QoS Marking Issue on Cisco Catalyst 9500

=====================

+ Problem Description:

=====================

The customer mentioned that he is having issues with QoS marking as he mentioned that it is not working under the port channel; on the other hand, he mentioned that it is applied on Cisco Catalyst 9500-48Y4C running IOS-XE version 16.12.4.

====================

+ Action Plan:

====================

 

1. Better understanding of the issue by describing the problem description from a technical point of view, in addition to collecting additional information that will help troubleshoot the issue:

• Was this working before, or is it a new implementation?
• Is this a part of a stack or a standalone switch?
• Are there any abnormal error/s observed regarding the QoS?
• Additionally, what is the configuration used to configure the QoS?
• Finally, we need to collect the show tech file from the mentioned switch.

 

2. Our goal for this configuration is to provide L3 VPN customers with the proper COS values and the requested capacity.
3. After building an internal lab, we can have the first solution by configuring the two physical interfaces as switchport:

 

===================

+ LAB Test 1:

===================

 

• Hardware: C9500-48Y4C
• Software: 16.12.4

• Configured port channel 16 with two members (Twe1/0/44 and Twe1/0/46) as shown below:

Group Port-channel Protocol Ports

------+-------------+-----------+-----------------------------------------------

16 Po16(SU) LACP Twe1/0/44(P) Twe1/0/46(P)

 

• Configuration of the mentioned interfaces:

interface TwentyFiveGigE1/0/44

description SW-VC-Manage-C31

switchport mode trunk

mtu 9216

channel-group 16 mode active

service-policy input eth-port-policy-map-in

end

 

interface TwentyFiveGigE1/0/46

description SW-VC-Manage-C31

switchport mode trunk

mtu 9216

channel-group 16 mode active

service-policy input eth-port-policy-map-in

end

 

• Configured the policy map as on our switch:

Policy Map eth-port-policy-map-in

Class class-vlan200

police cir 100000 bc 3125

conform-action transmit

exceed-action drop

set dscp cs2

 

• The interface was not working when we applied L3 configuration for the port channel.
• Once the configuration was changed to a switchport, we were able to see the marking working as expected.
• This can be also confirmed with a capture on the next hop:

Frame 1: 118 bytes on wire (944 bits), 118 bytes captured (944 bits) on interface 0

Interface id: 0 (/tmp/epc_ws/wif_to_ts_pipe)

Encapsulation type: Ethernet (1)

Arrival Time: May 7, 2021 11:01:20.316759000 UTC

[Time shift for this packet: 0.000000000 seconds]

Epoch Time: 1620385280.316759000 seconds

[Time delta from previous captured frame: 0.000000000 seconds]

[Time delta from previous displayed frame: 0.000000000 seconds]

[Time since reference or first frame: 0.000000000 seconds]

Frame Number: 1

Frame Length: 118 bytes (944 bits)

Capture Length: 118 bytes (944 bits)

[Frame is marked: False]

[Frame is ignored: False]

[Protocols in frame: eth:ethertype:vlan:ethertype:ip:icmp:data]

Ethernet II, Src: 00:9e:1e:72:4c:c1 (00:9e:1e:72:4c:c1), Dst: e4:1f:7b:36:65:7f (e4:1f:7b:36:65:7f)

Destination: e4:1f:7b:36:65:7f (e4:1f:7b:36:65:7f)

Address: e4:1f:7b:36:65:7f (e4:1f:7b:36:65:7f)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

Source: 00:9e:1e:72:4c:c1 (00:9e:1e:72:4c:c1)

Address: 00:9e:1e:72:4c:c1 (00:9e:1e:72:4c:c1)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

Type: 802.1Q Virtual LAN (0x8100)

802.1Q Virtual LAN, PRI: 2, CFI: 0, ID: 100

010. .... .... .... = Priority: Spare (2)

...0 .... .... .... = CFI: Canonical (0)

.... 0000 0110 0100 = ID: 100

Type: IPv4 (0x0800)

Internet Protocol Version 4, Src: 100.0.0.1, Dst: 100.0.0.3

0100 .... = Version: 4

.... 0101 = Header Length: 20 bytes (5)

Differentiated Services Field: 0x40 (DSCP: CS2, ECN: Not-ECT) <<<

0100 00.. = Differentiated Services Codepoint: Class Selector 2 (16)

.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)

Total Length: 100

Identification: 0x0075 (117)

 

4. On the other hand, we have applied another solution on the same lab setup, but this time using ACL to match the range of addresses instead of matching via VLAN tag:

 

===================

+ LAB Test 2:

===================

 

• VLAN 80 was implemented on Cisco C2960 switch with the below configuration:

interface Vlan80

description A2-DC-CORE-MNG

ip address 192.168.190.162 255.255.255.252

no ip route-cache

 

• From the subnet mask showing above, we can conclude that we have 4 available addresses in this range.
• We can proceed with configuring class map to match VLAN 80 but since this will not work with our current configuration as explained then we can replace it with an ACL to match the IP addresses available in this subnet and proceed with the needed action, as shown in the below test:

