
I have a similar question to this one: Access-Lists and VLAN and understanding traffic flow schematics

But my question is concerning service-policies. Have a look at the image above. I tried to make the traffic flow visible. Traffic from the LAN into a VPN connection is marked yellow; the corresponding return traffic from the VPN back to the LAN is green. I have multiple questions regarding traffic flow through "virtual" interfaces.

  • If I put a service-policy input on the SVI Vlan10, does this affect yellow1 & green2 traffic?
  • If I put a service-policy output on the SVI Vlan10, does this affect yellow2 & green1 traffic?
  • If I put a service-policy input on the tunnel1 interface, does this affect yellow3 & green4 traffic?
  • If I put a service-policy output on the tunnel1 interface, does this affect yellow4 & green3 traffic?
  • If I put a service-policy input on the dialer1 interface, does this affect yellow5 & green6 traffic?
  • If I put a service-policy output on the dialer1 interface, does this affect yellow6 & green5 traffic?

Thanks for clearing this up.

Mario Jost

2 Answers


It is necessary to determine the true egress interface towards the destination for traffic sourced from VLAN10 to the WAN site. Are the red boxes interfaces on a single device, or different devices with different interfaces?

Nonetheless, the rule is pretty simple: a service-policy will only take effect for traffic that hits an interface as input, or an egress interface as output.

Example:

If an input policy is configured on an SVI, only traffic which is actually using the SVI as next hop will be affected.

If traffic needs to be routed from an SVI to another SVI, this doesn't mean that the second SVI is another ingress; it is in fact an egress interface. There is no double input on a route lookup or L2 lookup.

To identify whether traffic is going to be affected by an output policy (if talking about L3 exclusively), do a show ip cef to the destination. Whatever the egress interface is, that is where the QoS output policy should be placed to take effect; otherwise, QoS will not be enforced.

  • Thank you for your answer. The drawing above represents a single device. The red boxes symbolize virtual interfaces, while the black ones represent physical interfaces. So based on your explanation, I can answer questions 1, 2, 5 and 6. But what about questions 3 and 4, though? Ingress and egress are both towards other virtual interfaces. – Mario Jost Jun 09 '20 at 06:53

I can't make out what your VLANs are actually used for and how your routing works, but basically:

  • Policies applied to outer packets affect inner/tunneled packets as well.
  • Policies applied to inner packets do not affect outer packets - essentially, QoS purely inside a tunnel is mostly useless. Note that there may be mechanisms to copy inner QoS/ToS to outer packets, depending on the hardware and its configuration.
  • Policies applied to an SVI affect packets that use this SVI (=get routed there), either on ingress (=from another VLAN) or on egress (=to another VLAN). They don't affect frames just crossing the VLAN.
Zac67
  • So can you answer the 6 questions, then? – Mario Jost Jun 05 '20 at 10:48
  • @MarioJost Not without knowing how you actually use VLANs and SVIs, no. You need to either describe in more detail or add the relevant configuration parts. – Zac67 Jun 05 '20 at 10:59
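The following IOS configuration is an added, constructed example that illustrates both answers above: the first answer's rule that a policy only sees traffic for which the interface is the real ingress or the CEF egress, and the second answer's point about inner versus outer packets on a tunnel. It is not from the question or from either answer. It assumes a single IOS router with SVI Vlan10 for the LAN, a GRE tunnel Tunnel1 whose underlying path is Dialer1, and an assumed remote prefix 10.0.0.0/24 reached through the tunnel; the policy and class names and the prefix are placeholders.

```cisco
! Added example (not from the original question or answers).
! Assumptions: one IOS router; LAN hosts sit behind SVI Vlan10; the VPN is
! GRE over Tunnel1 (tunnel source/destination already configured, omitted
! here); Tunnel1's physical path is Dialer1; 10.0.0.0/24 is an assumed remote
! prefix reached through the tunnel. All names below are placeholders.
!
! 1. One class used by both policies.
class-map match-any VOICE
 match dscp ef
!
! 2. Input policy on the SVI. It sees only packets that enter the router
!    FROM hosts in VLAN 10 (LAN -> VPN direction). Return traffic arriving
!    from the tunnel is forwarded OUT of Vlan10 and never hits this policy.
policy-map LAN-IN
 class VOICE
  set dscp ef
!
! 3. Output policy on the tunnel. It sees only packets whose CEF egress
!    interface is Tunnel1, i.e. LAN -> VPN traffic, before GRE encapsulation.
!    VPN -> LAN packets are received on Tunnel1 and are not "output" there.
!    IOS requires a shaping parent before a child policy may queue on a
!    tunnel, hence the two-level policy.
policy-map TUNNEL-CHILD
 class VOICE
  priority percent 20
 class class-default
  fair-queue
policy-map TUNNEL-OUT
 class class-default
  shape average 10000000
  service-policy TUNNEL-CHILD
!
interface Vlan10
 service-policy input LAN-IN
!
interface Tunnel1
 ! Let an output policy on the physical path (Dialer1) classify on the
 ! inner headers. The outer GRE header copies the inner ToS byte by default,
 ! which is the "copy inner QoS to outer" mechanism the second answer mentions.
 qos pre-classify
 service-policy output TUNNEL-OUT
!
! 4. Checks. First confirm which interface really is the egress for the
!    remote prefix; an output policy anywhere else is never consulted.
!    Then confirm the policies actually see packets (class counters grow).
! show ip cef 10.0.0.0/24
! show policy-map interface Vlan10 input
! show policy-map interface Tunnel1 output
! show policy-map interface Dialer1 output
```

Reading `show ip cef` for the remote prefix answers questions 3 and 4 in the original post: if the CEF entry points at Tunnel1, an output policy on Tunnel1 sees the LAN-to-VPN packets and an input policy on Tunnel1 sees the VPN-to-LAN packets after decapsulation; neither sees the GRE-encapsulated outer packets, which only exist on Dialer1. Whether an SVI accepts a service-policy at all, and which actions it supports, depends on the platform: an IOS router generally accepts the above, while many switch platforms restrict or disable QoS on SVIs, so verify with `show policy-map interface` rather than assuming the policy took effect.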