Solved: Re: H-QoS on service instance on ES+ card in 7600 reports error

aacole · ‎02-04-2010

I am attempting to configure a dual level input policy on a service instance, the outer (class-default) policy is to apply policing, and the child policy is to mark traffic identified by ACL's with DSCP values. The card is an ES+, in a 7606-s

After reading the documentation I am sure this should work.

When I apply the service policy to the service instance the router reports an error, but the policy does appear in the running config for the service instance. Testing the policy, passing telnet across this service instance, checking the output of sh policy-map int te1/1 service instance 300, no packets are seen at all. But the traffic connection works.

The error message is:

%X40G_QOS-DFC1-3-CFN: TCAM key not supported on this intf,policymap MARK-INGRESS can not be applied to intf 6(type 1)

I cannot find any reference to this message.

One of the policies I tried:

Child policy

policy-map MARK-INGRESS

class IDENTIFY-VOICE

set ip dscp ef

class IDENTIFY-CALL-SIGNALLING

set ip dscp cs3

Parent policy

policy-map RATE-LIMIT

class class-default

police 2000000 conform-action transmit exceed-action set-dscp-transmit 0 violate-action drop

service-policy MARK-INGRESS

interface TenGigabitEthernet1/1

service instance 300 ethernet

service-policy input MARK-INGRESS

This didnt work, resulting in the error message, but does appear in the sh run int te1/1 output.

After more testing I found this one did work, and no error message:

policy-map test

class class-default

police 2000000 conform-action transmit exceed-action set-dscp-transmit 0 violate-action drop

interface TenGigabitEthernet1/1

service instance 300 ethernet

service-policy input test

So is what I'm trying to do possible? I think this may be a code issue, but as this is the first time trying to configure this I'm not sure yet.

Code and card details:

sh mod
Mod Ports Card Type Model .
--- ----- -------------------------------------- ------------------ -----------
5 5 Route Switch Processor 720 10GE (Activ RSP720-3C-10GE

6 5 Route Switch Processor 720 10GE (Hot) RSP720-3C-10GE

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
5 001c.584e.d884 to 001c.584e.d88b   2.2   12.2(33r)SRD 12.2(33)SRE Ok
6 001c.584e.e440 to 001c.584e.e447   2.2   12.2(33r)SRD 12.2(33)SRE Ok

Mod Sub-Module                  Model                     Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
5 Policy Feature Card 3       7600-PFC3C-10GE      1.1    Ok
5 C7600 MSFC4 Daughterboard   7600-MSFC4           2.1    Ok
6 Policy Feature Card 3       7600-PFC3C-10GE      1.1    Ok
6 C7600 MSFC4 Daughterboard   7600-MSFC4           2.1    Ok

Sergei Vasilenko · ‎03-03-2010

Hello,

The config seems to be valid from H-QoS point of view.

But as per Table 7-3, first row and Note1, on the following CCO link there are restrictions

from Classification side (class-maps) on ES+:

https://www.cisco.com/en/US/docs/routers/7600/install_config/ES40_config_guide/es40_chap7.html#wp1337428

Like, for match ACLs only classify based on source MAC address using Layer 2 ACL

supported for L2-switchports, EVCs/Port-chan EVCs.

Deny ACL is not supported on ES+ linecards.

So if in your class maps classification is based on an ACLs trying to

match Layer3 (IPs) and/or Layer4 info, those classification options are not supported for ES+.

And you got those errors.

If such a case you would need a some kind of re-design, for example, to mark CoS fields on some downstream/access device,

and then on ES+ ingress l2 interface or EVCs use a class maps

which would just match on those DSCP/IP_Prec values.

Thanks,

Sergey

View solution in original post

Sergei Vasilenko · ‎03-03-2010

Hello,

The config seems to be valid from H-QoS point of view.

But as per Table 7-3, first row and Note1, on the following CCO link there are restrictions

from Classification side (class-maps) on ES+:

https://www.cisco.com/en/US/docs/routers/7600/install_config/ES40_config_guide/es40_chap7.html#wp1337428

Like, for match ACLs only classify based on source MAC address using Layer 2 ACL

supported for L2-switchports, EVCs/Port-chan EVCs.

Deny ACL is not supported on ES+ linecards.

So if in your class maps classification is based on an ACLs trying to

match Layer3 (IPs) and/or Layer4 info, those classification options are not supported for ES+.

And you got those errors.

If such a case you would need a some kind of re-design, for example, to mark CoS fields on some downstream/access device,

and then on ES+ ingress l2 interface or EVCs use a class maps

which would just match on those DSCP/IP_Prec values.

Thanks,

Sergey

aacole · ‎03-03-2010

Hi Sergey,

Thanks for your reply, I eventually found that as the interface is only processing at L2 no L3 criteria can be used for classification, which makes sense when you think about it.

So, yes I agree, classification needs to take place closer to the edge, I will have to come up with some alternate ideas.

Andy

judebryant · ‎01-04-2011

aacole,

Have you researched using policy-map(s) and the police command.

https://www.cisco.com/en/US/docs/routers/7600/install_config/ES40_config_guide/es40_chap7.html#wp1430024

Regards

Jude