User-Based Rate Limiting in the Cisco Catalyst 6500

Unanswered Question
Sep 12th, 2006
User Badges:

Hi guys,


Following the link below, I tried to test the last scenario in our lab:


http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper0900aecd803e5017.shtml


CONFIGURING UBRL: BIDIRECTIONAL UBRL.


But in the outbound direction, the traffic destined for the subnet in question is not policed at all.

I have a 7606 SUP720-3BXL router.

This is a show module from the device:

7606-2-PLR#sh module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    2  2+4 port GE-WAN                        OSM-2+4GE-WAN+     JAE10202BAC
  2   48  48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX    SAL09496YWU
  3   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAD101708G1
  4    2  2+4 port GE-WAN                        OSM-2+4GE-WAN+     JAE10191JMF
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAL1016KSBW
  6    2  Supervisor Engine 720 (Cold)           WS-SUP720-3BXL     SAL09475RZL

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0017.5ad8.0d30 to 0017.5ad8.0d3f   2.3   12.2(33)SRA1 12.2(33)SRA1 Ok
  2  0016.c816.6fc0 to 0016.c816.6fef   1.4   8.4(1)       8.6(0.259)CA Ok
  3  0015.fa19.bb52 to 0015.fa19.bb69   2.3   12.2(14r)S5  12.2(33)SRA1 Ok
  4  0017.5ad7.d600 to 0017.5ad7.d60f   2.3   12.2(33)SRA1 12.2(33)SRA1 Ok
  5  0013.c43a.de28 to 0013.c43a.de2b   4.5   8.4(2)       12.2(33)SRA1 Ok
  6  0014.a97e.1988 to 0014.a97e.198b   4.3   8.1(3)       12.2(2006061 Ok

Mod  Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
  3  Distributed Forwarding Card WS-F6700-DFC3BXL   SAL1020NAK0 5.2     Ok
  5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAL1016KR81 1.8     Ok
  5  MSFC3 Daughterboard         WS-SUP720          SAL1018LJ0C 2.5     Ok
  6  Policy Feature Card 3       WS-F6K-PFC3BXL     SAL09412T06 1.6     Ok
  6  MSFC3 Daughterboard         WS-SUP720          SAL09475JLE 2.3     Ok

Mod  Online Diag Status
---- -------------------
  1  Pass
  2  Pass
  3  Pass
  4  Pass
  5  Pass
  6  Pass




mheusinger Tue, 09/12/2006 - 06:05
User Badges:
  • Green, 3000 points or more

Hi,


can you please be more specific about your lab setup? How did you configure the 6500, how did you test the policy?


Regards, Martin

swaroop.potdar Tue, 09/12/2006 - 06:33
User Badges:
  • Blue, 1500 points or more

Hi Marius,


1) Can you also paste in your show run of the policy map and class map with the ACL.


2) And the show run of the interface where you applied the configuration.


3) Output of "show policy-map interface"



HTH-Cheers,

Swaroop



bindar.marius Tue, 09/12/2006 - 09:08
User Badges:

class-map match-all Outbound
 match access-group 111
class-map match-all Inbound
 match access-group 110

policy-map Inbound
 class Inbound
  police flow mask src-only 1000000 2000 conform-action transmit exceed-action drop
 class Outbound
  police flow mask dest-only 1000000 2000 conform-action transmit exceed-action drop

interface GigabitEthernet2/3
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2055,3000,3001
 switchport mode trunk
 switchport nonegotiate
 load-interval 30
 mls qos vlan-based
 spanning-tree portfast trunk

interface Vlan3000
 ip address 172.16.1.65 255.255.255.252
 ip pim sparse-mode
 load-interval 30
 service-policy input Inbound

access-list 110 permit ip 11.11.11.0 0.0.0.255 any
access-list 111 permit ip any 11.11.11.0 0.0.0.255

7606-2-PLR#sh ip route 11.11.11.0
Routing entry for 11.11.11.0/24
  Known via "bgp 100", distance 20, metric 0
  Tag 666, type external
  Last update from 172.16.1.66 05:04:25 ago
  Routing Descriptor Blocks:
  * 172.16.1.66, from 172.16.1.66, 05:04:25 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 666

7606-2-PLR#sh policy-map interface
 Vlan3000

  Service-policy input: Inbound

    Class-map: Inbound (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group 110

    Class-map: Outbound (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group 111

    Class-map: class-default (match-any)
      11 packets, 725 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
        11 packets, 725 bytes
        30 second rate 0 bps



swaroop.potdar Wed, 09/13/2006 - 00:07
User Badges:
  • Blue, 1500 points or more

Hi,


Your config looks OK and your hardware supports flow policers on a Layer 3 interface. Seems like an MLS problem.


1) Locate all the ports which are under Vlan 3000 and issue the command

"mls qos vlan-based"


2) Verify if the ports have been enabled with VLAN-based QoS: "show mls qos"

The enabled ports should be showing as VLAN-based QoS enabled.


This should help to solve the issue.

If it doesn't, send the output of step 2 as an attachment.


HTH-Cheers,

Swaroop


bindar.marius Wed, 09/13/2006 - 02:55
User Badges:

policy-map Inbound

class Inbound

police flow mask src-only 1000000 2000 conform-action set-prec-transmit 5 exceed-action drop

class Outbound

police flow mask dest-only 1000000 2000 conform-action set-prec-transmit 5 exceed-action drop



class-map match-all Inbound

match access-group 110


class-map match-all Outbound

match access-group 111


7606-2-PLR#sh vlan id 3000

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3000 VLAN3000                         active    Gi2/3

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3000 enet  103000     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------


interface GigabitEthernet2/3

description *** Multicast Sources - PORT 1 ***

switchport

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 2055,3000,3001

switchport mode trunk

switchport nonegotiate

no ip address

load-interval 30

mls qos vlan-based

spanning-tree portfast trunk


interface Vlan3000

ip address 172.16.1.65 255.255.255.252

load-interval 30

isis circuit-type level-2-only

service-policy input Inbound


7606-2-PLR#sh mls qos

QoS is enabled globally

Policy marking depends on port_trust

QoS ip packet dscp rewrite enabled globally

Input mode for GRE Tunnel is Pipe mode

Input mode for MPLS is Pipe mode


QoS is vlan-based on the following interfaces:

Gi2/3

Vlan or Portchannel(Multi-Earl) policies supported: Yes

Egress policies supported: Yes



----- Module [3] -----

QoS global counters:

Total packets: 2273

IP shortcut packets: 0

Packets dropped by policing: 0

IP packets with TOS changed by policing: 273

IP packets with COS changed by policing: 29

Non-IP packets with COS changed by policing: 9

MPLS packets with EXP changed by policing: 0


----- Module [5] -----

QoS global counters:

Total packets: 222

IP shortcut packets: 0

Packets dropped by policing: 0

IP packets with TOS changed by policing: 46

IP packets with COS changed by policing: 6

Non-IP packets with COS changed by policing: 14

MPLS packets with EXP changed by policing: 0


----- Module [6] -----

QoS global counters:

Total packets: 0

IP shortcut packets: 0

Packets dropped by policing: 0

IP packets with TOS changed by policing: 0

IP packets with COS changed by policing: 0

Non-IP packets with COS changed by policing: 0

MPLS packets with EXP changed by policing: 0



7606-2-PLR#sh policy-map interface

Vlan3000


Service-policy input: Inbound


Class-map: Inbound (match-all)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: access-group 110


Class-map: Outbound (match-all)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: access-group 111


Class-map: class-default (match-any)

1178 packets, 80300 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any



swaroop.potdar Wed, 09/13/2006 - 02:41
User Badges:
  • Blue, 1500 points or more

Bindar


Also did you try using the command specified "mls qos vlan-based"


Reply back what is the status of this issue.


HTH-Cheers,

Swaroop

swaroop.potdar Wed, 09/13/2006 - 06:34
User Badges:
  • Blue, 1500 points or more

Bindar,


Can you try enabling "mls qos bridged" on the SVI where you apply this policy.


And give the output here.


HTH-Cheers,

Swaroop

bindar.marius Wed, 09/13/2006 - 07:06
User Badges:

7606-2-PLR#sh run interface vlan 3000

Building configuration...


Current configuration : 186 bytes

!

interface Vlan3000

ip vrf forwarding QOS

ip address 172.16.1.65 255.255.255.252

load-interval 30

mls qos bridged

isis circuit-type level-2-only

service-policy input Inbound

end


7606-2-PLR#sh run int gi

7606-2-PLR#sh run int gigabitEthernet 2/3

Building configuration...


Current configuration : 310 bytes

!

interface GigabitEthernet2/3

description *** Multicast Sources - PORT 1 ***

switchport

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 2055,3000,3001

switchport mode trunk

switchport nonegotiate

no ip address

load-interval 30

mls qos vlan-based

spanning-tree portfast trunk

end


7606-2-PLR#sh vlan id 3000

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3000 VLAN3000                         active    Gi2/3

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3000 enet  103000     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------


7606-2-PLR#

7606-2-PLR#

7606-2-PLR#sh pol

7606-2-PLR#sh policy-map in

7606-2-PLR#sh policy-map interface

Vlan3000


Service-policy input: Inbound


Class-map: Inbound (match-all)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: access-group 110


Class-map: Outbound (match-all)

0 packets, 0 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: access-group 111


Class-map: class-default (match-any)

52 packets, 3458 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any


All the counters are zero even after 14Mbps traffic load through that interface.

swaroop.potdar Wed, 09/13/2006 - 08:00
User Badges:
  • Blue, 1500 points or more

Hi Bindar,


I don't see any document which says two-way microflow policing is not supported on an SVI. Also, I don't see a document confirming it either. I don't have internal product-level feature compliance information.


But anyway, can you try this; let's hope it works.


#config t

mls flow ip full

ip flow ingress layer2-switched vlan 3000


HTH-Cheers,

Swaroop



bindar.marius Wed, 09/13/2006 - 11:03
User Badges:

So, after mls flow ip full was applied, the following message appears:


%FM-2-FLOWMASK_CONFLICT: Features configured on interface Vlan3000 have conflicting flowmask requirements, traffic may be switched in software


Maybe because the mask in my scenario is src-only or dest-only.



swaroop.potdar Wed, 09/13/2006 - 14:21
User Badges:
  • Blue, 1500 points or more

OK, did you try enabling flow detection on Layer 2?


"ip flow ingress layer2-switched vlan 3000"


Let us know what the result is.

swaroop.potdar Wed, 09/13/2006 - 15:26
User Badges:
  • Blue, 1500 points or more

Ok..


Can u give the output of these commands,


"show mls netflow module 2"


"show mls netflow source 11.11.11.0"


"show mls netflow destination 11.11.11.0"


"show mls netflow ip"


"show mls netflow flowmask"


HTH-Cheers,

Swaroop

bindar.marius Wed, 09/13/2006 - 21:40
User Badges:

7606-2-PLR#sh mls netflow ip
Displaying Netflow entries in Supervisor Earl
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------
0.0.0.0         11.11.11.1      0   :0      :0        --              :0x0
359926       38152156      398   08:09:15  L3 - Dynamic
0.0.0.0         11.11.11.4      0   :0      :0        --              :0x0
359925       38152050      398   08:09:15  L3 - Dynamic
0.0.0.0         11.11.11.5      0   :0      :0        --              :0x0
359925       38152050      398   08:09:15  L3 - Dynamic
0.0.0.0         11.11.11.2      0   :0      :0        --              :0x0
359926       38152156      398   08:09:15  L3 - Dynamic
0.0.0.0         11.11.11.3      0   :0      :0        --              :0x0
359925       38152050      398   08:09:15  L3 - Dynamic
0.0.0.0         0.0.0.0         0   :0      :0        --              :0x0
559177       58444378      192   08:09:53  L3 - Dynamic

7606-2-PLR#sh mls netflow flowmask
current ip flowmask for unicast: null
current ipv6 flowmask for unicast: null

7606-2-PLR#sh mls netflow ip module 2
No forwarding engine in module 2


The ip flow ingress command was already issued in the previous post.


7606-2-PLR#sh mls netflow ip source 11.11.11.0
Displaying Netflow entries in Supervisor Earl
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------

7606-2-PLR#sh mls netflow ip dest 11.11.11.0
Displaying Netflow entries in Supervisor Earl
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------



swaroop.potdar Thu, 09/14/2006 - 01:49
User Badges:
  • Blue, 1500 points or more

OK, that's great.


Now can you enable the source-destination flowmask as below and record the observation.


In global:

"mls flow ip destination-source"


Once you enable this command, simply take the output of


1) show policy int


2) show mls flow ip


3) show mls netflow flowmask


That's it.


HTH-Cheers,

Swaroop

bindar.marius Thu, 09/14/2006 - 02:27
User Badges:

Please find the attachment.

In this scenario the policing doesn't work in any direction.

Every time the FLOWMASK_CONFLICT error appears, the policing stops working.



Attachment: 
swaroop.potdar Thu, 09/14/2006 - 04:42
User Badges:
  • Blue, 1500 points or more

OK, thanks for the output.


1) Can you enable "mls flow ip"


take the output of "show mls netflow flowmask"


2) Can you enable "mls flow ip destination"


take the output of "show mls netflow flowmask"


3) Can you enable "mls flow ip source"


take the output of "show mls netflow flowmask"


When you are carrying out the above steps, don't do a "no" of any of the commands entered. Just keep entering the commands one after another and take the outputs.


It would have been best if I had direct access to the devices, but anyway we can try it this way also.


HTH-Cheers,

Swaroop


bindar.marius Thu, 09/14/2006 - 06:26
User Badges:

7606-2-PLR(config)#mls flow ip destination
7606-2-PLR(config)#end
7606-2-PLR#sh ml
7606-2-PLR#sh mls ne
Sep 14 16:17:40.040 buc: %SYS-5-CONFIG_I: Configured from console by m onvty0 (192.168.1.1)
7606-2-PLR#sh mls ne
7606-2-PLR#sh mls netflow flo
7606-2-PLR#sh mls netflow flowmask
current ip flowmask for unicast: dst
current ipv6 flowmask for unicast: null
7606-2-PLR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
7606-2-PLR(config)#ml
7606-2-PLR(config)#mls flo
7606-2-PLR(config)#mls flow ip sou
7606-2-PLR(config)#mls flow ip source
7606-2-PLR(config)#end
7606-2-PLR#sh mls netflow flowmask
current ip flowmask for unicast: src
current ipv6 flowmask for unicast: null


For the mls flow ip command I have a lot of options; the IOS shell doesn't permit issuing just the "mls flow ip" command.

swaroop.potdar Thu, 09/14/2006 - 08:15
User Badges:
  • Blue, 1500 points or more

Hi Bindar,


From your output,


Use only "mls flow ip source", as UBRL uses only source flow masks as per the docs.


Let's see if this closes the issue so we can flag off this thread for future reference.


HTH-Cheers,

Swaroop

bindar.marius Thu, 09/14/2006 - 10:34
User Badges:

7606-2-PLR#sh mls netflow ip
Displaying Netflow entries in Supervisor Earl
DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr
-----------------------------------------------------------------------------
Pkts         Bytes         Age   LastSeen  Attributes
---------------------------------------------------
0.0.0.0         192.168.255.13  0   :0      :0        --              :0x0
71           4163          1921  21:32:15  L3 - Dynamic
0.0.0.0         172.16.1.66     0   :0      :0        --              :0x0
0            0             1224  21:31:52  L3 - Dynamic
0.0.0.0         192.168.255.12  0   :0      :0        --              :0x0
0            0             1916  21:32:16  L3 - Dynamic
0.0.0.0         0.0.0.0         0   :0      :0        --              :0x0
927          42642         1889  21:32:07  L3 - Dynamic
0.0.0.0         192.168.1.26    0   :0      :0        --              :0x0
0            0             1924  21:32:18  L3 - Dynamic
0.0.0.0         172.16.1.65     0   :0      :0        --              :0x0
79           4566          1224  21:31:52  L2 - Dynamic
0.0.0.0         11.11.11.4      0   :0      :0        --              :0x0
101352       10743312      88    21:31:51  L3 - Dynamic
0.0.0.0         192.168.255.11  0   :0      :0        --              :0x0
0            0             1915  21:32:11  L3 - Dynamic
0.0.0.0         11.11.11.1      0   :0      :0        --              :0x0
101352       10743312      88    21:31:51  L3 - Dynamic
0.0.0.0         192.168.1.46    0   :0      :0        --              :0x0
0            0             1836  21:32:07  L3 - Dynamic
0.0.0.0         11.11.11.5      0   :0      :0        --              :0x0
101352       10743312      88    21:31:51  L3 - Dynamic
0.0.0.0         11.11.11.2      0   :0      :0        --              :0x0
101352       10743312      88    21:31:51  L3 - Dynamic
0.0.0.0         12.12.12.1      0   :0      :0        --              :0x0
101352       10743312      88    21:31:51  L3 - Dynamic
0.0.0.0         11.11.11.3      0   :0      :0        --              :0x0
101352       10743312      88    21:31:51  L3 - Dynamic
0.0.0.0         12.12.12.2      0   :0      :0        --              :0x0
101351       10743206      88    21:31:51  L3 - Dynamic



The policing doesn't work in any direction.

Let's close this thread if you agree.

Thank you very much for your patience.


swaroop.potdar Thu, 09/14/2006 - 10:45
User Badges:
  • Blue, 1500 points or more

Hi Marius,


Thanks for your persistence as well.


If you happen to get it working later, do update the thread for others reference.


HTH-Cheers!

Swaroop

syntaxmonster Tue, 10/31/2006 - 03:25
User Badges:

Hi guys,


I had the same problem on a Cat6509, therefore I opened a case. This is the result:


-----snip-----


" I have been investigating this issue deeper since being back from vacation.

**************************************************************

The first point to mention is that the Bidir UBRL as described in the doc you referenced is not valid:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper0900aecd803e5017.shtml

**************************************************************

Due to hardware limitation there is no way that this config could work.

There would be a conflict between Src and Dest mask applied to the same interface. When configuring in lab you should see the message:

switch(config)#int gig 6/2
switch(config-if)# service-policy input livingdata-police
switch(config-if)#
QoS-ERROR: QoS policy on interface Gi6/2 cannot be successfully installed due to the interaction with other feature configuration
Failure reason is Unresolvable flowmask conflict with other features
QoS-ERROR: installation of policy on Gi6/2 failed
5d18h: %FM_EARL7-4-NO_FLOWMASK_REGISTERS: Feature configuration on interface GigabitEthernet6/2 could not allocate required flowmask registers, traffic may be switched in software
switch(config-if)#

**************************************************************

I have submitted feedback to the author and CCO team and it should be either removed from CCO or amended."


-----snap------
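
The TAC reply above and Marius's earlier `show policy-map interface` outputs describe two symptoms worth checking for automatically: a policy-map that asks for both a src-only and a dest-only flow mask (which the PFC cannot install), and a policy that is attached but whose classes never count while class-default carries all the traffic. The following Python checker is an added example, not code from this thread or from Cisco; it parses a running-config excerpt and a `show policy-map interface` output, both constructed here from the thread's own posts. The third mask keyword `full-flow` in the regex is an assumption (the thread shows only src-only and dest-only).

```python
import re

# Constructed sample config, modelled on the policy-map posted in this thread
# (src-only and dest-only flow policers in one policy-map) plus a variant
# with no explicit mask, as in the last post of the thread.
SAMPLE_CONFIG = """\
policy-map Inbound
 class Inbound
  police flow mask src-only 1000000 2000 conform-action transmit exceed-action drop
 class Outbound
  police flow mask dest-only 1000000 2000 conform-action transmit exceed-action drop
!
policy-map NoMask
 class Inbound
  police flow 1000000 conform-action transmit exceed-action drop
"""

# Constructed 'show policy-map interface' output, modelled on the thread's:
# both user classes idle while class-default carries all the traffic.
SAMPLE_SHOW_POLICY = """\
Vlan3000
  Service-policy input: Inbound
    Class-map: Inbound (match-all)
      0 packets, 0 bytes
      Match: access-group 110
    Class-map: Outbound (match-all)
      0 packets, 0 bytes
      Match: access-group 111
    Class-map: class-default (match-any)
      1178 packets, 80300 bytes
      Match: any
        1178 packets, 80300 bytes
"""

POLICY_RE = re.compile(r"^policy-map\s+(\S+)")
CLASS_RE = re.compile(r"^\s+class\s+(\S+)")
# 'full-flow' is an assumed third mask keyword; the thread shows only src-only/dest-only.
POLICE_FLOW_RE = re.compile(
    r"^\s+police\s+flow(?:\s+mask\s+(src-only|dest-only|full-flow))?\s")
CLASSMAP_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
PKTS_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")


def parse_flow_policers(config: str) -> dict:
    """Map each policy-map to a list of (class, mask) for its 'police flow'
    statements; mask is None when the statement has no 'mask' keyword."""
    result, current_pm, current_class = {}, None, None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current_pm, current_class = m.group(1), None
            result[current_pm] = []
            continue
        if line and not line[0].isspace():
            current_pm = None  # a column-0 line ('!', class-map, ...) ends the block
            continue
        if current_pm is None:
            continue
        m = CLASS_RE.match(line)
        if m:
            current_class = m.group(1)
            continue
        m = POLICE_FLOW_RE.match(line)
        if m and current_class is not None:
            result[current_pm].append((current_class, m.group(1)))
    return result


def flowmask_conflicts(policers: dict) -> dict:
    """Policy-maps whose flow policers ask for more than one explicit mask.
    Per the TAC reply quoted in this thread, src and dest masks on the same
    interface conflict and such a policy cannot be installed in hardware."""
    conflicts = {}
    for pm, entries in policers.items():
        masks = {mask for _, mask in entries if mask is not None}
        if len(masks) > 1:
            conflicts[pm] = sorted(masks)
    return conflicts


def class_packet_counts(output: str) -> dict:
    """Total packets per class-map from 'show policy-map interface' output."""
    counts, current = {}, None
    for line in output.splitlines():
        m = CLASSMAP_RE.match(line)
        if m:
            current = m.group(1)
            counts.setdefault(current, 0)
            continue
        m = PKTS_RE.match(line)
        if m and current is not None:
            counts[current] = int(m.group(1))
            current = None  # only the first counter line is the class total
    return counts


def unmatched_classes(counts: dict) -> list:
    """Classes with zero hits while class-default is counting: the policy is
    attached but never matches, which is what the thread's outputs show."""
    if counts.get("class-default", 0) == 0:
        return []  # no traffic at all, nothing to conclude
    return sorted(c for c, n in counts.items() if c != "class-default" and n == 0)
```

Run against the samples, `flowmask_conflicts` reports only the `Inbound` policy-map (masks `dest-only` and `src-only`), while `NoMask` passes because its single policer carries no explicit mask; `unmatched_classes` returns `Inbound` and `Outbound`. The counter check deliberately returns nothing when class-default is also at zero, since an idle interface tells you nothing about whether the policy is being applied.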



happy12345 Mon, 12/28/2009 - 06:00
User Badges:

mls flow ip full
police flow mask src 1000000 conform-action transmit exceed-action drop


I got the "FLOWMASK_CONFLICT: Features configured on interface" errors.


However, when I used:

mls flow ip full
police flow 1000000 conform-action transmit exceed-action drop


without specifying the mask, I get no error and the microflow policer works. Is there any issue with this?


http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd803e5017.html does not seem to work.


Any advice? Thanks.
