Tuesday, March 10, 2009

CCIE ALU - CBWFQ and qos-group tagging to match traffic

Foreword: An ALU is an Autonomous Learning Unit to help with CCIE lab preparation; you can read this post to learn more about them.





All traffic coming in Serial0/1 of R2 needs to be guaranteed 512Kbit/sec of bandwidth when exiting the frame relay interface of R2.  All traffic entering FastEthernet0/0 of R2 should be dropped if it tries to exit the frame relay interface of R2, unless it is HTTPS traffic.  No change in configuration should be required if any IP addresses change in the future.  Also, no part of the packet header should be modified in any way by this configuration.





Highlight below for the solution:




class-map match-all MATCH_HTTPS
 match protocol secure-http
class-map match-all MATCH_QOS1
 match qos-group 1
class-map match-all MATCH_QOS2
 match qos-group 2

! Tag everything arriving from R3 on the PPP link with qos-group 1
policy-map IN_S0-1
 class class-default
  set qos-group 1

! Guarantee 512 kbps to qos-group 1, drop qos-group 2
policy-map OUT_S0-0
 class MATCH_QOS1
  bandwidth 512
 class MATCH_QOS2
  drop

! HTTPS matches first and is left untagged; everything else gets qos-group 2
policy-map IN_FA0-0
 class MATCH_HTTPS
 class class-default
  set qos-group 2

interface FastEthernet0/0
 service-policy input IN_FA0-0

interface Serial0/1
 service-policy input IN_S0-1

interface Serial0/0
 service-policy output OUT_S0-0




R2#show policy-map interface

  Service-policy input: IN_FA0-0

    Class-map: MATCH_HTTPS (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: protocol secure-http

    Class-map: class-default (match-any)
      45 packets, 670 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      QoS Set
        qos-group 2
          Packets marked 45

  Service-policy output: OUT_S0-0

    Class-map: MATCH_QOS1 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: qos-group 1

        Output Queue: Conversation 265
        Bandwidth 512 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: MATCH_QOS2 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: qos-group 2

    Class-map: class-default (match-any)
      33 packets, 462 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

  Service-policy input: IN_S0-1

    Class-map: class-default (match-any)
      15 packets, 150 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      QoS Set
        qos-group 1
          Packets marked 15




Qos-group is a flag that can be set and matched on packets and is local to the router; that is, it is not an industry-standard flag, nor part of the IP or Ethernet headers.  The qos-group is very useful because it allows you to apply QOS policy without modifying a packet.  For example, in the above question we could have set a DSCP or IP Precedence value, then matched on that.  However, that would modify the packet and overwrite values which might have been set by other devices in the network.


In this example we are setting QOS Group 1 on any packets entering the PPP serial link from R3 using the policy-map IN_S0-1.  We are also setting QOS Group 2 on any non-HTTPS packet entering FastEthernet0/0 using policy-map IN_FA0-0.  We are then reserving bandwidth for QOS Group 1, and dropping QOS Group 2 in policy-map OUT_S0-0.


An important point to remember is that policy-maps are "first hit exit" policies, meaning that traffic is compared to each class within the policy-map in order, and as soon as one matches, the actions in that class are executed and the policy-map is exited.  In the example of IN_FA0-0 we match HTTPS traffic and apply no action to it; all other traffic hits the class class-default and has QOS-GROUP 2 set on it.  An alternative to this configuration would be to set QOS-GROUP 2 on all traffic entering FastEthernet0/0, then in policy-map OUT_S0-0 match HTTPS and do nothing to it, thereby bypassing the drop associated with QOS GROUP 2.  Both options are valid and would be awarded full credit in the CCIE lab.
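To make the "first hit exit" behaviour concrete, here is a small Python model of the MQC evaluation above (an added example, not code from the original post): the post's class-maps become predicates, each policy-map is an ordered list of classes, and both the posted design and the alternative are run over the same constructed packets. The class order in the alternative's output policy is an assumption of the model: MATCH_QOS1 is placed before MATCH_HTTPS so that HTTPS arriving from Serial0/1 keeps its guarantee.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    protocol: str                      # NBAR classification, e.g. "secure-http"
    header: dict = field(default_factory=dict)  # IP header fields; must stay untouched
    qos_group: "int | None" = None     # router-local tag, never written into the header
    dropped: bool = False
    guaranteed_kbps: int = 0

# The post's class-maps, as predicates over a packet.
MATCH_HTTPS = lambda p: p.protocol == "secure-http"
MATCH_QOS1 = lambda p: p.qos_group == 1
MATCH_QOS2 = lambda p: p.qos_group == 2
ANY = lambda p: True                   # class-default

# Policy-map actions.
def set_qos_group(n): return lambda p: setattr(p, "qos_group", n)
def bandwidth(kbps): return lambda p: setattr(p, "guaranteed_kbps", kbps)
def drop(p): p.dropped = True

def run_policy(pkt, policy):
    """MQC 'first hit exit': the first class that matches runs its actions, then the policy-map is left."""
    for name, match, actions in policy:
        if match(pkt):
            for act in actions:
                act(pkt)
            return name
    return None

IN_S0_1 = [("class-default", ANY, [set_qos_group(1)])]
# Design A (the posted solution): HTTPS is exempted at ingress by a class with no action.
IN_FA0_0_A = [("MATCH_HTTPS", MATCH_HTTPS, []), ("class-default", ANY, [set_qos_group(2)])]
OUT_S0_0_A = [("MATCH_QOS1", MATCH_QOS1, [bandwidth(512)]),
              ("MATCH_QOS2", MATCH_QOS2, [drop]), ("class-default", ANY, [])]
# Design B (the alternative in the text): mark everything at ingress, exempt HTTPS at egress.
# Assumed order: MATCH_QOS1 before MATCH_HTTPS, or HTTPS from Serial0/1 would lose its guarantee.
IN_FA0_0_B = [("class-default", ANY, [set_qos_group(2)])]
OUT_S0_0_B = [("MATCH_QOS1", MATCH_QOS1, [bandwidth(512)]), ("MATCH_HTTPS", MATCH_HTTPS, []),
              ("MATCH_QOS2", MATCH_QOS2, [drop]), ("class-default", ANY, [])]
DESIGNS = {"A": (IN_FA0_0_A, OUT_S0_0_A), "B": (IN_FA0_0_B, OUT_S0_0_B)}

def forward(ingress, protocol, design):
    """Send one packet in on `ingress` and out of Serial0/0; return (dropped, kbps, qos_group)."""
    pkt = Packet(protocol, header={"dscp": 0, "precedence": 0})   # constructed sample packet
    in_policy, out_policy = DESIGNS[design]
    run_policy(pkt, in_policy if ingress == "FastEthernet0/0" else IN_S0_1)
    run_policy(pkt, out_policy)
    assert pkt.header == {"dscp": 0, "precedence": 0}   # only the local tag changed
    return pkt.dropped, pkt.guaranteed_kbps, pkt.qos_group
```

In design B the HTTPS packet from FastEthernet0/0 leaves the router still carrying qos-group 2, yet is not dropped, because MATCH_HTTPS is hit before MATCH_QOS2; that is exactly the first-hit-exit rule at work.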


DocCD items to reference:

Configuration Guide (Class-Based Weighted Fair Queueing Configuration Task List)



match protocol

drop (in a class-map)

set qos-group

service-policy in

service-policy out

show policy-map interface


  1. Hello! I really like your ALU posts. I stumbled upon your site while doing some research on spaced learning that I learned from Greg Ferro (Etherealmind.com), which in turn led me to yours.

    I have a question about creating flash cards. When you create them, do you write out the question on one side of an index card and write the "entire" solution on the back? I'm kinda curious if I should put "meaty" details in the answer/solution part of the flash card, or just enough information to jog your memory of related solutions but are not necessarily written down on the back of the flash card. The solutions just seem a bit long to fit in a small flash card.

  2. Hi Aragoen!

    Thank you for the kind words, I'm glad you are enjoying my posts. I have been pretty occupied on a job for the past week or so, so I apologize for not churning them out quite as fast as usual.

    As for my cards, I generally put exactly what I am supposed to type at the command line. Then when I pick up a card, I actually go to a router (or a dynamips session), and do what the question says. I then will verify the configuration inside the router, and then finally turn the card over.

    Also, I use very large cards, they are 5"x7" and are easily able to go through a laser printer, so I was able to copy directly from my notes onto the back of the card. I would imagine full sheets of paper would work just as well too.

    Thanks again for reading my blog, I felt a strong need to give back to the CCIE community after I passed, and I am very happy that my work is helping others!