Consolidated Platform Configuration Guide, Cisco IOS XE 3.7E and Later (Catalyst 3850 Switches)

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for QoS

Before configuring standard QoS, you must have a thorough understanding of these items:

Standard QoS concepts.
Wireless concepts and network topologies.
Classic Cisco IOS QoS.
Modular QoS CLI (MQC).
Understanding of QoS implementation.
The types of applications used and the traffic patterns on your network.
Traffic characteristics and needs of your network. For example, is the traffic on your network bursty? Do you need to reserve bandwidth for voice and video streams?
Bandwidth requirements and speed of the network.
Location of congestion points in the network.

QoS Components

QoS consists of the following key components:

Classification— Classification is the process of distinguishing one type of traffic from another based upon ACLs, Differentiated Services Code Point (DSCP), Class of Service (CoS), and other factors.
Marking and mutation— Marking is used on traffic to convey specific information to a downstream device in the network, or to carry information from one interface in a to another. When traffic is marked, QoS operations on that traffic can be applied. This can be accomplished directly using the set command or through a table map, which takes input values and translates them directly to values on output.
Shaping and policing— Shaping is the process of imposing a maximum rate of traffic, while regulating the traffic rate in such a way that downstream devices are not subjected to congestion. Shaping in the most common form is used to limit the traffic sent from a physical or logical interface. Policing is used to impose a maximum rate on a traffic class. If the rate is exceeded, then a specific action is taken as soon as the event occurs.
Queuing — Queueing is used to prevent traffic congestion. Traffic is sent to specific queues for servicing and scheduling based upon bandwidth allocation. Traffic is then scheduled or sent out through the port.
Bandwidth—Bandwidth allocation determines the available capacity for traffic that is subject to QoS policies.
Trust— Trust enables traffic to pass through the , and the DSCP, precedence, or CoS values coming in from the end points are retained in the absence of any explicit policy configuration.

QoS Terminology

The following terms are used interchangeably in this QoS configuration guide:

Upstream (direction towards the ) is the same as ingress.
Downstream (direction from the ) is the same as egress.

Note

Upstream is wireless to wired. Downstream is wired to wireless. Wireless to wireless has no specific term.

QoS Overview

By configuring the quality of service (QoS), you can provide preferential treatment to specific types of traffic at the expense of other traffic types. Without QoS, the device offers best-effort service to each packet, regardless of the packet contents or size. The device sends the packets without any assurance of reliability, delay bounds, or throughput.

The following are specific features provided by QoS:

Low latency
Bandwidth guarantee
Buffering capabilities and dropping disciplines
Traffic policing
Enables the changing of the attribute of the frame or packet header
Relative services

Modular QoS Command-Line Interface

With the device, QoS features are enabled through the Modular QoS command-line interface (MQC). The MQC is a command-line interface (CLI) structure that allows you to create traffic policies and attach these policies to interfaces. A traffic policy contains a traffic class and one or more QoS features. A traffic class is used to classify traffic, while the QoS features in the traffic policy determine how to treat the classified traffic. One of the main goals of MQC is to provide a platform-independent interface for configuring QoS across Cisco platforms.

Wireless QoS Overview

Wireless QoS can be configured on the following wireless targets:

Wireless ports, including all physical ports to which an access point can be associated.
Radio
SSID (applicable on a per-radio, per-AP, and per-SSID)
Client

From Cisco IOS XE Release 3E, marking and policing actions for ingress SSID and client policies are applied at the access point. The SSID and client ingress policies that you configure in the are moved to the access point. The access point performs policing and marking actions for each packet. However, the selects the QoS policies. Marking and policing of egress SSID and client policies are applied at the .

The following table displays how policies are supported for the wireless targets.

Table 1. Wireless Targets Policies Support
Wireless Target	Policies on Wireless Targets Supported	Policies Supported Egress Direction	Policies Supported Ingress Direction
Wireless port	Yes	Yes - user configurable	No
Radio	Yes	Yes - but not configurable by user	No
SSID	Yes	Yes - user configurable	Yes - user configurable
Client	Yes	Yes - user configurable	Yes - user configurable

Note

Additional polices that are user configured include multidestination policers and VLANs.

Wireless QoS supports the following features:

Queuing in the egress direction.
Policing of wireless traffic
Marking of wireless traffic.
Shaping of wireless traffic in the egress direction.
Approximate Fair Drop (AFD) in the egress direction.
Mobility support for QoS.
Compatibility with precious metal QoS policies available on Cisco Unified Wireless Controllers.
Combination of CLI/Traffic Class (TCLAS) and CLI/snooping.
Application control (can drop or mark the data traffic) by configuring an AVC QoS client policy.
Drop action for ingress policies.
QoS statistics for client and SSID targets in the ingress direction.
QoS attribute for local profiling policy.
Hierarchical policies.

QoS and IPv6 for Wireless

The supports QoS for both IPv4 and IPv6 traffic, and client policies can now have IPv4 and IPv6 filters.

Supported QoS Features for Wired Access

The following table describes the supported QoS features for wired access.

Table 2. Supported QoS Features for Wired Access
Feature	Description
Supported targets	Gigabit Ethernet 10-Gigabit Ethernet VLAN
Configuration sequence	QoS policy installed using the service-policy command.
Supported number of queues at port level	Up to 8 queues supported on a port. No Approximate Fair Dropping or Discard (AFD) support for wired targets.
Supported classification mechanism	DSCP IP precedence CoS QoS-group ACL membership including: IPv4 ACLs IPv6 ACLS MAC ACLs

Wired and Wireless Access Supported Features

The following table describes the supported features for both wired and wireless access.

Table 3. Supported QoS Features for Wired and Wireless Access
Feature	Wired	Wireless
Targets	Gigabit Ethernet 10 Gigabit Ethernet VLAN	Wireless port (CAPWAP tunnel) SSID Client Radio CAPWAP multicast tunnel
Configuration Sequence	QoS policy installed using the service-policy command.	When an access point joins the switch, the switch installs a policy on the port. The port policy has a child policy called port_child_policy. A policy is installed on the radio which has a shaper configured to the radio rate. The default radio policy (which cannot be modified) is attached to the radio. The default client policies take effect when a WMM client associates, and if admission control is enabled on the radio. User can modify the port_child_policy to add more classes. User can attach a user-defined policy at the SSID level. User can attach a user-defined policy at the client level. User can configure a port policy. User can configure an SSID policy. These policies can then be modified. The default radio policy (which cannot be modified) is attached to the radio. Optionally, the user can attach a client policy as required. The default client policies take effect when a WMM client associates, and if admission control is enabled on the radio.
Number of queues permitted at port level	Up to 8 queues supported on a port.	Only four queues supported.
Classification mechanism	DSCP IP precedence CoS QoS-group ACL membership including: IPv4 ACLs IPv6 ACLS MAC ACLs	Port level Ingress: QoS policies not supported on ingress in wireless ports. Egress: Only DSCP based classification. SSID level Ingress: DSCP, UP Egress: DSCP,COS, QoS group Client level Ingress: ACL, DSCP, UP Egress: DSCP and COS

Supported QoS Features on Wireless Targets

This table describes the various features available on wireless targets.

Table 4. QoS Features Available on Wireless Targets
Target	Features	Traffic	Direction Where Policies Are Applicable	Comments
Port	Port shaper Priority queuing Multicast policing	Non-Real Time (NRT), Real Time (RT)	Egress
Radio	Shaping	Non-Real Time	Egress	Radio policies are not user configurable.
SSID	Police Table map	Non-Real Time, Real Time	Ingress and egress
	Shaping		Egress
	BRR		Egress
	Set actions Table map set dscp set cos		Ingress	You can use set in both class-default and user-defined classes of SSID ingress policies. You can define table maps only in the class-default class of an SSID policy.
	Set actions Table map set dscp set wlan user-priority		Egress
	Drop		Ingress
Client	Police	Non-Real Time, Real time	Ingress and egress	For client policies, the following filters are supported: ACL DSCP CoS (only for egress) WLAN UP protocol
	Drop		Ingress
	Set actions set dscp set cos		Ingress
	Set actions set dscp set wlan user-priority		Egress

Port Policies

The device supports port-based policies. The port policies includes port shaper and a child policy (port_child_policy).

Note

Port child policies only apply to wireless ports and not to wired ports on the switch. A wireless port is defined as a port to which APs join. A default port child policy is applied on the switch to the wireless ports at start up.The port shaper rate is limited to 1G

Port shaper specifies the traffic policy applicable between the device and the AP. This is the sum of the radio rates supported on the access point.

The child policy determines the mapping between packets and queues defined by the port-child policy. The child policy can be configured to include voice, video, class-default, and non-client-nrt classes where voice and video are based on DSCP value (which is the outer CAPWAP header DSCP value). The definition of class-default is known to the system as any value other than voice and video DSCP.

The DSCP value is assigned when the packet reaches the port. Before the packet arrives at the port, the SSID policies are applied on the packet. Port child policy also includes multicast percentage for a given port traffic. By default, the port child policy allocates up to 10 percent of the available rate.

Port Policy Format

This section describes the behavior of the port policies on a switch. The ports on the switch do not distinguish between wired or wireless physical ports. Depending on the kind of device associated to the switch, the policies are applied. For example, when an access point is connected to a switch port, the switch detects it as a wireless device and applies the default hierarchical policy which is in the format of a parent-child policy. This policy is an hierarchical policy. The parent policy cannot be modified but the child policy (port-child policy) can be modified to suit the QoS configuration. The switch is pre configured with a default class map and a policy map.

Default class map:



Class Map match-any non-client-nrt-class
   Match non-client-nrt

The above port policy processes all network traffic to the Q3 queue. You can view the class map by executing the show class-map command.

Default policy map:

Policy Map port_child_policy
    Class non-client-nrt-class
      bandwidth remaining ratio 10

Note

The class map and policy map listed are system-defined policies and cannot be changed.

The following is the system-defined policy map available on the ports on which wireless devices are associated. The format consists of a parent policy and a service child policy (port_child_policy). To customize the policies to suite your network needs, you must configure the port child policy.


Policy-map policy_map_name
    Class class-default 
         Shape average average_rate
         Service-policy port_child_policy

Note

The parent policy is system generated and cannot be changed. You must configure the port_child_policy policy to suit the QoS requirements on your network.

Depending on the type of traffic in your network, you can configure the port child policy. For example, in a typical wireless network deployment, you can assign specific priorities to voice and video traffic. Here is an example:


Policy-map port_child_policy 
     Class  voice-policy-name (match dscp ef)
          Priority level 1
         Police (multicast-policer-name-voice) Multicast Policer
    Class video-policy-name (match dscp af41)
        Priority level 2
        Police (multicast-policer-name-video) Multicast Policer
Class non-client-nrt-class traffic(match non-client-nrt)
        Bandwidth remaining ratio (brr-value-nrt-q2)
    Class class-default  (NRT Data)
        Bandwidth remaining ratio (brr-value-q3)

In the above port child policy:

voice-policy-name— Refers to the name of the class that specifies rules for the traffic for voice packets. Here the DSCP value is mapped to a value of 46 (represented by the keyword ef ). The voice traffic is assigned the highest priority of 1.
video-policy-name— Refers to the name of the class that specifies rules for the traffic for video packets. The DSCP value is mapped to a value of 34 (represented by the keyword af41 ).
multicast-policer-name-voice— If you need to configure multicast voice traffic, you can configure policing for the voice class map.
multicast-policer-name-video— If you need to configure multicast video traffic, you can configure policing for the video class map.

In the above sample configuration, all voice and video traffic is directed to the Q0 and Q1 queues, respectively. These queues maintain a strict priority. The packets in Q0 and Q1 are processed in that order. The bandwidth remaining ratios brr-value-nrt-q2 and brr-value-q3 are directed to the Q2 and Q3 respectively specified by the class maps and class-default and non-client-nrt. The processing of packets on Q2 and Q3 are based on a weighted round-robin approach. For example, if the brr-value-nrtq2 has a value of 90 and brr-value-nrtq3 is 10, the packets in queue 2 and queue 3 are processed in the ratio of 9:1.

The Cisco 5700 Series Wireless Controller does not contain a default port policy. Physical port policies must be configured for voice and video to function. Because a Cisco 5700 Series Wireless Controller contains six 10-gigabit ports, the policy map must be configured on all ports.

Note

The policy must be configured on all of the six physical ports on the controller even if LAG (Link Aggregation/Etherchannel) is configured.

The following basic port policy must be configured on the physical ports. You can add further classification if required:


Policy-map <port-policy-name>
  Class voice
      Priority level 1
  class video
     Priority level 2

Radio Policies

The radio policies are system defined and are not user configurable. Radio wireless targets are only applicable in the egress direction.

Radio policies are applicable on a per-radio, per-access point basis. The rate limit on the radios is the practical limit of the AP radio rate. This value is equivalent to the sum of the radios supported by the access point.

The following radios are supported:

802.11 a/n
802.11 b/n
802.11 ac

SSID Policies

You can create QoS policies on SSID BSSID (Basic Service Set Identification) in both the ingress and egress directions. By default, there is no SSID policy. All traffic is transmitted as best effort because the wireless traffic in untrusted. You can configure an SSID policy based on the SSID name. The policy is applicable on a per BSSID.

The types of policies you can create on SSID include marking by using table maps (table-maps), shape rate, and RT1 (Real Time 1) and RT2 (Real Time 2) policiers. If traffic is ingress, you usually configure a marking and policing policy on the SSID. If traffic is downstream, you can configure marking and queuing.

There should be a one-to-one mapping between the policies configured on a port and an SSID. For example, if you configure class voice and class video on the port, you can have a similar policy on the SSID.

The policy on the port is mandatory if you want to preserve the voice and video behavior priority at the port level. Queuing policy is applicable in a downstream direction. When packets arrive from the AP, you can only configure policing and rate limiting.

SSID priorities can be specified by configuring bandwidth remaining ratio. Queuing SSID policies are applied in the egress direction.

Client Policies

Client policies are applicable in the ingress and egress direction. The wireless control module of the device applies the default client policies when admission control is enabled for WMM clients. When admission control is disabled, there is no default client policy. You can configure policing and marking policies on clients.

Note

A client policy can have both IPv4 and IPv6 filters.

You can configure client policies in the following ways:

Using AAA
Using the Cisco IOS MQC CLI
- You can use service policy client command in the WLAN configuration.
Using the default configuration
Using local policies (native profiling)

Use the show wireless client mac address mac_address service-policy command to display the source of the client policy (for example, local profiling policy, AAA, or CLI). The precedence order of client policies is AAA > local policy > WLAN service client policy CLI > default configuration.

Note

If you configured AAA by configuring the unified wireless controller procedure, and using the MQC QoS commands, the policy configuration performed through the MQC QoS commands takes precedence.

Note

When applying client policies on a WLAN, you must disable the WLAN before modifying the client policy. SSID policies can be modified even if the WLAN is enabled.

The default client policy is enabled only on Wi-Fi Multimedia (WMM) clients that are admission control (ACM)-enabled.

Policy Chaining

Every packet has a maximum of two applicable policies, first at the client target and second at the SSID target. The client policing action is applied to the packet before the marking action that is specified in the client policy. After the client policing and marking actions are applied to the packet, the SSID policy action is applied to the updated packet. If no custom policies are specified, the system trust configuration is applied to the packet. Egress trust is based on DSCP, and ingress trust is based on WLAN user priority.

Hierarchical QoS

The supports hierarchical QoS (HQoS). HQoS allows you to perform:

Hierarchical classification— Traffic classification is based upon other classes.
Hierarchical policing—The process of having the policing configuration at multiple levels in a hierarchical policy.

Hierarchical shaping—Shaping can also be configured at multiple levels in the hierarchy.

Note

Hierarchical shaping is only supported for the port shaper, where for the parent you only have a configuration for the class default, and the only action for the class default is shaping.

Hierarchical Wireless QoS

The device supports hierarchical QoS for wireless targets. Hierarchical QoS policies are applicable on port, radio, SSID, and client. QoS policies configured on the device (including marking, shaping, policing) can be applied across the targets. If the network contains non-realtime traffic, the non-realtime traffic is subject to approximate fair drop. Hierarchy refers to the process of application of the various QoS policies on the packets arriving to the device. You can configure policing in both the parent and child policies.

Note

For hierarchical client and SSID policies, you only configure marking either in the parent or child policy.

Wireless Packet Format

Figure 1. Wireless Packet Path in the Egress Direction during First Pass.
This figure displays the wireless packet flow and encapsulation used in hierarchical wireless QoS. The incoming packet enters the device. The device encapsulates this incoming packet and adds the 802.11e and CAPWAP headers.

Hierarchical AFD

Approximate Fair Dropping (AFD) is a feature provided by the QoS infrastructure in Cisco IOS. For wireless targets, AFD can be configured on SSID (via shaping) and clients (via policing). AFD shaping rate is only applicable for downstream direction. Unicast real-time traffic is not subjected to AFD drops.

QoS Implementation

Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.

When you configure the QoS feature, you can select specific network traffic, prioritize it according to its relative importance, and use congestion-management and congestion-avoidance techniques to provide preferential treatment. Implementing QoS in your network makes network performance more predictable and bandwidth utilization more effective.

The QoS implementation is based on the Differentiated Services (Diff-Serv) architecture, a standard from the Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry into the network.

The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (ToS) field to carry the classification (class) information. Classification can also be carried in the Layer 2 frame.

Figure 2. QoS Classification Layers in Frames and Packets. The special bits in the Layer 2 frame or a Layer 3 packet are shown in the following figure:

Layer 2 Frame Prioritization Bits

Layer 2 Inter-Switch Link (ISL) frame headers have a 1-byte User field that carries an IEEE 802.1p class of service (CoS) value in the three least-significant bits. On ports configured as Layer 2 ISL trunks, all traffic is in ISL frames.

Layer 2 802.1Q frame headers have a 2-byte Tag Control Information field that carries the CoS value in the three most-significant bits, which are called the User Priority bits. On ports configured as Layer 2 802.1Q trunks, all traffic is in 802.1Q frames except for traffic in the native VLAN.

Other frame types cannot carry Layer 2 CoS values.

Layer 2 CoS values range from 0 for low priority to 7 for high priority.

Layer 3 Packet Prioritization Bits

Layer 3 IP packets can carry either an IP precedence value or a Differentiated Services Code Point (DSCP) value. QoS supports the use of either value because DSCP values are backward-compatible with IP precedence values.

IP precedence values range from 0 to 7. DSCP values range from 0 to 63.

End-to-End QoS Solution Using Classification

All switches and routers that access the Internet rely on the class information to provide the same forwarding treatment to packets with the same class information and different treatment to packets with different class information. The class information in the packet can be assigned by end hosts or by switches or routers along the way, based on a configured policy, detailed examination of the packet, or both. Detailed examination of the packet is expected to occur closer to the edge of the network, so that the core switches and routers are not overloaded with this task.

Switches and routers along the path can use the class information to limit the amount of resources allocated per traffic class. The behavior of an individual device when handling traffic in the Diff-Serv architecture is called per-hop behavior. If all devices along a path provide a consistent per-hop behavior, you can construct an end-to-end QoS solution.

Implementing QoS in your network can be a simple task or complex task and depends on the QoS features offered by your internetworking devices, the traffic types and patterns in your network, and the granularity of control that you need over incoming and outgoing traffic.

Packet Classification

Packet classification is the process of identifying a packet as belonging to one of several classes in a defined policy, based on certain criteria. The Modular QoS CLI (MQC) is a policy-class based language. The policy class language is used to define the following:

Class-map template with one or several match criteria
Policy-map template with one or several classes associated to the policy map

The policy map template is then associated to one or several interfaces on the .

Packet classification is the process of identifying a packet as belonging to one of the classes defined in the policy map. The process of classification will exit when the packet being processed matches a specific filter in a class. This is referred to as first-match exit. If a packet matches multiple classes in a policy, irrespective of the order of classes in the policy map, it would still exit the classification process after matching the first class.

If a packet does not match any of the classes in the policy, it would be classified into the default class in the policy. Every policy map has a default class, which is a system-defined class to match packets that do not match any of the user-defined classes.

Packet classification can be categorized into the following types:

Classification based on information that is propagated with the packet
Classification based on information that is specific
Hierarchical classification

Classification Based on Information That is Propagated with the Packet

Classification that is based on information that is part of the packet and propagated either end-to-end or between hops, typically includes the following:

Classification based on Layer 3 or 4 headers
Classification based on Layer 2 information

Classification Based on Layer 3 or Layer 4 Header

This is the most common deployment scenario. Numerous fields in the Layer 3 and Layer 4 headers can be used for packet classification.

At the most granular level, this classification methodology can be used to match an entire flow. For this deployment type, an access control list (ACLs) can be used. ACLs can also be used to match based on various subsets of the flow (for example, source IP address only, or destination IP address only, or a combination of both).

Classification can also be done based on the precedence or DSCP values in the IP header. The IP precedence field is used to indicate the relative priority with which a particular packet needs to be handled. It is made up of three bits in the IP header's type of service (ToS) byte.

The following table shows the different IP precedence bit values and their names.

Note

IP precedence is not supported for wireless QoS.

Table 5. IP Precedence Values and Names
IP Precedence Value	IP Precedence Bits	IP Precedence Names
0	000	Routine
1	001	Priority
2	010	Immediate
3	011	Flash
4	100	Flash Override
5	101	Critical
6	110	Internetwork control
7	111	Network control

Note

All routing control traffic in the network uses IP precedence value 6 by default. IP precedence value 7 also is reserved for network control traffic. Therefore, the use of IP precedence values 6 and 7 is not recommended for user traffic.

The DSCP field is made up of 6 bits in the IP header and is being standardized by the Internet Engineering Task Force (IETF) Differentiated Services Working Group. The original ToS byte contained the DSCP bits has been renamed the DSCP byte. The DSCP field is part of the IP header, similar to IP precedence. The DSCP field is a super set of the IP precedence field. Therefore, the DSCP field is used and is set in ways similar to what was described with respect to IP precedence.

Note

The DSCP field definition is backward-compatible with the IP precedence values.

Classification Based on Layer 2 Header

A variety of methods can be used to perform classification based on the Layer 2 header information. The most common methods include the following:

MAC address-based classification (only for access groups)—Classification is based upon the source MAC address (for policies in the input direction) and destination MAC address (for policies in the output direction).
Class-of-Service—Classification is based on the 3 bits in the Layer 2 header based on the IEEE 802.1p standard. This usually maps to the ToS byte in the IP header.
VLAN ID—Classification is based on the VLAN ID of the packet.

Note

Some of these fields in the Layer 2 header can also be set using a policy.

Classification Based on Information that is Device Specific (QoS Groups)

The also provides classification mechanisms that are available where classification is not based on information in the packet header or payload.