• From our C9500 lab device:

F241.01.05.C9500-48Y4C-2#show run int tw 1/0/44

 

interface TwentyFiveGigE1/0/44

description SW-VC-Manage-C31

no switchport

mtu 9216

no ip address

channel-protocol lacp

channel-group 16 mode active

lacp rate fast

 

F241.01.05.C9500-48Y4C-2#show run int tw 1/0/44

 

interface TwentyFiveGigE1/0/46

description SW-VC-Manage-C31

no switchport

mtu 9216

no ip address

channel-protocol lacp

channel-group 16 mode active

lacp rate fast

 

F241.01.05.C9500-48Y4C-2#show run int po 16

 

interface Port-channel16

no switchport

no ip address

 

F241.01.05.C9500-48Y4C-2#show run int po 16.100

 

interface Port-channel16.100

encapsulation dot1Q 100

ip address 100.0.0.2 255.255.255.0

 

F241.01.05.C9500-48Y4C-2#conf t

F241.01.05.C9500-48Y(config)#class-map match-all

F241.01.05.C9500-48Y(config)#ip access-list ex test

F241.01.05.C9500-48Y(config-ext-nacl)#permit ip 100.0.0.0 0.0.0.255 any

F241.01.05.C9500-48Y(config-ext-nacl)#exit

 

F241.01.05.C9500-48Y(config)#class-map match-all test

F241.01.05.C9500-48Y(config-cmap)#match access-group name test

F241.01.05.C9500-48Y(config-cmap)#exit

 

F241.01.05.C9500-48Y(config)#policy-map test

F241.01.05.C9500-48Y(config-pmap)#class test

F241.01.05.C9500-48Y(config-pmap-c)#police cir 100000 bc 3125

F241.01.05.C9500-48Y(config-pmap-c-police)#conform-action transmit

F241.01.05.C9500-48Y(config-pmap-c-police)#exceed-action drop

F241.01.05.C9500-48Y(config-pmap-c-police)#set dscp cs2

F241.01.05.C9500-48Y(config-pmap-c)#exit

 

F241.01.05.C9500-48Y4C-2#conf t

F241.01.05.C9500-48Y(config)#int twentyFiveGigE 1/0/44

F241.01.05.C9500-48Y(config-if)#service-policy input test

F241.01.05.C9500-48Y(config-if)#int twentyFiveGigE 1/0/46

F241.01.05.C9500-48Y(config-if)#service-policy input test

 

- Capturing the traffic on the neighbor switch :

 

F241.01.05.C9500-48Y4C-1#show cdp ne

 

Device ID Local Intrfce Holdtme Capability Platform Port ID

F241.01.05.C9500-48Y4C-2.cisco.com

Twe 1/0/1 153 R S I C9500-48Y Twe 1/0/1

 

F241.01.05.C9500-48Y4C-1#mon cap tac int tw 1/0/1 both match ipv4 a a b s 100

 

• We can observe that the DSCP value is set properly as shown below:

 

F241.01.05.C9500-48Y4C-1#sh mon cap tac buffer det

 

Frame 2: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0

Interface id: 0 (/tmp/epc_ws/wif_to_ts_pipe)

Encapsulation type: Ethernet (1)

Arrival Time: May 11, 2021 08:42:38.862843000 UTC

[Time shift for this packet: 0.000000000 seconds]

Epoch Time: 1620722558.862843000 seconds

[Time delta from previous captured frame: 0.000432000 seconds]

[Time delta from previous displayed frame: 0.000432000 seconds]

[Time since reference or first frame: 0.000432000 seconds]

Frame Number: 2

Frame Length: 114 bytes (912 bits)

Capture Length: 114 bytes (912 bits)

[Frame is marked: False]

[Frame is ignored: False]

[Protocols in frame: eth:ethertype:ip:icmp:data]

Ethernet II, Src: e4:1f:7b:36:64:e0 (e4:1f:7b:36:64:e0), Dst: e4:1f:7b:36:64:e0 (e4:1f:7b:36:64:e0)

Destination: e4:1f:7b:36:64:e0 (e4:1f:7b:36:64:e0)

Address: e4:1f:7b:36:64:e0 (e4:1f:7b:36:64:e0)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

Source: e4:1f:7b:36:64:e0 (e4:1f:7b:36:64:e0)

Address: e4:1f:7b:36:64:e0 (e4:1f:7b:36:64:e0)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

Type: IPv4 (0x0800)

Internet Protocol Version 4, Src: 200.0.0.3, Dst: 100.0.0.1

0100 .... = Version: 4

.... 0101 = Header Length: 20 bytes (5)

Differentiated Services Field: 0x40 (DSCP: CS2, ECN: Not-ECT)

0100 00.. = Differentiated Services Codepoint: Class Selector 2 (16)

.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)

Total Length: 100

 

5. Finally, in conclusion, we can use switchport method for L2, on the other hand, in case we need the marking to be applied on the L3, we need to proceed with applying an ACL as a workaround.