ASR 1000 Parameterized QoS
Generally, two types of QoS are supported:
- Per-Session : Per-session policing is applied to the whole session, i.e. to all data flows. It can be applied initially with the subscriber Access-Accept, or applied or changed later via CoA. The Cisco-Session-Info AVP is used for this purpose. Example: Cisco-Session-Info=QU;512000;256000; D;512000;256000. Search for the Cisco RADIUS CoA Interface Guide; Appendix A contains detailed information about this attribute. This method applies general policing to the whole session, so you cannot prioritize particular kinds of traffic (VoIP etc.).
- Per-Flow : Per-flow QoS is applied via a regular policy-map. The QoS policy-map is defined and applied with one of the following methods (see Deploying the Quality of Service (QoS), Configuring ISG Policies for Regulating Network Access):
  - Define and apply the QoS policy from CLI.
  - Define the QoS policy in CLI, but apply it from RADIUS.
  - Define and apply the QoS policy from RADIUS. It is also called Parameterized QoS.
You cannot apply per-session and per-flow QoS simultaneously.
Also, the QoS order of operation is changed on the ASR 1K or on IOS XE. Please read Hierarchical Color-Aware Policing carefully.
For more detailed information :
Deploying the Quality of Service (QoS)
Configuring RADIUS-Based Policing, IOS XE 3S
Hierarchical Color-Aware Policing
Examples :
General Config (Only related config)
aaa server radius dynamic-author
 client X.X.X.X server-key X
 port 1645
 auth-type any
 ignore session-key
!
policy-map type service INTERNET
 service local
 ip unnumbered Loopback10
!
policy-map type control PPPOE_TEST
 ……
 class type control INTERNET event service-start
  1 service-policy type service unapply name UNAUTH_PPP_SERVICE
  2 service-policy type service identifier service-name
 !
 class type control INTERNET event service-stop
  1 service-policy type service unapply identifier service-name
  2 service-policy type service name UNAUTH_PPP_SERVICE
 !
 ……
 class type control always event session-start
  1 service-policy type service name PBHK
  2 authenticate aaa list pppoe
 !
aaa policy interface-config allow-subinterface
!
bba-group pppoe yapa
 virtual-template 3
!
interface Virtual-Template3
 mtu 1492
 ip unnumbered Loopback10
 ip verify unicast reverse-path
 no ip split-horizon
 ip tcp adjust-mss 1452
 no logging event link-status
 load-interval 30
 no peer default ip address
 ppp authentication pap pppoe
 ppp authorization pppoe
 ppp accounting pppoe
 service-policy type control PPPOE_TEST
end
!
1 – Per-Session Example :
Subscriber AAA Profile :
testdsl3@testadsl Cisco-Service-Info += QU;512000;256000;D;512000;256000
testdsl3@testadsl cisco-avpair += ip:addr-pool=xdslpool
testdsl3@testadsl Cisco-Account-Info += AINTERNET
show subscriber session username testdsl3@testadsl
……….
Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
0 In 512000 256000 0 Peruser
1 Out 512000 256000 0 Peruser
……….
Update Session via COA
radpwtst -s 192.168.1.1 -secret XXXX -noauth -noacct -code Change-Filter-Request -trace 4 Cisco-Account-Info="S1.1.1.1:vrf-id=INTERNET" Cisco-Service-Info="QU;100000;256000;D;100000;256000"
show subscriber session username testdsl3@testadsl
……….
Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
0 In 100000 256000 0 Peruser
1 Out 100000 256000 0 Peruser
……….
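A way to check that a per-session CoA took effect, by comparing the Cisco-Service-Info value that was sent with the Policing rows of show subscriber session. This is an added example, not code from the original page; the function names are hypothetical, the field order (rate, then normal burst) is read off the show output above, and the mapping U = In, D = Out is an assumption.

```python
import re

DIRECTION = {"U": "In", "D": "Out"}  # assumption: U = upstream (In), D = downstream (Out)
ROW = re.compile(r"^\s*\d+\s+(In|Out)\s+(\d+)\s+(\d+)\s+\d+\s+\S+")


def parse_qos_info(value):
    """'QU;rate;burst;D;rate;burst' -> {'In': (rate, burst), 'Out': (rate, burst)}."""
    tokens = [t.strip() for t in value.strip().strip(";").split(";")]
    if not tokens[0].startswith("Q"):
        raise ValueError("not a QoS value: %r" % value)
    tokens[0] = tokens[0][1:]                 # 'QU' -> 'U'
    result, current = {}, None
    for tok in tokens:
        if tok in DIRECTION:
            current = DIRECTION[tok]
            if current in result:
                raise ValueError("direction given twice: %s" % tok)
            result[current] = []
        elif current is not None and tok.isdigit():
            result[current].append(int(tok))
        else:
            raise ValueError("unexpected field %r" % tok)
    for direction, nums in result.items():
        if len(nums) < 2:
            raise ValueError("%s needs a rate and a burst" % direction)
    return {d: (n[0], n[1]) for d, n in result.items()}


def applied_policing(show_output):
    """Extract {'In': (rate, burst), ...} from the Policing rows of the show output."""
    rows = {}
    for line in show_output.splitlines():
        m = ROW.match(line)
        if m:
            rows[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return rows


def coa_took_effect(sent_value, show_output):
    """True when the session polices at exactly the rates and bursts that were sent."""
    return parse_qos_info(sent_value) == applied_policing(show_output)


# Rows copied from the page's output taken after the CoA to 100000.
SHOW_AFTER_COA = """Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
0 In 100000 256000 0 Peruser
1 Out 100000 256000 0 Peruser
"""
```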
2- Per-Flow Example :
2.1 Define and apply the QoS policy from CLI : This is simple: apply the policy-map under the virtual-template etc., and it will be applied to all sessions. Not very useful unless you find a way to change the policy parameters for each customer via RADIUS etc.
2.2 Define the QoS policy in CLI, but apply it from RADIUS : You can change or add new config to the policy-map via RADIUS (but the ACLs and class-maps should be configured locally on the ISG).
Example 1 : Simple setup. The policy-map is defined in the CLI. RADIUS sends the policy-map name for each customer in the Access-Accept message. So for every customer or speed group a different policy-map is required, configured with the customer's download/upload speeds and service classes. I don't put any configuration for this kind of setup as it's very simple.
Example 2 : Like Example 1, a generic policy-map is defined. It can be changed dynamically via RADIUS attributes (add/modify classes).
MQC CLI Configuration :
access-list 102 remark BB_QoS_UP
access-list 102 permit ip any host X.X.X.X
access-list 101 remark BB_QoS_DOWN
access-list 101 permit ip host X.X.X.X any
class-map match-all BB_QoS_VOIP_DOWN
 match access-group 101
class-map match-all BB_QoS_VOIP_UP
 match access-group 102
policy-map BB_GENERIC_PARENT_DOWN
 class class-default
  shape average 200000
  service-policy BB_QoS_VOIP_DOWN
policy-map BB_QoS_VOIP_DOWN
 class BB_QoS_VOIP_DOWN
  priority percent 30
policy-map BB_GENERIC_PARENT_UP
 class class-default
  police cir 5120000 bc 160000 conform-action transmit exceed-action drop
  service-policy BB_QoS_VOIP_UP
policy-map BB_QoS_VOIP_UP
 class BB_QoS_VOIP_UP
  set mpls experimental imposition 0
 class class-default
  set mpls experimental imposition 0
Subscriber Profile :
testdsl3@testadsl cisco-avpair += ip:sub-qos-policy-in=BB_GENERIC_PARENT_UP
testdsl3@testadsl cisco-avpair += ip:sub-qos-policy-out=BB_GENERIC_PARENT_DOWN
testdsl3@testadsl cisco-avpair += ip:addr-pool=xdslpool
testdsl3@testadsl Cisco-Account-Info += AINTERNET
Update Session via COA : Changing the class-default value of the parent policy. (The ISG applies twice the value sent in the CoA message to the configuration; this is the result of subscriber service police percent-factor 100 if the QoS contains policing, or subscriber service shaper percent-factor 100 if the QoS contains shaping.) You can also change the other policy-map class values.
radpwtst -s X.X.X.X -secret X -noauth -noacct -code Change-Filter-Request -trace 4 Cisco-Account-Info="S1.1.1.1:vrf-id=INTERNET" cisco-avpair="ip:qos-policy-in=add-class(sub,(class-default),police(220000))"
radpwtst -s X.X.X.X -secret X -noauth -noacct -code Change-Filter-Request -trace 4 Cisco-Account-Info="S1.1.1.1:vrf-id=INTERNET" cisco-avpair="ip:qos-policy-out=add-class(sub,(class-default),shape(150400))"
show policy-map interface Vi2.1
Virtual-Access2.1
SSS session identifier 887 –
Service-policy input: BB_GENERIC_PARENT_UP$class-default;police=440000,0,0$BB_QoS_VOIP_UP$class-default
Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
police:
cir 440000 bps, bc 13750 bytes, be 13750 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
Service-policy : BB_QoS_VOIP_UP
Class-map: BB_QoS_VOIP_UP (match-all)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: access-group 102
QoS Set
mpls experimental imposition 0
Marker statistics: Disabled
Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
QoS Set
mpls experimental imposition 0
Marker statistics: Disabled
Virtual-Access2.1
SSS session identifier 887 –
Service-policy output: BB_GENERIC_PARENT_DOWN$class-default;shape=300800$BB_QoS_VOIP_DOWN$class-default
Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 300800, bc 1204, be 1204
target shape rate 300800
Service-policy : BB_QoS_VOIP_DOWN
queue stats for all priority classes:
Queueing
queue limit 512 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: BB_QoS_VOIP_DOWN (match-all)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: access-group 101
Priority: 30% (90 kbps), burst bytes 9216, b/w exceed drops: 0
Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
The policy-map parameters can also be changed in the initial Access-Accept. A general policy-map must be configured on the ISG, and the policy-map values are changed according to the subscriber bandwidth profile (a kind of dynamic template usage).
testdsl3@testadsl cisco-avpair += ip:addr-pool=xdslpool
testdsl3@testadsl cisco-avpair += ip:qos-policy-out=add-class(sub,(class-default),shape(160000))
testdsl3@testadsl Cisco-Account-Info += AINTERNET
testdsl3@testadsl cisco-avpair += ip:sub-qos-policy-in=BB_GENERIC_PARENT_UP
testdsl3@testadsl cisco-avpair += ip:qos-policy-in=add-class(sub,(class-default),police(220000))
testdsl3@testadsl cisco-avpair += ip:sub-qos-policy-out=BB_GENERIC_PARENT_DOWN
sh policy-map interface Vi2.1
Virtual-Access2.1
SSS session identifier 888 –
Service-policy input: BB_GENERIC_PARENT_UP$class-default;police=440000,0,0$BB_QoS_VOIP_UP$class-default
Class-map: class-default (match-any)
27 packets, 1240 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
police:
cir 440000 bps, bc 13750 bytes, be 13750 bytes
conformed 27 packets, 1240 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
Service-policy : BB_QoS_VOIP_UP
Class-map: BB_QoS_VOIP_UP (match-all)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: access-group 102
QoS Set
mpls experimental imposition 0
Marker statistics: Disabled
Class-map: class-default (match-any)
27 packets, 1240 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
QoS Set
mpls experimental imposition 0
Marker statistics: Disabled
Virtual-Access2.1
SSS session identifier 888 –
Service-policy output: BB_GENERIC_PARENT_DOWN$class-default;shape=320000$BB_QoS_VOIP_DOWN$class-default
Class-map: class-default (match-any)
6 packets, 340 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 1/150
shape (average) cir 320000, bc 1280, be 1280
target shape rate 320000
Service-policy : BB_QoS_VOIP_DOWN
queue stats for all priority classes:
Queueing
queue limit 512 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: BB_QoS_VOIP_DOWN (match-all)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: access-group 101
Priority: 30% (96 kbps), burst bytes 9216, b/w exceed drops: 0
Class-map: class-default (match-any)
6 packets, 340 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 1/150
Example 3 :
More complex QoS deployment with RADIUS integration. Generally, subscribers have different up/down speed combinations. Defining a different policy-map for each will enlarge the configuration file. Also, some customers may have voice service and some may not. In Example 2, the child policy has a default voice service applied. In this example I have applied an empty child policy (this is required for adding additional classes to the customer's parent policy-map).
I tried to define one general default policy-map via CLI for each QoS customer and add/change class-maps in this default policy-map via RADIUS according to the subscriber's QoS requirements.
General policy-map definition : This will be used for all subscribers. RADIUS will change the generic shaping and policing values according to the customer's service speed. But be careful with this kind of usage, as the physical interface speed and the customer's service speed may be different (as in a broadband xDSL configuration; read Broadband Forum TR-147 sections 6.1 and 6.2). There is actually no problem as long as the customer's physical access speed is greater than or equal to the customer's service speed (what the customer bought). If it is below the customer's service speed, there will be a problem in the QoS deployment: there will be congestion at the physical level before the customer reaches the service speed. For example:
Customer service speed = 10MB download and 1MB upload, but the DSLAM and the customer may sync at 4MB. With this method you regulate the customer at 10MB; there is no problem with that. But if you are also deploying QoS, the QoS mechanism waits for the line to become congested at 10MB, which is never going to happen.
You have to tell the BNG or RADIUS this physical speed. This can be done via PPPoE tags: the DSLAM may set PPPoE tags with the line's physical speed, and RADIUS can use this information for setting the customer speed and QoS parameters, and also for reporting. Another method can be ANCP.
policy-map BB_GENERIC_CHILD_DOWN ! Empty child policy is required to add additional classes via radius
policy-map BB_GENERIC_PARENT_DOWN
 class class-default
  shape average 20000000
  service-policy BB_GENERIC_CHILD_DOWN
policy-map BB_GENERIC_CHILD_UP ! Empty child policy is required to add additional classes via radius
policy-map BB_GENERIC_PARENT_UP
 class class-default
  police cir 512000 bc 16000 conform-action set-mpls-exp-topmost-transmit 0 exceed-action drop violate-action drop
  service-policy BB_GENERIC_CHILD_UP
For IN (CE to PE) : One QoS group, BB_QoS_VOIP_UP, is added which is not defined in the CLI-defined policy-map BB_GENERIC_PARENT_UP (although the class-map must previously be defined via CLI). Some QoS actions, such as set-mpls-exp-topmost-transmit, are not supported. Read Hierarchical Color-Aware Policing carefully for detailed information about the input policing feature.
'cisco-avpair', 'ip:qos-policy-in=add-class(sub,(class-default,BB_QoS_VOIP_UP),police(128000),set-qos-grp(43))' ! This will add the voice class
'cisco-avpair', 'ip:sub-qos-policy-in=BB_GENERIC_PARENT_UP' ! This is the default policy map
'cisco-avpair', 'ip:qos-policy-in=add-class(sub,(class-default),police(1500000))' ! This will change the police bandwidth of the whole session.
If you want to change the bandwidth of the whole session, e.g. for fair-usage reasons, but don't want upper classes like voice to be affected, you can add a default class to the child policy with the speed you want.
'cisco-avpair', 'ip:qos-policy-in=add-class(sub,(class-default,class-default),police(50000))' ! This will add a default class to the child policy map.
For DOWN (PE to CE) : Similar to the IN policy-map, with more classes.
'cisco-avpair', 'ip:qos-policy-out=add-class(sub,(class-default,BB_QoS_VOIP_DOWN),police(128000),pri-level(1))'
'cisco-avpair', 'ip:qos-policy-out=add-class(sub,(class-default,BB_QoS_IPTV_DOWN),police(1000000),pri-level(2))'
'cisco-avpair', 'ip:qos-policy-out=add-class(sub,(class-default),shape(1500000))'
'cisco-avpair', 'ip:qos-policy-out=add-class(sub,(class-default,class-default),shape(350000))'
'cisco-avpair', 'ip:sub-qos-policy-out=BB_GENERIC_PARENT_DOWN'
With this, all customer in traffic will be policed to 3MB, class BB_GENERIC_PARENT_UP will have 256K, and the default class will have 1M.
Also, I wrote a sub code on RADIUS for solving the physical speed problem.
The DSLAM inserts PPPoE tags for dsl-sync-rate.
bba-group pppoe yapa
 virtual-template 1
 vendor-tag circuit-id service
 vendor-tag remote-id service
 vendor-tag dsl-sync-rate service
policy-map BB_GENERIC_ERROR_DOWN
 class class-default
  shape average 1000000
  service-policy BB_GENERIC_CHILD_DOWN
policy-map BB_GENERIC_ERROR_UP
 class class-default
  police cir 512000 bc 16000 conform-action set-mpls-exp-topmost-transmit 0 exceed-action drop violate-action drop
  service-policy BB_GENERIC_CHILD_UP
RADIUS checks the customer's physical speed, which arrives via PPPoE tags, against the customer speed. Simply:
if physical speed < customer speed, send the BB_GENERIC_ERROR policy-maps
else if a customer-specific policy-map is defined, send it (for enterprise customers, which may have dedicated QoS policy-maps)
else if sum of all class speeds > physical speed, send the BB_GENERIC_ERROR policy-maps
else if sum of all class speeds > customer speed, send the BB_GENERIC_ERROR policy-maps
else send the customer class and speed parameters
Also, in the CDRs you can see the applied policy names and report the customers that got the ERROR policy-maps.
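The selection logic above as an added Python example; it is not the author's RADIUS code. The Profile record, the function names and the sample subscriber are hypothetical, the sync rates are assumed to be already parsed from the PPPoE tags into bps, and the comparisons trigger the fallback when the line syncs below the sold speed, as the earlier explanation of the physical speed problem describes.

```python
from dataclasses import dataclass, field
from typing import Optional

GENERIC = ("BB_GENERIC_PARENT_UP", "BB_GENERIC_PARENT_DOWN")   # maps from the page
ERROR = ("BB_GENERIC_ERROR_UP", "BB_GENERIC_ERROR_DOWN")       # fallback maps from the page
LOCAL_CLASS_MAPS = {"BB_QoS_VOIP_DOWN", "BB_QoS_IPTV_DOWN"}    # class-maps configured on the ISG


@dataclass
class Profile:                                        # hypothetical subscriber record
    up_bps: int                                       # sold upstream speed
    down_bps: int                                     # sold downstream speed
    down_classes: dict = field(default_factory=dict)  # class-map -> (bps, pri-level)
    dedicated: Optional[tuple] = None                 # (in_map, out_map) for enterprise


def parent_maps(maps):
    return [f"ip:sub-qos-policy-in={maps[0]}", f"ip:sub-qos-policy-out={maps[1]}"]


def select_avpairs(p, sync_up_bps, sync_down_bps):
    """Apply the checks in the order listed above; return the cisco-avpair values."""
    # 1. Line synced below the sold speed: QoS would never see congestion.
    if sync_down_bps < p.down_bps or sync_up_bps < p.up_bps:
        return parent_maps(ERROR)
    # 2. A dedicated policy-map wins over the generic template.
    if p.dedicated:
        return parent_maps(p.dedicated)
    # 3 and 4. Child classes must fit inside both the line and the sold speed.
    class_sum = sum(bps for bps, _ in p.down_classes.values())
    if class_sum > sync_down_bps or class_sum > p.down_bps:
        return parent_maps(ERROR)
    # 5. Generic maps plus the per-subscriber parameters.
    avps = parent_maps(GENERIC)
    avps.append(f"ip:qos-policy-in=add-class(sub,(class-default),police({p.up_bps}))")
    avps.append(f"ip:qos-policy-out=add-class(sub,(class-default),shape({p.down_bps}))")
    for name, (bps, level) in p.down_classes.items():
        if name not in LOCAL_CLASS_MAPS:      # the ISG can only reference local class-maps
            raise ValueError(f"class-map {name} is not configured on the ISG")
        avps.append("ip:qos-policy-out=add-class(sub,(class-default,"
                    f"{name}),police({bps}),pri-level({level}))")
    return avps


# Constructed sample: 10M/1M service with voice and IPTV classes.
SAMPLE = Profile(1_000_000, 10_000_000,
                 {"BB_QoS_VOIP_DOWN": (128000, 1), "BB_QoS_IPTV_DOWN": (1000000, 2)})
```

The page's tests show the ISG applying twice the police and shape values it receives, so compare the result with show policy-map interface before relying on the numbers.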
2.3 Define and apply the QoS policy from RADIUS : This is explained in the ASR 9000 configuration guide (for the ASR 1000 it should be defined via CLI; see Configuring Parameterized QoS Policy Through RADIUS), so I did not have a chance to try it. However, I tried it on the ASR 1000, but the session never came up. I only tried to configure a simple policy-map via RADIUS, just a shaping under the default class:
testdsl3@testadsl cisco-avpair += ip:addr-pool=xdslpool
testdsl3@testadsl Cisco-Account-Info += AINTERNET
testdsl3@testadsl cisco-avpair += ip:qos-policy-out=add-class(sub, (class-default), shape(4000))
Apply config request set to AAA list
Config: ssg-account-info 0 “AINTERNET”
Config: addr-pool 0 “xdslpool”
Config: qos-policy-out 0 “add-class(sub, (class-default), shape(4000))”
Oct 23 11:52:48 TR: SSS PM [uid:904][425345B0]: Sending testdsl3@testadsl request to AAA
Oct 23 11:52:48 TR: SSS PM [uid:904][425345B0]: SSS PM: Allocating per-user profile info
Oct 23 11:52:48 TR: SSS PM [uid:904][425345B0]: SSS PM: Add per-user profile info to policy context
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Root SIP PPPoE
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Enable PPPoE parsing
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Enable PPP parsing
Oct 23 11:52:48 TR: SSS PM [uid:904][425345B0]: ACTIVE HANDLE[0]: Snapshot captured in Active context
Oct 23 11:52:48 TR: SSS PM [uid:904][425345B0]: ACTIVE HANDLE[0]: Active context created
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Event <make request>, state changed from idle to authorizing
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Active key set to Auth-User
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Authorizing key testdsl3@testadsl
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Spoofed AAA reply sent for key testdsl3@testadsl
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Received an AAA pass
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Could not parse AAA interim interval
Oct 23 11:52:48 TR: COA_CCM:Poisoning session for SHDB 0x3C0002BB.
Oct 23 11:52:48 TR: COA_HA: [ERR] Unable to get coa_ctx from shdb 0x3C0002BB
Oct 23 11:52:48 TR: SSS PM [uid:904][425345B0]: RULE: Service Name = INTERNET Ok
Oct 23 11:52:48 TR: SSS PM [uid:904][425345B0]: Attribute list added to service name INTERNET
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: AAA service-policy config for testdsl3@testadsl had errors