At times you might be required to aggregate traffic coming from multiple input interfaces into a specific class in the output interface. For example, multiple customer edge routers might be going into the same access on different interfaces. The service provider might want to police all the aggregate voice traffic going into the core to a specific rate. However, the voice traffic coming in from the different customers could have a different ToS settings. QoS group-based classification is a feature that is useful in these scenarios.

Policies configured on the input interfaces set the QoS group to a specific value, which can then be used to classify packets in the policy enabled on output interface.

The QoS group is a field in the packet data structure internal to the . It is important to note that a QoS group is an internal label to the and is not part of the packet header.

Hierarchical Classification

The permits you to perform a classification based on other classes. Typically, this action may be required when there is a need to combine the classification mechanisms (that is, filters) from two or more classes into a single class map.

QoS Wired Model

To implement QoS, the must perform the following tasks:

Traffic classification—Distinguishes packets or flows from one another.
Traffic marking and policing—Assigns a label to indicate the given quality of service as the packets move through the , and then make the packets comply with the configured resource usage limits.
Queuing and scheduling—Provides different treatment in all situations where resource contention exists.
Shaping—Ensures that traffic sent from the meets a specific traffic profile.

Ingress Port Activity

The following activities occur at the ingress port of the :

Classification—Classifying a distinct path for a packet by associating it with a QoS label. For example, the maps the CoS or DSCP in the packet to a QoS label to distinguish one type of traffic from another. The QoS label that is generated identifies all future QoS actions to be performed on this packet.
Policing—Policing determines whether a packet is in or out of profile by comparing the rate of the incoming traffic to the configured policer. The policer limits the bandwidth consumed by a flow of traffic. The result is passed to the marker.
Marking—Marking evaluates the policer and configuration information for the action to be taken when a packet is out of profile and determines what to do with the packet (pass through a packet without modification, mark down the QoS label in the packet, or drop the packet).

Note

Applying polices on the wireless ingress port is not supported on the .

Egress Port Activity

The following activities occur at the egress port of the :

Policing—Policing determines whether a packet is in or out of profile by comparing the rate of the incoming traffic to the configured policer. The policer limits the bandwidth consumed by a flow of traffic. The result is passed to the marker.
Marking—Marking evaluates the policer and configuration information for the action to be taken when a packet is out of profile and determines what to do with the packet (pass through a packet without modification, mark down the QoS label in the packet, or drop the packet).
Queueing—Queueing evaluates the QoS packet label and the corresponding DSCP or CoS value before selecting which of the egress queues to use. Because congestion can occur when multiple ingress ports simultaneously send data to an egress port, Weighted Tail Drop (WTD) differentiates traffic classes and subjects the packets to different thresholds based on the QoS label. If the threshold is exceeded, the packet is dropped.

Classification

Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is enabled on the . By default, QoS is enabled on the .

During classification, the performs a lookup and assigns a QoS label to the packet. The QoS label identifies all QoS actions to be performed on the packet and from which queue the packet is sent.

Access Control Lists

You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). You can also classify IP traffic based on IPv6 ACLs.

In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings from security ACLs:

If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.

If a match with a deny action is encountered, the ACL being processed is skipped, and the next ACL is processed.

Note

Deny action is supported in Cisco IOS Release 3.7.4E and later releases.

If no match with a permit action is encountered and all the ACEs have been examined, no QoS processing occurs on the packet, and the offers best-effort service to the packet.

If multiple ACLs are configured on a port, the lookup stops after the packet matches the first ACL with a permit action, and QoS processing begins.

Note

When creating an access list, note that by default the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.

After a traffic class has been defined with the ACL, you can attach a policy to it. A policy might contain multiple classes with actions specified for each one of them. A policy might include commands to classify the class as a particular aggregate (for example, assign a DSCP) or rate-limit the class. This policy is then attached to a particular port on which it becomes effective.

You implement IP ACLs to classify IP traffic by using the access-list global configuration command; you implement Layer 2 MAC ACLs to classify non-IP traffic by using the mac access-list extended global configuration command.

Class Maps

A class map is a mechanism that you use to name a specific traffic flow (or class) and isolate it from all other traffic. The class map defines the criteria used to match against a specific traffic flow to further classify it. The criteria can include matching the access group defined by the ACL or matching a specific list of DSCP or IP precedence values. If you have more than one type of traffic that you want to classify, you can create another class map and use a different name. After a packet is matched against the class-map criteria, you further classify it through the use of a policy map.

You create a class map by using the class-map global configuration command or the class policy-map configuration command. You should use the class-map command when the map is shared among many ports. When you enter the class-map command, the enters the class-map configuration mode. In this mode, you define the match criterion for the traffic by using the match class-map configuration command.

You can create a default class by using the class class-default policy-map configuration command. The default class is system-defined and cannot be configured. Unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as default traffic.

Policy Maps

A policy map specifies which traffic class to act on. Actions can include the following:

Setting a specific DSCP or IP precedence value in the traffic class
Setting a CoS value in the traffic class
Setting a QoS group
Setting a wireless LAN (WLAN) value in the traffic class
Specifying the traffic bandwidth limitations and the action to take when the traffic is out of profile

Before a policy map can be effective, you must attach it to a port.

You create and name a policy map using the policy-map global configuration command. When you enter this command, the enters the policy-map configuration mode. In this mode, you specify the actions to take on a specific traffic class by using the class or set policy-map configuration and policy-map class configuration commands.

The policy map can also be configured using the police and bandwidth policy-map class configuration commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. In addition, the policy-map can further be configured using the priority policy-map class configuration command, to schedule priority for the class or the queueing policy-map class configuration commands, queue-buffers and queue-limit .

To enable the policy map, you attach it to a port by using the service-policy interface configuration command.

Note

You cannot configure both priority and set for a policy map. If both these commands are configured for a policy map, and when the policy map is applied to an interface, error messages are displayed. The following example shows this restriction:

Switch# configure terminal
Switch(config)# class-map cmap
Switch(config-cmap)# exit
Switch(config)# class-map classmap1
Switch(config-cmap)# exit
Switch(config)# policy-map pmap
Switch(config-pmap)# class cmap
Switch(config-pmap-c)# priority
Switch(config-pmap-c)# exit
Switch(config-pmap)# class classmap1
Switch(config-pmap-c)# set
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet 0/1/1
Switch(config-if)# service-policy output pmap

Non-queuing action only is unsupported in a queuing policy!!!
%QOS-6-POLICY_INST_FAILED:
Service policy installation failed

Policy Map on Physical Port

You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on. Actions can include setting a specific DSCP or IP precedence value in the traffic class, specifying the traffic bandwidth limitations for each matched traffic class (policer), and taking action when the traffic is out of profile (marking).

A policy map also has these characteristics:

A policy map can contain multiple class statements, each with different match criteria and policers.
A policy map can contain a predefined default traffic class explicitly placed at the end of the map.

When you configure a default traffic class by using the class class-default policy-map configuration command, unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as the default traffic class (class-default ).
A separate policy-map class can exist for each type of traffic received through a port.

Policy Map on VLANs

The supports a VLAN QoS feature that allows the user to perform QoS treatment at the VLAN level (classification and QoS actions) using the incoming frame’s VLAN information. In VLAN-based QoS, a service policy is applied to an SVI interface. All physical interfaces belonging to a VLAN policy map then need to be programmed to refer to the VLAN-based policy maps instead of the port-based policy map.

Although the policy map is applied to the VLAN SVI, any policing (rate-limiting) action can only be performed on a per-port basis. You cannot configure the policer to take account of the sum of traffic from a number of physical ports. Each port needs to have a separate policer governing the traffic coming into that port.

Wireless QoS Multicast

You can configure multicast policing rate at the port level.

There are two modes of a multicast configuration in the Cisco 5700 Series Wireless Controller:

multicast-unicast mode—Multicast traffic is copied as unicast traffic to the APs. QoS on multicast traffic when multicast-unicast mode is not supported on the Cisco 5700 Series Wireless Controller.
multicast-multicast mode—The controller sends the traffic to the multicast group. The APs in the multicast group then receive the multicast traffic.

Policing

After a packet is classified and has a DSCP-based, CoS-based, or QoS-group label assigned to it, the policing and marking process can begin.

Policing involves creating a policer that specifies the bandwidth limits for the traffic. Packets that exceed the limits are out of profile or nonconforming. Each policer decides on a packet-by-packet basis whether the packet is in or out of profile and specifies the actions on the packet. These actions, carried out by the marker, include passing through the packet without modification, dropping the packet, or modifying (marking down) the assigned DSCP or CoS value of the packet and allowing the packet to pass through.

To avoid out-of-order packets, both conform and nonconforming traffic typically exit the same queue.

Note

All traffic, regardless of whether it is bridged or routed, is subjected to a policer, if one is configured. As a result, bridged packets might be dropped or might have their DSCP or CoS fields modified when they are policed and marked.

You can only configure policing on a physical port.

After you configure the policy map and policing actions, attach the policy to an ingress port or SVI by using the service-policy interface configuration command.

Token-Bucket Algorithm

Policing uses a token-bucket algorithm. As each frame is received by the , a token is added to the bucket. The bucket has a hole in it and leaks at a rate that you specify as the average traffic rate in bits per second. Each time a token is added to the bucket, the verifies that there is enough room in the bucket. If there is not enough room, the packet is marked as nonconforming, and the specified policer action is taken (dropped or marked down).

How quickly the bucket fills is a function of the bucket depth (burst-byte), the rate at which the tokens are removed (rate-bps), and the duration of the burst above the average rate. The size of the bucket imposes an upper limit on the burst length and limits the number of frames that can be transmitted back-to-back. If the burst is short, the bucket does not overflow, and no action is taken against the traffic flow. However, if a burst is long and at a higher rate, the bucket overflows, and the policing actions are taken against the frames in that burst.

You configure the bucket depth (the maximum burst that is tolerated before the bucket overflows) by using the burst-byte option of the police policy-map class configuration command. You configure how fast (the average rate) that the tokens are removed from the bucket by using the rate option of the police policy-map class configuration command.

Marking

Marking is used to convey specific information to a downstream device in the network, or to carry information from one interface in a to another.

Marking can be used to set certain field/bits in the packet headers, or marking can also be used to set certain fields in the packet structure that is internal to the . Additionally, the marking feature can be used to define mapping between fields. The following marking methods are available for QoS:

Packet header
Device () specific information
Table maps

Packet Header Marking

Marking on fields in the packet header can be classified into two general categories:

IPv4/v6 header bit marking
Layer 2 header bit marking

The marking feature at the IP level is used to set the precedence or the DSCP in the IP header to a specific value to get a specific per-hop behavior at the downstream device (switch or router), or it can also be used to aggregate traffic from different input interfaces into a single class in the output interface. The functionality is currently supported on both the IPv4 and IPv6 headers.

Marking in the Layer 2 headers is typically used to influence dropping behavior in the downstream devices (switch or router). It works in tandem with the match on the Layer 2 headers. The bits in the Layer 2 header that can be set using a policy map are class of service.

Switch Specific Information Marking

This form of marking includes marking of fields in the packet data structure that are not part of the packets header, so that the marking can be used later in the data path. This is not propagated between the switches. Marking of QoS-group falls into this category. This form of marking is only supported in policies that are enabled on the input interfaces. The corresponding matching mechanism can be enabled on the output interfaces on the same switch and an appropriate QoS action can be applied.

Table Map Marking

Table map marking enables the mapping and conversion from one field to another using a conversion table. This conversion table is called a table map.

Depending upon the table map attached to an interface, CoS, DSCP, and UP values (UP specific to wireless packets) of the packet are rewritten. The allows configuring both ingress table map policies and egress table map policies.

Note

The stack supports a total of 14 table maps. Only one table map is supported per wired port, per direction.

As an example, a table map can be used to map the Layer 2 CoS setting to a precedence value in Layer 3. This feature enables combining multiple set commands into a single table, which indicates the method to perform the mapping. This table can be referenced in multiple policies, or multiple times in the same policy.

The following table shows the currently supported forms of mapping:

Table 6. Packet-Marking Types Used for Establishing a To-From Relationship
The To Packet-Marking Type	The From Packet-Marking Type
Precedence	CoS
Precedence	QoS Group
DSCP	CoS
DSCP	QoS Group
CoS	Precedence
CoS	DSCP
QoS Group	Precedence
QoS Group	DSCP

A table map-based policy supports the following capabilities:

Mutation—You can have a table map that maps from one DSCP value set to another DSCP value set, and this can be attached to an egress port.
Rewrite—Packets coming in are rewritten depending upon the configured table map.
Mapping—Table map based policies can be used instead of set policies.

The following steps are required for table map marking:

Define the table map—Use the table-map global configuration command to map the values. The table does not know of the policies or classes within which it will be used. The default command in the table map is used to indicate the value to be copied into the to field when there is no matching from field.
Define the policy map—You must define the policy map where the table map will be used.
Associate the policy to an interface.

Note

A table map policy on an input port changes the trust setting of that port to the from type of qos-marking.

Traffic Conditioning

To support QoS in a network, traffic entering the service provider network needs to be policed on the network boundary routers to ensure that the traffic rate stays within the service limit. Even if a few routers at the network boundary start sending more traffic than what the network core is provisioned to handle, the increased traffic load leads to network congestion. The degraded performance in the network makes it difficult to deliver QoS for all the network traffic.

Traffic policing functions (using the police feature) and shaping functions (using the traffic shaping feature) manage the traffic rate, but differ in how they treat traffic when tokens are exhausted. The concept of tokens comes from the token bucket scheme, a traffic metering function.

Note

When running QoS tests on network traffic, you may see different results for the shaper and policing data. Network traffic data from shaping provides more accurate results.

This table compares the policing and shaping functions.

Table 7. Comparison Between Policing and Shaping Functions
Policing Function	Shaping Function
Sends conforming traffic up to the line rate and allows bursts.	Smooths traffic and sends it out at a constant rate.
When tokens are exhausted, action is taken immediately.	When tokens are exhausted, it buffers packets and sends them out later, when tokens are available. A class with shaping has a queue associated with it which will be used to buffer the packets.
Policing has multiple units of configuration – in bits per second, packets per second and cells per second.	Shaping has only one unit of configuration - in bits per second.
Policing has multiple possible actions associated with an event, marking and dropping being example of such actions.	Shaping does not have the provision to mark packets that do not meet the profile.
Works for both input and output traffic.	Implemented for output traffic only.
Transmission Control Protocol (TCP) detects the line at line speed but adapts to the configured rate when a packet drop occurs by lowering its window size.	TCP can detect that it has a lower speed line and adapt its retransmission timer accordingly. This results in less scope of retransmissions and is TCP-friendly.

Policing

The QoS policing feature is used to impose a maximum rate on a traffic class. The QoS policing feature can also be used with the priority feature to restrict priority traffic. If the rate is exceeded, then a specific action is taken as soon as the event occurs. The rate (committed information rate [CIR] and peak information rate [PIR] ) and the burst parameters (conformed burst size [ B_c] and extended burst size [B_e] ) are all configured in bytes per second.

The following policing forms or policers are supported for QoS:

Single-rate two-color policing
Dual-rate three-color policing

Note

Single-rate three-color policing is not supported.

Single-Rate Two-Color Policing

Single-rate two-color policer is the mode in which you configure only a CIR and a B_c.

The B_c is an optional parameter, and if it is not specified it is computed by default. In this mode, when an incoming packet has enough tokens available, the packet is considered to be conforming. If at the time of packet arrival, enough tokens are not available within the bounds of B_c, the packet is considered to have exceeded the configured rate.

Note

For information about the token-bucket algorithm, see Token-Bucket Algorithm.

Dual-Rate Three-Color Policing

With the dual rate policer, the supports only color-blind mode. In this mode, you configure a committed information rate (CIR) and a peak information rate (PIR). As the name suggests, there are two token buckets in this case, one for the peak rate, and one for the conformed rate.

Note

For information about the token-bucket algorithm, see Token-Bucket Algorithm.

In the color-blind mode, the incoming packet is first checked against the peak rate bucket. If there are not enough tokens available, the packet is said to violate the rate. If there are enough tokens available, then the tokens in the conformed rate buckets are checked to determine if there are enough tokens available. The tokens in the peak rate bucket are decremented by the size of the packet. If it does not have enough tokens available, the packet is said to have exceeded the configured rate. If there are enough tokens available, then the packet is said to conform, and the tokens in both the buckets are decremented by the size of the packet.

The rate at which tokens are replenished depends on the packet arrival. Assume that a packet comes in at time T1 and the next one comes in at time T2. The time interval between T1 and T2 determines the number of tokens that need to be added to the token bucket. This is calculated as:

Time interval between packets (T2-T1) * CIR)/8 bytes

Shaping

Shaping is the process of imposing a maximum rate of traffic, while regulating the traffic rate in such a way that the downstream switches and routers are not subjected to congestion. Shaping in the most common form is used to limit the traffic sent from a physical or logical interface.

Shaping has a buffer associated with it that ensures that packets which do not have enough tokens are buffered as opposed to being immediately dropped. The number of buffers available to the subset of traffic being shaped is limited and is computed based on a variety of factors. The number of buffers available can also be tuned using specific QoS commands. Packets are buffered as buffers are available, beyond which they are dropped.

Class-Based Traffic Shaping

The uses class-based traffic shaping. This shaping feature is enabled on a class in a policy that is associated to an interface. A class that has shaping configured is allocated a number of buffers to hold the packets that do not have tokens. The buffered packets are sent out from the class using FIFO. In the most common form of usage, class-based shaping is used to impose a maximum rate for an physical interface or logical interface as a whole. The following shaping forms are supported in a class:

Average rate shaping
Hierarchical shaping

Shaping is implemented using a token bucket. The values of CIR, B_c and B_e determine the rate at which the packets are sent out and the rate at which the tokens are replenished.

Note

For information about the token-bucket algorithm, see Token-Bucket Algorithm.

Average Rate Shaping

You use the shape average policy-map class command to configure average rate shaping.

This command configures a maximum bandwidth for a particular class. The queue bandwidth is restricted to this value even though the port has more bandwidth available. The supports configuring shape average by either a percentage or by a target bit rate value.

Hierarchical Shaping

Shaping can also be configured at multiple levels in a hierarchy. This is accomplished by creating a parent policy with shaping configured, and then attaching child policies with additional shaping configurations to the parent policy.

There are two supported types of hierarchical shaping:

Port shaper
User-configured shaping

The port shaper uses the class default and the only action permitted in the parent is shaping. The queueing action is in the child with the port shaper. With the user configured shaping, you cannot have queueing action in the child.

Queueing and Scheduling

The uses both queueing and scheduling to help prevent traffic congestion. The supports the following queueing and scheduling features:

Bandwidth
Weighted Tail Drop
Priority queues
Queue buffers

Bandwidth

The supports the following bandwidth configurations:

Bandwidth percent
Bandwidth remaining ratio

Bandwidth Percent

You can use the bandwidth percent policy-map class command to allocate a minimum bandwidth to a particular class. The total sum cannot exceed 100 percent and in case the total sum is less than 100 percent, then the rest of the bandwidth is divided equally among all bandwidth queues.

Note

A queue can oversubscribe bandwidth in case the other queues do not utilize the entire port bandwidth.

You cannot mix bandwidth types on a policy map. For example, you cannot configure bandwidth in a single policy map using both a bandwidth percent and in kilobits per second.

Bandwidth Remaining Ratio

You use the bandwidth remaining ratio policy-map class command to create a ratio for sharing unused bandwidth in specified queues. Any unused bandwidth will be used by these specific queues in the ratio that is specified by the configuration. Use this command when the priority command is also used for certain queues in the policy.

When you assign ratios, the queues will be assigned certain weights which are inline with these ratios.

You can specify ratios using a range from 0 to 100. For example, you can configure a bandwidth remaining ration of 2 on one class, and another queue with a bandwidth remaining ratio of 4 on another class. The bandwidth remaining ratio of 4 will be scheduled twice as often as the bandwidth remaining ratio of 2.

The total bandwidth ratio allocation for the policy can exceed 100. For example, you can configure a queue with a bandwidth remaining ratio of 50, and another queue with a bandwidth remaining ratio of 100.

Weighted Tail Drop

The egress queues use an enhanced version of the tail-drop congestion-avoidance mechanism called weighted tail drop (WTD). WTD is implemented on queues to manage the queue lengths and to provide drop precedences for different traffic classifications.

As a frame is enqueued to a particular queue, WTD uses the frame’s assigned QoS label to subject it to different thresholds. If the threshold is exceeded for that QoS label (the space available in the destination queue is less than the size of the frame), the drops the frame.

Each queue has three configurable threshold values. The QoS label determines which of the three threshold values is subjected to the frame.

Figure 3. WTD and Queue Operation. The following figure shows an example of WTD operating on a queue whose size is 1000 frames. Three drop percentages are configured: 40 percent (400 frames), 60 percent (600 frames), and 100 percent (1000 frames). These percentages indicate that up to 400 frames can be queued at the 40-percent threshold, up to 600 frames at the 60-percent threshold, and up to 1000 frames at the 100-percent threshold.

In the example, CoS value 6 has a greater importance than the other CoS values, and is assigned to the 100-percent drop threshold (queue-full state). CoS values 4 is assigned to the 60-percent threshold, and CoS values 3 is assigned to the 40-percent threshold. All of these threshold values are assigned using the queue-limit cos command.

Assuming the queue is already filled with 600 frames, and a new frame arrives. It contains CoS value 4 and is subjected to the 60-percent threshold. If this frame is added to the queue, the threshold will be exceeded, so the drops it.

Weighted Tail Drop Default Values

The following are the Weighted Tail Drop (WTD) default values and the rules for configuring WTD threshold values.

If you configure less than three queue-limit percentages for WTD, then WTD default values are assigned to these thresholds.

The following are the WTD threshold default values:

Table 8. WTD Threshold Default Values
Threshold	Default Value Percentage
0	80
1	90
2	400

If 3 different WTD thresholds are configured, then the queues are programmed as configured.
If 2 WTD thresholds are configured, then the maximum value percentage will be 400.
If a WTD single threshold is configured as x, then the maximum value percentage will be 400.
- If the value of x is less than 90, then threshold1=90 and threshold 0= x.
- If the value of x equals 90, then threshold1=90, threshold 0=80.
- If the value x is greater than 90, then threshold1=x, threshold 0=80.

Priority Queues

Each port supports eight egress queues, of which two can be given a priority.

You use the priority level policy class-map command to configure the priority for two classes. One of the classes has to be configured with a priority queue level 1, and the other class has to be configured with a priority queue level 2. Packets on these two queues are subjected to less latency with respect to other queues.

Note

You can configure a priority only with a level.

Only one strict priority or a priority with levels is allowed in one policy map. Multiple priorities with the same priority levels without kbps/percent are allowed in a policy map only if all of them are configured with police.

