cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1263
Views
0
Helpful
17
Replies

service policy output command rejected.

lambay2000
Level 2
Level 2

Dears,

Topology:

Its a Carrier Supporting Carrier Scenario.

A------DS/PE--------------CORE/P---------ISP/PE-------P---------ISP/PE------B

The link between Core and ISP is back to back VRF connected via a layer 2 trunk.The ISP is creating a sub-interfaces on his 3800 router with encapsulation and vlan number. AND on Core am creating a SVI with a same vlan number and ip address within the subnet. Am trying to match packets by access-list on core and applying a dedicated bandwith for the particular customer A as per the SLA with the customer, The bandwith command is not accepted on the SVI.It give me this error, " bandwidth command is not supported for this interface"" when i try to execute the service policy output policy1234

The link between Distribution and core is 10 GIG ,I don't want to limit bandwith on distribution switch outbound direction because as i want client to use 10Gig interface between Distribution and core. I want to implement a QOS on egress interface of each VRF on Core facing to ISP

What is the alternate solution u experts can give me.

Each customer VRF for example:(Customer A) is associated with SVI virtual interface on 6500 (Core) and traffic is passed to customer B.

Configs Below:

BGP is routing protocol between CORE nd ISP.

ON 3800 router (ISP End)

int gig0/0

no shut

no ip add

int gig0/0.1

no shut

encapsulation dot1q 50

ip vrf forwarding XX

ip add 10.10.10.1 255.255.255.254

ON MY END (CORE)

int gig5/1

switchport trunk encapsulation dot1q

switch mode trunk

int vlan 50

ip vrf forwarding customer A

ip add 10.10.10.2 255.255.255.254.

Thanks

17 Replies 17

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Altaf,

if this is the same scenario of your other thread your multilayer switch should be a C6500.

you haven't provided the policy-map config.

Be aware of following restrictions for QoS on PFC

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/qos.html#wp1581673

this can be a starting point for this issue.

Hope to help

Giuseppe

Hi,

Expecting ur call,

Yes it is a same secnario with 6500,Am not classifying packet on Distribution switch but classifying packet on core by access-list,

My customer A is using a crypto device which is encryting data at one end and decryting data at other end of customer B on cryto device,The crpto device company is equivalent to IPSEC but not IPSEC,and he told me that the source and destination of each and every packet passing from customer A to customer B will be always the both end crypto boxes.

Am not doing any MPLS QOS as i have read from books that by default TOS byte reflects to EXP bits in mpls and from MPLS to IP again exp bits are copied to TOS.so am deciding to classify traffic by access-list of crypto device on core and assigning a traffic a bandwith of 4 MB and class-default as a fair queue.

The command is rejected on SVI stating that bandwith command rejected on this interface.

access-list 1 permit 10.10.10.0 0.0.0.248

class-map match-all custA

match access-group 1

policy-map custA

class custA

bandwith 4000

class class-default

fair-queue

One more thing i want to ask you on executing a command sh policy map

class class-default bandwith is 0kbs just have a look down,but what i remember is that after allocating bandwith to particular queue the remaining bandwith is to class class-default queue???????? correct me if am wrong.

One more confirmation quilsar customer A has asked 4MB is it necessary to assign bandwith to traffic of class class-default queue or by default the remaining is assigned to it after specifying the required bandwith for useful matches.

Router#sh policy-map custA

Policy Map custA

Class custA

Bandwidth 4000(kbps) Max Threshold 64 (packets)

Class class-default

Flow based Fair Queueing

Bandwidth 0 (kbps) Max Threshold 64 (packets)

Hello Altaf,

in the link I've provided among restrictions of PFC QoS there is:

>> PFC QoS does not support these policy map class commands:

•bandwidth

•priority

•queue-limit

•random-detect

•set qos-group

•service-policy

>> end of insert

So to use this kind of QoS you should have or a FlexWAN module or a SIP + SPA combination or the ES20 or ES40 linecards that are more powerful.

on class class-default you can only decide to apply fair-queue and/or WRED I don't think a bandwidth command is accepted in any platform.

The reason is the BW for class default is defined by allocating BW with bandwidth or priority commands to the other classes.

I think application to an SVI of a CBWFQ is not possible because you can have ports on different linecards with different capabilities.

Also CBWFQ implies a physical link where you can measure outgoing traffic.

So you need to change your action plan

note:

I wouldn't worry about that 0 kbps for class class-default in your show.

Hope to help

Giuseppe

Hi,

Thank You very much its a very useful link for restrictions for QOS commands on 6500,

The alternate what i have thought is to classify a important traffic and allocate a police cir command to a particular traffic,and also to class class-default instead of bandwith to specific queue becz it not accepting.

Is the above thoughts will work,pls confirm.

