
            
            

            Additional References for Per-Flow Admission

            Related Documents

            Related Topic | Document Title
            Cisco IOS commands | Cisco IOS Master Commands List, All Releases
            QoS commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples | Cisco IOS Quality of Service Solutions Command Reference

            Technical Assistance

            Description | Link
            The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html

            Feature Information for Per-Flow Admission

            The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

            Table 1 Feature Information for Per-Flow Admission

            Feature Name | Releases | Feature Information
            Per-Flow Admission | Cisco IOS XE Release 3.17 S | The Per-Flow Admission feature provides explicit controls to limit flows in order to protect already admitted flows on the routing/WAN edge. The following commands were introduced by this feature: admit cac local, flow rate fixed, rate.