Queue Buffer

Each 1-gigabit port on the is allocated 168 buffers for a wireless port and 300 buffers for a wired port. Each 10-gigabit port is allocated 1800 buffers. At boot time, when there is no policy map enabled on the wired port, there are two queues created by default. Wired ports can have a maximum of 8 queues configured using MQC-based policies. The following table shows which packets go into which one of the queues:

Table 9. DSCP, Precedence, and CoS - Queue Threshold Mapping Table
DSCP, Precedence or CoS	Queue	Threshold
Control Packets	0	2
Rest of Packets	1	2

Note

You can guarantee the availability of buffers, set drop thresholds, and configure the maximum memory allocation for a queue. You use the queue-buffers policy-map class command to configure the queue buffers. You use the queue-limit policy-map class command to configure the maximum thresholds.

There are two types of buffer allocations: hard buffers, which are explicitly reserved for the queue, and soft buffers, which are available for other ports when unused by a given port.

For the wireless port default, Queue 0 will be given 40 percent of the buffers that are available for the interface as hard buffers, that is 67 buffers are allocated for Queue 0 in the context of 1-gigabit ports. The soft maximum for this queue is set to 268 (calculated as 67 * 400/100) for 1-gigabit ports, where 400 is the default maximum threshold that is configured for any queue.

For the wired port default, Queue 0 will be given 40 percent of the buffers that are available for the interface as hard buffers, that is 120 buffers are allocated for Queue 0 in the context of 1-gigabit ports, and 720 buffers in the context of 10-gigabit ports. The soft maximum for this queue is set to 480 (calculated as 120 * 400/100) for 1-gigabit ports and 2880 for 10-gigabit ports, where 400 is the default maximum threshold that is configured for any queue.

Queue 1 does not have any hard buffers allocated. The default soft buffer limit is set to 400 (which is the maximum threshold). The threshold would determine the maximum number of soft buffers that can be borrowed from the common pool.

Queue Buffer Allocation

The buffer allocation to any queue can be tuned using the queue-buffers ratio policy-map class configuration command.

Dynamic Threshold and Scaling

Traditionally, reserved buffers are statically allocated for each queue. No matter whether the queue is active or not, its buffers are held up by the queue. In addition, as the number of queues increases, the portion of the reserved buffers allocated for each queue can become smaller and smaller. Eventually, a situation may occur where there are not enough reserved buffers to support a jumbo frame for all queues.

The supports Dynamic Thresholding and Scaling (DTS), which is a feature that provides a fair and efficient allocation of buffer resources. When congestion occurs, this DTS mechanism provides an elastic buffer allocation for the incoming data based on the occupancy of the global/port resources. Conceptually, DTS scales down the queue buffer allocation gradually as the resources are used up to leave room for other queues, and vice versa. This flexible method allows the buffers to be more efficiently and fairly utilized.

As mentioned in the previous sections, there are two limits configured on a queue—a hard limit and a soft limit.

Hard limits are not part of DTS. These buffers are available only for that queue. The sum of the hard limits should be less than the globally set up hard maximum limit. The global hard limit configured for egress queuing is currently set to 5705. In the default scenario when there are no MQC policies configured, the 24 1-gigabit ports would take up 24 * 67 = 1608, and the 4 10-gigabit ports would take up 4 * 720 = 2880, for a total of 4488 buffers, allowing room for more hard buffers to be allocated based upon the configuration.

Soft limit buffers participate in the DTS process. Additionally, some of the soft buffer allocations can exceed the global soft limit allocation. The global soft limit allocation for egress queuing is currently set to 7607. The sum of the hard and soft limits add up to 13312, which in turn translates to 3.4 MB. Because the sum of the soft buffer allocations can exceed the global limit, it allows a specific queue to use a large number of buffers when the system is lightly loaded. The DTS process dynamically adjusts the per-queue allocation as the system becomes more heavily loaded.

Queuing in Wireless

Queuing in the wireless component is performed based on the port policy and is applicable only in the downstream direction. The wireless module supports the following four queues:

Voice—This is a strict priority queue. Represented by Q0, this queue processes control traffic and multicast or unicast voice traffic. All control traffic (such as CAPWAP packets) is processed through the voice queue. The QoS module uses a different threshold within the voice queue to process control and voice packets to ensure that control packets get higher priority over other non-control packets.
Video—This is a strict priority queue. Represented by Q1, this queue processes multicast or unicast video traffic.
Data NRT—Represented by Q2, this queue processes all non-real-time unicast traffic.
Multicast NRT—Represented by Q3, this queue processes Multicast NRT traffic. Any traffic that does not match the traffic in Q0, Q1, or Q2 is processed through Q3.

Note

By default, the queues Q0 and Q1 are not enabled.

Note

A weighted round-robin policy is applied for traffic in the queues Q2 and Q3.

For upstream direction only one queue is available. Port and radio policies are applicable only in the downstream direction.

Note

The wired ports support eight queues.

Trust Behavior for Wired Ports

For wired ports that are connected to the (end points such as IP phones, laptops, cameras, telepresence units, or other devices), their DSCP, precedence, or CoS values coming in from these end points are trusted by the and therefore are retained in the absence of any explicit policy configuration.

The packets are enqueued to the appropriate queue per the default initial configuration.

In scenarios where the incoming packet type differs from the outgoing packet type, the trust behavior and the queuing behavior are explained in the following table. Note that the default trust mode for a wired port is DSCP based. The trust mode ‘falls back’ to CoS if the incoming packet is a pure Layer 2 packet. You can also change the trust setting from DSCP to CoS. This is accomplished by using an MQC policy that has a class default with a 'set cos cos table default default-cos' action, where default-cos is the name of the table map created (which only performs a default copy).

Table 10. Trust and Queueing Behavior
Incoming Packet	Outgoing Packet	Trust Behavior	Queuing Behavior
Layer 3	Layer 3	Preserve DSCP/Precedence	Based on DSCP
Layer 2	Layer 2	Not applicable	Based on CoS
Tagged	Tagged	Preserve DSCP and CoS	Based on DSCP (trust DSCP takes precedence)
Layer 3	Tagged	Preserve DSCP, CoS is set to 0	Based on DSCP

Trust Behavior for Wired and Wireless Ports

For wired or wireless ports that are connected to the (end points such as IP phones, laptops, cameras, telepresence units, or other devices), their DSCP, precedence, or CoS values coming in from these end points are trusted by the and therefore are retained in the absence of any explicit policy configuration.

This trust behavior is applicable to both upstream and downstream QoS.

The packets are enqueued to the appropriate queue per the default initial configuration. No priority queuing at the is done by default. This is true for unicast and multicast packets.

In scenarios where the incoming packet type differs from the outgoing packet type, the trust behavior and the queuing behavior are explained in the following table. Note that the default trust mode for a port is DSCP based. The trust mode ‘falls back’ to CoS if the incoming packet is a pure Layer 2 packet. You can also change the trust setting from DSCP to CoS. This setting change is accomplished by using an MQC policy that has a class default with a 'set cos cos table default default-cos' action, where default-cos is the name of the table map created (which only performs a default copy).

Table 11. Trust and Queueing Behavior
Incoming Packet	Outgoing Packet	Trust Behavior	Queuing Behavior
Layer 3	Layer 3	Preserve DSCP/Precedence	Based on DSCP
Layer 2	Layer 2	Not applicable	Based on CoS
Tagged	Tagged	Preserve DSCP and CoS	Based on DSCP (trust DSCP takes precedence)
Layer 3	Tagged	Preserve DSCP, CoS is set to 0	Based on DSCP

The Cisco IOS XE 3.2 Release supported different trust defaults for wired and wireless ports. The trust default for wired ports was the same as for this software release. For wireless ports, the default system behavior was non-trust, which meant that when the came up, all markings for the wireless ports were defaulted to zero and no traffic received priority treatment. For compatibility with an existing wired , all traffic went to the best-effort queue by default. The access point performed priority queuing by default. In the downstream direction, the access point maintained voice, video, best-effort, and background queues for queuing. The access selected the queuing strategy based on the 11e tag information. By default, the access point treated all wireless packets as best effort.

The default trust behavior in the case of wireless ports could be changed by using the qos wireless default untrust command.

Note

If you upgrade from Cisco IOS XE 3.2 SE Release to a later release, the default behavior of the wireless traffic is still untrusted. In this situation, you can use the no qos wireless-default untrust command to enable trust behavior for wireless traffic. However, if you install Cisco IOS XE 3.3 SE or a later release on the device, the default QoS behavior for wireless traffic is trust. Starting with Cisco IOS XE 3.3 SE Release and later, the packet markings are preserved in both egress and ingress directions for new installations (not upgrades) for wireless traffic.

Port Security on a Trusted Boundary for Cisco IP Phones

In a typical network, you connect a Cisco IP Phone to a port and cascade devices that generate data packets from the back of the telephone. The Cisco IP Phone guarantees the voice quality through a shared data link by marking the CoS level of the voice packets as high priority (CoS = 5) and by marking the data packets as low priority (CoS = 0). Traffic sent from the telephone to the is typically marked with a tag that uses the 802.1Q header. The header contains the VLAN information and the class of service (CoS) 3-bit field, which is the priority of the packet.

For most Cisco IP Phone configurations, the traffic sent from the telephone to the should be trusted to ensure that voice traffic is properly prioritized over other types of traffic in the network. By using the trust device interface configuration command, you configure the port to which the telephone is connected to trust the traffic received on that port.

Note

The trust device device_type command available in interface configuration mode is a stand-alone command on the device. When using this command in an AutoQoS configuration, if the connected peer device is not a corresponding device (defined as a device matching your trust policy), both CoS and DSCP values are set to "0" and any input policy will not take effect. If the connected peer device is a corresponding device, input policy will take effect.

With the trusted setting, you also can use the trusted boundary feature to prevent misuse of a high-priority queue if a user bypasses the telephone and connects the PC directly to the . Without trusted boundary, the CoS labels generated by the PC are trusted by the (because of the trusted CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the port and prevents misuse of a high-priority queue. Note that the trusted boundary feature is not effective if the PC and Cisco IP Phone are connected to a hub that is connected to the .

Wireless QoS Mobility

Wireless QoS mobility enables you to configure QoS policies so that the network provides the same service anywhere in the network. A wireless client can roam from one location to another and as a result the client can get associated to different access points associated with a different device. Wireless client roaming can be classified into two types:

Intra-device roaming
Inter-device roaming

Note

The client policies must be available on all of the devices in the mobility group. The same SSID and port policy must be applied to all devices in the mobility group so that the clients get consistent treatment.

Inter-Device Roaming

When a client roams from one location to another, the client can get associated to access points either associated to the same device (anchor device) or a different device (foreign device). Inter-device roaming refers to the scenario where the client gets associated to an access point that is not associated to the same device before the client roamed. The host device is now foreign to the device to which the client was initially anchored.

In the case of inter-device roaming, the client QoS policy is always executed on the foreign controller. When a client roams from anchor device to foreign device, the QoS policy is uninstalled on the anchor device and installed on the foreign device. In the mobility handoff message, the anchor device passes the name of the policy to the foreign device. The foreign device should have a policy with the same name configured for the QoS policy to be applied correctly.

In the case of inter-device roaming, all of the QoS policies are moved from the anchor device to the foreign device. While the QoS policies are in transition from the anchor device to the foreign device, the traffic on the foreign device is provided the default treatment. This is comparable to a new policy installation on the client target.

Note

If the foreign device is not configured with the user-defined physical port policy, the default port policy is applicable to all traffic is routed through the NRT queue, except the control traffic which goes through RT1 queue. The network administrator must configure the same physical port policy on both the anchor and foreign devices symmetrically.

During inter-device roaming, client and SSID policy statistics are collected only for the duration that the client is associated with the foreign device. Cumulative statistics for the whole roaming (anchor device and foreign device) are not collected.

Intra-Device Roaming

With intra-device roaming, the client gets associated to an access point that is associated to the same device before the client roamed, but this association to the device occurs through a different access point.

Note

QoS policies remain intact in the case of intra-device roaming.

Precious Metal Policies for Wireless QoS

Wireless QoS is backward compatible with the precious metal policies offered by the unified wireless controller platforms. The precious metal policies are system-defined policies that are available on the controller.

The following policies are available:

Platinum—Used for VoIP clients.
Gold—Used for video clients.
Silver— Used for traffic that can be considered best-effort.
Bronze—Used for NRT traffic.

These policies (also known as profiles) can be applied to a WLAN based on the traffic. We recommend the configuration using the Cisco IOS MQC configuration. The policies are available in the system based on the precious metal policy required. You can configure precious metal policies only for SSID ingress and egress policies.

Based on the policies applied, the 802.1p, 802.11e (WMM), and DSCP fields in the packets are affected. These values are preconfigured and installed when the device is booted.

Note

Unlike the precious metal policies that were applicable in the Cisco Unified Wireless controllers, the attributes rt-average-rate, nrt-average-rate, and peak rates are not applicable for the precious metal policies configured on this device platform.

Note

The 802.1p protocol priority is applicable on the Cisco 5700 Series Wireless Controller.

Default Wired QoS Configuration

There are two queues configured by default on each wired interface on the . All control traffic traverses and is processed through queue 0. All other traffic traverses and is processed through queue 1.

DSCP Maps

Default CoS-to-DSCP Map

You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. The following table shows the default CoS-to-DSCP map. If these values are not appropriate for your network, you need to modify them.

Table 12. Default CoS-to-DSCP Map
CoS Value	DSCP Value
0	0
1	8
2	16
3	24
4	32
5	40
6	48
7	56

Default IP-Precedence-to-DSCP Map

You use the IP-precedence-to-DSCP map to map IP precedence values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. The following table shows the default IP-precedence-to-DSCP map. If these values are not appropriate for your network, you need to modify them.

Table 13. Default IP-Precedence-to-DSCP Map
IP Precedence Value	DSCP Value
0	0
1	8
2	16
3	24
4	32
5	40
6	48
7	56

Default DSCP-to-CoS Map

You use the DSCP-to-CoS map to generate a CoS value, which is used to select one of the four egress queues. The following table shows the default DSCP-to-CoS map. If these values are not appropriate for your network, you need to modify them.

Table 14. Default DSCP-to-CoS Map
DSCP Value	CoS Value
0–7	0
8–15	1
16–23	2
24–31	3
32–39	4
40–47	5
48–55	6
56–63	7

Default Wireless QoS Configuration

The ports on the switch do not distinguish between wired or wireless physical ports. Depending on the kind of device associated to the switch, the policies are applied. For example, when an access point is connected to a switch port, the switch detects it as a wireless device and applies the default hierarchical policy which is in the format of a parent-child policy. This policy is an hierarchical policy. The parent policy cannot be modified but the child policy (port-child policy) can be modified to suite the QoS configuration. The switch is preconfigured with a default class map and a policy map.

Information About Auto QoS for Wireless

Auto QoS for Wireless feature, introduced in Cisco IOS XE Release 3.7.0, is supported on the following platforms:

Cisco 5760 Wireless Controller
Catalyst 3850 Series Switches
Catalyst 3650 Series Switches
Cisco Catalyst 4500E Supervisor Engine 8-E

The following pre-defined global configuration templates/profiles are available:

Enterprise
Voice
Guest

You can customize these templates to suit your needs. Auto QoS for Wireless can be configured using both CLI and GUI. Auto QoS for Wireless can be applied on a per-WLAN basis.

Precedence applicable:

AAA QoS
Native Profile QoS
Auto QoS/CLI-based QoS

Policy Names


P1	AutoQos-4.0-wlan-ET-Client-Input-Policy
P2	AutoQos-4.0-wlan-ET-SSID-Output-Policy
P3	platinum-up (Auto generated system policy at boot-up)
P4	platinum (Auto generated system policy at boot-up)
P5	AutoQos-4.0-wlan-GT-SSID-Input-Policy
P6	AutoQos-4.0-wlan-GT-SSID-Output-Policy
P7	port_child_policy
P8	AutoQos-4.0-wlan-Port-Output-Policy
P9	Capwap-SRND4-Queuing-Policy

List of Targets

Client
BSSID
Radio
AP Port (Catalyst 3850 Switch)
Uplink Port (Catalyst 3850 Switch)
Cisco 5760 WLC physical port
Catalyst 4500E Supervisor Engine 8-E Front Panel Ports

Auto QoS for Wireless - Wireless QoS Matrix


Templates/Targets	Client		BSSID		Radio	AP Port (Catalyst 3850 Switch)		Uplink Port (Catalyst 3850 Switch)		Cisco 5760 WLC physical port		Catalyst 4500E Supervisor Engine 8-E Front Panel Ports
	Ingress	Egress	Ingress	Egress		Ingress	Egress	Ingress	Egress	Ingress	Egress	Ingress	Egress
Enterprise	P1	N/A	N/A	P2	N/A	N/A	P7	N/A	N/A	N/A	P8	N/A	P9
Voice	N/A	N/A	P3	P4	N/A	N/A	P7	N/A	N/A	N/A	P8	N/A	P9
Guest	N/A	N/A	P5	P6	N/A	N/A	N/A	N/A	N/A	N/A	N/A	N/A	P9

Guidelines for Auto QoS for Wireless

The Catalyst 3850 Switch uplink ports should not be configured along with Auto QoS for Wireless. This should be managed using Wired Auto QoS
The Catalyst 3850 Switch AP Port Policy (port_child_policy) and Cisco 5760 WLC physical ports should be automatically configured for Enterprise and Voice templates.
AP Control traffic must go through the P0 queue (should be given highest priority among all traffic).
All the Auto QoS policies for Wireless applied through the GUI have the prefix 'AutoQos-4.0'. This enables you to recognize the policies that are applied through templates.
On the CLI, it is not possible to create a policy name that starts with 'AutoQos-4.0' because this is reserved for policies generated through templates.

Configuring Auto QoS for Wireless (GUI)

Procedure

Step 1

Choose Configuration > Wireless > WLAN.

Step 2

Click the WLAN ID.

Step 3

Click the QoS tab.

Step 4

In the Auto QoS section, choose the policy from the drop-down list.

Note

By default, the Auto QoS policy applied for a WLAN is 'None'.

Step 5

Save the configuration.

Configuring Auto QoS for Wireless (CLI)

Device(config-wlan)# auto qos {enterprise | guest | voice}

Guidelines for QoS Policies

Follow these guidelines to prevent clients from getting excluded due to malformed QoS policies:

When a new QoS policy is added to the device, a QoS policy with the same name should be added to other device within the same roam or mobility domain.
When a device is loaded with a software image of a later release, the new policy formats are supported. If you have upgraded the software image from an earlier release to a later release, you should save the configuration separately. When an earlier release image is loaded, some QoS policies might show as not supported, and you should restore those QoS policies to supported policy formats.

Restrictions for QoS on Wired Targets

A target is an entity where a policy is applied. You can apply a policy to either a wired or wireless target. A wired target can be either a port or VLAN. A wireless target can be either a port, radio, SSID, or client. Only port, SSID, and client policies are user configurable. Radio polices are not user configurable. Wireless QoS policies for port, radio, SSID, and client are applied in the downstream direction, and for upstream only SSID and client targets are supported. Downstream indicates that traffic is flowing from the device to the wireless client. Upstream indicates that traffic is flowing from wireless client to the device.

The following are restrictions for applying QoS features on the device for the wired target:

A maximum of 8 queuing classes are supported on the device port for the wired target.
A maximum of 63 policers are supported per policy on the wired port for the wired target.
In Cisco IOS XE Release 3.7.5E and later releases, by default all downlink ports are allocated 1 GB port buffer, even though the downlink port size is 10 GB. Prior to this change, all 1 GB downlink ports had 1 GB buffer and 10 GB downlink ports had 10 GB buffer.
A maximum of 1600 policies are supported on the switch.
No more than two levels are supported in a QoS hierarchy.
In a hierarchical policy, overlapping actions between parent and child are not allowed, except when a policy has the port shaper in the parent and queueing features in the child policy.
A QoS policy cannot be attached to any EtherChannel interface.
Policing in both the parent and child is not supported in a QoS hierarchy.
Marking in both the parent and child is not supported in a QoS hierarchy.

A mixture of queue limit and queue buffer in the same policy is not supported.

Note

The queue-limit percent is not supported on the device because the queue-buffer command handles this functionality. Queue limit is only supported with the DSCP and CoS extensions.

With shaping, there is an IPG overhead of 20Bytes for every packet that is accounted internally in the hardware. Shaping accuracy will be effected by this, specially for packets of small size.
The classification sequence for all wired queuing-based policies should be the same across all wired upstream ports (10-Gigabit Ethernet), and the same for all downstream wired ports (1-Gigabit Ethernet).
Empty classes are not supported.
Class-maps with empty actions are not supported. If there are two policies with the same order of class-maps and if there are class-maps with no action in one of the policies, there may be traffic drops. As a workaround, allocate minimal bandwidth for all the classes in PRIORITY_QUEUE.
A maximum of 256 classes are supported per policy on the wired port for the wired target.
The match vlan class-map configuration command supports either a match VLAN range or a single VLAN.
The actions under a policer within a policy map have the following restrictions:
- The conform action must be transmit.
- The exceed/violate action for markdown type can only be cos2cos, prec2prec, dscp2dscp.
- The markdown types must be the same within a policy.
A port-level input marking policy takes precedence over an SVI policy; however, if no port policy is configured, the SVI policy takes precedence. For a port policy to take precedence, define a port-level policy; so that the SVI policy is overwritten.
Classification counters have the following specific restrictions:
- Classification counters count packets instead of bytes.
- Filter-based classification counters are not supported
- Only QoS configurations with marking or policing trigger the classification counter.
- The classification counter is not port based. This means that the classification counter aggregates all packets belonging to the same class of the same policy which attach to different interfaces.
- As long as there is policing or marking action in the policy, the class-default will have classification counters.
- When there are multiple match statements in a class, then the classification counter only shows the traffic counter for one of the match statements.
Table maps have the following specific restrictions:
- Only one table map for policing exceeding the markdown and one table map for policing violating the markdown per direction per target is supported.
- Table maps must be configured under the class-default; table maps are unsupported for a user-defined class.

Hierarchical policies are required for the following:

Port-shapers
Aggregate policers
PV policy
Parent shaping and child marking/policing

Note

Any "on-the-fly" change (modifying a policy while it is attached to a target) is not permitted for wired hierarchical policies.

For ports with wired targets, these are the only supported hierarchical policies:
- Police chaining in the same policy is unsupported, except for wireless client.
- Hierarchical queueing is unsupported in the same policy (port shaper is the exception).
- In a parent class, all filters must have the same type. The child filter type must match the parent filter type with the following exceptions:
  - If the parent class is configured to match IP, then the child class can be configured to match the ACL.
  - If the parent class is configured to match CoS, then the child class can be configured to match the ACL.
Modification to a policy name on a wired port is not recommended. Please remove and reapply the policies if any unexpected behavior is seen.
The trust device device_type command available in interface configuration mode is a stand-alone command on the device. When using this command in an AutoQoS configuration, if the connected peer device is not a corresponding device (defined as a device matching your trust policy), both CoS and DSCP values are set to "0" and any input policy will not take effect. If the connected peer device is a corresponding device, input policy will take effect.