Can u explain me the below paragraph.

The bandwidth configured on interface suppose 64 kbs so from that only 75% of bandwith is available???? that means 48 kbs,so while configuring the bandwith or priority command in CBWFQ or LLQ we have to consider 48kbs or 64kbps,

for ex:i gave bandwith 32 command this will calculate from 48kbs or from 64kbps????

My last mail query speaking General not related to 6500 configs.

I have been through wendoll odam book he says that remaining bandwith is by default allocated to class class-defualt

the thread i posted in my last mail is from dynamips,class class-defualt is not getting any bandwith,from this what i understand is if a client SLA is for 4MB for all traffic than i dont have to classify any traffic just assigned a bandwith statement in policy map for 4MB and all it is OK

BUT IF

client requirement says classify voip traffic,WEB traffic to a diffrent bandwith if suppose i assigned a full interface bandwith to these classes then there will be no bandwith for class-default so then for this reason i have to kept measure also for class class-default. In Books it says assigning a bandwith to voip and web not the full interface bandwith the remaining bandwith is assignmed to class default??????????

Thanks,

Hi,

Awaiting ur replies experts,

Help to each other will lead to success.

Hello Altaf,

unfortunately policing is not the same action on traffic:

dropping exceeding traffic or meaning a queue are different form of traffic volume control.

So you can consider this an approximate solution.

you could simply mark down exceeding traffic.

2)

here I think the book is introducing the concept of the hidden system queue for routing protocol messages.

Most Cisco platforms (but not all platforms) have a parameter that says do not allow to assign more then 75% of declared bandwidth on link to user defined traffic classes.

this interface command

max-reserved-bandwidth ?

<1-100> Max. reservable bandwidth as % of interface bandwidth

says how much BW is usable.

the parameter can be modified specially on high speed link where leaving 25% of bandwidth to signalling traffic is too much.

so in book example you have a 64 Kbps serial link and when you assign 32 kbps to an LLQ queue it leaves:

64-16-32 = 16 kbps that can be assigned to other traffic classes.

>> rom this what i understand is if a client SLA is for 4MB for all traffic than i dont have to classify any traffic just assigned a bandwith statement in policy map for 4MB and all it is OK

this can be an acceptable solution if no diffserv QoS is requested your understanding is correct.

>> n Books it says assigning a bandwith to voip and web not the full interface bandwith the remaining bandwith is assignmed to class default

again for the presence of the hidden system queue that uses 25% of bandwidth by default as explained above.

Notice that in your case with a capable platform you could use hierarchical QoS:

a parent policy that shapes at 4 Mbps that invokes a child policy that is a scheduler

policy-map clientX_4Mbps

class class-default

shape average 4000000

service clientX_LLQ

class voice_clientX

match ip address voice_clientX

class web_traffic_clientX

match ip address web_traffic_clientX

policy-map clientX_LLQ

class voice_clientX

priority 500

class web_traffic_clientX

bandwidth 1000

class class-default

fair-queue

all this on a device that supports hierarchical QoS.

(it can be a C6500/C7600 with the right linecards)

Hope to help

Giuseppe

Thanks for ur reply,

The above solution what i have mentioned u have accepted as a approximate solution.Can u provide me with any alternate solution which is perfect as u r aware of requirement.

I want to confirm one more query, as the client has kept a crytpo device connecting to my DS which will create a tunnel from CUST-A crypto to CUST-B crypto,he told me to redistrbute the connected interfaces between DS and Crypto and always a source and destination will be the crypto devices end,the internal routing traffic and all traffic will be encryted and not be seen by us,

So for classification what i have thought is to classify by standard access-list by ip subnet between DS and Crypto as a source,and i shld call that access-list in class-map.Pls coinfirm ,

Awaitng ur reply.

Hello Altaf,

>> The above solution what i have mentioned u have accepted as a approximate solution.Can u provide me with any alternate solution which is perfect as u r aware of requirement.

the hierarchical QoS example that I've described in my previous post would be a better solution.

Unfortunately with your current hardware this may be not applicable.

>> to classify by standard access-list by ip subnet between DS and Crypto as a source,and i shld call that access-list in class-map.Pls coinfirm ,

your understanding is correct this would be enough to classify customer traffic.

Hope to help

Giuseppe

Hi qiuslar,

I have been through the above link they too are speaking regarding the police a subset of traffic.

Am finalizing the configs by police a subset of traffic for different burst and class default for different burst,As per ur confirmation from last mail the classification by access-list will do BUT i forgot to tell u it will be done on CORE switch not on the DS,pls confirm ,As i dont want to implement unnecessary MPLS QOS becz when a packet arrives from IP-to-MPLS TOS bytes are copied to EXP bits and from mpls-to IP EXP bits to TOS bytes this will be at core when the core will recive the packet.Traffic will pass as IPV4 to ISP.

