A major part of your Quality of Service configuration is the policy statements you create in QoS Policy Manager and deploy to your network devices. These policies define how the network devices manage the data that flows through the network.

These topics cover the details about creating and managing policies.

Understanding Policies

Using QPM, you can create the following types of policies:

QoS policies—A QoS policy is a conditional statement that applies one or more specified QoS actions to a packet if the packet satisfies the conditions (filters) defined in the policy.
Access control policies—An access control policy permits or denies the flow of data if the data packet satisfies the conditions (filters) defined in the policy. An access control policy does not have an associated QoS action.

Note You cannot create access control policies on Catalyst 5000 and Catalyst 6000 switches.

The filter you create for a policy can be broad, in which case the policy is applied to a high percentage of the traffic that travels through the device or interface, or it can be very narrow and selective. When the device determines that a packet satisfies the conditions of the policy, it applies the policy's action to it. If there is more than one policy defined on the interface or device, the device looks at the policies in order, top to bottom, until a match is found, at which point it applies the policy and ignores remaining policies. (If you are creating an advanced coloring or limiting policy, however, you can specify that additional policies be considered after the device applies a matching policy.)

If an interface belongs to a device group, the list of policies includes those defined on the device group, as well as those defined directly on the interface. You cannot edit or change the order of group policies when viewing them from a member interface; you can only change the order on the device group. Group policies are always given lower priority than individual interface policies.

When you create a policy, QPM presents you with only actions and settings that are valid for the device and interface as they are defined in the QoS database. If an action you want is not available, ensure that the QoS database has the correct configuration information for the device, and that the device supports the QoS feature.

With QPM, you can enable and disable policies without deleting them. However, the status of the policy on the device does not change until you deploy the database to the devices.

QoS Policy Actions

QPM uses CLI or modular CLI (also known as MQC) to implement QoS policies, depending on the interface, QoS property, and software version. Policies implemented with modular CLI can contain multiple actions.

The actions you can apply using QoS policies depend on several factors:

The QoS property defined on the interface or device group—Some actions are available only if you select a complementary QoS property in the interface or device group properties. For example, you must configure an interface to use the Custom Queuing QoS property before you can create custom queuing policies on the interface.
The type of device—Some actions are only available on a particular type of device.
The type of interface—Some actions are only available on certain interface types.
The type of card—Some actions are not available on VIP cards.
The software version for the device—Some actions are available only on certain releases of the device software. Typically, the higher the release level of the software, the more QoS features are available.

Creating a Policy

You can create a QoS policy whenever you want to apply specific QoS actions to a selected group of packets, rather than just change how an interface or group of interfaces manages traffic. See Policy Actions, for information about the QoS actions you can apply through QPM.

You can create an access control policy to permit or deny specific classes of traffic. These policies do not contain any associated actions.

Before You Begin

Determine the characteristics of the packets you are targeting. For example, the port the packets use, the protocol the packets use, the IP address of the source of the packets, the IP address of the destination of the packets, and so on.
You must add the device and its interfaces to the database before you can create policies for it.

Procedure

Step 1 In the tree view, select the interface, device, device group, or VLAN on which you want to create a policy.

Step 2
To create a QoS policy, click the New QoS Policy button, or right-click in the List View pane and select NewQoS Policy.

To create an access control policy, click the New Access Control Policy button, or right-click in the List View pane and select New Access Control Policy.

QPM opens the Properties of Policy dialog box, in which you will create the policy.

When you first open the Properties of Policy dialog box, the General page appears in the right pane of the Properties of Policy dialog box. The types of actions that can be defined appear in the left pane. This list depends on the device, software version, interface, and type of policy (QoS or access control).

Step 3 In the General Properties page, change the name of the policy and add a meaningful comment. By default, the policy you create is enabled—you can disable it by changing the status on this page.

Step 4 Click Next to open the Direction Properties page, and choose the direction of packets to which the policy applies.

Actions that are invalid for the selected direction are grayed out in the left pane.

Step 5 Click Next to open the Filter Properties page, and create the policy filter.

The filters you create determine to which packets the policy applies. The filter elements available to you differ depending on the type of device. Typically, you can identify the traffic by its general characteristics, its source, or its destination.