The following are restrictions for applying QoS features on the VLAN to the wired target:

For a flat or nonhierarchical policy, only marking or a table map is supported.

The following are restrictions and considerations for applying QoS features on EtherChannel and channel member interfaces:

QoS is not supported on an EtherChannel interface.
QoS is supported on EtherChannel member interfaces in both ingress and egression directions. All EtherChannel members must have the same QoS policy applied. If the QoS policy is not the same, each individual policy on the different link acts independently.
On attaching a service policy to channel members, the following warning message appears to remind the user to make sure the same policy is attached to all ports in the EtherChannel: ' Warning: add service policy will cause inconsistency with port xxx in ether channel xxx. '.
Auto QoS is not supported on EtherChannel members.

Note

On attaching a service policy to an EtherChannel, the following message appears on the console: ' Warning: add service policy will cause inconsistency with port xxx in ether channel xxx. '. This warning message should be expected. This warning message is a reminder to attach the same policy to other ports in the same EtherChannel. The same message will be seen during boot up. This message does not mean there is a discrepancy between the EtherChannel member ports.

Restrictions for QoS on Wireless Targets

General Restrictions

A target is an entity where a policy is applied. You can apply a policy to either a wired or wireless target. A wired target can be either a port or VLAN. A wireless target can be either a port, radio, SSID, or client. Only port, SSID, and client policies are user configurable. Radio polices are not user configurable. Wireless QoS policies for port, radio, SSID, and client are applied in the downstream direction, and for upstream only SSID and client targets are supported. Downstream indicates that traffic is flowing from the device to the wireless client. Upstream indicates that traffic is flowing from wireless client to the device.

Only port, SSID, and client (using AAA and Cisco IOS command-line interface) policies are user-configurable. Radio policies are set by the wireless control module and are not user-configurable.
Port and radio policies are applicable only in the egress direction.
SSID and client targets can be configured only with marking and policing policies.
One policy per target per direction is supported.
For the egress class-default SSID policy, you must configure the queue buffer ratio as 0 after you configure the average shape rate.
Class maps in a policy map can have different types of filters. However, only one marking action (either table map, or set dscp, or set cos) is supported in a map in egress direction.
For hierarchical client and SSID ingress policies, you cannot configure marking in both the parent and child policies. You can only configure marking either in the parent or child policy.
You cannot configure multiple set actions in the same class.
For both SSID and client ingress policies, supported set actions are only for DSCP, and CoS values.
You cannot delete a group of WLANs or QoS policy.

Wireless QoS Restrictions on Ports

The following are restrictions for applying QoS features on a wireless port target:

All wireless ports have similar parent policy with one class-default and one action shape under class-default. Shape rates are dependent on the 802.11a/b/g/ac bands.
You can create a maximum of four classes in a child policy by modifying the port_chlid_policy.
If there are four classes in the port_child_policy at the port level, one must be a non-client-nrt class and one must be class-default.
No two classes can have the same priority level. Only priority level 1 (for voice traffic and control traffic) and 2 (for video) are supported.
Priority is not supported in the multicast NRT class (non-client-nrt class) and class-default.
If four classes are configured, two of them have to be priority classes. If only three classes are configured, at least one of them should be a priority class. If three classes are configured and there is no non-client-nrt class, both priority levels must be present.
Only match DSCP is supported.
The port policy applied by the wireless control module cannot be removed using the CLI.
Both priority rate and police CIR (using MQC) in the same class is unsupported.
Queue limit (which is used to configure Weighted Tail Drop) is unsupported.

Wireless QoS Restrictions on SSID

The following are restrictions for applying QoS features on SSID:

One table map is supported at the ingress policy.

Table maps are supported for the parent class-default only. Up to two table maps are supported in the egress direction and three table-maps can be configured when a QoS group is involved.

Note

Table-maps are not supported at the client targets.

If a wireless port has a default policy with only two queues (one for multicast-NRT, one for class-default), the policy at SSID level cannot have voice and video class in the egress direction.
Policing without priority is not supported in the egress direction.
Priority configuration at the SSID level is used only to configure the RT1 and RT2 policers (AFD for policer). Priority configuration does not include the shape rate. Therefore, priority is restricted for SSID policies without police.
If set is not enabled in class-default, the classification at the SSID for voice or video must be a subset of the classification for the voice or video class at the port level.
The mapping in the DSCP2DSCP and COS2COS table should be based on the classification function for the voice and video classes in the port level policy.
No action is allowed under the class-default of a child policy.
For SSID ingress policies, only UP and DSCP filters (match criteria) are supported. ACL and protocol match criteria are not supported.
For a flat policy (non hierarchical), in the ingress direction, the policy configuration must be a set (table map) or policing or both.

Wireless QoS Restrictions on Clients

The following are restrictions for applying QoS policies on client targets:

The default client policy is enabled only on WMM clients that are ACM-enabled.
Queuing is not supported.
Attaching, removing, or modifying client policies on a WLAN in the enabled state is not supported. You must shut down the WLAN to apply, remove, or modify a policy.
Table-map configuration is not supported for client targets.
Policing and set configured together in class-default is blocked in egress direction:
```
policy-map foo
class class-default
police X
set dscp Y
```
Child policy is not supported under class-default if the parent policy contains other user-defined class maps in it.
For flat egress client policy, policing in class-default and marking action in other classes are not supported.
Only set marking actions are supported in the client policies.
For client ingress policies, only ACL, UP, DSCP, and protocol filters (match criteria) are supported.

All the filters in classes in a policy map for client policy must have the same attributes. Filters matching on protocol-specific attributes such as IPv4 or IPv6 addresses are considered as different attribute sets.

For filters matching on ACLs, all ACEs (Access Control Entry) in the access list should have the same type and number of attributes.
In client egress policies, all filters in the policy-map must match on the same marking attribute for filters matching on marking attributes. For example, If filter matches on DSCP, then all filters in the policy must match on DSCP.
ACL matching on port ranges and subnet are only supported in ingress direction.

Creating a Traffic Class (CLI)

To create a traffic class containing match criteria, use the class-map command to specify the traffic class name, and then use the following match commands in class-map configuration mode, as needed.

Before you begin

All match commands specified in this configuration task are considered optional, but you must configure at least one match criterion for a class.

SUMMARY STEPS

configure terminal
class-map { class-map name | match-any|type}
match access-group { index number| name}
match class-map class-map name
match cos cos value
match dscp dscp value
match ip { dscp dscp value| precedence precedence value}
match non-client-nrt
match precedence precedence value
match qos-group qos group value
match vlan vlan value
match wlan user-priority wlan value
end

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 2

class-map { class-map name | match-any|type}

Example:


Device(config)# class-map test_1000
Device(config-cmap)#

Enters class map configuration mode.

Creates a class map to be used for matching packets to the class whose name you specify.
If you specify match-any , one of the match criteria must be met for traffic entering the traffic class to be classified as part of the traffic class. This is the default.
If you specify type , configures the CPL class map. Additional sub-command parameters include:
- control—This sub-command parameter configures the control policies.
- multicast-flows—This sub-command parameter configures multicast class-maps.

Note

The type command option is not supported on the device

Step 3

match access-group { index number| name}

Example:


Device(config-cmap)# match access-group 100
Device(config-cmap)#

The following parameters are available for this command:

access-group
class-map
cos
dscp
ip
non-client-nrt
precedence
qos-group
vlan
wlan user priority

(Optional) For this example, enter the access-group ID:

Access list index (value from 1 to 2799)
Named access list

Step 4

match class-map class-map name

Example:


Device(config-cmap)# match class-map test_2000
Device(config-cmap)#

(Optional) Matches to another class-map name.

Step 5

match cos cos value

Example:


Device(config-cmap)# match cos 2 3 4 5
Device(config-cmap)#

(Optional) Matches IEEE 802.1Q or ISL class of service (user) priority values.

Enters up to 4 CoS values separated by spaces (0 to 7).

Step 6

match dscp dscp value

Example:


Device(config-cmap)# match dscp af11 af12
Device(config-cmap)#

(Optional) Matches the DSCP values in IPv4 and IPv6 packets.

Step 7

match ip { dscp dscp value| precedence precedence value}

Example:


Device(config-cmap)# match ip dscp af11 af12
Device(config-cmap)#

(Optional) Matches IP values including the following:

dscp—Matches IP DSCP (DiffServ codepoints).

precedence—Matches IP precedence (0 to 7).

Note

Since CPU generated packets are not marked at egress, the packet will not match the configured class-map.

Step 8

match non-client-nrt

Example:


Device(config-cmap)# match non-client-nrt
Device(config-cmap)#

(Optional) Matches non-client NRT (Non-Real-Time).

Step 9

match precedence precedence value

Example:


Device(config-cmap)# match precedence 7
Device(config-cmap)#

(Optional) Matches precedence for IPv4 or IPv6 packets. Possible values include:

Critical—Match packets with critical precedence (5)
Flash—Match packets with flash precedence (3)
Flash-override—Match packets with flash override precedence (4)
Immediate—Match packets with immediate precedence (2)
Internet—Match packets with internetwork control precedence (6)
Network—Match packets with network control precedence (7)
Priority—Match packets with priority precedence (1)
Routine—Match packets with routine precedence (0)

Step 10

match qos-group qos group value

Example:


Device(config-cmap)# match qos-group 10
Device(config-cmap)#

(Optional) Matches QoS group value (from 0 to 31).

Step 11

match vlan vlan value

Example:


Device(config-cmap)# match vlan 210
Device(config-cmap)#

(Optional) Matches a VLAN ID (from 1 to 4095).

Step 12

match wlan user-priority wlan value

Example:


Device(config-cmap)# match wlan user priority 7
Device(config-cmap)#

(Optional) Matches 802.11e specific values. Enter the user priority 802.11e user priority (0 to 7).

Step 13

end

Example:


Device(config-cmap)# end

Saves the configuration changes.

What to do next

Configure the policy map.

Creating a Traffic Policy (CLI)

To create a traffic policy, use the policy-map global configuration command to specify the traffic policy name.

The traffic class is associated with the traffic policy when the class command is used. The class command must be entered after you enter the policy map configuration mode. After entering the class command, the is automatically in policy map class configuration mode, which is where the QoS policies for the traffic policy are defined.

The following policy map class-actions are supported:

admit—Admits the request for Call Admission Control (CAC).
bandwidth—Bandwidth configuration options.
exit—Exits from the QoS class action configuration mode.
netflow-sampler—NetFlow sampler configuration options.
no—Negates or sets default values for the command.
police—Policer configuration options.
priority—Strict scheduling priority configuration options for this class.
queue-buffers—Queue buffer configuration options.
queue-limit—Queue maximum threshold for Weighted Tail Drop (WTD) configuration options.
service-policy—Configures the QoS service policy.
set—Sets QoS values using the following options:
- CoS values
- DSCP values
- Precedence values
- QoS group values
- WLAN values
shape—Traffic-shaping configuration options.

Before you begin

You should have first created a class map.

SUMMARY STEPS

configure terminal
policy-map policy-map name
class { class-name| class-default}
admit
bandwidth { kb/s kb/s value | percent percentage|remaining {percent | ratio}}
exit
netflow-sampler
no
police { target_bit_rate |cir | rate}
priority { kb/s | level level value | percent percentage value }
queue-buffers ratio ratio limit
queue-limit { packets | cos | dscp | percent}
service-policy policy-map name
set { cos | dscp | ip | precedence | qos-group | wlan}
shape average { target _bit_rate| percent}
end

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 2

policy-map policy-map name

Example:


Device(config)# policy-map test_2000
Device(config-pmap)#

Enters policy map configuration mode.

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

Step 3

class { class-name| class-default}

Example:


Device(config-pmap)# class test_1000
Device(config-pmap-c)#

Specifies the name of the class whose policy you want to create or change.

You can also create a system default class for unclassified packets.

Step 4

admit

Example:


Device(config-pmap-c)# admit cac wmm-tspec
Device(config-pmap-c)#

(Optional) Admits the request for Call Admission Control (CAC). For a more detailed example of this command and its usage, see Configuring Call Admission Control (CLI).

Note

This command only configures CAC for wireless QoS.

Step 5

bandwidth { kb/s kb/s value | percent percentage|remaining {percent | ratio}}

Example:


Device(config-pmap-c)# bandwidth 50
Device(config-pmap-c)#

(Optional) Sets the bandwidth using one of the following:

kb/s—Kilobits per second, enter a value between 20000 and 10000000 for Kb/s.
percent—Enter the percentage of the total bandwidth to be used for this policy map.
remaining—Enter the percentage ratio of the remaining bandwidth.

For a more detailed example of this command and its usage, see Configuring Bandwidth (CLI).

Step 6

exit

Example:


Device(config-pmap-c)# exit
Device(config-pmap-c)#

(Optional) Exits from QoS class action configuration mode.

Step 7

netflow-sampler

Example:

Device(config-pmap-c)# netflow-sampler
Device(config-pmap-c)#

(Optional) Configures the Flexible NetFlow policy. Enter the name of the Flexible NetFlow sampler. For a more detailed example of this command and its usage, see Configuring NetFlow Sampler.

Step 8

no

Example:


Device(config-pmap-c)# no
Device(config-pmap-c)#

(Optional) Negates the command.

Step 9

police { target_bit_rate |cir | rate}

Example:


Device(config-pmap-c)# police 100000
Device(config-pmap-c)#

(Optional) Configures the policer:

target_bit_rate—Enter the bit rate per second, enter a value between 8000 and 10000000000.
cir—Committed Information Rate
rate—Specify police rate, PCR for hierarchical policies or SCR for single-level ATM 4.0 policer policies.

For a more detailed example of this command and its usage, see Configuring Police (CLI).

Step 10

priority { kb/s | level level value | percent percentage value }

Example:


Device(config-pmap-c)# priority percent 50 
Device(config-pmap-c)#

(Optional) Sets the strict scheduling priority for this class. Command options include:

kb/s—Kilobits per second, enter a value between 1 and 2000000.
level—Establishes a multi-level priority queue. Enter a value (1 or 2).
percent—Enter a percent of the total bandwidth for this priority.

For a more detailed example of this command and its usage, see Configuring Priority (CLI).

Step 11

queue-buffers ratio ratio limit

Example:


Device(config-pmap-c)# queue-buffers ratio 10
Device(config-pmap-c)#

(Optional) Configures the queue buffer for the class. Enter the queue buffers ratio limit (0 to 100).

For a more detailed example of this command and its usage, see Configuring Queue Buffers (CLI).

Step 12

queue-limit { packets | cos | dscp | percent}

Example:


Device(config-pmap-c)# queue-limit cos 7 percent 50
Device(config-pmap-c)#

(Optional) Specifies the queue maximum threshold for the tail drop:

packets—Packets by default, enter a value between 1 to 2000000.
cos—Enter the parameters for each COS value.
dscp—Enter the parameters for each DSCP value.
percent—Enter the percentage for the threshold.

For a more detailed example of this command and its usage, see Configuring Queue Limits (CLI).

Step 13

service-policy policy-map name

Example:


Device(config-pmap-c)# service-policy test_2000
Device(config-pmap-c)#

(Optional) Configures the QoS service policy.

Step 14

set { cos | dscp | ip | precedence | qos-group | wlan}

Example:


Device(config-pmap-c)# set cos 7
Device(config-pmap-c)#

(Optional) Sets the QoS values. Possible QoS configuration values include:

cos—Sets the IEEE 802.1Q/ISL class of service/user priority.
dscp—Sets DSCP in IP(v4) and IPv6 packets.
ip—Sets IP specific values.
precedence—Sets precedence in IP(v4) and IPv6 packet.
qos-group—Sets the QoS Group.
wlan—Sets the WLAN user-priority.

Step 15

shape average { target _bit_rate| percent}

Example:


Device(config-pmap-c) #shape average percent 50
Device(config-pmap-c) #

(Optional) Sets the traffic shaping. Command parameters include:

target_bit_rate—Target bit rate.
percent—Percentage of interface bandwidth for Committed Information Rate.

For a more detailed example of this command and its usage, see Configuring Shaping (CLI).

Step 16

end

Example:


Device(config-pmap-c) #end
Device(config-pmap-c) #

Saves the configuration changes.

What to do next

Configure the interface.

Configuring Client Policies (GUI)

Procedure

Step 1

Choose Configuration > Wireless.

Step 2

Expand the QoS node by clicking on the left pane and choose QOS-Policy.

The QOS-Policy page is displayed.

Step 3

Click Add New to create a new QoS Policy.

The Create QoS Policy page is displayed.

Step 4

Select Client from the Policy Type drop-down menu.

Step 5

Select the direction into which the policy needs to be applied from the Policy Direction drop-down menu.

The available options are:

Ingress
Egress

Step 6

Specify a policy name in the Policy Name text box.

Step 7

Provide a description to the policy in the Description text box.

Step 8

(Optional) Configure the default voice or video configuration parameters by checking the Enable Voice or Enable Video checkbox.

The following options are available:

Trust—Specify the classification type behavior on this policy. The options available are:
- DSCP—Assigns a label to indicate the given quality of service. The range is from 0 to 63.
- User Priority—This option is available when the Policy Direction is ingress. Enter the 802.11e user priority. The range is from 0 to 7.
- COS—This option is available when the Policy Direction is egress. Matches IEEE 802.1Q class of service. The range is from 0 to 7.
Mark—Specify the marking label for each packet. The following options are available:
- DSCP—Assigns a label to indicate the given quality of service. The range is from 0 to 63.
- CoS—Matches IEEE 802.1Q class of service. The range is from 0 to 7.
- User Priority—Enter the 802.11e user priority. The range is from 0 to 7.
Police(kbps)—Specify the policing rate in kbps.

Note

The marking and policing options are optional.

Step 9

Specify the Class-default parameters.

The following options are available:

Mark—Specify the marking label for each packet. The following options are available:
- DSCP—Assigns a label to indicate the given quality of service. The range is from 0 to 63.
- CoS—Matches IEEE 802.1Q class of service. The range is from 0 to 7.
- User Priority—Enter the 802.11e user priority. The range is from 0 to 7.

Police (kbps)—This option is available when the Policy Direction is egress. This option Specify the policing rate in kbps.

Note

You can choose either Mark or Police action for the class-default class when creating an egress client policy.

Step 10

(Optional) To configure the AVC class map for a client policy, check the Enable Application Recognition check box

Note

For an egress client policy, when you enable Application Recognition, the Voice, Video, and User Defined check boxes are disabled.

The following options are available:

Trust—Specify a classification type for this policy.
- Protocol—Allows you to choose the protocols and configure the marking and policing of the packets.
- Category—Allows you to choose the category of the application. For example, browsing.
- Subcategory—Allows you to choose the subcategory of the application. For example, file-sharing.
- Application-Group—Allows you to choose the application group. For example, ftp-group.
Protocol Choice—Choose the protocols, category, subcategory, or application group from the Available Protocols list into the Assigned Protocols to apply the marking and policing of the packets.
Mark—Specify the marking label for each packet. The following options are available:
- DSCP—Assigns a label to indicate the given quality of service. The range is from 0 to 63.
- CoS—Matches IEEE 802.1Q class of service. The range is from 0 to 7.
- None—Choose this option when you do not want to mark the packets.

Police (kbps)—Specifies the policing rate in kbps. This option is available when the Policy Direction is egress.
Drop—Drops the ingress packets that correspond to the chosen protocols.

Step 11

(Optional) To configure user defined classes, check the User Defined Classes checkbox.

The following options are available:

Trust—Specify the classification type behavior on this policy.
- DSCP—Assigns a label to indicate the given quality of service. The range is from 0 to 63.
- User Priority—This option is available when the Policy Direction is ingress. Enter the 802.11e user priority. The range is from 0 to 7.
- COS—This option is available when the Policy Direction is egress. Matches IEEE 802.1Q class of service. The range is from 0 to 7.
Mark—Specify the marking label for each packet. The following options are available:
- DSCP—Assigns a label to indicate the given quality of service. The range is from 0 to 63.
- CoS—Matches IEEE 802.1Q class of service. The range is from 0 to 7.
- User Priority—Enter the 802.11e user priority. The range is from 0 to 7.

Police (kbps)—This option is available when the Policy Direction is egress. This option specifies the policing rate in kbps.

Note

You can add a maximum of five user-defined classes for each client policy.

Step 12

Click Add to add the policy.

Configuring Client Policies

You can configure client policies using one of the following methods:


Method	Topic/Details
Default client policies	The wireless control module of the applies the default client policies when admission control (ACM) is enabled for WMM clients. When ACM is disabled, there is no default client policy. The default policies are: Ingress—cldeffromWMM Egress—cldeftoWMM You can verify if ACM is enabled by using the show ap dot11 `{` 5ghz`\|`24ghz`}` command. To enable ACM, use the ap dot11 `{` 5ghz`\|`24ghz`}` cac voice acm command.
Apply the client policy on the WLAN using the GUI.	Configuring Client Policies (GUI)
Apply the client policy on the WLAN using the CLI.	Applying an SSID or Client Policy on a WLAN
Apply the QoS attributes policy using a local profiling policy using the CLI.	Applying a Local Policy for a Device on a WLAN (CLI)
Apply the QoS attributes policy using a local profiling policy using the GUI.	Choose Configuration > Security > Local Policies to create a local profiling policy. Choose Configuration > Wireless > WLAN > Policy Mapping to apply a local profiling policy on a WLAN. For more information, see Applying Local Policies to WLAN (GUI)
Apply policy map through a AAA server (ACS/ISE)	Cisco Identity Services Engine User Guide Cisco Secure Access Control System User Guide

Configuring Class-Based Packet Marking (CLI)

This procedure explains how to configure the following class-based packet marking features on your :

CoS value
DSCP value
IP value
Precedence value
QoS group value
WLAN value

Before you begin

You should have created a class map and a policy map before beginning this procedure.

SUMMARY STEPS

configure terminal
policy-map policy name
class class name
set cos {cos value | cos table table-map name | dscp tabletable-map name | precedence table table-map name | qos-group table table-map name | wlan user-priority table table-map name}
set dscp {dscp value | default | dscp tabletable-map name | ef | precedence table table-map name | qos-group table table-map name | wlan user-priority table table-map name}
set ip {dscp | precedence}
set precedence {precedence value | cos table table-map name | dscp tabletable-map name | precedence table table-map name | qos-group table table-map name}
set qos-group {qos-group value | dscp tabletable-map name | precedence table table-map name}
set wlan user-priority {wlan user-priority value | cos table table-map name | dscp tabletable-map name | qos-group table table-map name | wlan table table-map name}
end
show policy-map

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 2

policy-map policy name

Example:


Device(config)# policy-map policy1
Device(config-pmap)#

Enters policy map configuration mode.

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

Step 3

class class name

Example:


Device(config-pmap)# class class1
Device(config-pmap-c)#

Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change.

Command options for policy class map configuration mode include the following:

admit—Admits the request for Call Admission Control (CAC).
bandwidth—Bandwidth configuration options.
exit—Exits from the QoS class action configuration mode.
netflow-sampler—NetFlow sampler configuration options.
no—Negates or sets default values for the command.
police—Policer configuration options.
priority—Strict scheduling priority configuration options for this class.
queue-buffers—Queue buffer configuration options.
queue-limit—Queue maximum threshold for Weighted Tail Drop (WTD) configuration options.
service-policy—Configures the QoS service policy.
set—Sets QoS values using the following options:
- CoS values
- DSCP values
- Precedence values
- QoS group values
- WLAN values
shape—Traffic-shaping configuration options.

Note

This procedure describes the available configurations using set command options. The other command options (admit , bandwidth , etc.) are described in other sections of this guide. Although this task lists all of the possible set commands, only one set command is supported per class.

Step 4

set cos {cos value | cos table table-map name | dscp tabletable-map name | precedence table table-map name | qos-group table table-map name | wlan user-priority table table-map name}

Example:


Device(config-pmap)# set cos 5
Device(config-pmap)#

(Optional) Sets the specific IEEE 802.1Q Layer 2 CoS value of an outgoing packet. Values are from 0 to7.

You can also set the following values using the set cos command:

cos table—Sets the CoS value based on a table map.
dscp table—Sets the code point value based on a table map.
precedence table—Sets the code point value based on a table map.
qos-group table—Sets the CoS value from QoS group based on a table map.
wlan user-priority table—Sets the CoS value from the WLAN user priority based on a table map.

Step 5

set dscp {dscp value | default | dscp tabletable-map name | ef | precedence table table-map name | qos-group table table-map name | wlan user-priority table table-map name}

Example:


Device(config-pmap)# set dscp af11
Device(config-pmap)#

(Optional) Sets the DSCP value.

In addition to setting specific DSCP values, you can also set the following using the set dscp command:

default—Matches packets with default DSCP value (000000).
dscp table—Sets the packet DSCP value from DSCP based on a table map.
ef—Matches packets with EF DSCP value (101110).
precedence table—Sets the packet DSCP value from precedence based on a table map.
qos-group table—Sets the packet DSCP value from a QoS group based upon a table map.
wlan user-priority table—Sets the packet DSCP value based upon a WLAN user-priority based upon a table map.

Step 6

set ip {dscp | precedence}

Example:


Device(config-pmap)# set ip dscp c3
Device(config-pmap)#

(Optional) Sets IP specific values. These values are either IP DSCP or IP precedence values.

You can set the following values using the set ip dscp command:

dscp value—Sets a specific DSCP value.
default—Matches packets with default DSCP value (000000).
dscp table—Sets the packet DSCP value from DSCP based on a table map.
ef—Matches packets with EF DSCP value (101110).
precedence table—Sets the packet DSCP value from precedence based on a table map.
qos-group table—Sets the packet DSCP value from a QoS group based upon a table map.
wlan user-priority table—Sets the packet DSCP value based upon a WLAN user-priority based upon a table map.

You can set the following values using the set ip precedence command:

precedence value—Sets the precedence value (from 0 to 7) .
cos table—Sets the packet precedence value from Layer 2 CoS based on a table map.
dscp table—Sets the packet precedence from DSCP value based on a table map.
precedence table—Sets the precedence value from precedence based on a table map
qos-group table—Sets the precedence value from a QoS group based upon a table map.

Step 7

set precedence {precedence value | cos table table-map name | dscp tabletable-map name | precedence table table-map name | qos-group table table-map name}

Example:


Device(config-pmap)# set precedence 5
Device(config-pmap)#

(Optional) Sets precedence values in IPv4 and IPv6 packets.

You can set the following values using the set precedence command:

precedence value—Sets the precedence value (from 0 to 7) .
cos table—Sets the packet precedence value from Layer 2 CoS on a table map.
dscp table—Sets the packet precedence from DSCP value on a table map.
precedence table—Sets the precedence value from precedence based on a table map.
qos-group table—Sets the precedence value from a QoS group based upon a table map.

Step 8

set qos-group {qos-group value | dscp tabletable-map name | precedence table table-map name}

Example:


Device(config-pmap)# set qos-group 10
Device(config-pmap)#

(Optional) Sets QoS group values. You can set the following values using this command:

qos-group value—A number from 1 to 31.
dscp table—Sets the code point value from DSCP based on a table map.
precedence table—Sets the code point value from precedence based on a table map.

Step 9

set wlan user-priority {wlan user-priority value | cos table table-map name | dscp tabletable-map name | qos-group table table-map name | wlan table table-map name}

Example:


Device(config-pmap)# set wlan user-priority 1
Device(config-pmap)#

(Optional) Sets the WLAN user priority value. You can set the following values using this command:

wlan user-priority value—A value between 0 to 7.
cos table—Sets the WLAN user priority value from CoS based on a table map.
dscp table—Sets the WLAN user priority value from DSCP based on a table map.
qos-group table—Sets the WLAN user priority value from QoS group based on a table map.
wlan table—Sets the WLAN user priority value from the WLAN user priority based on a table map.

Step 10

end

Example:


Device(config-pmap)# end
Device#

Saves configuration changes.

Step 11

show policy-map

Example:


Device# show policy-map

(Optional) Displays policy configuration information for all classes configured for all service policies.

What to do next

Attach the traffic policy to an interface using the service-policy command.

Configuring Class Maps for Voice and Video (CLI)

To configure class maps for voice and video traffic, follow these steps:

SUMMARY STEPS

configure terminal
class-map class-map-name
match dscp dscp-value-for-voice
end
configure terminal
class-map class-map-name
match dscp dscp-value-for-video
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 2	class-map `class-map-name` Example: `Device(config)# class-map voice`	Creates a class map.
Step 3	match dscp `dscp-value-for-voice` Example: `Device(config-cmap)# match dscp 46`	Matches the DSCP value in the IPv4 and IPv6 packets. Set this value to 46.
Step 4	end Example: `Device(config)# end`	Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Step 5	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 6	class-map `class-map-name` Example: `Device(config)# class-map video`	Configures a class map.
Step 7	match dscp `dscp-value-for-video` Example: `Device(config-cmap)# match dscp 34`	Matches the DSCP value in the IPv4 and IPv6 packets. Set this value to 34.
Step 8	end Example: `Device(config)# end`	Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Attaching a Traffic Policy to an Interface (CLI)

After the traffic class and traffic policy are created, you must use the service-policy interface configuration command to attach a traffic policy to an interface, and to specify the direction in which the policy should be applied (either on packets coming into the interface or packets leaving the interface).

Before you begin

A traffic class and traffic policy must be created before attaching a traffic policy to an interface.

SUMMARY STEPS

configure terminal
interface type
service-policy {input policy-map | output policy-map type control subscriber }
end
show policy map

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 2

interface type

Example:


Device(config)# interface GigabitEthernet1/0/1
Device(config-if)#

Enters interface configuration mode and configures an interface.

Command parameters for the interface configuration include:

Auto Template— Auto-template interface
Capwap—CAPWAP tunnel interface
GigabitEthernet—Gigabit Ethernet IEEE 802
GroupVI—Group virtual interface
Internal Interface— Internal interface
Loopback—Loopback interface
Null—Null interface
Port-channel—Ethernet Channel of interface
TenGigabitEthernet—10-Gigabit Ethernet
Tunnel—Tunnel interface
Vlan—Catalyst VLANs
Range—Interface range

Step 3

service-policy {input policy-map | output policy-map type control subscriber }

Example:


Device(config-if)# service-policy output policy_map_01
Device(config-if)#

Attaches a policy map to an input or output interface. This policy map is then used as the service policy for that interface.

Note

The type control subscriber command option is not supported on thedevice .

In this example, the traffic policy evaluates all traffic leaving that interface.

Step 4

end

Example:


Device(config-if)# end
Device#

Saves configuration changes.

Step 5

show policy map

Example:


Device# show policy map

(Optional) Displays statistics for the policy on the specified interface.

What to do next

Proceed to attach any other traffic policy to an interface, and to specify the direction in which the policy should be applied.

Configuring SSID Policies (GUI)

Procedure

Step 1

Choose Configuration > Wireless.

Step 2

Expand the QoS node by clicking on the left pane and choose QOS-Policy.

The Create QoS Policy page is displayed.

Step 3

Click Add New to create a new QoS Policy.

The QoS Policy page is displayed.

Step 4

Select SSID from the Policy Type drop-down menu.

Step 5

Select the direction into which the policy needs to be applied from the Policy Direction drop-down list.

The available options are:

Ingress
Egress

Note

Voice and video configurations are available only in the egress direction.

Note

When creating an egress SSID policy for voice and video classes, if the port_child_policy is already configured with voice and video classes having priority level, the existing port_child_policy is used. If a port_child_policy does not exist with voice and video classes, the switch will create voice and video classes with priority levels 1 and 2 under port_child_policy for voice and video traffic.

Step 6

Specify a policy name in the Policy Name text box.

Step 7

Provide a description to the policy in the Description text box.

Step 8

Select the trust parameter from the Trust drop-down list.

The following options are available:

DSCP— Assigns a label to indicate the given quality of service as DSCP.
COS—Matches IEEE 802.1Q class of service. This option is not available when the Policy Direction is ingress.
User Priority—Enter the 802.11e user priority. This option is not available when the Policy Direction is egress.
None—This option is available when the Policy Direction is egress. This option is available only for egress policies.

Step 9

If you chose Egress policy above, the following options are available:

Bandwidth—Specifies the bandwidth rate. The following options are available:

Rate—Specifies the bandwidth in kbps. Enter a value in kbps in the Value field.
Remaining Ratio—Specifies the bandwidth in BRR (bandwidth remaining ratio). Enter the percentage in the Percent field.

Note

If you choose the Rate option for the Bandwidth parameter, this value must be greater than the sum of the policing values for voice and video traffic.

.

Enable Voice—Check the Enable Voice check box to enable voice traffic on this policy. Specify the following properties:

Priority—Sets the priority for this policy for strict scheduling. The priority level is set to 1.
Police (kbps)—Specifies the police rate in Kilobits per second.

CAC—Enables or disables CAC. If CAC is enabled, you must specify the following options:

User priorityThis option is available when the Policy Direction is ingress. Enter the 802.11e user priority. The range is from 0 to 7. By default, a value of 6 is assigned.

Rate(kbps)

Note

The CAC rate must be less than the police rate.

Enable Video—Check the Enable Video check box to enable video traffic on this policy. Specify the following properties:

Priority—Sets the priority for this policy for strict scheduling.
Police (kbps)—Specifies the police rate in kilobits per second.

Step 10

Click Apply.

Applying an SSID or Client Policy on a WLAN (CLI)

Before you begin

You must have a service-policy map configured before applying it on an SSID.

SUMMARY STEPS

configure terminal
wlan profile-name
service-policy [ input | output ] policy-name
service-policy client [ input | output ] policy-name
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 2	wlan `profile-name` Example: `Device# wlan test4`	Enters the WLAN configuration submode. The `profile-name` is the profile name of the configured WLAN.
Step 3	service-policy [ input \| output ] `policy-name` Example: `Device(config-wlan)# service-policy input policy-map-ssid`	Applies the policy. The following options are available: input — Assigns the policy map to WLAN ingress traffic. output — Assigns the policy map to WLAN egress traffic.
Step 4	service-policy client [ input \| output ] `policy-name` Example: `Device(config-wlan)# service-policy client input policy-map-client`	Applies the policy. The following options are available: input — Assigns the client policy for ingress direction on the WLAN. output — Assigns the client policy for egress direction on the WLAN.
Step 5	end Example: `Device(config)# end`	Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps (CLI)

You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on. Actions supported are remarking and policing.

Before you begin

You should have already decided upon the classification, policing, and marking of your network traffic by policy maps prior to beginning this procedure.

SUMMARY STEPS

configure terminal
class-map { class-map name | match-any |type}
match access-group { access list index | access list name }
policy-map policy-map-name
class {class-map-name | class-default}
set { cos | dscp | ip | precedence | qos-group | wlan user-priority}
police { target_bit_rate |cir | rate }
exit
exit
interface interface-id
service-policy input policy-map-name
end
show policy-map [policy-map-name [class class-map-name]]
copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `Device# configure terminal`	Enters the global configuration mode.
Step 2	class-map `{` `class-map name` `\|` match-any `\|`type`}` Example: `Device(config)# class-map ipclass1 Device(config-cmap)# exit Device(config)#`	Enters class map configuration mode. Creates a class map to be used for matching packets to the class whose name you specify. If you specify match-any, one of the match criteria must be met for traffic entering the traffic class to be classified as part of the traffic class. This is the default.
Step 3	match access-group { `access list index` \| `access list name` } Example: `Device(config-cmap)# match access-group 1000 Device(config-cmap)# exit Device(config)#`	Specifies the classification criteria to match to the class map. You can match on the following criteria: access-group—Matches to access group. class-map—Matches to another class map. cos—Matches to a CoS value. dscp—Matches to a DSCP value. ip—Matches to a specific IP value. non-client-nrt—Matches non-client NRT. precedence—Matches precedence in IPv4 and IPv6 packets. qos-group—Matches to a QoS group. vlan—Matches to a VLAN. wlan—Matches to a wireless LAN.
Step 4	policy-map `policy-map-name` Example: `Device(config)# policy-map flowit Device(config-pmap)#`	Creates a policy map by entering the policy map name, and enters policy-map configuration mode. By default, no policy maps are defined.
Step 5	class {`class-map-name` \| class-default} Example: `Device(config-pmap)# class ipclass1 Device(config-pmap-c)#`	Defines a traffic classification, and enter policy-map class configuration mode. By default, no policy map class-maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for `class-map-name` in this command. A class-default traffic class is predefined and can be added to any policy. It is always placed at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default .
Step 6	set `{` cos `\|` dscp `\|` ip `\|` precedence `\|` qos-group `\|` wlan user-priority`}` Example: `Device(config-pmap-c)# set dscp 45 Device(config-pmap-c)#`	(Optional) Sets the QoS values. Possible QoS configuration values include: cos—Sets the IEEE 802.1Q/ISL class of service/user priority. dscp—Sets DSCP in IP(v4) and IPv6 packets. ip—Sets IP specific values. precedence—Sets precedence in IP(v4) and IPv6 packet. qos-group—Sets QoS group. wlan user-priority—Sets WLAN user priority. In this example, the set dscp command classifies the IP traffic by setting a new DSCP value in the packet.
Step 7	police `{` `target_bit_rate` `\|`cir `\|` rate `}` Example: `Device(config-pmap-c)# police 100000 conform-action transmit exceed-action drop Device(config-pmap-c)#`	(Optional) Configures the policer: target_bit_rate—Specifies the bit rate per second, enter a value between 8000 and 10000000000. cir—Committed Information Rate. rate—Specifies the police rate, PCR for hierarchical policies, or SCR for single-level ATM 4.0 policer policies. In this example, the police command adds a policer to the class where any traffic beyond the 100000 set target bit rate is dropped.
Step 8	exit Example: `Device(config-pmap-c)# exit`	Returns to policy map configuration mode.
Step 9	exit Example: `Device(config-pmap)# exit`	Returns to global configuration mode.
Step 10	interface `interface-id` Example: `Device(config)# interface gigabitethernet 2/0/1`	Specifies the port to attach to the policy map, and enters interface configuration mode. Valid interfaces include physical ports.
Step 11	service-policy input `policy-map-name` Example: `Device(config-if)# service-policy input flowit`	Specifies the policy-map name, and applies it to an ingress port. Only one policy map per ingress port is supported.
Step 12	end Example: `Device(config-if)# end`	Returns to privileged EXEC mode.
Step 13	show policy-map [`policy-map-name` [class `class-map-name`]] Example: `Device# show policy-map`	(Optional) Verifies your entries.
Step 14	copy running-config startup-config Example: `Device# copy-running-config startup-config`	(Optional) Saves your entries in the configuration file.

What to do next

If applicable to your QoS configuration, configure classification, policing, and marking of traffic on SVIs by using policy maps.

Classifying, Policing, and Marking Traffic on SVIs by Using Policy Maps (CLI)

Before you begin

You should have already decided upon the classification, policing, and marking of your network traffic by using policy maps prior to beginning this procedure.

SUMMARY STEPS

configure terminal
class-map { class-map name | match-any |type}
match vlan vlan number
policy-map policy-map-name
description description
class {class-map-name | class-default}
set { cos | dscp | ip | precedence | qos-group | wlan user-priority}
police { target_bit_rate |cir | rate}
exit
exit
interface interface-id
service-policy input policy-map-name
end
show policy-map [policy-map-name [class class-map-name]]
copy running-config startup-config

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 2

class-map { class-map name | match-any |type}

Example:


Device(config)# class-map class_vlan100

Enters class map configuration mode.

Creates a class map to be used for matching packets to the class whose name you specify.
If you specify match-any, one of the match criteria must be met for traffic entering the traffic class to be classified as part of the traffic class. This is the default.

Step 3

match vlan vlan number

Example:


Device(config-cmap)# match vlan 100
Device(config-cmap)# exit
Device(config)#

Specifies the VLAN to match to the class map.

Note

The device installs the policy only if the lowest value in the VLAN range is configured on the device. For example, if the VLAN range is 100 to 200, VLAN with ID 100 must be configured on the device. If you have any of the other VLANs with ID starting from 101 to 200 configured on the device, the policy will not be installed on the device. This check is only performed when you install or reinstall a policy. You can delete all the VLANs after the policy is installed. The policy will continue to work.

Step 4

policy-map policy-map-name

Example:


Device(config)# policy-map policy_vlan100
Device(config-pmap)#

Creates a policy map by entering the policy map name, and enters policy-map configuration mode.

By default, no policy maps are defined.

Step 5

description description

Example:


Device(config-pmap)# description vlan 100

(Optional) Enters a description of the policy map.

Step 6

class {class-map-name | class-default}

Example:


Device(config-pmap)# class class_vlan100
Device(config-pmap-c)#

Defines a traffic classification, and enters the policy-map class configuration mode.

By default, no policy map class-maps are defined.

If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.

A class-default traffic class is predefined and can be added to any policy. It is always placed at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default .

Step 7

set { cos | dscp | ip | precedence | qos-group | wlan user-priority}

Example:


Device(config-pmap-c)# set dscp af23
Device(config-pmap-c)#

(Optional) Sets the QoS values. Possible QoS configuration values include:

cos—Sets the IEEE 802.1Q/ISL class of service/user priority.
dscp—Sets DSCP in IP(v4) and IPv6 packets.
ip—Sets IP specific values.
precedence—Sets precedence in IP(v4) and IPv6 packet.
qos-group—Sets QoS group.
wlan user-priority—Sets WLAN user-priority.

In this example, the set dscp command classifies the IP traffic by matching the packets with a DSCP value of AF23 (010010).

Step 8

police { target_bit_rate |cir | rate}

Example:


Device(config-pmap-c)# police 200000 conform-action transmit 
exceed-action drop
Device(config-pmap-c)#

(Optional) Configures the policer:

target_bit_rate—Specifies the bit rate per second. Enter a value between 8000 and 10000000000.
cir—Committed Information Rate.
rate—Specifies the police rate, PCR for hierarchical policies, or SCR for single-level ATM 4.0 policer policies.

In this example, the police command adds a policer to the class where any traffic beyond the 200000 set target bit rate is dropped.

Step 9

exit

Example:


Device(config-pmap-c)# exit

Returns to policy map configuration mode.

Step 10

exit

Example:


Device(config-pmap)# exit

Returns to global configuration mode.

Step 11

interface interface-id

Example:


Device(config)# interface 
gigabitethernet 1/0/3

Specifies the port to attach to the policy map, and enters interface configuration mode.

Valid interfaces include physical ports.

Step 12

service-policy input policy-map-name

Example:


Device(config-if)# service-policy 
input policy_vlan100

Specifies the policy-map name, and applies it to an ingress port. Only one policy map per ingress port is supported.

Step 13

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Step 14

show policy-map [policy-map-name [class class-map-name]]

Example:


Device# show policy-map

(Optional) Verifies your entries.

Step 15

copy running-config startup-config

Example:


Device# copy-running-config 
startup-config

(Optional) Saves your entries in the configuration file.

Configuring Table Maps (CLI)

Table maps are a form of marking, and also enable the mapping and conversion of one field to another using a table. For example, a table map can be used to map and convert a Layer 2 CoS setting to a precedence value in Layer 3.

Note

A table map can be referenced in multiple policies or multiple times in the same policy.

SUMMARY STEPS

configure terminal
table-map name {default {default value | copy | ignore} | exit | map {from from value to to value } | no}
map from value to value
exit
exit
show table-map
configure terminal
policy-map
class class-default
set cos dscp table table map name
end

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 2

table-map name {default {default value | copy | ignore} | exit | map {from from value to to value } | no}

Example:


Device(config)# table-map table01
Device(config-tablemap)#

Creates a table map and enters the table map configuration mode. In table map configuration mode, you can perform the following tasks:

default—Configures the table map default value, or sets the default behavior for a value not found in the table map to copy or ignore.
exit—Exits from the table map configuration mode.
map—Maps a from to a to value in the table map.
no—Negates or sets the default values of the command.

Step 3

map from value to value

Example:


Device(config-tablemap)# map from 0 to 2
Device(config-tablemap)# map from 1 to 4
Device(config-tablemap)# map from 24 to 3
Device(config-tablemap)# map from 40 to 6 
Device(config-tablemap)# default 0
Device(config-tablemap)#

In this step, packets with DSCP values 0 are marked to the CoS value 2, DSCP value 1 to the CoS value 4, DSCP value 24 to the CoS value 3, DSCP value 40 to the CoS value 6 and all others to the CoS value 0.

Note

The mapping from CoS values to DSCP values in this example is configured by using the set policy map class configuration command as described in a later step in this procedure.

Step 4

exit

Example:


Device(config-tablemap)# exit
Device(config)#

Returns to global configuration mode.

Step 5

exit

Example:


Device(config) exit
Device#

Returns to privileged EXEC mode.

Step 6

show table-map

Example:


Device# show table-map
Table Map table01
    from 0 to 2
    from 1 to 4
    from 24 to 3
    from 40 to 6
    default 0

Displays the table map configuration.

Step 7

configure terminal

Example:


Device# configure terminal
Device(config)#

Enters global configuration mode.

Step 8

policy-map

Example:


Device(config)# policy-map table-policy
Device(config-pmap)#

Configures the policy map for the table map.

Step 9

class class-default

Example:


Device(config-pmap)# class  class-default
Device(config-pmap-c)#

Matches the class to the system default.

Step 10

set cos dscp table table map name

Example:


Device(config-pmap-c)# set cos dscp table table01
Device(config-pmap-c)#

If this policy is applied on input port, that port will have trust DSCP enabled on that port and marking will take place depending upon the specified table map.

Step 11

end

Example:


Device(config-pmap-c)# end
Device#

Returns to privileged EXEC mode.

What to do next

Configure any additional policy maps for QoS for your network. After creating your policy maps, attach the traffic policy or polices to an interface using the service-policy command.

Configuring Trust Behavior for the Device Type

This procedure explains how to configure trust for one or more device classes within your network configuration.

Before you begin

There are two types of trust behavior supported on the :

Trust QoS at the policy level—You can configure trust for individual packets by creating specific policy maps and applying them on an interface. If you do not configure a specific policy map, then the default is to trust DSCP.
Trust devices at the interface level—You can configure trust for the device using the trust device interface configuration command.

Note

The default mode on an interface is trusted and changes to untrusted only when an untrusted device is detected. In the untrusted mode, the DSCP, IP precedence, or CoS value is reset to 0.

SUMMARY STEPS

configure terminal
interface type
trust device { cisco-phone | cts | ip-camera | media-player }
end
show interface status

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `Device# configure terminal`	Enters the global configuration mode.
Step 2	interface `type` Example: `Device(config)# interface GigabitEthernet1/0/1 Device(config-if)#`	Enters interface configuration mode and configures an interface. Command parameters for the interface configuration include: Auto Template— Auto-Template interface Capwap—Capwap tunnel interface GigabitEthernet—Gigabit Ethernet IEEE 802 GroupVI—Group virtual interface Internal Interface—Internal interface Loopback—Loopback interface Null—Null interface Port-channel—Ethernet Channel of interface TenGigabitEthernet—10-Gigabit Ethernet Tunnel—Tunnel interface Vlan—Catalyst VLANs range—interface range
Step 3	trust device { cisco-phone \| cts \| ip-camera \| media-player } Example: `Device(config-if)# trust device cisco-phone Device(config-if)#`	Configures the trust value for the interface. You can configure trust for the following supported devices: cisco-phone—Cisco IP Phone cts—Cisco TelePresence system ip-camera—IPVSC media-player—DMP
Step 4	end Example: `Device(config-if)# end Device#`	Saves configuration changes.
Step 5	show interface status Example: `Device# show interface status Device#`	(Optional) Displays the configured interface's status.

What to do next

Connect the trusted device to the appropriately configured trusted port on the .

Configuring Trust Behavior for Wireless Traffic (CLI)

The Cisco IOS XE 3.2 Release supported different trust defaults for wired and wireless ports. The trust default for wired ports was the same as for this software release. For wireless ports, the default system behavior was non-trust, which meant that when the came up, all markings for the wireless ports were defaulted to zero and no traffic received priority treatment. For compatibility with an existing wired , all traffic went to the best-effort queue by default. The access point performed priority queuing by default. In the downstream direction, the access point maintained voice, video, best-effort, and background queues for queuing. The access selected the queuing strategy based on the 11e tag information. By default, the access point treated all wireless packets as best effort.

SUMMARY STEPS

configure terminal
qos wireless-default-untrust
end

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

qos wireless-default-untrust

Example:

Device (config)# qos wireless-default-untrust

Configures the behavior of the device to untrust wireless traffic. To configure the device to trust wireless traffic by default, use the no form of the command.

Step 3

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Call Admission Control (CLI)

This task explains how to configure class-based, unconditional packet marking features on your device for Call Admission Control (CAC).

SUMMARY STEPS

configure terminal
class-map class name
match dscp dscp value
exit
class-map class name
match dscp dscp value
exit
table-map name
default copy
exit
table-map name
default copy
map from value to value
exit
policy-map policy name
class class-map-name
priority level level_value
police [ target_bit_rate |cir | rate ]
admit cac wmm-tspec
rate value
wlan-up value
exit
exit
class class name
priority level level_value
police [ target_bit_rate |cir | rate ]
admit cac wmm-tspec
rate value
wlan-up value
exit
exit
policy-map policy name
class class-map-name
set dscp dscp table table_map_name
set wlan user-priority dscp table table_map_name
shape average {target bit rate| percent percentage}
queue-buffers {ratio ratio value}
service-policy policy_map_name
end
show policy-map

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 2

class-map class name

Example:


Device(config)# class-map voice
Device(config-cmap)#

Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:

word—Class map name.
class-default—System default class matching any otherwise unclassified packets.

Step 3

match dscp dscp value

Example:


Device(config-cmap)#  match dscp 46

(Optional) Matches the DSCP values in IPv4 and IPv6 packets.

Step 4

exit

Example:


Device(config-cmap)# exit
Device(config)#

Returns to global configuration mode.

Step 5

class-map class name

Example:


Device(config)# class-map video
Device(config-cmap)#

Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:

word—Class map name.
class-default—System default class matching any otherwise unclassified packets.

Step 6

match dscp dscp value

Example:


Device(config-cmap)#  match dscp 34

(Optional) Matches the DSCP values in IPv4 and IPv6 packets.

Step 7

exit

Example:


Device(config-cmap)# exit
Device(config)#

Returns to global configuration mode.

Step 8

table-map name

Example:


Device(config)# table-map  dscp2dscp
Device(config-tablemap)#

Creates a table map and enters the table map configuration mode.

Step 9

default copy

Example:


Device(config-tablemap)# default copy

Sets the default behavior for value not found in the table map to copy.

Note

This is the default option. You can also do a mapping of values for DSCP to DSCP.

Step 10

exit

Example:


Device(config-tablemap)# exit
Device(config)#

Returns to global configuration mode.

Step 11

table-map name

Example:


Device(config)# table-map dscp2up
Device(config-tablemap)#

Creates a new table map and enters the table map configuration mode.

Step 12

default copy

Example:


Device(config-tablemap)# default copy

Sets the default behavior for value not found in the table map to copy.

Note

This is the default option. You can also do a mapping of values for DSCP to UP.

Step 13

map from value to value

Example:


Device(config-tablemap)# map from 0 to 0
Device(config-tablemap)# map from 1 to 8
Device(config-tablemap)# map from 2 to 8
Device(config-tablemap)# map from 3 to 0
Device(config-tablemap)# map from 4 to 24 
Device(config-tablemap)# map from 5 to 34 
Device(config-tablemap)# map from 6 to 46 
Device(config-tablemap)# map from 7 to 48  
Device(config-tablemap)# default copy
Device(config-tablemap)#

In this step, packets with DSCP values 0 are marked to the DSCP value 0, DSCP value 1 to the DSCP value 8, DSCP value 2 to the DSCP value 8, DSCP value 3 to the DSCP value 0, DSCP value 4 to DSCP value 24, DSCP value 5 to DSCP value 34, DSCP value 6 to DSCP value 46, DSCP value 7 to DSCP value 48, and all others to the default.

Note

The mapping from DSCP values to DSCP values in this example is configured by using the set policy map class configuration command as described in a later step in this procedure.

Step 14

exit

Example:


Device(config-tablemap)# exit
Device(config)#

Returns to global configuration mode.

Step 15

policy-map policy name

Example:


Device(config)#  policy-map ssid_child_cac
Device(config-pmap)#

Enters policy map configuration mode.

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

Step 16

class class-map-name

Example:


Device(config-pmap)# class voice

Defines an interface-level traffic classification, and enters policy-map configuration mode.

Step 17

priority level level_value

Example:


Device(config-pmap-c)# priority level 1

The priority command assigns a strict scheduling priority for the class.

Note

Priority level 1 is more important than priority level 2. Priority level 1 reserves bandwidth that is processed first for QoS, so its latency is very low. Both priority level 1 and 2 reserve bandwidth.

Step 18

police [ target_bit_rate |cir | rate ]

Example:

Device(config-pmap-c)#  police cir 10m

(Optional) Configures the policer:

target_bit_rate—Specifies the bit rate per second. Enter a value between 8000 and 10000000000.
cir—Committed Information Rate.
rate—Specifies the police rate, PCR for hierarchical policies, or SCR for single-level ATM 4.0 policer policies.

Step 19

admit cac wmm-tspec

Example:


Device(config-pmap-c)# admit cac wmm-tspec
Device(config-pmap-cac-wmm)#

Configures call admission control for the policy map.

Note

This command only configures CAC for wireless QoS.

Step 20

rate value

Example:


Device(config-pmap-admit-cac-wmm)# rate 5000

Configures the target bit rate (Kilo Bits per second). Enter a value from 8 to 10000000.

Step 21

wlan-up value

Example:


Device(config-pmap-admit-cac-wmm)# wlan-up 6 7

Configures the WLAN UP value. Enter a value from 0 to 7.

Step 22

exit

Example:


Device(config-pmap-admit-cac-wmm)# exit
Device(config-pmap-c)#

Returns to policy map class configuration mode.

Step 23

exit

Example:


Device(config-pmap-c)# exit
Device(config-pmap)#

Returns to policy map configuration mode.

Step 24

class class name

Example:


Device(config-pmap)# class video
Device(config-pmap-c)#

Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:

word—Class map name.
class-default—System default class matching any otherwise unclassified packets.

Step 25

priority level level_value

Example:


Device(config-pmap-c)# priority level 2

The priority command assigns a strict scheduling priority for the class.

Note

Priority level 1 is more important than priority level 2. Priority level 1 reserves bandwidth that is processed first for QoS, so its latency is very low. Both priority level 1 and 2 reserve bandwidth.

Step 26

police [ target_bit_rate |cir | rate ]

Example:

Device(config-pmap-c)#  police cir 20m

(Optional) Configures the policer:

target_bit_rate—Specifies the bit rate per second. Enter a value between 8000 and 10000000000.
cir—Committed Information Rate.
rate—Specifies the police rate, PCR for hierarchical policies, or SCR for single-level ATM 4.0 policer policies.

Step 27

admit cac wmm-tspec

Example:


Device(config-pmap-c)# admit cac wmm-tspec
Device(config-pmap-admit-cac-wmm)#

Configures call admission control for the policy map.

Note

This command only configures CAC for wireless QoS.

Step 28

rate value

Example:


Device(config-pmap-admit-cac-wmm)# rate 5000

Configures the target bit rate (Kilo Bits per second). Enter a value from 8 to 10000000.

Step 29

wlan-up value

Example:


Device(config-pmap-admit-cac-wmm)# wlan-up 4 5

Configures the WLAN UP value. Enter a value from 0 to 7.

Step 30

exit

Example:


Device(config-pmap-cac-wmm)# exit
Device(config-pmap)#

Returns to policy map configuration mode.

Step 31

exit

Example:


Device(config-pmap)# exit
Device(config)#

Returns to global configuration mode.

Step 32

policy-map policy name

Example:


Device(config)# policy-map ssid_cac
Device(config-pmap)#

Enters policy map configuration mode.

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

Step 33

class class-map-name

Example:


Device(config-pmap)# class default

Defines an interface-level traffic classification, and enters policy-map configuration mode.

In this example, the class map is set to default.

Step 34

set dscp dscp table table_map_name

Example:


Device(config-pmap-c)#  set dscp dscp table dscp2dscp

(Optional) Sets the QoS values. In this example, the set dscp dscp table command creates a table map and sets its values.

Step 35

set wlan user-priority dscp table table_map_name

Example:


Device(config-pmap-c)#   set wlan user-priority dscp table dscp2up

(Optional) Sets the QoS values. In this example, the set wlan user-priority dscp table command sets the WLAN user priority.

Step 36

shape average {target bit rate| percent percentage}

Example:


Device(config-pmap-c)# shape average 100000000

Configures the average shape rate. You can configure the average shape rate by target bit rates (bits per second) or by percentage of interface bandwidth for the Committed Information Rate (CIR).

Step 37

queue-buffers {ratio ratio value}

Example:


Device(config-pmap-c)# queue-buffers ratio 0

Configures the relative buffer size for the queue.

Note

The sum of all configured buffers in a policy must be less than or equal to 100 percent. Unallocated buffers are evenly distributed to all the remaining queues. Ensure sufficient buffers are allocated to all queues including the priority queues.

Note

Protocol Data Units (PDUs) for network control protocols such as spanning-tree and LACP utilize the priority queue or queue 0 (when a priority queue is not configured). Ensure sufficient buffers are allocated to these queues for the protocols to function.

Step 38

service-policy policy_map_name

Example:


Device(config-pmap-c)#  service-policy ssid_child_cac

Specifies the policy map for the service policy.

Step 39

end

Example:


Device(config-pmap)# end
Device#

Saves configuration changes.

Step 40

show policy-map

Example:


Device# show policy-map

(Optional) Displays policy configuration information for all classes configured for all service policies.

What to do next

Configure any additional policy maps for QoS for your network. After creating your policy maps, attach the traffic policy or polices to an interface using the service-policy command.

For additional information about CAC, refer to the System Management Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches).

For additional information about CAC, refer to the System Management Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series) .

Configuring Bandwidth (CLI)

This procedure explains how to configure bandwidth on your .

Before you begin

You should have created a class map for bandwidth before beginning this procedure.

SUMMARY STEPS

configure terminal
policy-map policy name
class class name
bandwidth {Kb/s | percent percentage | remaining { ratio ratio}}
end
show policy-map

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 2

policy-map policy name

Example:


Device(config)# policy-map policy_bandwidth01
Device(config-pmap)#

Enters policy map configuration mode.

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

Step 3

class class name

Example:


Device(config-pmap)# class class_bandwidth01
Device(config-pmap-c)#

Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:

word—Class map name.
class-default—System default class matching any otherwise unclassified packets.

Step 4

bandwidth {Kb/s | percent percentage | remaining { ratio ratio}}

Example:


Device(config-pmap-c)# bandwidth 200000
Device(config-pmap-c)#

Configures the bandwidth for the policy map. The parameters include:

Kb/s—Configures a specific value in kilobits per second (from 20000 to 10000000).
percent-—Allocates minimum bandwidth to a particular class based on a percentage. The queue can oversubscribe bandwidth in case other queues do not utilize the entire port bandwidth. The total sum cannot exceed 100 percent, and in case it is less than 100 percent, the rest of the bandwidth is equally divided along all bandwidth queues.
remaining— Allocates minimum bandwidth to a particular class. The queue can oversubscribe bandwidth in case other queues do not utilize entire port bandwidth. The total sum cannot exceed 100 percent. It is preferred to use this command when the priority command is used for certain queues in the policy. You can also assign ratios rather than percentages to each queue; the queues will be assigned certain weights which are inline with these ratios. Ratios can range from 0 to 100. Total bandwidth ratio allocation for the policy in this case can exceed 100.

Note

You cannot mix bandwidth types on a policy map. For example, you cannot configure bandwidth in a single policy map using both a bandwidth percent and in kilobits per second.

Step 5

end

Example:


Device(config-pmap-c)# end
Device#

Saves configuration changes.

Step 6

show policy-map

Example:


Device# show policy-map

(Optional) Displays policy configuration information for all classes configured for all service policies.

What to do next

Configure any additional policy maps for QoS for your network. After creating the policy maps, attach the traffic policy or polices to an interface using the service-policy command.

Configuring NetFlow Sampler

This task explains how to configure class-based, unconditional packet marking features on your device for Flexible NetFlow samplers.

Before you begin

You should have created a class map for the NetFlow sampler before beginning this procedure. You should also have created a NetFlow sampler before beginning this procedure.

SUMMARY STEPS

configure terminal
sampler sampler name
policy-map policy name
class class name
netflow-sampler flow sampler name
end
show policy-map

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal
Device(config)#

Enters global configuration mode.

Step 2

sampler sampler name

Example:

Device(config)# sampler NFS01
Device(config-sampler)# exit

Defines a Cisco NetFlow sampler.

Step 3

policy-map policy name

Example:

Device(config)# policy-map policy_NFS01
Device(config-pmap)#

Enters policy map configuration mode.

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

Step 4

class class name

Example:

Device(config-pmap)# class class_NFS01
Device(config-pmap-c)#

Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:

Word—Class map name
class-default—System default class matching any otherwise unclassified packets

Step 5

netflow-sampler flow sampler name

Example:

Device(config-pmap)# netflow-sampler NFS01
Device(config-sampler)#

Attaches a Flexible Netflow sampler to the policy map. After attaching a NetFlow sampler to the policy map, the following configuration options are available:

default—Sets the sampler to its default.
description—Provides a sampler description.
exit—Exits from sampler configuration mode.
mode—Sampling mode selection (random or deterministic)
no—negates a command

Step 6

end

Example:

Device(config-sampler)# end
Device#

Saves configuration changes.

Step 7

show policy-map

Example:

Device# show policy-map

(Optional) Displays policy configuration information for all classes configured for all service policies.

What to do next

Proceed to configure any additional policy maps for your QoS network. After creating your policy maps, proceed to attach the traffic policy or polices to an interface using the service-policy command.

Configuring Police (CLI)

This procedure explains how to configure policing on your .

Before you begin

You should have created a class map for policing before beginning this procedure.

SUMMARY STEPS

configure terminal
policy-map policy name
class class name
police {target_bit_rate [burst bytes | bc | conform-action | pir ] | cir {target_bit_rate | percent percentage} | rate {target_bit_rate | percent percentage} conform-action transmit exceed-action {drop [violate action] | set-cos-transmit | set-dscp-transmit | set-prec-transmit | transmit [violate action] }}
end
show policy-map

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 2

policy-map policy name

Example:


Device(config)# policy-map policy_police01
Device(config-pmap)#

Enters policy map configuration mode.

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

Step 3

class class name

Example:


Device(config-pmap)# class class_police01
Device(config-pmap-c)#

Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:

word—Class map name.
class-default—System default class matching any otherwise unclassified packets.

Step 4

police {target_bit_rate [burst bytes | bc | conform-action | pir ] | cir {target_bit_rate | percent percentage} | rate {target_bit_rate | percent percentage} conform-action transmit exceed-action {drop [violate action] | set-cos-transmit | set-dscp-transmit | set-prec-transmit | transmit [violate action] }}

Example:


Device(config-pmap-c)# police 8000 conform-action transmit exceed-action drop
Device(config-pmap-c)#

The following police subcommand options are available:

target_bit_rate—Bits per second (from 8000 to 10000000000).
- burst bytes—Enter a value from 1000 to 512000000.
- bc—Conform burst.
- conform-action—Action taken when rate is less than conform burst.
- pir—Peak Information Rate.
cir—Committed Information Rate.
- target_bit_rate—Target bit rate (8000 to10000000000).
- percent—Percentage of interface bandwidth for CIR.
rate—Specifies the police rate, PCR for hierarchical policies, or SCR for single-level ATM 4.0 policer policies.
- target_bit_rate—Target Bit Rate (8000 to 10000000000).
- percent—Percentage of interface bandwidth for rate.

The following police conform-action transmit exceed-action subcommand options are available:

drop—Drops the packet.
set-cos-transmit—Sets the CoS value and sends it.
set-dscp-transmit—Sets the DSCP value and sends it.
set-prec-transmit—Rewrites the packet precedence and sends it.
transmit—Transmits the packet.

Note

Policer-based markdown actions are only supported using table maps. Only one markdown table map is allowed for each marking field in the .

Step 5

end

Example:


Device(config-pmap-c)# end
Device#

Saves configuration changes.

Step 6

show policy-map

Example:


Device# show policy-map

(Optional) Displays policy configuration information for all classes configured for all service policies.

What to do next

Configure any additional policy maps for QoS for your network. After creating your policy maps, attach the traffic policy or polices to an interface using the service-policy command.

Configuring Priority (CLI)

This procedure explains how to configure priority on your .

The supports giving priority to specified queues. There are two priority levels available (1 and 2).

Note

Queues supporting voice and video should be assigned a priority level of 1.

Before you begin

You should have created a class map for priority before beginning this procedure.

SUMMARY STEPS

configure terminal
policy-map policy name
class class name
priority [Kb/s [burst_in_bytes] | level level_value [Kb/s [burst_in_bytes] | percent percentage [burst_in_bytes] ] | percent percentage [burst_in_bytes] ]
end
show policy-map

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 2

policy-map policy name

Example:


Device(config)# policy-map policy_priority01
Device(config-pmap)#

Enters policy map configuration mode.

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

Step 3

class class name

Example:


Device(config-pmap)# class class_priority01
Device(config-pmap-c)#

Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:

word—Class map name.
class-default—System default class matching any otherwise unclassified packets.

Step 4

priority [Kb/s [burst_in_bytes] | level level_value [Kb/s [burst_in_bytes] | percent percentage [burst_in_bytes] ] | percent percentage [burst_in_bytes] ]

Example:


Device(config-pmap-c)# priority level 1
Device(config-pmap-c)#

(Optional) The priority command assigns a strict scheduling priority for the class.

The command options include:

Kb/s—Specifies the kilobits per second (from 1 to 2000000).
- burst_in_bytes—Specifies the burst in bytes (from 32 to 2000000).
level level_value—Specifies the multilevel (1-2) priority queue.
- Kb/s—Specifies the kilobits per second (from 1 to 2000000).
  - burst_in_bytes—Specifies the burst in bytes (from 32 to 2000000).
- percent—Percentage of the total bandwidth.
  - burst_in_bytes—Specifies the burst in bytes (from 32 to 2000000).
percent—Percentage of the total bandwidth.
- burst_in_bytes—Specifies the burst in bytes (32 to 2000000).

Note

Priority level 1 is more important than priority level 2. Priority level 1 reserves bandwidth that is processed first for QoS, so its latency is very low. Both priority level 1 and 2 reserve bandwidth.

Step 5

end

Example:


Device(config-pmap-c)# end
Device#

Saves configuration changes.

Step 6

show policy-map

Example:


Device# show policy-map

(Optional) Displays policy configuration information for all classes configured for all service policies.

What to do next

Configure any additional policy maps for QoS for your network. After creating your policy maps, attach the traffic policy or polices to an interface using the service-policy command.

Configuring Egress Queue Characteristics

Depending on the complexity of your network and your QoS solution, you may need to perform all of the procedures in this section. You need to make decisions about these characteristics:

Which packets are mapped by DSCP, CoS, or QoS group value to each queue and threshold ID?
What drop percentage thresholds apply to the queues, and how much reserved and maximum memory is needed for the traffic type?
How much of the fixed buffer space is allocated to the queues?
Does the bandwidth of the port need to be rate limited?
How often should the egress queues be serviced and which technique (shaped, shared, or both) should be used?

Note

You can only configure the egress queues on the .

Configuring Queue Buffers (CLI)

The allows you to allocate buffers to queues. If there is no allocation made to buffers, then they are divided equally for all queues. You can use the queue-buffer ratio to divide it in a particular ratio. Since by default DTS (Dynamic Threshold and Scaling) is active on all queues, these are soft buffers.

Before you begin

The following are prerequisites for this procedure:

You should have created a class map for the queue buffer before beginning this procedure.
You must have configured either bandwidth, shape, or priority on the policy map prior to configuring the queue buffers.

SUMMARY STEPS

configure terminal
policy-map policy name
class class name
bandwidth {Kb/s | percent percentage | remaining { ratio ratio value }}
queue-buffers {ratio ratio value}
end
show policy-map

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 2

policy-map policy name

Example:


Device(config)# policy-map policy_queuebuffer01
Device(config-pmap)#

Enters policy map configuration mode.

