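Requirement: configure QoS on a Cisco 9504 switch. Traffic must be classified by application importance, priority queues configured according to the classification, and each class must also be rate-limited.
Approach:
1. Use ACLs to define the queues; TOP_1 has the highest priority and TOP_7 the lowest.
2. Configure class-maps based on the ACLs.
3. Based on the class-maps, configure the qos_marking and qos_out-8q policies. The former is applied on the ingress interface to classify and mark packets; the latter is applied on the egress interface so that queues are forwarded by priority.
4. Based on the class-maps, configure qos_out-policy, which is used for rate limiting on the egress interface.
Implementation steps:
1. Configure the ACLs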
ip access-list TOP_1
10 permit tcp any any eq 22000
20 permit tcp any eq 22000 any
30 permit tcp any host 10.3.1.11 eq 1433
40 permit tcp host 10.66.1.11 eq 1433 any
ip access-list TOP_2
30 permit tcp any any eq telnet
40 permit tcp any eq telnet any
50 permit tcp any any eq 3389
60 permit tcp any eq 3389 any
70 permit tcp any any eq 4899
80 permit tcp any eq 4899 any
90 permit icmp any any
ip access-list TOP_3
description voip
10 permit ip 10.32.9.0/24 10.66.1.111/32
20 permit ip 10.32.9.0/24 10.66.1.112/32
30 permit ip 10.32.9.0/24 10.66.1.113/32
ip access-list TOP_4
10 permit tcp host 10.3.1.15 host 10.67.1.31 eq 1433
20 permit tcp host 10.67.1.31 eq 1433 host 10.3.1.15
30 permit tcp host 10.3.1.25 host 10.67.1.35 eq 1433
40 permit tcp host 10.67.1.35 eq 1433 host 10.3.1.25
50 permit tcp host 10.3.1.11 host 10.67.1.11 eq 1433
ip access-list TOP_5
30 permit tcp any any eq 1521
40 permit tcp any eq 1521 any
50 permit tcp any any eq 1433
60 permit tcp any eq 1433 any
70 permit tcp any any eq 22
80 permit tcp any eq 22 any
90 permit ip 10.128.32.28/32 any
ip access-list TOP_7
10 permit tcp any any eq 445
20 permit tcp any eq 445 any
70 permit tcp any any eq ftp
80 permit tcp any eq ftp any
90 permit tcp any any eq ftp-data
100 permit tcp any eq ftp-data any
2. Configure class-maps based on the ACLs. TOP_X is used for queuing marking; TOP1_X is used for rate limiting.
class-map type qos match-any TOP_1
match access-group name TOP_1
class-map type qos match-any TOP_2
match access-group name TOP_2
class-map type qos match-any TOP_3
match access-group name TOP_3
class-map type qos match-any TOP_4
match access-group name TOP_4
class-map type qos match-any TOP_5
match access-group name TOP_5
class-map type qos match-any TOP_7
match access-group name TOP_7
class-map type qos match-any TOP1_1
match access-group name TOP_1
class-map type qos match-any TOP1_2
match access-group name TOP_2
class-map type qos match-any TOP1_3
match access-group name TOP_3
class-map type qos match-any TOP1_4
match access-group name TOP_4
class-map type qos match-any TOP1_5
match access-group name TOP_5
class-map type qos match-any TOP1_7
match access-group name TOP_7
3. Configure the policy-map for queue marking, applied on the ingress interface
policy-map type qos qos_marking
class TOP_1
set qos-group 7
class TOP_2
set qos-group 6
class TOP_5
set qos-group 3
class TOP_3
set qos-group 5
class TOP_4
set qos-group 4
class TOP_7
set qos-group 1
4. Configure the queuing policy, applied on the egress interface. We use 8q here, which supports 8 queues.
policy-map type queuing qos_out-8q
class type queuing c-out-8q-q7
priority level 1
class type queuing c-out-8q-q6
priority level 2
class type queuing c-out-8q-q5
priority level 3
class type queuing c-out-8q-q4
priority level 4
class type queuing c-out-8q-q3
priority level 5
class type queuing c-out-8q-q2
priority level 6
class type queuing c-out-8q-q1
priority level 7
class type queuing c-out-8q-q-default
bandwidth remaining percent 100
5. Configure the rate-limiting policy, which rate-limits each class, applied on the egress interface
policy-map type qos qos_out-policy
class TOP1_1
police cir 9 mbps bc 1 mbytes conform transmit violate drop
class TOP1_2
police cir 9 mbps bc 1 mbytes conform transmit violate drop
class TOP1_3
police cir 7 mbps bc 1 mbytes conform transmit violate drop
class TOP1_4
police cir 9 mbps bc 1 mbytes conform transmit violate drop
class TOP1_7
police cir 4 mbps bc 1 mbytes conform transmit violate drop
6. Apply the policies on the interfaces
Apply on the ingress side to mark incoming packets:
vlan configuration 620
service-policy type qos input qos_marking
Apply on the egress interface to queue and rate-limit outgoing packets:
interface Ethernet1/43
description TO-GY
service-policy type qos output qos_out-policy
service-policy type queuing output qos_out-8q
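7. Notes
The N9K line card has a limited hardware cache (TCAM), and that cache is already pre-allocated on the line card, so there may not be enough of it left for QoS. In that case, applying the policy on an interface fails with an error:
Error message: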
SZ-IDC-SD-SW-9504-02(config)# interface Ethernet1/43
SZ-IDC-SD-SW-9504-02(config-if)# service-policy type qos output qos_out-policy
Unable to perform the action due to incompatibility: Module 1 returned status "TCAM region is not configured. Please configure TCAM region and retry the command"
We consulted Cisco, and the solution is as follows:
Check the current cache allocation sizes:
show hardware access-list tcam region
Reallocate the cache sizes. The original racl and vqos sizes were 1024 and the original e-racl and e-qos sizes were 512; here I allocated half of that.
hardware access-list tcam region racl 512
hardware access-list tcam region e-racl 256
hardware access-list tcam region vqos 512
hardware access-list tcam region e-qos 256
The module must be reloaded for the change to take effect:
reload module 1
Now you can continue with step 6 and apply the policies on the interfaces.
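A consistency check for the configuration built in steps 1 to 5, as an added example that is not part of the original post: it flags repeated ACL sequence numbers, class-maps that match an undefined ACL, policy-map classes with no class-map, and class-maps that no type qos policy-map references (as with TOP1_5 above, which qos_out-policy does not police). The function name lint and the sample config are constructed for illustration.

```python
import re

# Constructed sample in the style of steps 1-5 (trimmed, with deliberate defects).
SAMPLE = """\
ip access-list TOP_5
30 permit tcp any any eq 1521
ip access-list TOP_7
70 permit tcp any any eq ftp
70 permit tcp any eq ftp any
class-map type qos match-any TOP1_5
match access-group name TOP_5
class-map type qos match-any TOP1_7
match access-group name TOP_7
class-map type qos match-any TOP1_9
match access-group name TOP_9
policy-map type qos qos_out-policy
class TOP1_7
police cir 4 mbps bc 1 mbytes conform transmit violate drop
class TOP1_8
police cir 4 mbps bc 1 mbytes conform transmit violate drop
policy-map type queuing qos_out-8q
class type queuing c-out-8q-q7
"""
HEADER = re.compile(r"(ip access-list|class-map type qos match-\w+|policy-map type \w+) (\S+)$")

def lint(config):
    # ACL -> sequence numbers; class-map -> ACLs matched; classes used by type qos policy-maps
    seqs, cmaps, used = {}, {}, set()
    section, name = "", None
    for line in map(str.strip, config.splitlines()):
        if m := HEADER.match(line):
            section, name = m.groups()
            if section == "ip access-list":
                seqs.setdefault(name, [])
            elif section.startswith("class-map"):
                cmaps.setdefault(name, [])
        elif section == "ip access-list" and (m := re.match(r"(\d+) (?:permit|deny) ", line)):
            seqs[name].append(int(m.group(1)))
        elif section.startswith("class-map") and (m := re.match(r"match access-group name (\S+)$", line)):
            cmaps[name].append(m.group(1))
        elif section == "policy-map type qos" and (m := re.match(r"class (?!class-default)(\S+)$", line)):
            used.add(m.group(1))  # queuing policy-maps are skipped: their classes are system-defined
    out = [f"ACL {a}: sequence {n} used more than once"
           for a, s in seqs.items() for n in sorted(set(s)) if s.count(n) > 1]
    out += [f"class-map {c}: ACL {a} is not defined" for c, acls in cmaps.items() for a in acls if a not in seqs]
    out += [f"policy-map class {c}: class-map is not defined" for c in sorted(used - set(cmaps))]
    out += [f"class-map {c}: not referenced by any type qos policy-map" for c in sorted(set(cmaps) - used)]
    return out
```

Run it over a saved copy of the candidate configuration, for example with `print("\n".join(lint(open(path).read())))`, where `path` is the file holding the config text.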