Each row in the filter grid in the filter properties tab is a complete condition—in order for a packet to satisfy the condition in a row, it must satisfy all elements of the row.

When the software version on the device supports modular CLI, and you select Class Based QoS for the QoS property on the interface, the filter pages displays additional tabs for filtering options using Network Based Application Recognition (NBAR) properties (or dNBAR for VIP interfaces) and IP RTP ports. You do not have to define an NBAR or IP RTP filter. You can leave these tabs blank. When the interface QoS property is Class Based QoS or Priority Queuing, you can also create a policy for unclassified traffic that does not match any other filter condition. This policy is called the class default policy.

You can create many separate filter conditions for the policy. Rows in the filter grid are logically disjoined—that is, a packet satisfies the filter if it satisfies the condition in any one complete row. For example, if one row specifies TCP for protocol and 80 for sender port, and a second row specifies only UDP for protocol, then the filter applies to all UDP traffic and all TCP port 80 traffic (web traffic).

When creating filters using NBAR properties or IP RTP ports, you can apply the policy to packets that match any of the NBAR/IP RTP conditions, or any of the filter conditions, or to packets that match all of the NBAR/IP RTP conditions, and any one of the filter conditions.

See these tables for specific information on the filter elements available:

Table B-25, Part 1—For router interfaces and Catalyst switches
Table B-25, Part 2—For Cisco 8500 switches. (For other layer 3 switches, you do not define a filter, you choose the destination interface to which the policy applies in the Tree view.)
Table B-25, Part 3—For LocalDirector

Step 6 For an Access Control policy, click Finish to save the policy. QPM adds the policy to the selected folder.

For a QoS policy, do one of the following to define a policy action:

Click Next. The next page in the dialog box is displayed.
Choose an action in the left pane of the dialog box. The corresponding page opens.

On interfaces for which the QoS property is Class Based QoS, you can define multiple actions in a single policy. In other cases, after you define one action, the other actions are disabled, and you cannot define additional actions.

The actions available to you are determined by many factors (described in Understanding Policies). QPM only shows you the actions that are valid for this policy. See Policy Actions for a description of the actions you can select.

Step 7 Click Finish to save the QoS policy.

QPM adds the policy to the selected folder.

Tips

Some types of QoS configurations require that Cisco Express Forwarding (CEF) is enabled on the device. CEF must be enabled on the device in order to use NBAR. In addition, CEF is required in order to deploy policies on VIP interfaces. For further information, see QoS Features That Require IP CEF or dCEF.

Policy Actions

The policy actions that are available for a specific interface or device group and its software version, are listed in the left pane of the Properties of Policy dialog box. The possible actions are as follows:

Coloring—Choose Coloring in the left pane to change the color of a packet (IP precedence or DSCP value), thus changing the packet's relative importance. The Coloring Properties page appears in the right pane.

Select the Coloring Properties check box to enable the coloring action.
In the Coloring Mechanism field, choose whether you want to color by IP precedence or by DSCP values (if both are supported by the selected interface, software version and QoS property).

Note On Catalyst 6000 switches, you also have the option of coloring by trust. In this way, you can choose to trust the IP precedence, CoS or DSCP settings on packets that meet the policy's filter, while having different trust settings for other packets on the port.

Select the desired value in the Precedence or DSCP field (or Trust State field for Catalyst 6000 devices).

Note Some versions of device software support complex coloring policies using committed access rate (CAR) classification. If you are creating a coloring policy on an interface that supports it, you can click Advanced and define a complex coloring action, rather than filling in the Precedence or DSCP field.

QPM scans policies in order, from top to bottom and applies the first matching policy. However, for certain policies, a Continue check box is provided so that you can specify that subsequent policies are examined after the coloring policy is applied. Ensure that the coloring policy appears before the subsequent policies in the list pane for the selected interface. For example, if you create a limiting policy that should also apply to the selected traffic, the limiting policy must appear after the coloring policy (or alternately, the limiting policy must also use Continue).

: See Table B-27 for complete information on the coloring properties.

Shaping—Choose Shaping in the left pane to smooth the rate of an outbound traffic flow. QPM generally uses Generic Traffic Shaping (GTS). On VIP interfaces, Distributed Traffic Shaping (dTS) is used. (On Frame Relay interfaces, you can define Frame Relay Traffic Shaping as an interface property.) Shaping policies buffer traffic flows to even out the transmission rate. Packets are not dropped until the buffer limits are reached. You cannot shape incoming traffic flows.