Pls confirm as i will classify traffic on core not on distribution, Am i correct?????? OR Provide me with any other alternative.

From ur recommended configs on above mail is it shaping works with policing in 6500 ????

Thanks a tons for ur above link,and back to back reply.

Hello Altaf,

>> From ur recommended configs on above mail is it shaping works with policing in 6500 ????

Sorry for having created some confusion as explained in the Ask the Expert shaping can be done only on WAN linecards that is flexwan, SIPs or ES linecards.

I had provided the configurations of hierarchical QoS to show how with a platform that supports it a scenario like yours could take advantage of two levels of QoS.

>> this will be at core when the core will recive the packet.Traffic will pass as IPV4 to ISP.

this is correct and allows you to use IP based QoS in the limits of your hardware.

However, if traffic is encrypted you can only apply policies that inspect the external IPv4 header.

So if customer or your PE devices are able to mark traffic with a different TOS byte, this is propagate to outer IPv4 header in IPSec or GRE.

So you should be able to apply different policies to different TOS bytes.

you need to use extended ACLs or to combine two match conditions

access-list 111 permit ip host siteA host siteB

access-list 112 permit ip host siteB host siteA

class-map AtoB_prec0

match ip address 111 112

match precedence 0

class-map AtoB_prec5

match ip address 111 112

match precedence 5

and so on

then on the policy-map you call the classes and apply for each of them a different police action.

Hope to help

Giuseppe

Hi qiuslar

Am confusing in the policing theory,help will be appreciated,

i want to do police for all traffic class-default, and the bandwith allocated to me by ISP is 4MB,

what are the preferable configs:

Q1:-- police cir 4000000 conform-action transmit exceed-action transmit violate-action drop

as i know from above confgs i dont need to specify BC and BE as it calculates itself by cir/32 and when pir configured pir/32

switch:(config-pmap-c-police)#do sh policy-map 4MB

Policy Map cisco

Class test

police cir 4000000 bc 125000 be 125000

conform-action transmit

exceed-action transmit

violate-action drop

Q2:-- police cir 2000000 pir 4000000 conform-action transmit exceed-action transmit violate-action drop

just have a look down when i configure the pir statement also there is no change in be as it is suppose to be double of bc, is it necessary to configure be while configuring PIR????????

Switch(config-pmap-c-police)#do sh policy-map cisco

Policy Map cisco

Class test

police cir 2000000 bc 62500 pir 4000000 be 62500

conform-action transmit

exceed-action transmit

violate-action drop

What is the advantage by configuring the PIR appose to single-rate as what actually happens ??? Is it more tokens are send on conform-action that means double the BC??? ,

Help will lead to success.

Hello Altaf,

practical results of a single rate 3 colors policer with rate= 4 Mbps

and of a dual rate 3 colors policers with PIR= 4 Mbps.

the first accomodates 4 Mbps and a burst over $ Mbps but for a single interval.

the two rates policer is able to sustain 4 Mbps for every interval because tokens are allocated to fill

Bc= cir/32

and Be = (pir-cir)/32

at every interval.

the single rate policer fills Bc with

CIR1 = 4 Mbps /32;

if Bc is full a spillage goes to Be token bucket.

Be is filled by what is not used in previous time intervals.

So Be starts full but if it is used it is not available in the next time interval.

In your case I would use a single rate 3 colors with CIR= 4 Mbps.

Hope to help

Giuseppe

quislar,

U have mentioned in my case u have configured single rate why ?? pls explain.

what i understand Dual rate three colour policer is good as if it is sending sustain 4Mbps every interval becz both buckets are getting filled at a time Bc + Be.As i have read in books the Be calculated when PIR configured is from PIR/32,but in my mail above the Bc+Be why???

If so PIR is configured then the PIR would be maximum the SLA or less than the SLA,In my case the SLA is 4Mbps then the configs would we seem like below.

police cir 2000000 pir 4000000 conform-action transmit exceed-action transmit violate-action drop.

quislar,u told me that single rate three colouir will be best in my case so the configs i have prepared below do they r correct pls confirm ????

police cir 4000000 conform-action transmit exceed-action transmit violate-action drop.

Question3: Attaching the file,i have tested the configs by sending the 50000 packets towards ISP and the output is in attached,have a look in there are voilate action but no exceed action as per my knowledge the packets will get excced first then they will voilate the contract??? here i dont see any exceed packets??? correct if am wrong????

Earl in slot 5

26667688 bytes

5 minute offered rate 325400 bps

aggregate-forwarded 26269860 bytes action: transmit

exceeded 0 bytes action: transmit

violated 397828 bytes action: drop

aggregate-forward 400464 bps exceed 0 bps violate 5872 bps

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco