
I have an IP network that has about 500+ clients on the network at any given time. The network uses a Cisco 1941 router as its gateway, and has 5 different subnets. The network also has 2 DCs, an Asterisk PBX server, and a farm of 5 Exchange servers. The router uses a single WAN with 100MB internet.

I simply want to regulate traffic in a manner that would prevent any client or device from taking up the whole bandwidth. For example, I do not want a single device to be able to take up the bandwidth by downloading a large file, application, or movie.

What would the configuration on a Cisco 1921 router (or like) look like? This would be for regulating outbound traffic only. I assume I would do a policing policy to make sure each client does not exceed a determined amount of bits?

Kevin
  • Incoming bandwidth is hard because by the time you see the traffic, the bandwidth has already been used (that is why DoS attacks work). You can be pretty exact on outgoing traffic, but you can only use the TCP features to interrupt the connections to roughly approximate incoming bandwidth, but you cannot really do anything about incoming connectionless, e.g. UDP, traffic. – Ron Maupin Nov 13 '18 at 20:45
  • @RonMaupin: Do you know an example config for strictly outgoing traffic? – Kevin Nov 13 '18 at 21:34
  • QoS is a huge subject, covering everything from classification and marking, to treatment (queuing, shaping, policing). You need to first develop a comprehensive QoS plan, and it must be implemented across the whole network. You want to mark traffic as close to the source as possible (usually on the access switch) so that you can treat it through the whole network. Trying to classify/mark on the 1900 WAN router will drive the CPU to unacceptable levels. – Ron Maupin Nov 13 '18 at 21:42
  • There are many questions and answers on [networkengineering.se] that can give you some examples. For instance, [this answer](https://networkengineering.stackexchange.com/a/35698/8499) and a full explanation in the two answers that [start here](https://networkengineering.stackexchange.com/a/45176/8499). – Ron Maupin Nov 13 '18 at 22:54


I've created an extensive answer on Network Engineering regarding QoS, which is a copy/paste from there: https://networkengineering.stackexchange.com/questions/42660/implementing-cisco-qos-model-to-end-users/45176

The configuration might vary depending on equipment, but the commands are typically the same on any Cisco device. Answer two takes care of marking and prioritizing traffic based on the type of traffic.

Introduction

First off, let me write that I spent most of the summer trying to figure out a correct way to get this done. Moreover, I had to hire a CCIE full time for a week or so to help out, and in the process we had Cisco TAC trying to figure out an error on our 6500 series switches.

Why would you do this?

Today there's a virtual explosion of rich media applications on the IP network. This explosion of content and media types, both managed and un-managed, requires network architects to take a new look at their Quality of Service (QoS) designs.

The first step may seem obvious and superfluous, but in actuality it is crucial: clearly define the business objectives that your QoS policies are to enable. These may include any/all of the following:

  • Guaranteeing voice quality meets enterprise standards.
  • Ensuring a high Quality of Experience (QoE) for video.
  • Increasing user productivity by increasing network response times for interactive applications.
  • Managing applications that are "bandwidth hogs".
  • Identifying and de-prioritizing consumer applications.
  • Improving network availability.
  • Hardening the network infrastructure.

With these goals in mind, network architects can clearly identify which applications are relevant to their business. Conversely, this experience will also make it apparent which applications are not relevant towards achieving business objectives. Such applications could be consumer-oriented and/or entertainment-oriented applications. In the end it is all up to you.

The solution

I wanted to make this as easy and configuration free as possible. With that in mind, combined with the fact that QoS should always be processed in hardware, I was recommended to make use of the Auto-QoS feature in Cisco by the CCIE I hired.

So instead of marking traffic at the access level, the marking can be made by the end users or servers themselves. Auto-QoS then provides the correct classes for transportation of the traffic throughout the network. This enabled me to decide which applications or services should be prioritized or de-prioritized via Active Directory group policies.

For starters I wanted to make it simple. This meant prioritizing VoIP and Video applications, which is already predefined in Auto-QoS when you are using Cisco IP devices/TelePresence/Cameras etc., which we do.

Topology overview

We make use of the following access/core equipment.

  1. Core: Cisco 897 series, Cisco 3650 Series, Cisco 3850 Series and Cisco 6500 Series
  2. Access: Cisco 3560CX Compact series and Cisco 2960X Series

Our topology is primarily based on a star topology, observe the following topology drawing (We use BGP in our WAN MPLS):


[Figure: Topology]


QoS on the access layer

The configuration is very simple and straightforward when using Auto-QoS. Remarking traffic and sending that to the MPLS ISP is a bit more complicated, but I will showcase examples below.

All access switches are set up with Auto-QoS, where all ports, both access and trunk/uplinks, are trusted with DSCP. Observe the following QoS table, where all values for DSCP, CoS, ToS etc. are set up in a table. This gives a good overview of the selected classes and the structure I'm trying to accomplish in my design:


[Image: QoS table]


Auto-QoS uses AF (Assured Forwarding) values for DSCP marking.

Enabling Auto-QoS on the access switch

Global configuration

! Activates QoS
mls qos
! Maps CoS to DSCP values, because CoS is a layer 2 marking, which cannot be routed
mls qos map cos-dscp 0 8 16 24 32 46 48 56
! Autogenerates all configuration in accordance with the Cisco best practice SRND4 standard
auto qos srnd4

Port configuration

! Activates QoS and trusts DSCP on a port
auto qos trust dscp
! Sends all traffic to the priority queues
priority-queue out

That's it, the switch and ports will now run Auto-QoS.

Auto-QoS Configuration guide for the 2960X Series: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/qos/configuration_guide/b_qos_152ex_2960-x_cg/b_qos_152ex_2960-x_cg_chapter_011.html

Enabling Auto-QoS on the Core layer

There's a big difference in the way QoS is handled by Core switches. The Cisco 6500 Series does not support Auto-QoS SRND4, therefore we will need to manually configure QoS and map it to the correct classes in order to preserve the Auto-QoS design. The Cisco 3650 and 3850 Series support Auto-QoS SRND4 and therefore it's pretty simple to configure:

Enabling Auto-QoS on the 3650 and 3850 Series

Global configuration

! Activates and autogenerates the QoS configuration
auto qos srnd4

Port configuration

! Activates and autogenerates the QoS configuration
auto qos trust dscp

When connecting the Core to the MPLS ISP, we want to remark the traffic into 5 classes (because this is what our ISP supports). This is so that the traffic will be prioritized through the MPLS to all the locations in the topology (see drawing for reference). Your ISP might be different and therefore the remarking should be made so it fits your design. The following example is how you remark all traffic into 5 classes.

You need to copy the auto generated Auto-QoS "AutoQos-4.0-Output-Policy" policy-map and then create a new one. You HAVE to use the same class-maps as generated by Auto-QoS. If you try to create your own they will be ignored, therefore the same class-maps are used and the marking is made from those classes:

! The name can be whatever you like
policy-map WAN-OUTPUT-QoS
 class AutoQos-4.0-Output-Priority-Queue
  set dscp ef
  priority level 1 percent 10
 class AutoQos-4.0-Output-Control-Mgmt-Queue
  bandwidth remaining percent 10 
  queue-buffers ratio 10
  set dscp af21
 class AutoQos-4.0-Output-Multimedia-Conf-Queue
  bandwidth remaining percent 10 
  queue-buffers ratio 10
  set dscp af41
 class AutoQos-4.0-Output-Trans-Data-Queue
  bandwidth remaining percent 10 
  queue-buffers ratio 10
  set dscp af21
 class AutoQos-4.0-Output-Bulk-Data-Queue
  bandwidth remaining percent 2 
  queue-buffers ratio 10
  set dscp default
 class AutoQos-4.0-Output-Scavenger-Queue
  bandwidth remaining percent 1 
  queue-buffers ratio 10
  set dscp cs1
 class AutoQos-4.0-Output-Multimedia-Strm-Queue
  bandwidth remaining percent 10 
  queue-buffers ratio 10
  set dscp af41
 class class-default
  bandwidth remaining percent 25

The 5 classes will hereafter be prioritized and sent to the MPLS as follows:

  • DSCP AF value: EF (VoIP)
  • DSCP AF value: af41 (All Video media)
  • DSCP AF value: af21 (Transactional data etc.)
  • DSCP AF value: default (AF=0 & DSCP=0 Bulk data for instance)
  • DSCP AF value: cs1 (Scavenger class For Bittorrent etc.)

The bandwidth percentages are used as remaining. This means that all classes are allowed to use 100% of the bandwidth and loan from the other classes if the bandwidth is not used. It's like bandwidth sharing, which means that whatever class is prioritized the highest will be able to send traffic if the link is congested.

The policy-map classes and percentages can be modified as needed to suit your individual requirements.

On the port uplink to the ISP the following needs to be configured:

interface XXX
auto qos trust dscp
service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy
service-policy output WAN-OUTPUT-QoS

That's it for the 3650 and 3850 Series.

Enabling QoS on the 6500 Series

The 6500 Series does not support Auto-QoS SRND4. It's very basic and it only understands layer 2 CoS values for VoIP. This means you need to configure all QoS from the ground up, to fit the Auto-QoS infrastructure from the access layer. QoS needs to be configured based on which module is installed on the chassis. You also need to create policy-maps for both ingress and egress (input/output).

The Supervisor only understands CoS between the module and the ASIC in the chassis.

To activate Auto-QoS for CoS, you need to utilize the following global command:

auto qos default

This will create a table-map of CoS to DSCP, but the values do not all comply with the Auto-QoS SRND4 standard (CoS 7 is mapped to 54, which should be 56). Therefore you will need to remove the table-map and replace it with the following:

no table-map cos-discard-class-map
table-map cos-discard-class-map
  map from  0 to 0
  map from  1 to 8
  map from  2 to 16
  map from  3 to 24
  map from  4 to 32
  map from  5 to 46
  map from  6 to 48
  map from  7 to 56

To create QoS and policy-maps we need to find out what queueing model a module is using. In the example below the Ingress and Egress queue is the same, but on some modules the Rx and Tx queues are different and therefore you will need to create policy-maps in accordance with the queueing model. To find out what queueing model an interface is using, you need to issue the following command. The below example is based on the module: C6800-16P10G

show queueing interface xxx | sec Transmit queues
Transmit queues [type = 1p7q4t]
show queueing interface xxx | sec Receive queues
Receive queues [type = 1p7q4t]

As written the queues are the same on this module and therefore we can use the same policy for both input and output.

1p7q4t basically means: 1 priority queue, 7 normal queues, where all 7 normal queues have 4 thresholds. You can get more info by searching for the module name and queueing. This module, the C6800-16P10G is explained in this link: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6800-series-switches/datasheet-c78-733662.html

See table 1, Queues.

Firstly we need to create the class-maps that will be used for all policy-maps. This will match the DSCP values for the individual classes that match the classes from Auto-QoS SRND4. Notice that the class-maps are created as lan-queueing with the match-all statement, which functions like AND/OR in programming. match-all=AND & match-any=OR.

Check the following configuration guide; Cisco Campus QoS design simplified, where configuration examples are provided per different modules at the bottom of the presentation: http://honim.typepad.com/files/campus-qos-design-simplified-brkcrs-2501.pdf

225 pages, link is slow.

Creating class-maps (Global configuration):

class-map type lan-queuing match-all REALTIME-1P7Q4T
  match dscp cs4 cs5 ef
class-map type lan-queuing match-all CONTROL-1P7Q4T
  match dscp cs2 cs3 cs6 cs7
class-map type lan-queuing match-all MM_CONF-1P7Q4T
  match dscp af41 af42 af43
class-map type lan-queuing match-all MM_STREAM-1P7Q4T
  match dscp af31 af32 af33
class-map type lan-queuing match-all TRANS_DATA-1P7Q4T
  match dscp af21 af22 af23
class-map type lan-queuing match-all BULK_DATA-1P7Q4T
  match dscp af11 af12 af13
class-map type lan-queuing match-all SCAVENGER-1P7Q4T
  match dscp cs1

You can change the names or edit as you like, to fit your needs.

After creating the class-maps I'll create the policy-map. It defines the priority of the DSCP value and sets the bandwidth in the different queues, after it matches a DSCP value.

policy-map type lan-queuing 1P7Q4T
 class REALTIME-1P7Q4T
  priority
 class CONTROL-1P7Q4T
  bandwidth remaining percent 10
 class MM_CONF-1P7Q4T
  bandwidth remaining percent 20
  random-detect dscp-based
  random-detect dscp af41 percent 80 100
  random-detect dscp af42 percent 70 100
  random-detect dscp af43 percent 60 100
 class MM_STREAM-1P7Q4T
  bandwidth remaining percent 15
  random-detect dscp-based
  random-detect dscp af31 percent 80 100
  random-detect dscp af32 percent 70 100
  random-detect dscp af33 percent 60 100
 class TRANS_DATA-1P7Q4T
  bandwidth remaining percent 15
  random-detect dscp-based
  random-detect dscp af21 percent 80 100
  random-detect dscp af22 percent 70 100
  random-detect dscp af23 percent 60 100
 class BULK_DATA-1P7Q4T
  bandwidth remaining percent 9
  random-detect dscp-based
  random-detect dscp af11 percent 80 100
  random-detect dscp af12 percent 70 100
  random-detect dscp af13 percent 60 100
 class SCAVENGER-1P7Q4T
  bandwidth remaining percent 1
 class class-default
  random-detect dscp-based
  random-detect dscp default percent 80 100

After creating the policy-map you need to apply it to an interface:

interface xxx
  service-policy type lan-queuing input 1P7Q4T
  service-policy type lan-queuing output 1P7Q4T

To verify your configuration and to see that queueing is being performed you can use the following command (you might need to shut/no shut the interface for it to take effect):

show queueing interface xxx

To remark the traffic on the 6500 Series you need to create new class-maps and a new policy-map. The class-maps are not created as lan-queues and the match statement is match-any=OR instead of match-all, as we want to check multiple values one after another. So if the first value does not match the packet, the next one will be checked and so forth.

I want to point out that this is where we had to involve Cisco TAC, because the following bug came up: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz52151

We had to change the class-maps from matching on AF values to raw DSCP values (discard-class) instead. We also had to upgrade the switch to version 152-1.SY5 (MD). After we followed these directions we've not had any problems since.

The configuration is as follows:

class-map match-any WAN-HIGH
  match discard-class 32
  match discard-class 40
  match discard-class 46
class-map match-any WAN-GOLD
  match discard-class 26
  match discard-class 28
  match discard-class 30
  match discard-class 34
  match discard-class 36
  match discard-class 38
class-map match-any WAN-SILVER
  match discard-class 16
  match discard-class 18
  match discard-class 20
  match discard-class 22
  match discard-class 24
  match discard-class 48
  match discard-class 56
class-map match-any WAN-BEST_EFFORT
  match discard-class 0
  match discard-class 10
  match discard-class 12
  match discard-class 14
class-map match-any WAN-SCAVENGER
  match discard-class 8

After this we create the policy-map:

policy-map WAN-OUTPUT-QoS
 class WAN-HIGH
   set dscp ef
 class WAN-GOLD
  set dscp af41
 class WAN-SILVER
  set dscp af21
 class WAN-BEST_EFFORT
  set dscp default
 class WAN-SCAVENGER
  set dscp cs1

Then we need to apply it to an interface:

interface xxx
 service-policy output WAN-OUTPUT-QoS
 service-policy type lan-queuing input 1P7Q4T

That's it. I hope this information helps you. I understand when people say that QoS is complicated. It can be done in various ways and the above example is just a snippet of how it can be done. I know that Cisco is working on spreading the Auto-QoS SRND4 standard to more and more devices to help create a good basis for Quality of Service.
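
The remarking step in the answer above relies on raw DSCP numbers lining up with the AF/CS keywords used in the queueing class-maps. The following check is an added example, not part of the original answer: it converts the keywords to decimal (CSn = 8n, AFxy = 8x + 2y, EF = 46) and confirms that every DSCP matched by the 1P7Q4T class-maps falls into exactly one WAN class. The function names are hypothetical; the configuration text is copied from the answer.

```python
import re

def dscp_value(token):
    """Decimal DSCP for a keyword (default, ef, csN, afXY) or a raw number."""
    token = token.lower()
    if token.isdigit():
        return int(token)
    if token in ("default", "ef"):
        return {"default": 0, "ef": 46}[token]
    m = re.fullmatch(r"cs([0-7])", token)
    if m:
        return 8 * int(m.group(1))                        # CSn = 8n
    m = re.fullmatch(r"af([1-4])([1-3])", token)
    if m:
        return 8 * int(m.group(1)) + 2 * int(m.group(2))  # AFxy = 8x + 2y
    raise ValueError(f"unknown DSCP token: {token}")

# Class-maps as posted in the answer above.
LAN_QUEUING = """
class-map type lan-queuing match-all REALTIME-1P7Q4T
  match dscp cs4 cs5 ef
class-map type lan-queuing match-all CONTROL-1P7Q4T
  match dscp cs2 cs3 cs6 cs7
class-map type lan-queuing match-all MM_CONF-1P7Q4T
  match dscp af41 af42 af43
class-map type lan-queuing match-all MM_STREAM-1P7Q4T
  match dscp af31 af32 af33
class-map type lan-queuing match-all TRANS_DATA-1P7Q4T
  match dscp af21 af22 af23
class-map type lan-queuing match-all BULK_DATA-1P7Q4T
  match dscp af11 af12 af13
class-map type lan-queuing match-all SCAVENGER-1P7Q4T
  match dscp cs1
"""
WAN_CLASSES = """
class-map match-any WAN-HIGH
  match discard-class 32
  match discard-class 40
  match discard-class 46
class-map match-any WAN-GOLD
  match discard-class 26
  match discard-class 28
  match discard-class 30
  match discard-class 34
  match discard-class 36
  match discard-class 38
class-map match-any WAN-SILVER
  match discard-class 16
  match discard-class 18
  match discard-class 20
  match discard-class 22
  match discard-class 24
  match discard-class 48
  match discard-class 56
class-map match-any WAN-BEST_EFFORT
  match discard-class 0
  match discard-class 10
  match discard-class 12
  match discard-class 14
class-map match-any WAN-SCAVENGER
  match discard-class 8
"""
# 'set dscp' actions from policy-map WAN-OUTPUT-QoS in the answer.
WAN_REMARK = {"WAN-HIGH": "ef", "WAN-GOLD": "af41", "WAN-SILVER": "af21",
              "WAN-BEST_EFFORT": "default", "WAN-SCAVENGER": "cs1"}

def parse_class_maps(text, keyword):
    """Return {class name: [decimal DSCP, ...]} from 'match <keyword>' lines."""
    classes, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:1] == ["class-map"]:
            current = words[-1]
            classes[current] = []
        elif words[:2] == ["match", keyword]:
            classes[current] += [dscp_value(w) for w in words[2:]]
    return classes

def remark_table():
    """Map each queued DSCP to (queue class, WAN class, DSCP after remarking)."""
    wan = parse_class_maps(WAN_CLASSES, "discard-class")
    table = {}
    for qclass, values in parse_class_maps(LAN_QUEUING, "dscp").items():
        for value in values:
            owners = [name for name, vals in wan.items() if value in vals]
            if len(owners) != 1:  # an unmatched value would fall into class-default
                raise ValueError(f"DSCP {value} matched by {owners or 'no WAN class'}")
            table[value] = (qclass, owners[0], dscp_value(WAN_REMARK[owners[0]]))
    return table

if __name__ == "__main__":
    for value, (qclass, wclass, new) in sorted(remark_table().items()):
        print(f"DSCP {value:2d}  {qclass:18s} -> {wclass:16s} set dscp {new}")
```

Running it prints one line per DSCP value, which makes it easy to see, for example, that CS3 and CS6 leave the site as AF21 under this policy.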


Answer two (since I ran out of space)

Marking incoming traffic based on port/type

Introduction

This section will cover how to mark incoming traffic using access lists to check the source port or type. The difference from the above examples is that by using access lists you can decide specifically what you want to prioritize through your network. Where AutoQoS gives priority to the 'most common' protocols and types of traffic, this example gives you total control to design QoS as you like. The idea is simple: detect and remark traffic coming into your network from hosts. Transport the marked classes throughout your network.

Prerequisites

Before you configure QoS as explained below you must have a thorough understanding of how it works and take notice of the following:

  1. The types of applications used and the traffic patterns on your network.
  2. Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve bandwidth for voice and video streams?
  3. Bandwidth requirements and speed of the network.
  4. Location of congestion points in the network.
  5. Would AutoQoS be sufficient to accomplish your goals?

Considerations

The example is ONLY tested on the Cisco 2960X Series. Therefore please consider:

  1. Cisco 2960 and 2960S Series or older versions do NOT support this method. Ignoring this can cause severe downtime on your network. Only newer Cisco hardware has the capability to process these amounts of access-lists per port.
  2. My example only works on incoming traffic. The Cisco 2960X Series does not support output QoS policies.
  3. You should know that the example is administratively heavy to continuously support if you have lots of changes or additional patterns to add. Please notice that I have not tested with more than what is shown below. You might hit a boundary of what the switch is actually capable of.
  4. In my test environment I have not seen any impact on performance. You might experience something different. The policy was enabled on all 24 or 48 access ports (WS-C2960X-24PS-L & WS-C2960X-48FPD-L).

MLS QOS Configurations

This will be kept simple and copied from the AutoQoS. This way we know that the buffers will be set up correctly according to Cisco. If you want to know more you can check out the previous QoS Values Calculator. This only handles how the output buffers react to marked traffic and makes sure everything is prioritized correctly when going out on an interface.

mls qos
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20

Access-Lists Configurations

The following access lists are made solely based on what most organizations use. I have, of course, looked throughout the internet and asked developers, system administrators and some users about what their perspective is. The example is also based on Cisco's Quality of Service for VoIP whitepaper.

Source for whitepaper: https://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/qos_solutions/QoSVoIP/QoSVoIP.html

Remember that the list is based on my needs. You can add or delete whatever you like. There's a no statement removing the ACL before adding. This is to make it easier to edit/delete new rows in the ACL when copy/pasting.

All ACLs have a remark to explain what they're used for.

no ip access-list extended IP-ROUTING
ip access-list extended IP-ROUTING
 remark BGP
 permit tcp any eq 179 any
 permit tcp any any eq 179
 remark RIP
 permit udp any eq 520 any
 permit udp any any eq 520
 remark EIGRP
 permit eigrp any any
 remark OSPF
 permit ospf any any
 remark HSRP
 permit tcp any eq 1985 any
 permit tcp any any eq 1985
 permit udp any eq 1985 any
 permit udp any any eq 1985
 remark VRRP
 permit tcp any eq 112 any
 permit tcp any any eq 112
 permit 112 any any
!--------------------------IP ROUTING END

no ip access-list extended VOICE
ip access-list extended VOICE
 remark RTP - SRTP - Cisco UC & IP Phones
 permit udp any range 16384 32767 any range 16384 32767
 remark Asterisk IAX2
 permit udp any eq 4569 any
 permit udp any any eq 4569
 remark Cisco VCS RTP & RTCP media
 permit udp any eq 2776 any
 permit udp any any eq 2776
 permit udp any eq 2777 any
 permit udp any any eq 2777
!--------------------------VOICE END

no ip access-list extended VIDEO
ip access-list extended VIDEO
 remark PIM (Protocol Independent Multicast)
 permit pim any any
 permit tcp any any eq pim-auto-rp
 permit udp any any eq pim-auto-rp
 remark Real Time Streaming Protocol (RTSP)
 permit tcp any eq 554 any
 permit tcp any any eq 554
 permit udp any eq 554 any
 permit udp any any eq 554
 remark Camstreams Media Encoder
 permit udp any eq 5700 any
 permit udp any any eq 5700
 remark Cisco Unified Video
 permit udp any eq 5445 any
 permit udp any any eq 5445
 remark IGMP
 permit igmp any any
 remark Philips Video Conferencing
 permit tcp any eq 583 any
 permit tcp any any eq 583
 permit udp any eq 583 any
 permit udp any any eq 583
 remark H.263 Video Streaming
 permit tcp any eq 2979 any
 permit tcp any any eq 2979
 permit udp any eq 2979 any
 permit udp any any eq 2979
 remark Windows Media streaming (used by Cisco)
 permit tcp any eq 1755 any
 permit tcp any any eq 1755
 permit udp any eq 1755 any
 permit udp any any eq 1755
!--------------------------VIDEO END

no ip access-list extended MISSION-CRITICAL
ip access-list extended MISSION-CRITICAL
 remark GRE Tunneling
 permit gre any any
 remark IP in IP Tunneling
 permit ipinip any any
 remark IPsec ESP & AHP
 permit ahp any any
 permit esp any any
 remark LWAPP & CAPWAPP
 permit udp any any range 12222 12223
 permit udp any range 12222 12223 any
 permit udp any any range 5246 5247
 permit udp any range 5246 5247 any
 remark Cisco IP SLA
 permit tcp any eq 1167 any
 permit tcp any any eq 1167
 permit udp any eq 1167 any
 permit udp any any eq 1167
 permit udp any eq 1967 any
 permit udp any any eq 1967
 remark LDAP
 permit tcp any eq 389 any
 permit tcp any any eq 389
 permit udp any eq 389 any
 permit udp any any eq 389
 permit tcp any eq 636 any
 permit tcp any any eq 636
 permit udp any eq 636 any
 permit udp any any eq 636
 remark TACACS+
 permit tcp any eq 49 any
 permit udp any eq 49 any
 permit tcp any any eq 49
 permit udp any any eq 49
 remark SSH & SCTP
 permit tcp any eq 22 any
 permit udp any eq 22 any
 permit tcp any any eq 22
 permit udp any any eq 22
 remark Netop Remote Control
 permit tcp any eq 1970 any
 permit udp any eq 1970 any
 permit tcp any any eq 1970
 permit udp any any eq 1970
 remark RDP & Microsoft remote assistance
 permit tcp any eq 3389 any
 permit udp any eq 3389 any
 permit tcp any any eq 3389
 permit udp any any eq 3389
 remark WSUS HTTP & HTTPS
 permit tcp any any range 8530 8531
 permit tcp any range 8530 8531 any
 permit udp any any range 8530 8531
 permit udp any range 8530 8531 any
 remark Citrix ICA
 permit tcp any eq 1494 any
 permit udp any eq 1494 any
 permit tcp any any eq 1494
 permit udp any any eq 1494
 permit tcp any eq 2598 any
 permit tcp any any eq 2598
 remark DHCP
 permit udp any range 67 68 any
 permit udp any any range 67 68
 remark DNS
 permit tcp any eq 53 any
 permit udp any eq 53 any
 permit tcp any any eq 53
 permit udp any any eq 53
!--------------------------MISSION-CRITICAL END

no ip access-list extended CALL-SIGNALING
ip access-list extended CALL-SIGNALING
 remark SCCP / Skinny
 permit tcp any any range 2000 2002
 permit tcp any range 2000 2002 any
 remark SIP & SIP over TLS
 permit udp any any eq 5060
 permit tcp any any eq 5060
 permit tcp any any eq 5061
 remark H.323
 permit tcp any any range 1718 1719
 permit udp any any range 1718 1719
 permit tcp any any eq 1720
 permit udp any any eq 1720
 permit tcp any any eq 1300
 permit tcp any eq 1300 any
 permit udp any any eq 1300
 permit udp any eq 1300 any
 permit tcp any any eq 2517
 permit tcp any eq 2517 any
 permit udp any any eq 2517
 permit udp any eq 2517 any
 permit tcp any any eq 11720
 permit tcp any eq 11720 any
 permit udp any any eq 11720
 permit udp any eq 11720 any
 remark MGCP
 permit tcp any any eq 2428
 permit tcp any eq 2428 any
 permit udp any any eq 2427
 permit udp any eq 2427 any
 permit tcp any any eq 2727
 permit tcp any eq 2727 any
 permit udp any any eq 2727
 permit udp any eq 2727 any
 remark Cisco VCS call signaling
 permit tcp any any eq 2776
 permit tcp any eq 2776 any
 permit tcp any any eq 2777
 permit tcp any eq 2777 any
!--------------------------CALL-SIGNALING END

no ip access-list extended NET-MGMT
ip access-list extended NET-MGMT
 remark NTP
 permit udp any eq 123 any
 permit udp any any eq 123
 remark Time
 permit tcp any eq 37 any
 permit tcp any any eq 37
 permit udp any eq 37 any
 permit udp any any eq 37
 remark SNMP
 permit udp any eq 161 any
 permit udp any any range 161 162
 remark Syslog
 permit udp any any eq 514
 remark Telnet
 permit tcp any eq 23 any
 permit tcp any any eq 23
 remark ICMP
 permit icmp any any
 remark TFTP
 permit udp any eq 69 any
 permit udp any any eq 69
 remark Asterisk Manager interface
 permit tcp any any eq 5038
 permit tcp any eq 5038 any
!--------------------------NET MGMT END

no ip access-list extended BULK-DATA
ip access-list extended BULK-DATA
 remark FTP & Secure FTP
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any eq ftp any
 permit tcp any eq ftp-data any
 permit tcp any any eq 989
 permit tcp any eq 989 any
 permit tcp any any eq 990
 permit tcp any eq 990 any
 remark IMAP
 permit tcp any any eq 143
 permit tcp any eq 143 any
 permit tcp any any eq 993
 permit tcp any eq 993 any
 remark POP2/3
 permit tcp any any eq 110
 permit tcp any eq 110 any
 permit tcp any any eq 109
 permit tcp any eq 109 any
 permit tcp any any eq 995
 permit tcp any eq 995 any
 remark SMTP
 permit tcp any any eq 25
 permit tcp any eq 25 any
 permit tcp any any eq 465
 permit tcp any eq 465 any
 remark HTTP & HTTPS
 permit tcp any any eq www
 permit tcp any eq www any
 permit tcp any any eq 8080
 permit tcp any eq 8080 any
 permit tcp any any eq 8008
 permit tcp any eq 8008 any
 permit tcp any any eq 443
 permit tcp any eq 443 any
 remark CIFS & SMB
 permit tcp any any eq 3020
 permit tcp any eq 3020 any
 permit udp any any eq 3020
 permit udp any eq 3020 any
 permit tcp any any eq 445
 permit tcp any eq 445 any
 permit udp any any eq 445
 permit udp any eq 445 any
 remark PRINTER
 permit tcp any any eq 515
 permit tcp any eq 515 any
 permit udp any any eq 515
 permit udp any eq 515 any
!--------------------------BULK DATA END

From here on it's pretty much straightforward if you have read the above on AutoQoS.

Class maps and policy maps

We need to create class maps to match the ACLs. You need to use the match-any statement, otherwise it won't work. This is because we want to check all lines in the ACL and match the traffic. If a match is found the traffic will be marked. All traffic that is not matched will be put into default.

class-map match-any IP-ROUTING
 match access-group name IP-ROUTING
class-map match-any VOICE
 match access-group name VOICE
class-map match-any VIDEO
 match access-group name VIDEO
class-map match-any MISSION-CRITICAL
 match access-group name MISSION-CRITICAL
class-map match-any CALL-SIGNALING
 match access-group name CALL-SIGNALING
class-map match-any NET-MGMT
 match access-group name NET-MGMT
class-map match-any BULK-DATA
 match access-group name BULK-DATA

Now we need to create a policy map and remark the traffic if a match is found.

You can rename the policy map to whatever you like.

policy-map QoS-MARKING
 class IP-ROUTING
  set dscp cs6
 class VOICE
  set dscp ef
 class VIDEO
  set dscp af41
 class MISSION-CRITICAL
  set dscp af31
 class CALL-SIGNALING
  set dscp cs3
 class NET-MGMT
  set dscp cs2
 class BULK-DATA
  set dscp af11
 class class-default
  set dscp default

Check the QoS calculator in this post. You can put in any value or marking you want. Default class will set any traffic not matched.

Adding the policy to an interface.

Besides the service policy I have added the criteria from AutoQoS on the buffers. Again, to keep the design as streamlined as possible. We also need to trust dscp. Example:

interface range gi1/0/1-48
 desc User Access
 mls qos trust dscp
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 service-policy input QoS-MARKING

This is basically it for the Access Switch. The configuration might change depending on other models like Cisco 3650 or Cisco 3850 Series etc.
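
Before applying a marking policy like the one in the answer above to every access port, it helps to check offline which class a given flow would land in. The following is an added example, not part of the original answer: it parses an excerpt of the posted ACLs (VOICE in full, CALL-SIGNALING and BULK-DATA shortened) and applies the policy-map's first-match order to flows described as (protocol, source port, destination port). The function names and the sample flows are constructed for illustration.

```python
# Excerpt of the ACLs posted above (VOICE in full; the other two shortened).
ACLS = """
ip access-list extended VOICE
 remark RTP - SRTP - Cisco UC & IP Phones
 permit udp any range 16384 32767 any range 16384 32767
 remark Asterisk IAX2
 permit udp any eq 4569 any
 permit udp any any eq 4569
 remark Cisco VCS RTP & RTCP media
 permit udp any eq 2776 any
 permit udp any any eq 2776
 permit udp any eq 2777 any
 permit udp any any eq 2777
ip access-list extended CALL-SIGNALING
 remark SIP & SIP over TLS
 permit udp any any eq 5060
 permit tcp any any eq 5060
 permit tcp any any eq 5061
 remark Cisco VCS call signaling
 permit tcp any any eq 2776
 permit tcp any eq 2776 any
ip access-list extended BULK-DATA
 remark HTTP & HTTPS
 permit tcp any any eq www
 permit tcp any eq www any
 permit tcp any any eq 443
 permit tcp any eq 443 any
"""
# Class order and 'set dscp' values from policy-map QoS-MARKING (same excerpt).
POLICY = [("VOICE", "ef"), ("CALL-SIGNALING", "cs3"), ("BULK-DATA", "af11")]
# Port keywords that appear in the posted ACLs.
NAMED_PORTS = {"www": 80, "ftp": 21, "ftp-data": 20}

def port(token):
    """Translate a port keyword or number into an integer."""
    return NAMED_PORTS.get(token) or int(token)

def take_ports(words):
    """Consume 'any [eq P | range A B]'; return ((low, high), remaining words)."""
    if words[:1] != ["any"]:
        raise ValueError("only 'any' addresses are handled in this sketch")
    if words[1:2] == ["eq"]:
        return (port(words[2]), port(words[2])), words[3:]
    if words[1:2] == ["range"]:
        return (port(words[2]), port(words[3])), words[4:]
    return (0, 65535), words[1:]

def parse_acls(text):
    """Return {ACL name: [(protocol, (src_lo, src_hi), (dst_lo, dst_hi)), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["ip", "access-list", "extended"]:
            current = words[3]
            acls[current] = []
        elif words[:1] == ["permit"]:          # 'remark' lines are skipped
            src, rest = take_ports(words[2:])
            dst, _ = take_ports(rest)
            acls[current].append((words[1], src, dst))
    return acls

def classify(proto, sport, dport, acls=None):
    """Return (class, dscp) for a flow; the first matching class in POLICY wins."""
    acls = acls or parse_acls(ACLS)
    for name, dscp in POLICY:
        for p, (slo, shi), (dlo, dhi) in acls[name]:
            if p == proto and slo <= sport <= shi and dlo <= dport <= dhi:
                return name, dscp
    return "class-default", "default"

if __name__ == "__main__":
    # Constructed sample flows: (protocol, source port, destination port).
    for flow in [("udp", 20000, 30000), ("udp", 20000, 5060),
                 ("udp", 5060, 40000), ("tcp", 2776, 50000),
                 ("tcp", 51000, 443), ("tcp", 51000, 8443)]:
        print(flow, "->", classify(*flow))
```

In this excerpt a UDP flow sourced from port 5060 falls to class-default, because the SIP lines match the destination port only.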