09-12-2006 05:32 AM
Hi guys,
Following the link below, I tried to test the last scenario in our lab:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper0900aecd803e5017.shtml
CONFIGURING UBRL: BIDIRECTIONAL UBRL.
But in the outbound direction, the traffic destined for the subnet in question is not policed at all.
I have a 7606 SUP720-3BXL router.
This is a show module from the device:
7606-2-PLR#sh module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     2 2+4 port GE-WAN                        OSM-2+4GE-WAN+     JAE10202BAC
  2    48 48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX    SAL09496YWU
  3    24 CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAD101708G1
  4     2 2+4 port GE-WAN                        OSM-2+4GE-WAN+     JAE10191JMF
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAL1016KSBW
  6     2 Supervisor Engine 720 (Cold)           WS-SUP720-3BXL     SAL09475RZL

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1 0017.5ad8.0d30 to 0017.5ad8.0d3f   2.3    12.2(33)SRA1 12.2(33)SRA1 Ok
  2 0016.c816.6fc0 to 0016.c816.6fef   1.4    8.4(1)       8.6(0.259)CA Ok
  3 0015.fa19.bb52 to 0015.fa19.bb69   2.3    12.2(14r)S5  12.2(33)SRA1 Ok
  4 0017.5ad7.d600 to 0017.5ad7.d60f   2.3    12.2(33)SRA1 12.2(33)SRA1 Ok
  5 0013.c43a.de28 to 0013.c43a.de2b   4.5    8.4(2)       12.2(33)SRA1 Ok
  6 0014.a97e.1988 to 0014.a97e.198b   4.3    8.1(3)       12.2(2006061 Ok

Mod  Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
  3  Distributed Forwarding Card WS-F6700-DFC3BXL   SAL1020NAK0 5.2     Ok
  5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAL1016KR81 1.8     Ok
  5  MSFC3 Daughterboard         WS-SUP720          SAL1018LJ0C 2.5     Ok
  6  Policy Feature Card 3       WS-F6K-PFC3BXL     SAL09412T06 1.6     Ok
  6  MSFC3 Daughterboard         WS-SUP720          SAL09475JLE 2.3     Ok

Mod  Online Diag Status
---- -------------------
  1  Pass
  2  Pass
  3  Pass
  4  Pass
  5  Pass
  6  Pass
09-12-2006 06:05 AM
Hi,
can you please be more specific about your lab setup? How did you configure the 6500, how did you test the policy?
Regards, Martin
09-12-2006 06:33 AM
Hi Marius,
1) Can you also paste your show run of the policy map and the class map with the ACL.
2) And the show run of the interface where you applied the configuration.
3) The output of "show policy-map interface".
HTH-Cheers,
Swaroop
09-12-2006 09:08 AM
class-map match-all Outbound
match access-group 111
class-map match-all Inbound
match access-group 110
policy-map Inbound
class Inbound
police flow mask src-only 1000000 2000 conform-action transmit exceed-action drop
class Outbound
police flow mask dest-only 1000000 2000 conform-action transmit exceed-action drop
interface GigabitEthernet2/3
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2055,3000,3001
switchport mode trunk
switchport nonegotiate
load-interval 30
mls qos vlan-based
spanning-tree portfast trunk
interface Vlan3000
ip address 172.16.1.65 255.255.255.252
ip pim sparse-mode
load-interval 30
service-policy input Inbound
access-list 110 permit ip 11.11.11.0 0.0.0.255 any
access-list 111 permit ip any 11.11.11.0 0.0.0.255
7606-2-PLR#sh ip route 11.11.11.0
Routing entry for 11.11.11.0/24
Known via "bgp 100", distance 20, metric 0
Tag 666, type external
Last update from 172.16.1.66 05:04:25 ago
Routing Descriptor Blocks:
* 172.16.1.66, from 172.16.1.66, 05:04:25 ago
Route metric is 0, traffic share count is 1
AS Hops 1
Route tag 666
7606-2-PLR#sh policy-map interface
Vlan3000
Service-policy input: Inbound
Class-map: Inbound (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: access-group 110
Class-map: Outbound (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: access-group 111
Class-map: class-default (match-any)
11 packets, 725 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
11 packets, 725 bytes
30 second rate 0 bps
09-13-2006 12:07 AM
Hi,
Your config looks OK and your hardware supports flow policers on a Layer 3 interface. Seems like an MLS problem.
1) Locate all the ports that are under Vlan 3000 and issue the command
"mls qos vlan-based"
2) Verify that the ports have been enabled with VLAN-based QoS: "show mls qos"
The enabled ports should show as VLAN-based QoS enabled.
This should help to solve the issue.
If it doesn't, send the output of step 2 as an attachment.
HTH-Cheers,
Swaroop
09-13-2006 02:55 AM
policy-map Inbound
class Inbound
police flow mask src-only 1000000 2000 conform-action set-prec-transmit 5 exceed-action drop
class Outbound
police flow mask dest-only 1000000 2000 conform-action set-prec-transmit 5 exceed-action drop
class-map match-all Inbound
match access-group 110
class-map match-all Outbound
match access-group 111
7606-2-PLR#sh vlan id 3000
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
3000 VLAN3000 active Gi2/3
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3000 enet 103000 1500 - - - - - 0 0
Remote SPAN VLAN
----------------
Disabled
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
interface GigabitEthernet2/3
description *** Multicast Sources - PORT 1 ***
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2055,3000,3001
switchport mode trunk
switchport nonegotiate
no ip address
load-interval 30
mls qos vlan-based
spanning-tree portfast trunk
interface Vlan3000
ip address 172.16.1.65 255.255.255.252
load-interval 30
isis circuit-type level-2-only
service-policy input Inbound
7606-2-PLR#sh mls qos
QoS is enabled globally
Policy marking depends on port_trust
QoS ip packet dscp rewrite enabled globally
Input mode for GRE Tunnel is Pipe mode
Input mode for MPLS is Pipe mode
QoS is vlan-based on the following interfaces:
Gi2/3
Vlan or Portchannel(Multi-Earl) policies supported: Yes
Egress policies supported: Yes
----- Module [3] -----
QoS global counters:
Total packets: 2273
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 273
IP packets with COS changed by policing: 29
Non-IP packets with COS changed by policing: 9
MPLS packets with EXP changed by policing: 0
----- Module [5] -----
QoS global counters:
Total packets: 222
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 46
IP packets with COS changed by policing: 6
Non-IP packets with COS changed by policing: 14
MPLS packets with EXP changed by policing: 0
----- Module [6] -----
QoS global counters:
Total packets: 0
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 0
IP packets with COS changed by policing: 0
Non-IP packets with COS changed by policing: 0
MPLS packets with EXP changed by policing: 0
7606-2-PLR#sh policy-map interface
Vlan3000
Service-policy input: Inbound
Class-map: Inbound (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: access-group 110
Class-map: Outbound (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: access-group 111
Class-map: class-default (match-any)
1178 packets, 80300 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
09-13-2006 02:41 AM
Bindar
Also, did you try the command specified, "mls qos vlan-based"?
Reply back with the status of this issue.
HTH-Cheers,
Swaroop
09-13-2006 06:34 AM
Bindar,
Can you try enabling "mls qos bridged" on the SVI where you apply this policy,
and give the output here.
HTH-Cheers,
Swaroop
09-13-2006 07:06 AM
7606-2-PLR#sh run interface vlan 3000
Building configuration...
Current configuration : 186 bytes
!
interface Vlan3000
ip vrf forwarding QOS
ip address 172.16.1.65 255.255.255.252
load-interval 30
mls qos bridged
isis circuit-type level-2-only
service-policy input Inbound
end
7606-2-PLR#sh run int gi
7606-2-PLR#sh run int gigabitEthernet 2/3
Building configuration...
Current configuration : 310 bytes
!
interface GigabitEthernet2/3
description *** Multicast Sources - PORT 1 ***
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2055,3000,3001
switchport mode trunk
switchport nonegotiate
no ip address
load-interval 30
mls qos vlan-based
spanning-tree portfast trunk
end
7606-2-PLR#sh vlan id 3000
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
3000 VLAN3000 active Gi2/3
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3000 enet 103000 1500 - - - - - 0 0
Remote SPAN VLAN
----------------
Disabled
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
7606-2-PLR#
7606-2-PLR#
7606-2-PLR#sh pol
7606-2-PLR#sh policy-map in
7606-2-PLR#sh policy-map interface
Vlan3000
Service-policy input: Inbound
Class-map: Inbound (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: access-group 110
Class-map: Outbound (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: access-group 111
Class-map: class-default (match-any)
52 packets, 3458 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
All the counters are zero even after 14Mbps traffic load through that interface.
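The failure mode in the post above is the one a practitioner should care about from a security angle: a UBRL policer that is installed but never matches is fail-open, so the per-source rate limit it was meant to enforce simply does not exist, and nothing logs that fact. The following is an added example (not from this thread, not Cisco code) that parses "show policy-map interface" output the way it appears in the posts and flags every ACL class that sits at zero packets while class-default on the same policy is carrying traffic. The sample text is pasted from Bindar's last output; the record format and the function names are the example's own choices.

```python
"""Check that a Catalyst 6500/7600 'show policy-map interface' output shows
the policer classes actually matching traffic.

A service policy whose ACL classes stay at zero while class-default carries
all the packets is not rate-limiting anything: the UBRL protection is silently
absent.  Added example; not from the original thread or from Cisco.  The
SAMPLE text is the thread's own output (flattened, no indentation)."""
import re
from typing import Dict, List

# Constructed sample: pasted from the thread's 'sh policy-map interface'.
SAMPLE = """\
Vlan3000
Service-policy input: Inbound
Class-map: Inbound (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: access-group 110
Class-map: Outbound (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: access-group 111
Class-map: class-default (match-any)
52 packets, 3458 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
"""

POLICY_RE = re.compile(r"^\s*Service-policy (input|output):\s+(\S+)")
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-all|match-any)\)")
PKTS_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
MATCH_RE = re.compile(r"^\s*Match:\s+(.*\S)\s*$")
# An unindented token such as Vlan3000 or GigabitEthernet2/3 starts a new interface.
IFACE_RE = re.compile(r"^[A-Za-z][\w/.-]*\d")


def parse_policy_map(text: str) -> List[Dict]:
    """Return one record per class: interface, direction, policy, class,
    type, packets, bytes and the list of Match: lines."""
    records: List[Dict] = []
    interface = direction = policy = None
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = POLICY_RE.match(line)
        if m:
            direction, policy = m.group(1), m.group(2)
            continue
        m = CLASS_RE.match(line)
        if m:
            current = {"interface": interface, "direction": direction,
                       "policy": policy, "class": m.group(1), "type": m.group(2),
                       "packets": None, "bytes": None, "matches": []}
            records.append(current)
            continue
        m = PKTS_RE.match(line)
        # class-default prints a second packet line after 'Match: any'; keep the first.
        if m and current is not None and current["packets"] is None:
            current["packets"], current["bytes"] = int(m.group(1)), int(m.group(2))
            continue
        m = MATCH_RE.match(line)
        if m and current is not None:
            current["matches"].append(m.group(1))
            continue
        if not line.startswith(" ") and IFACE_RE.match(line):
            interface = line.strip()
            current = None
    return records


def silent_classes(records: List[Dict]) -> List[Dict]:
    """Classes other than class-default that saw zero packets while
    class-default on the same (interface, direction, policy) saw traffic.
    Those policers are installed but not engaging: fail-open."""
    by_policy: Dict = {}
    for r in records:
        key = (r["interface"], r["direction"], r["policy"])
        by_policy.setdefault(key, []).append(r)
    flagged = []
    for classes in by_policy.values():
        default_pkts = sum(c["packets"] or 0 for c in classes if c["class"] == "class-default")
        if default_pkts == 0:
            continue
        flagged.extend(c for c in classes
                       if c["class"] != "class-default" and not c["packets"])
    return flagged


if __name__ == "__main__":
    for c in silent_classes(parse_policy_map(SAMPLE)):
        print(f"{c['interface']} {c['direction']} {c['policy']}: class {c['class']} "
              f"matched 0 packets ({', '.join(c['matches'])}) while class-default carried traffic")
```

Run it against a fresh "show policy-map interface" capture after sending known traffic through the SVI; any class it prints is a policer you cannot rely on until the hardware actually classifies into it, which is exactly the state the thread is stuck in.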
09-13-2006 08:00 AM
Hi Bindar,
I don't see any document which says two-way microflow policing is not supported on an SVI. I don't see a document confirming it either. I don't have internal product-level feature compliance information.
But anyway, can you try this; let's hope it works.
#config t
mls flow ip full
ip flow ingress layer2-switched vlan 3000
HTH-Cheers,
Swaroop
09-13-2006 11:03 AM
So, after mls flow ip full was applied, the following message appears:
%FM-2-FLOWMASK_CONFLICT: Features configured on interface Vlan3000 have conflicting flowmask requirements, traffic may be switched in software
Maybe because the mask in my scenario is src-only or dest-only.
09-13-2006 02:21 PM
OK, did you try enabling flow detection on Layer 2?
"ip flow ingress layer2-switched vlan 3000"
Let us know what the result is.
09-13-2006 03:26 PM
OK.
Can you give the output of these commands:
"show mls netflow module 2"
"show mls netflow source 11.11.11.0"
"show mls netflow destination 11.11.11.0"
"show mls netflow ip"
"show mls netflow flowmask"
HTH-Cheers,
Swaroop
09-13-2006 09:40 PM
7606-2-PLR#sh mls netflow ip
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr
-----------------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
0.0.0.0 11.11.11.1 0 :0 :0 -- :0x0
359926 38152156 398 08:09:15 L3 - Dynamic
0.0.0.0 11.11.11.4 0 :0 :0 -- :0x0
359925 38152050 398 08:09:15 L3 - Dynamic
0.0.0.0 11.11.11.5 0 :0 :0 -- :0x0
359925 38152050 398 08:09:15 L3 - Dynamic
0.0.0.0 11.11.11.2 0 :0 :0 -- :0x0
359926 38152156 398 08:09:15 L3 - Dynamic
0.0.0.0 11.11.11.3 0 :0 :0 -- :0x0
359925 38152050 398 08:09:15 L3 - Dynamic
0.0.0.0 0.0.0.0 0 :0 :0 -- :0x0
559177 58444378 192 08:09:53 L3 - Dynamic
7606-2-PLR#sh mls netflow flowmask
current ip flowmask for unicast: null
current ipv6 flowmask for unicast: null
7606-2-PLR#sh mls netflow ip module 2
No forwarding engine in module 2
The ip flow ingress command was already issued in the previous post.
7606-2-PLR#sh mls netflow ip source 11.11.11.0
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr
-----------------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
7606-2-PLR#sh mls netflow ip dest 11.11.11.0
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr
-----------------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
09-14-2006 01:49 AM
OK, that's great.
Now can you enable the source-destination flowmask as below and record the observation.
In global config:
"mls flow ip destination-source"
Once you enable this command, simply take the output of
1) show policy-map interface
2) show mls flow ip
3) show mls netflow flowmask
That's it.
HTH-Cheers,
Swaroop