Select the Shaping Properties check box to enable the shaping action.
If the interface, software version, and QoS property support average and peak shaping, choose the shaping type in the Shaping type list.
Enter the desired rate in the Rate field, in kilobits per second. Optionally, you can include a burst and exceed burst size. The burst size determines the number of kilobits that can be transmitted per time interval, whereas the exceed burst size determines the additional number of kilobits that can be transmitted when there is congestion.

: See Table B-29 for complete information on the shaping properties.

Limiting—Choose Limiting in the left pane to limit the bandwidth available to traffic.

: Select the Limiting Properties check box to enable the limiting action.

Queuing—Choose the queuing option in the left pane to create a queuing policy. The queuing options differ according to the type of QoS property chosen for the interface.

: Select the queuing Properties check box to enable the queuing action.

Resolving the Host Names in a Policy to Their IP Addresses

QoS Policy Manager resolves newly added host names to their IP addresses when you save the QoS database, so you are never required to manually resolve new host names. However, QPM cannot identify if an already-used host name's IP address has changed. When IP addresses for host names have changed, you should resolve all host names so that the IP address changes are recognized and distributed to the devices.

Before You Begin

The DNS resolution process requires that the DNS server is up and available. Do not resolve host names if you are currently having DNS server problems.

Procedure

Step 1 To resolve only those host names that you have added to the database since your last save, select Tools>DNS Resolution>Resolve Unresolved Host Names.

To resolve all host names in the QoS database, select Tools>DNS Resolution>Resolve All Host Names.

Tips

An arrow indicates the host name that is currently being resolved.
Click Skip Resolution to skip the resolution of the host name currently being resolved. You might want to do this if the host name is taking a long time to resolve.
Click Show Unresolved to filter the list so that correctly-resolved host names are not displayed. This helps you locate any resolution failures. Click Show All Hosts to switch the list back to showing all hosts, including those whose IP addresses were successfully found.
Click Abort to stop the DNS resolution process.

Modifying a Policy

If a policy is not meeting your needs, you can modify its properties. When you redistribute the policies, the modified policy replaces the old policy on the device.

Procedure

Step 1 Select the interface, device, or device group that contains the policy you want to modify in the tree view.

Step 2 Double-click the policy you want to modify in the list view.

QPM opens the Properties of Policy window.

Step 3 Click the definition stage in the left pane that contains the settings you want to change, and alter the settings as desired. See Creating a Policy for information on each stage in policy creation.

Tips

The policy is not modified on the device until you save the database and distribute the policies.
You can open the policy to a specific pane by clicking the associated property in the list pane. For example, if you click in the filter column, the policy is opened to the filter properties.

Deleting a Policy

When you no longer want to use a policy, you can delete it from the QoS database. When you redistribute the policies, the deleted policy is removed from the associated device.

Before You Begin

If you are not sure that you no longer need a policy, consider disabling it instead of deleting it. See Enabling and Disabling Policies for more information.

Procedure

Step 1 Select the interface, device, or device group that contains the policy you want to delete in the tree view.

Step 2 Right-click the policy you want to delete in the list view and select Delete, or select Devices>Policy>Delete.

Tips

The policy is not removed from the device until you save the database and distribute the policies.

Enabling and Disabling Policies

When you create a policy on an interface, device, or device group, it is enabled by default. That is, when you distribute the QoS database to the devices, the policy is distributed and takes effect. However, you can disable a policy, or enable a disabled one, so that some policies that exist in the QoS database are not enacted on the network. This allows you to define policies before you want to make them effective, or temporarily remove a policy from the network without erasing it completely.

Procedure

Step 1 Select the interface, device, or device group that contains the policy you want to enable or disable in the tree view.

Step 2 Select the policy you want to enable or disable in the list view.

Step 3 Right-click on the policy and select Enable or Disable.

If you enable the policy, it is used on the interface, device, or device group.

If you disable the policy, it only resides in the QoS database, it is not defined on the devices.

Step 4
Click the Save button to save your changes to the database. This only updates the database—it does not change the policies on the devices.

Step 5
Click the Distribution Manager button to start Distribution Manager, and distribute your policies. See Distributing Policies and QoS Configurations for the procedure.

Creating Policy Building Blocks

You can simplify your policies by creating various building blocks that you can then use in the individual policy statements.

For example, you can create a host group that includes every host that requires a specific type of QoS. Instead of entering every host name in each related policy statement, you would use the name of the host group. Then, to add a host to a policy, you would edit the host group instead of every related policy.

These topics cover the types of building blocks you can create in QPM:

Working with Host Groups

A host group is a group of network hosts or subnets. You can use host groups to simplify the writing of your policies, because you can write a policy for the group instead of listing each host in the policy's filter.

Creating Host Groups

Create a host group when you want to treat a set of network hosts or subnets identically in a policy statement.

Before You Begin

Determine the names or IP addresses of the hosts or subnets you want to group together.

Procedure

Step 1
Click the Host Groups button, or select Tools>Host Groups.

QPM opens the Host Groups window.

Step 2 In the Host Groups window, click New to create a new host group.

QPM opens the Properties of Host Group window.

Step 3 Enter a host group name in Group Name. Choose a name you will find meaningful.

Step 4 In the Members group, click in an empty box in the Host column and enter a host name or IP address. You can enter a subnet by including both IP address and subnet mask information.

If you run out of empty boxes, press Enter when your cursor is in the last row. QPM will also add a row if you click out of a box and select another box.

When you are finished adding members, click OK to return to the Host Groups window. Click OK in the Host Groups window to return to Policy Manager.

Tips

You can also create a new group while writing a policy filter by clicking the groups button (...) in the sender or destination field of a policy filter after opening the filter's expansion dialog and selecting In Group for Type.
Host names must be resolved to IP addresses before distributing policies to devices. QPM prompts you to do DNS resolution when you save the database, or you can do it directly by selecting Tools>DNS Resolution>Resolve Unresolved Host Names. If the host does not have a static IP address, or a long-term lease from a DHCP server, your policy may not effectively apply to traffic involving the host.
If the group you want to create is similar to an existing group, you can select the existing group and click Duplicate. Double-click the copy of the group and change its name and membership as required.

Modifying Host Groups

Modify a host group to add or remove members, or to change the host group name.

Procedure

Step 1
Click the Host Groups button, or select Tools>Host Groups.

QPM opens the Host Groups window.

Step 2 In the Host Groups window, double-click the name of the host group you want to modify.

QPM opens the Properties of Host Group window.

Step 3 Make your desired changes to the host group:

To change the host group name, type over the existing name with the desired name. QPM updates all policies that are using the old name to use the new name.
To remove a member, select it in the Members list and click Delete.
To add a member, click in an empty box in the Host column in the Members list and enter a host name or IP address. You can enter a subnet by including both IP address and subnet mask information.

: If you run out of empty boxes, press Enter when your cursor is in the last row. QPM will also add a row if you click out of a box and select another box.

Step 4 When you finish modifying the host group, click OK to return to the Host Groups window. Click OK in the Host Groups window to return to Policy Manager.

Tips

You can also create a new group while writing a policy filter by clicking the groups button (...) in the sender or destination field of a policy filter after opening the filter's expansion dialog and selecting In Group for Type.
Host names must be resolved to IP addresses before distributing policies to devices. QPM prompts you to do DNS resolution when you save the database, or you can do it directly by selecting Tools>DNS Resolution>Resolve Unresolved Host Names. If the host does not have a static IP address, or a long-term lease from a DHCP server, your policy may not effectively apply to traffic involving the host.

Deleting Host Groups

Delete a host group when you no longer need to treat the set of hosts as a group. However, you can modify a host group to remove selected hosts, or add other hosts, if you still need to group a subset of the hosts in the group.

Before You Begin

You cannot delete a host group if it is being used in a policy. If you try to delete the group, QPM tells you the interface and policy name of the first policy it finds that uses the group.

Procedure

Step 1
Click the Host Groups button, or select Tools>Host Groups.

QPM opens the Host Groups window.

Step 2 In the Host Groups window, select the name of the host group you want to delete.

Step 3 Click Delete. QPM asks for confirmation before deleting the group.