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

Step 3

class class name

Example:


Device(config-pmap)# class class_queuebuffer01
Device(config-pmap-c)#

Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:

word—Class map name.
class-default—System default class matching any otherwise unclassified packets.

Step 4

bandwidth {Kb/s | percent percentage | remaining { ratio ratio value }}

Example:


Device(config-pmap-c)# bandwidth percent 80
Device(config-pmap-c)#

Configures the bandwidth for the policy map. The command parameters include:

Kb/s—Use this command to configure a specific value. The range is 20000 to 10000000.
percent—Allocates a minimum bandwidth to a particular class using a percentage. The queue can oversubscribe bandwidth in case other queues do not utilize the entire port bandwidth. The total sum cannot exceed 100 percent, and in case it is less than 100 percent, the rest of the bandwidth is equally divided along all bandwidth queues.
remaining—Allocates a minimum bandwidth to a particular class. The queue can oversubscribe bandwidth in case other queues do not utilize entire port bandwidth. The total sum cannot exceed 100 percent. It is preferred to use this command when the priority command is used for certain queues in the policy. You can also assign ratios rather than a percentage to each queue; the queues will be assigned certain weights that are inline with these ratios. Ratios can range from 0 to 100. Total bandwidth ratio allocation for the policy in this case can exceed 100.

Note

You cannot mix bandwidth types on a policy map.

Step 5

queue-buffers {ratio ratio value}

Example:


Device(config-pmap-c)# queue-buffers ratio 10
Device(config-pmap-c)#

Configures the relative buffer size for the queue.

Note

The sum of all configured buffers in a policy must be less than or equal to 100 percent. Unallocated buffers are are evenly distributed to all the remaining queues. Ensure sufficient buffers are allocated to all queues including the priority queues.

Note

Protocol Data Units(PDUs) for network control protocols such as spanning-tree and LACP utilize the priority queue or queue 0 (when a priority queue is not configured). Ensure sufficient buffers are allocated to these queues for the protocols to function.

Step 6

end

Example:


Device(config-pmap-c)# end
Device#

Saves configuration changes.

Step 7

show policy-map

Example:


Device# show policy-map

(Optional) Displays policy configuration information for all classes configured for all service policies.

What to do next

Configure any additional policy maps for QoS for your network. After creating your policy maps, attach the traffic policy or polices to an interface using the service-policy command.

Configuring Queue Limits (CLI)

You use queue limits to configure Weighted Tail Drop (WTD). WTD ensures the configuration of more than one threshold per queue. Each class of service is dropped at a different threshold value to provide for QoS differentiation. With the , each queue has 3 explicit programmable threshold classes—0, 1, 2. Therefore, the enqueue/drop decision of each packet per queue is determined by the packet’s threshold class assignment, which is determined by the DSCP, CoS, or QoS group field of the frame header.

WTD also uses a soft limit, and therefore you are allowed to configure the queue limit to up to 400 percent (maximum four times the reserved buffer from common pool). This soft limit prevents overrunning the common pool without impacting other features.

Note

You can only configure queue limits on the egress queues on wired ports.

Before you begin

The following are prerequisites for this procedure:

You should have created a class map for the queue limits before beginning this procedure.
You must have configured either bandwidth, shape, or priority on the policy map prior to configuring the queue limits.

SUMMARY STEPS

configure terminal
policy-map policy name
class class name
bandwidth {Kb/s | percent percentage | remaining { ratio ratio value }}
queue-limit {packets packets | cos {cos value { maximum threshold value | percent percentage } | values {cos value| percent percentage } } | dscp {dscp value {maximum threshold value | percent percentage} | match packet {maximum threshold value | percent percentage} | default {maximum threshold value | percent percentage} | ef {maximum threshold value | percent percentage} | dscp values dscp value} | percent percentage }}
end
show policy-map

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 2

policy-map policy name

Example:


Device(config)# policy-map policy_queuelimit01
Device(config-pmap)#

Enters policy map configuration mode.

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

Step 3

class class name

Example:


Device(config-pmap)# class class_queuelimit01
Device(config-pmap-c)#

Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:

word—Class map name.
class-default—System default class matching any otherwise unclassified packets.

Step 4

bandwidth {Kb/s | percent percentage | remaining { ratio ratio value }}

Example:


Device(config-pmap-c)# bandwidth 500000
Device(config-pmap-c)#

Configures the bandwidth for the policy map. The parameters include:

Kb/s—Use this command to configure a specific value. The range is 20000 to 10000000.
percent—Allocates a minimum bandwidth to a particular class. The queue can oversubscribe bandwidth in case other queues do not utilize the entire port bandwidth. The total sum cannot exceed 100 percent, and in case it is less than 100 percent, the rest of the bandwidth is equally divided along all bandwidth queues.
remaining—Allocates a minimum bandwidth to a particular class. The queue can oversubscribe bandwidth in case other queues do not utilize entire port bandwidth. The total sum cannot exceed 100 percent. It is preferred to use this command when the priority command is used for certain queues in the policy. You can also assign ratios rather than a percentage to each queue; the queues will be assigned certain weights that are inline with these ratios. Ratios can range from 0 to 100. Total bandwidth ratio allocation for the policy in this case can exceed 100.

Note

You cannot mix bandwidth types on a policy map.

Step 5

queue-limit {packets packets | cos {cos value { maximum threshold value | percent percentage } | values {cos value| percent percentage } } | dscp {dscp value {maximum threshold value | percent percentage} | match packet {maximum threshold value | percent percentage} | default {maximum threshold value | percent percentage} | ef {maximum threshold value | percent percentage} | dscp values dscp value} | percent percentage }}

Example:


Device(config-pmap-c)# queue-limit dscp 3 percent 20
Device(config-pmap-c)# queue-limit dscp 4 percent 30
Device(config-pmap-c)# queue-limit dscp 5 percent 40

Sets the queue limit threshold percentage values.

With every queue, there are three thresholds (0,1,2), and there are default values for each of these thresholds. Use this command to change the default or any other queue limit threshold setting. For example, if DSCP 3, 4, and 5 packets are being sent into a specific queue in a configuration, then you can use this command to set the threshold percentages for these three DSCP values. For additional information about queue limit threshold values, see Weighted Tail Drop.

Note

The does not support absolute queue-limit percentages. The only supports DSCP or CoS queue-limit percentages.

Step 6

end

Example:


Device(config-pmap-c)# end
Device#

Saves configuration changes.

Step 7

show policy-map

Example:


Device# show policy-map

(Optional) Displays policy configuration information for all classes configured for all service policies.

What to do next

Proceed to configure any additional policy maps for QoS for your network. After creating your policy maps, proceed to attach the traffic policy or polices to an interface using the service-policy command.

Configuring Shaping (CLI)

You use the shape command to configure shaping (maximum bandwidth) for a particular class. The queue's bandwidth is restricted to this value even though the port has additional bandwidth left. You can configure shaping as an average percent, as well as a shape average value in bits per second.

Before you begin

You should have created a class map for shaping before beginning this procedure.

SUMMARY STEPS

configure terminal
policy-map policy name
class class name
shape average {target bit rate| percent percentage}
end
show policy-map

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters the global configuration mode.

Step 2

policy-map policy name

Example:


Device(config)# policy-map policy_shaping01
Device(config-pmap)#

Enters policy map configuration mode.

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

Step 3

class class name

Example:


Device(config-pmap)# class class_shaping01
Device(config-pmap-c)#

Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:

word—Class map name.
class-default—System default class matching any otherwise unclassified packets.

Step 4

shape average {target bit rate| percent percentage}

Example:


Device(config-pmap-c)# shape average percent 50
Device(config-pmap-c)#

Configures the average shape rate. You can configure the average shape rate by target bit rates (bits per second) or by percentage of interface bandwidth for the Committed Information Rate (CIR).

Note

For the egress class-default SSID policy, you must configure the queue buffer ratio as 0 after you configure the average shape rate.

Step 5

end

Example:


Device(config-pmap-c)# end
Device#

Saves configuration changes.

Step 6

show policy-map

Example:


Device# show policy-map

(Optional) Displays policy configuration information for all classes configured for all service policies.

What to do next

Configure any additional policy maps for QoS for your network. After creating your policy maps, attach the traffic policy or polices to an interface using the service-policy command.

Configuring Precious Metal Policies (CLI)

You can configure precious metal QoS policies on a per-WLAN basis.

SUMMARY STEPS

configure terminal
wlan wlan-name
service-policy { input|output} policy-name
end
show wlan { wlan-id | wlan-name}

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global command mode.

Step 2

wlan wlan-name

Example:

Devicewlan test4

Enters the WLAN configuration submode.

Step 3

service-policy { input|output} policy-name

Example:


Device(config-wlan)# service-policy output platinum

Example:


Device(config-wlan)# service-policy input platinum-up

Configures the WLAN with the QoS policy. To configure the WLAN with precious metal policies, you must enter one of the following keywords: platinum, gold, silver, or bronze. The upstream policy is specified with the keyword platinum-up as shown in the example.

Note

Upstream policies differ from downstream policies. The upstream policies have a suffix of -up.

Step 4

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit the global configuration mode.

Step 5

show wlan { wlan-id | wlan-name}

Example:

Device# show wlan name qos-wlan

Verifies the configured QoS policy on the WLAN.


Device# show wlan name qos-wlan
. . . 
. . . 
. . . 

QoS Service Policy - Input
  Policy Name                                  : platinum-up
  Policy State                                 : Validated
QoS Service Policy - Output
  Policy Name                                  : platinum
  Policy State                                 : Validated
. . . 

. . .

Configuring QoS Policies for Multicast Traffic (CLI)

Before you begin

The following are the prerequisites for configuring a QoS policy for multicast traffic:

You must have a multicast service policy configured.
You must enable multicast-multicast mode before applying the policy.

SUMMARY STEPS

configure terminal
ap capwap multicast service-policy output service-policy-name
end

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

ap capwap multicast service-policy output service-policy-name

Example:

Device(config)#ap capwap multicast service-policy output service-policy-mcast

Applies the configured multicast policy.

Step 3

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Port Policies (GUI)

Procedure

Step 1

Choose Configuration > Wireless

Step 2

Expand the QoS node by clicking on left pane and choose QOS-Policy.

The QOS-Policy page is displayed.

Step 3

Click Add New to create a new QoS policy.

The Create QoS Policy page is displayed.

Step 4

Select Port from the Policy Type drop-down menu.

Step 5

Enter the policy name in the Policy Name text field.

Step 6

Specify a description for the policy you want to create in the Description field.

Step 7

Configure the voice or video priorities for the port policies by enabling the Enable Voice and Enable Video parameters.

Note

You must attach the port policy to an interface. Default values are recommended.

Step 8

Click Add to add the policy.

What to do next

Proceed to assign the port policy on an interface.

Applying or Changing Port Policies (GUI)

Procedure

Step 1

Choose Configuration > Controller > System > Interfaces > Port Summary.

The Port Configuration page is displayed.

Step 2

Select the interface on which you want to configure the port policy from the Interface Name column.

Step 3

Apply or change the QoS Port Policy by selecting the policy from the Assign Policy drop-down list.

The Existing Policy field displays the current policy assigned.

Note

All interfaces in a channel group must be assigned to the same port policy.

Step 4

Click Apply.

Applying a QoS Policy on a WLAN (GUI)

Procedure

Step 1

Choose Configuration > Wireless.

Step 2

Expand the WLAN node by clicking on the left pane and choose WLANs.

The WLANs page is displayed.

Step 3

Select the WLAN for which you want to configure the QoS policies by clicking on the WLAN Profile.

Step 4

Click the QoS tab to configure the QoS policies on the WLAN.

You can also configure precious metal policies for the WLAN.

The following options are available:


Parameter	Description
QoS SSID Policy
Egress Policy	QoS downstream policy configuration. The Existing Policy column displays the current applied policy. To change the existing policy, select the policy from the drop-down list in the Assign Policy column. If a policy is not selected, NONE is displayed.
Ingress Policy	QoS upstream policy configuration. The Existing Policy column displays the current applied policy. To change the existing policy, select the policy from the drop-down list in the Assign Policy column. If a policy is not selected, NONE is displayed.
QoS Client Policy
Egress Policy	QoS downstream policy configuration. The Existing Policy column displays the current applied policy. To change the existing policy, select the policy from the drop-down list in the Assign Policy column. If a policy is not selected, NONE is displayed.
Ingress Policy	QoS upstream policy configuration. The Existing Policy column displays the current applied policy. To change the existing policy, select the policy from the drop-down list in the Assign Policy column. If a policy is not selected, NONE is displayed.
WMM
WMM Policy	WMM Policy. This parameter has the following values: Disabled—Disables this WMM policy. Allowed—Allows the clients to communicate with the WLAN. Require—Ensures that it is mandatory for the clients to have WMM features enabled on them to communicate with the WLAN.

Step 5

Click Apply.

Monitoring QoS

The following commands can be used to monitor QoS on the .

Table 15. Monitoring QoS
Command	Description
show class-map [`class_map_name`]	Displays a list of all class maps configured.
show class-map type control subscriber {all \| `name` } show class-map type control subscriber detail	Displays control class map and statistics. all—Displays information for all class maps. name—Displays configured class maps.
show policy-map [`policy_map_name`]	Displays a list of all policy maps configured. Command parameters include: policy map name control plane interface session type
show policy-map interface { Auto-template \| Capwap \| GigabitEthernet \| GroupVI \| InternalInterface \| Loopback \| Lspvif \| \| Null \| Port-channel \| TenGigabitEthernet \| Tunnel \| Vlan \| brief \| class \| input \| output \| wireless }	Displays the runtime representation and statistics of all the policies configured on the . Command parameters include: Auto-template—Auto-Template interface Capwap—CAPWAP tunnel interface GigabitEthernet—Gigabit Ethernet IEEE.802.3z GroupVI—Group virtual interface InternalInterface—Internal interface Loopback—Loopback interface Lspvif—LSP virtual interface Null—Null interface Port-channel—Ethernet channel of interfaces TenGigabitEthernet—10-Gigabit Ethernet Tunnel—Tunnel interface Vlan—Catalyst VLANs brief—Brief description of policy maps class—Statistics for individual class input—Input policy output—Output policy Wireless—wireless
show policy-map interface wireless ap [`access point`]	Displays the runtime representation and statistics for all the wireless APs on the .
show policy-map interface wireless ssid [`ssid`]	Displays the runtime representation and statistics for all the SSID targets on the .
show policy-map interface wireless client mac [`mac_address`]	Displays the runtime representation and statistics for all the client targets on the .
show policy-map session [ input \| output \| uid `UUID` ]	Displays the session QoS policy. Command parameters include: input—Input policy output—Output policy uid—Policy based on SSS unique identification.
show policy-map type control subscriber { all \| name }	Displays the type QoS policy-map.
show table-map	Displays all the table maps and their configurations.
show platform qos wireless {afd { client \| ssid } \| stats { bssid `bssid-value\|`client `name\|` ssid {`ssid-value\|`all} client all}}	Displays wireless targets. The following command parameters are supported: afd—AFD information stats—Statistics information
show policy-map interface wireless ssid name `ssid-name[` radio type {24ghz \| 5ghz} ap name `ap-name\|`ap name `ap-name]`	Displays SSID policy configuration on an access point.
show wireless client mac-address `mac_address`service-policy {input \| output}	Displays details of the client policy.
show wlan qos service-policies	Displays the SSID policies configured on all WLANs.
show ap name `ap_name`service-policy	Displays all the policies configured on the AP.

Monitoring SSID and Client Policies Statistics (GUI)

Statistics are supported only for ingress policies with a maximum of five classes on wireless targets. For very large policies, statistics for ingress policies are not visible at the . The frequency of the statistics depends on the number of clients associated with the access point.


Type of Statistics	Method	Details
SSID Policies	Choose Monitor > Controller > Statistics > QoS.	The QoS page is displayed with a list of SSID policies, Radio Type, and AP. Choose an SSID policy, radio, and access point from the drop-down lists and click Apply to view the statistics of the chosen SSID policy. You can view details such as match criteria, confirmed bytes, conformed rate, and exceeded rate.
Client Policies	Choose Monitor > Clients > Client Details .	The Clients page is displayed with a list of client MAC addresses, AP, and other details. Click the MAC address of a client and click the QoS Statistics tab. You can view details such as match criteria, confirmed bytes, conformed rate, and exceeded rate.

Examples: Classification by Access Control Lists

This example shows how to classify packets for QoS by using access control lists (ACLs):


Device# configure terminal
Device(config)# access-list 101 permit ip host 12.4.1.1 host 15.2.1.1 
Device(config)# class-map acl-101
Device(config-cmap)# description match on access-list 101
Device(config-cmap)# match access-group 101
Device(config-cmap)#

After creating a class map by using an ACL, you then create a policy map for the class, and apply the policy map to an interface for QoS.

Examples: Class of Service Layer 2 Classification

This example shows how to classify packets for QoS using a class of service Layer 2 classification:


Device# configure terminal
Device(config)# class-map cos
Device(config-cmap)# match cos ?
  <0-7>  Enter up to 4 class-of-service values separated by white-spaces
Device(config-cmap)# match cos 3 4 5
Device(config-cmap)#

After creating a class map by using a CoS Layer 2 classification, you then create a policy map for the class, and apply the policy map to an interface for QoS.

Examples: Class of Service DSCP Classification

This example shows how to classify packets for QoS using a class of service DSCP classification:


Device# configure terminal
Device(config)# class-map dscp
Device(config-cmap)# match dscp af21 af22 af23 
Device(config-cmap)#

After creating a class map by using a DSCP classification, you then create a policy map for the class, and apply the policy map to an interface for QoS.

Examples: VLAN ID Layer 2 Classification

This example shows how to classify for QoS using a VLAN ID Layer 2 classification:


Device# configure terminal
Device(config)# class-map vlan-120
Device(config-cmap)# match vlan ?
  <1-4095>  VLAN id
Device(config-cmap)# match vlan 120
Device(config-cmap)#

After creating a class map by using a VLAN Layer 2 classification, you then create a policy map for the class, and apply the policy map to an interface for QoS.

Examples: Classification by DSCP or Precedence Values

This example shows how to classify packets by using DSCP or precedence values:


Device# configure terminal
Device(config)# class-map prec2
Device(config-cmap)# description matching precedence 2 packets
Device(config-cmap)# match ip precedence 2 
Device(config-cmap)# exit
Device(config)# class-map ef 
Device(config-cmap)# description EF traffic
Device(config-cmap)# match ip dscp ef
Device(config-cmap)#

After creating a class map by using a DSCP or precedence values, you then create a policy map for the class, and apply the policy map to an interface for QoS.

Examples: Hierarchical Classification

The following is an example of a hierarchical classification, where a class named parent is created, which matches another class named child. The class named child matches based on the IP precedence being set to 2.


Device# configure terminal
Device(config)# class-map child
Device(config-cmap)# match ip precedence 2
Device(config-cmap)# exit
Device(config)# class-map parent
Device(config-cmap)# match class child
Device(config-cmap)#

After creating the parent class map, you then create a policy map for the class, and apply the policy map to an interface for QoS.

Examples: Hierarchical Policy Configuration

The following is an example of a configuration using hierarchical polices:


Device# configure terminal
Device(config)# class-map c1
Device(config-cmap)# match dscp 30
Device(config-cmap)# exit

Device(config)# class-map c2
Device(config-cmap)# match precedence 4
Device(config-cmap)# exit

Device(config)# class-map c3
Device(config-cmap)# exit

Device(config)# policy-map child
Device(config-pmap)# class c1
Device(config-pmap-c)# priority level 1
Device(config-pmap-c)# police rate percent 20 conform-action transmit exceed action drop 
Device(config-pmap-c-police)# exit
Device(config-pmap-c)# exit

Device(config-pmap)# class c2
Device(config-pmap-c)# bandwidth 20000
Device(config-pmap-c)# exit
Device(config-pmap)# class class-default
Device(config-pmap-c)# bandwidth 20000
Device(config-pmap-c)# exit
Device(config-pmap)# exit

Device(config)# policy-map parent
Device(config-pmap)# class class-default
Device(config-pmap-c)# shape average 1000000
Device(config-pmap-c)# service-policy child
Device(config-pmap-c)# end

The following example shows a hierarchical policy using table maps:

Device(config)# table-map dscp2dscp
 Device(config-tablemap)# default copy
Device(config)# table-map dscp2up
Device(config-tablemap)# map from 46 to 6
Device(config-tablemap)# map from 34 to 5
Device(config-tablemap)# default copy
Device(config)# policy-map ssid_child_policy
Device(config-pmap)# class voice
Device(config-pmap-c)# priority level 1
Device(config-pmap-c)# police 15000000
Device(config-pmap)# class video
Device(config-pmap-c)# priority level 2
Device(config-pmap-c)# police 10000000
Device(config)# policy-map ssid_policy
Device(config-pmap)# class class-default
Device(config-pmap-c)# shape average 30000000
Device(config-pmap-c)# queue-buffer ratio 0
Device(config-pmap-c)# set dscp dscp table dscp2dscp
Device(config-pmap-c)# service-policy ssid_child_policy

Examples: Classification for Voice and Video

This example describes how to classify packet streams for voice and video using device specific information.

In this example, voice and video are coming in from end-point A into GigabitEthernet1/0/1 on the device and have precedence values of 5 and 6, respectively. Additionally, voice and video are also coming from end-point B into GigabitEthernet1/0/2 on the device with DSCP values of EF and AF11, respectively.

Assume that all the packets from the both the interfaces are sent on the uplink interface, and there is a requirement to police voice to 100 Mbps and video to 150 Mbps.

To classify per the above requirements, a class to match voice packets coming in on GigabitEthernet1/0/1 is created, named voice-interface-1, which matches precedence 5. Similarly another class for voice is created, named voice-interface-2, which will match voice packets in GigabitEthernet1/0/2. These classes are associated to two separate policies named input-interface-1, which is attached to GigabitEthernet1/0/1, and input-interface-2, which is attached to GigabitEthernet1/0/2. The action for this class is to mark the qos-group to 10. To match packets with QoS-group 10 on the output interface, a class named voice is created which matches on QoS-group 10. This is then associated to another policy named output-interface, which is associated to the uplink interface. Video is handled in the same way, but matches on QoS-group 20.