Working with Application Services Aliases

An application service alias is a name of a defined set of characteristics that can identify the source of network traffic from a host or subnet. You can use application service aliases to simplify the writing of your policies, because you can write a policy for the application service instead of one for each host.

Creating Application Service Aliases

Create an application service alias when you want to identify a particular type of network traffic source.

Before You Begin

Determine the IP address of the host or subnet that is the source of the targeted traffic.

Procedure

Step 1
Click the Application Services button, or select Tools>Application Services.

QPM opens the Application Services window.

Step 2 Click Add in the Application Services window.

QPM opens the Application Service window.

Step 3 In the Application Service window, fill in the required information to identify the source of the targeted traffic, and to give the application service alias a name.

Click OK when finished to return to the Application Services window.

Step 4 Click OK in the Application Services window.

Modifying Application Service Aliases

Modify an application service alias when you want to change some characteristic of the type of network traffic source.

Procedure

Step 1
Click the Application Services button, or select Tools>Application Services.

QPM opens the Application Services window.

Step 2 Select the alias you want to change and click Edit in the Application Services window.

QPM opens the Application Service window.

Step 3 In the Application Service window, change the information as required to identify the source of the targeted traffic, or change the application service alias name.

Click OK when finished to return to the Application Services window.

Step 4 Click OK in the Application Services window.

Deleting Application Service Aliases

Delete an application service alias when you no longer want to use the alias in policies.

Procedure

Step 1
Click the Application Services button, or select Tools>Application Services.

QPM opens the Application Services window.

Step 2 Select the alias you want to delete and click Delete in the Application Services window.

QPM deletes the alias. If a policy still uses the alias, QPM changes the policy's filter by replacing the alias with the properties defined in the application service.

Changing the Priority of Policies

The device examines QoS policies in order until a match is found for the packet. Even if a packet satisfies more than one policy, it will be treated as satisfying only the first policy that the device encounters, unless you define your policy to include the Continue setting, in which case a subsequent match will be sought.

Policies on an interface are examined top-down according to the QPM display. Therefore your policies for an interface should appear in order of importance, from top to bottom, in order to ensure that policies get the priority you require. If you are creating complex policy structures that include Continue settings (so that you can set multiple policies on a given packet), ensure that the statements with the Continue setting come before the subsequent policy statement you want applied.

If an interface belongs to a device group, the list of policies includes those defined on the device group as well as those defined directly on the interface. You cannot edit or change the order of group policies when viewing them from a member interface. Group policies are always given lower priority than individual interface policies.

Procedure

Step 1 Select the interface, device, or device group whose policies you want to reorder in the tree view.

Step 2 Select the policy whose position you want to change in the list view, and:

Click the Up button to move the policy higher in the list of policies.
Click the Down button to move the policy lower in the list of policies.

Creating Policy Reports

You can create reports about your policies to help you identify the policies you have deployed. This might help you identify inconsistencies or other issues that you want to address.

Table 7-1 lists the reports available and the commands for creating them. The reports are created in HTML and displayed in your default web browser. Use the web browser's Print and Save As commands to print or save the reports.

Table 7-1: Policy Reports

Report Type	Command	Description
All Policies	Tools>Reports>All Policies	Displays the information on all policies defined in the database.
Device Policies	Tools>Reports>Device Policies	Displays information on all policies defined on the selected device.
Interface Policies	Tools>Reports>Interface Policies	Displays information on all policies defined on the selected interface.
Device Group Policies	Tools>Reports>Device Group Policies	Displays information on all policies defined on the selected device group.

Tips

When you create a report, it overwrites the last report you generated, if any.
If you want to save a report, you must save it to a different directory than the one it was created in, or change the file's name.
If you save a report to a different directory, you must also copy the GIF images from the original reports directory to maintain the look of the page. If you do not copy the images, you will see missing image errors when viewing the page in your web browser.

Table of Contents

QoS Policy Actions

Related Topics

Before You Begin

Procedure

Tips

Related Topics

Before You Begin

Procedure

Tips

Procedure

Tips

Related Topics

Before You Begin

Procedure

Tips

Related Topics

Procedure

Related Topics

Before You Begin

Procedure

Tips

Related Topics

Procedure

Tips

Related Topics

Before You Begin

Procedure

Before You Begin

Procedure

Procedure

Procedure

Procedure

Tips