The following example shows how classify using the above device specific information:


Device(config)#
Device(config)# class-map voice-interface-1
Device(config-cmap)# match ip precedence 5
Device(config-cmap)# exit

Device(config)# class-map video-interface-1
Device(config-cmap)# match ip precedence 6
Device(config-cmap)# exit

Device(config)# class-map voice-interface-2
Device(config-cmap)# match ip dscp ef
Device(config-cmap)# exit

Device(config)# class-map video-interface-2
Device(config-cmap)# match ip dscp af11
Device(config-cmap)# exit

Device(config)# policy-map input-interface-1
Device(config-pmap)# class voice-interface-1
Device(config-pmap-c)# set qos-group 10
Device(config-pmap-c)# exit

Device(config-pmap)# class video-interface-1
Device(config-pmap-c)# set qos-group 20

Device(config-pmap-c)# policy-map input-interface-2
Device(config-pmap)# class voice-interface-2
Device(config-pmap-c)# set qos-group 10
Device(config-pmap-c)# class video-interface-2
Device(config-pmap-c)# set qos-group 20
Device(config-pmap-c)# exit
Device(config-pmap)# exit

Device(config)# class-map voice
Device(config-cmap)# match qos-group 10
Device(config-cmap)# exit

Device(config)# class-map video
Device(config-cmap)# match qos-group 20

Device(config)# policy-map output-interface
Device(config-pmap)# class voice
Device(config-pmap-c)# police 256000 conform-action transmit exceed-action drop
Device(config-pmap-c-police)# exit
Device(config-pmap-c)# exit
  
Device(config-pmap)# class video
Device(config-pmap-c)# police 1024000 conform-action transmit exceed-action drop
Device(config-pmap-c-police)# exit
Device(config-pmap-c)# exit

Examples: Wireless QoS Policy Classified by Voice, Video, and Multicast Traffic

The following example provides a template for creating a port child policy for managing quality of service for voice and video traffic.


Policy-map port_child_policy
    Class voice (match dscp ef)
            Priority level 1
            Police  Multicast Policer
    Class video (match dscp af41)
            Priority level 2
            Police  Multicast Policer
    Class mcast-data  (match non-client-nrt)
            Bandwidth remaining ratio <>
    Class class-default  (NRT Data)
            Bandwidth remaining ratio <>

Note

Multicast Policer in the example above is not a keyword. It refers to the policing policy configured.

Two class maps with name voice and video are configured with DSCP assignments of 46 and 34. The voice traffic is assigned the priority of 1 and the video traffic is assigned the priority level 2 and is processed using Q0 and Q1. If your network receives multicast voice and video traffic, you can configure multicast policers. The non-client NRT data and NRT data are processed using the Q2 and Q3 queues.

Examples: Configuring Downstream SSID Policy

To configure a downstream BSSID policy, you must first configure a port child policy with priority level queuing.

Type of Policy Example

User-defined port child policy


policy-map port_child_policy
   class voice
     priority level 1 20000

   class video
     priority level 2 10000

   class non-client-nrt-class
     bandwidth remaining ratio 10

   class class-default
     bandwidth remaining ratio 15

Egress BSSID policy


policy-map bssid-policer
   queue-buffer ratio 0
   class class-default
   shape average 30000000
set dscp dscp table dscp2dscp
set wlan user-priority dscp table dscp2up  
service-policy ssid_child_qos

SSID Child QoS policy


Policy Map ssid-child_qos
    Class voice
      priority level 1
      police cir 5m
      admit cac wmm-tspec 
           UP 6,7  / tells WCM allow ‘voice’ TSPEC\SIP snoop for this ssid
            rate 4000 / must be police rate value is in kbps)
   Class video
      priority level 2
      police cir 60000

Examples: Ingress SSID Policies

The following examples show ingress SSID hierarchical policies:

Type of ingress SSID policies Example

Ingress SSID hierarchical policies


policy-map ssid-child-policy
class voice  //match dscp 46
police 3m
class video //match dscp 34
police 4m
policy-map ssid-in-policy
class class-default
set dscp wlan user-priority table up2dscp
service-policy ssid-child-policy


policy-map ssid_in_policy
class dscp-40
set cos 1
police 10m
class up-1
set dscp 34
police 12m
class dscp-10 
set dscp 20
police 15m
class class-default
set dscp wlan user-priority table up2dscp   
police 50m

Examples: Client Policies

Type of Client Policy Example/Details

Default egress client policy

Any incoming traffic contains the user-priority as 0.

Note

The default client policy is enabled only on WMM clients that are ACM-enabled.

You can verify if ACM is enabled by using the show ap dot11 5ghz network command. To enable ACM, use the ap dot11 5ghz cac voice acm command.


Policy-map client-def-down
  class class-default
      set wlan user-priority 0

Default ingress client policy

Any traffic that is sent to the wired network from wireless network will result in the DSCP value being set to 0.

Note

The default client policy is enabled only on WMM clients that are ACM-enabled.


Policy-map client-def-up
   class class-default
   	set dscp 0

Client policies generated automatically and applied to the WMM client when the client authenticates to a profile in AAA with a configured QoS-level attribute.


Policy Map platinum-WMM    
Class voice-plat     
	 set wlan user-priority 6   
 Class video-plat      
	set wlan user-priority 4    
Class class-default     
	 set wlan user-priority 0


Policy Map gold-WMM    
Class voice-gold     
	 set wlan user-priority 4   
 Class video-gold      
	set wlan user-priority 4    
Class class-default     
	 set wlan user-priority 0

Non-WMM client precious metal policies


Policy Map platinum         
	 set wlan user-priority 6

Egress client policy where any traffic matching class voice1, the user priority is set to a pre-defined value.

The class can be set to assign a DSCP or ACL.


Policy Map client1-down
Class voice1     //match dscp, cos   
	 set wlan user-priority <>
Class voice2    //match acl
   set wlan user-priority <>
Class voice3
   set wlan user-priority <>        
Class class-default     
	 set wlan user-priority 0

Client policy based on AAA and TCLAS


Policy Map client2-down[ AAA+ TCLAS pol example]
Class      voice\\match dscp
      police <>
      set <>
Class class-default
    set <> 
Class voice1|| voice2 [match acls]
      police <>
      class voice1
        set <>
      class voice2
        set <>

Client policy for voice and video for traffic in the egress direction


Policy Map client3-down
    class voice \\match dscp, cos
          police X
     class video
         police Y
    class class-default 
        police Z

Client policy for voice and video for traffic in the ingress direction using policing


Policy Map client1-up
    class voice     \\match dscp, up, cos
      police X
    class video
     police Y
  class class-default
    police Z

Client policy for voice and video based on DSCP


Policy Map client2-up
    class voice     \\match dscp, up, cos
set dscp <> 
    class video
     set dscp <>
  class class-default
    set dscp <>

Client ingress policy with marking and policing


policy-map client_in_policy
class dscp-48 //match dscp 48
 set cos 3
 police 2m
class up-4   //match wlan user-priority 4
 set dscp 10
police 3m
class acl   //match acl
 set cos 2
police 5m
class class-default
 set dscp 20
police 15m

Hierarchical client ingress policy


policy-map client-child-policy
class voice  //match dscp 46
set dscp 40
police 5m
class video //match dscp 34
set dscp 30
police 7m
policy-map client-in-policy
class class-default
police 15m
service-policy client-child-policy

Examples: Average Rate Shaping Configuration

The following example shows how to configure average rate shaping:


Device# configure terminal
Device(config)# class-map prec1
Device(config-cmap)# description matching precedence 1 packets
Device(config-cmap)# match ip precedence 1
Device(config-cmap)# end

Device# configure terminal
Device(config)# class-map prec2
Device(config-cmap)# description matching precedence 2 packets
Device(config-cmap)# match ip precedence 2
Device(config-cmap)# exit

Device(config)# policy-map shaper
Device(config-pmap)# class prec1
Device(config-pmap-c)# shape average 512000
Device(config-pmap-c)# exit

Device(config-pmap)# policy-map shaper
Device(config-pmap)# class prec2
Device(config-pmap-c)# shape average 512000
Device(config-pmap-c)# exit

Device(config-pmap)# class class-default
Device(config-pmap-c)# shape average 1024000

After configuring the class maps, policy map, and shape averages for your configuration, proceed to then apply the policy map to the interface for QoS.

Examples: Queue-limit Configuration

The following example shows how to configure a queue-limit policy based upon DSCP values and percentages:


Device# configure terminal
Device#(config)# policy-map port-queue
Device#(config-pmap)# class dscp-1-2-3
Device#(config-pmap-c)# bandwidth percent 20
Device#(config-pmap-c)# queue-limit dscp 1 percent 80
Device#(config-pmap-c)# queue-limit dscp 2 percent 90
Device#(config-pmap-c)# queue-limit dscp 3 percent 100
Device#(config-pmap-c)# exit

Device#(config-pmap)# class dscp-4-5-6
Device#(config-pmap-c)# bandwidth percent 20
Device#(config-pmap-c)# queue-limit dscp 4 percent 20
Device#(config-pmap-c)# queue-limit dscp 5 percent 30
Device#(config-pmap-c)# queue-limit dscp 6 percent 20
Device#(config-pmap-c)# exit

Device#(config-pmap)# class dscp-7-8-9
Device#(config-pmap-c)# bandwidth percent 20
Device#(config-pmap-c)# queue-limit dscp 7 percent 20
Device#(config-pmap-c)# queue-limit dscp 8 percent 30
Device#(config-pmap-c)# queue-limit dscp 9 percent 20
Device#(config-pmap-c)# exit

Device#(config-pmap)# class dscp-10-11-12
Device#(config-pmap-c)# bandwidth percent 20
Device#(config-pmap-c)# queue-limit dscp 10 percent 20
Device#(config-pmap-c)# queue-limit dscp 11 percent 30
Device#(config-pmap-c)# queue-limit dscp 12 percent 20
Device#(config-pmap-c)# exit

Device#(config-pmap)# class dscp-13-14-15
Device#(config-pmap-c)# bandwidth percent 10
Device#(config-pmap-c)# queue-limit dscp 13 percent 20
Device#(config-pmap-c)# queue-limit dscp 14 percent 30
Device#(config-pmap-c)# queue-limit dscp 15 percent 20
Device#(config-pmap-c)# end  
Device#

After finishing with the above policy map queue-limit configuration, you can then proceed to apply the policy map to an interface for QoS.

Examples: Queue Buffers Configuration

The following example shows how configure a queue buffer policy and then apply it to an interface for QoS:


Device# configure terminal
Device(config)# policy-map policy1001  
Device(config-pmap)# class class1001
Device(config-pmap-c)# bandwidth remaining ratio 10
Device(config-pmap-c)# queue-buffer ratio ?
  <0-100>  Queue-buffers ratio limit
Device(config-pmap-c)# queue-buffer ratio 20
Device(config-pmap-c)# end

Device# configure terminal
Device(config)# interface gigabitEthernet2/0/3
Device(config-if)# service-policy output policy1001
Device(config-if)# end

Examples: Policing Action Configuration

The following example displays the various policing actions that can be associated to the policer. These actions are accomplished using the conforming, exceeding, or violating packet configurations. You have the flexibility to drop, mark and transmit, or transmit packets that have exceeded or violated a traffic profile.

For example, a common deployment scenario is one where the enterprise customer polices traffic exiting the network towards the service provider and marks the conforming, exceeding and violating packets with different DSCP values. The service provider could then choose to drop the packets marked with the exceeded and violated DSCP values under cases of congestion, but may choose to transmit them when bandwidth is available.

Note

The Layer 2 fields can be marked to include the CoS fields, and the Layer 3 fields can be marked to include the precedence and the DSCP fields.

One useful feature is the ability to associate multiple actions with an event. For example, you could set the precedence bit and the CoS for all conforming packets. A submode for an action configuration could then be provided by the policing feature.

This is an example of a policing action configuration:


Device# configure terminal
Device(config)# policy-map police
Device(config-pmap)# class class-default
Device(config-pmap-c)# police cir 1000000 pir 2000000 
Device(config-pmap-c-police)# conform-action transmit
Device(config-pmap-c-police)# exceed-action set-dscp-transmit dscp table exceed-markdown-table
Device(config-pmap-c-police)# violate-action set-dscp-transmit dscp table violate-markdown-table  
Device(config-pmap-c-police)# end

In this example, the exceed-markdown-table and violate-mark-down-table are table maps.

Note

Policer-based markdown actions are only supported using table maps. Only one markdown table map is allowed for each marking field in the device.

Examples: Policer VLAN Configuration

The following example displays a VLAN policer configuration. At the end of this configuration, the VLAN policy map is applied to an interface for QoS.


Device# configure terminal
Device(config)# class-map vlan100
Device(config-cmap)# match vlan 100
Device(config-cmap)# exit
Device(config)# policy-map vlan100
Device(config-pmap)# policy-map class vlan100
Device(config-pmap-c)# police 100000 bc conform-action transmit exceed-action drop
Device(config-pmap-c-police)# end
Device# configure terminal
Device(config)# interface gigabitEthernet1/0/5
Device(config-if)#  service-policy input vlan100

Examples: Policing Units

The following examples display the various units of policing that are supported for QoS. The policing unit is the basis on which the token bucket works .

The following units of policing are supported:

CIR and PIR are specified in bits per second. The burst parameters are specified in bytes. This is the default mode; it is the unit that is assumed when no units are specified. The CIR and PIR can also be configured in percent, in which case the burst parameters have to be configured in milliseconds.
CIR and PIR are specified in packets per second. In this case, the burst parameters are configured in packets as well.

The following is an example of a policer configuration in bits per second:


Device(config)# policy-map bps-policer
Device(config-pmap)# class class-default
Device(config-pmap-c) # police rate 256000 bps burst 1000 bytes 
conform-action transmit exceed-action drop

The following is an example of a policer configuration in packets per second. In this configuration, a dual-rate three-color policer is configured where the units of measurement is packet. The burst and peak burst are all specified in packets.


Device(config)# policy-map pps-policer
Device(config-pmap)# class class-default
Device(config-pmap-c)# police rate 5000 pps burst 100 packets 
peak-rate 10000 pps peak-burst 200 packets conform-action transmit 
exceed-action drop violate-action drop

Examples: Single-Rate Two-Color Policing Configuration

The following example shows how to configure a single-rate two-color policer:


Device(config)# class-map match-any prec1
Device(config-cmap)# match ip precedence 1
Device(config-cmap)# exit
Device(config)# policy-map policer
Device(config-pmap)# class prec1
Device(config-pmap-c)# police cir 256000 conform-action transmit exceed-action drop 
Device(config-pmap-c-police)# exit
Device(config-pmap-c)#

Examples: Dual-Rate Three-Color Policing Configuration

The following example shows how to configure a dual-rate three-color policer:


Device# configure terminal
Device(config)# policy-Map dual-rate-3color-policer
Device(config-pmap)# class class-default
Device(config-pmap-c)# police cir 64000 bc 2000 pir 128000 be 2000
Device(config-pmap-c-police)# conform-action transmit
Device(config-pmap-c-police)# exceed-action set-dscp-transmit dscp table exceed-markdown-table
Device(config-pmap-c-police)# violate-action set-dscp-transmit dscp table violate-markdown-table
Device(config-pmap-c-police)# exit
Device(config-pmap-c)#

In this example, the exceed-markdown-table and violate-mark-down-table are table maps.

Note

Policer based markdown actions are only supported using table maps. Only one markdown table map is allowed for each marking field in the device.

Examples: Table Map Marking Configuration

The following steps and examples show how to use table map marking for your QoS configuration:

Define the table map.

Define the table-map using the table-map command and indicate the mapping of the values. This table does not know of the policies or classes within which it will be used. The default command in the table map indicates the value to be copied into the ‘to’ field when there is no matching ‘from’ field. In the example, a table map named table-map1 is created. The mapping defined is to convert the value from 0 to 1 and from 2 to 3, while setting the default value to 4.
```
Device(config)# table-map table-map1
Device(config-tablemap)# map from 0 to 1
Device(config-tablemap)# map from 2 to 3
Device(config-tablemap)# default 4
Device(config-tablemap)# exit

 
```
Define the policy map where the table map will be used.

In the example, the incoming CoS is mapped to the DSCP based on the mapping specified in the table table-map1. For this example, if the incoming packet has a DSCP of 0, the CoS in the packet is set 1. If no table map name is specified the command assumes a default behavior where the value is copied as is from the ‘from’ field (DSCP in this case) to the ‘to’ field (CoS in this case). Note however, that while the CoS is a 3-bit field, the DSCP is a 6-bit field, which implies that the CoS is copied to the first three bits in the DSCP.
```
Device(config)# policy map policy1
Device(config-pmap)# class class-default
Device(config-pmap-c)# set cos dscp table table-map1
Device(config-pmap-c)# exit
```

Associate the policy to an interface.


Device(config)# interface GigabitEthernet1/0/1
Device(config-if)# service-policy output policy1
Device(config-if)# exit

Example: Table Map Configuration to Retain CoS Markings

The following example shows how to use table maps to retain CoS markings on an interface for your QoS configuration.

The cos-trust-policy policy (configured in the example) is enabled in the ingress direction to retain the CoS marking coming into the interface. If the policy is not enabled, only the DSCP is trusted by default. If a pure Layer 2 packet arrives at the interface, then the CoS value will be rewritten to 0 when there is no such policy in the ingress port for CoS.


Device# configure terminal
Device(config)# table-map cos2cos
Device(config-tablemap)# default copy
Device(config-tablemap)# exit


Device(config)# policy map cos-trust-policy
Device(config-pmap)# class class-default
Device(config-pmap-c)# set cos cos table cos2cos
Device(config-pmap-c)# exit

Device(config)# interface GigabitEthernet1/0/2
Device(config-if)# service-policy input cos-trust-policy
Device(config-if)# exit

Where to Go Next

Review the auto-QoS documentation to see if you can use these automated capabilities for your QoS configuration.

Additional References for QoS

Error Message Decoder


Description	Link
To help you research and resolve system error messages in this release, use the Error Message Decoder tool.	https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi

Standards and RFCs


Standard/RFC	Title
—

MIBs


MIB	MIBs Link
All supported MIBs for this release.	To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance


Description	Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.	http://www.cisco.com/support

Feature History and Information for QoS

Release

Modification

Cisco IOS XE 3.3SE

This feature was introduced.

Cisco IOS XE 3.3SE

Consistent system default trust behavior for both wired and wireless ports.

The Cisco IOS XE 3.2 Release supported different trust defaults for wired and wireless ports. The trust default for wired ports was the same as for this software release. For wireless ports, the default system behavior was non-trust, which meant that when the came up, all markings for the wireless ports were defaulted to zero and no traffic received priority treatment. For compatibility with an existing wired , all traffic went to the best-effort queue by default. The access point performed priority queuing by default.

The default trust behavior in the case of wireless ports could be changed by using the no qos wireless default untrust command.

Cisco IOS XE 3.3SE

Support for IPv6 wireless clients.

The Cisco IOS XE 3.2 software release did not support IPv6 for wireless clients. This is now supported. Client policies can now have IPv4 and IPv6 filters.

Cisco IOS XE 3.3SE

Support for 3 radios and 11ac.

Cisco IOS XE 3.3SE

New classification counters available in the show policy-map command.

Note

This feature is only available on wired targets.

Cisco IOS XE 3.6E

Marking and policing actions for ingress SSID policies. Client policies are applied at the access point.

Cisco IOS XE 3.6E

New classification counters for wireless targets available in the show policy-map command.

Cisco IOS XE 3.6E

Statistics are supported only for ingress policies.

Related Topic	Document Title
For complete syntax and usage information for the commands used in this chapter.	QoS Command Reference (Catalyst 3850 Switches)QoS Command Reference (Cisco WLC 5700 Series) Cisco IOS Quality of Service Solutions Command Reference
Cisco Flexible NetFlow	Cisco Flexible NetFlow Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) Cisco Flexible NetFlow Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3650 Switches) Flexible Netflow Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) Flexible Netflow Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3650 Switches) Flexible NetFlow Configuration Guide, Cisco IOS XE Release 3.2SE (Cisco 5700 Series Wireless Controller)
Call Admission Control (CAC)	System Management Configuration Guide (Catalyst 3850 Switches)System Management Configuration Guide (Cisco WLC 5700 Series) System Management Command Reference (Catalyst 3850 Switches)System Management Command Reference (Cisco WLC 5700 Series)
Multicast Shaping and Policing Rate	IP Multicast Routing Configuration Guide (Catalyst 3850 Switches)Routing Configuration Guide (Cisco WLC 5700 Series)
Application Visibility and Control	System Management Configuration Guide (Catalyst 3850 Switches)System Management Configuration Guide (Cisco WLC 5700 Series) System Management Command Reference (Catalyst 3850 Switches)System Management Command Reference (Cisco WLC 5700 Series)
Application Visibility and Control	System Management Configuration Guide (Catalyst 3850 Switches)System Management Configuration Guide (Cisco WLC 5700 Series) System Management Command Reference (Catalyst 3850 Switches)System Management Command Reference (Cisco WLC 5700 Series)
Platform-independent configuration information	QoS: Classification Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) QoS: Congestion Management Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
Platform-independent configuration information	QoS: Classification Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3650 Switches) QoS: Congestion Management Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3650 Switches)

Bias-Free Language

Results

Chapter: Configuring QoS

Configuring QoS

Finding Feature Information

Prerequisites for QoS

QoS Components

QoS Terminology

QoS Overview

Modular QoS Command-Line Interface

Wireless QoS Overview

QoS and IPv6 for Wireless

Supported QoS Features for Wired Access

Wired and Wireless Access Supported Features

Supported QoS Features on Wireless Targets

Port Policies

Port Policy Format

Radio Policies

SSID Policies

Client Policies

Policy Chaining

Hierarchical QoS

Hierarchical Wireless QoS

Wireless Packet Format

Hierarchical AFD

QoS Implementation

Layer 2 Frame Prioritization Bits

Layer 3 Packet Prioritization Bits

End-to-End QoS Solution Using Classification

Packet Classification

Classification Based on Information That is Propagated with the Packet

Classification Based on Layer 3 or Layer 4 Header

Classification Based on Layer 2 Header

Classification Based on Information that is Device Specific (QoS Groups)

Hierarchical Classification

QoS Wired Model

Ingress Port Activity

Egress Port Activity

Classification

Access Control Lists

Class Maps

Policy Maps

Policy Map on Physical Port

Policy Map on VLANs

Wireless QoS Multicast

Policing

Token-Bucket Algorithm

Marking

Packet Header Marking

Switch Specific Information Marking

Table Map Marking

Traffic Conditioning

Policing

Single-Rate Two-Color Policing

Dual-Rate Three-Color Policing

Shaping

Class-Based Traffic Shaping

Average Rate Shaping

Hierarchical Shaping

Queueing and Scheduling

Bandwidth

Bandwidth Percent

Bandwidth Remaining Ratio

Weighted Tail Drop

Weighted Tail Drop Default Values

Priority Queues

Queue Buffer

Queue Buffer Allocation

Dynamic Threshold and Scaling

Queuing in Wireless

Trust Behavior for Wired Ports

Trust Behavior for Wired and Wireless Ports

Port Security on a Trusted Boundary for Cisco IP Phones

Wireless QoS Mobility

Inter-Device Roaming

Intra-Device Roaming

Precious Metal Policies for Wireless QoS

Default Wired QoS Configuration

DSCP Maps