cbwfq and atm/dsl bridging, 3620, ios12.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following config runs on a 3620 with a frame relay

circuit and an atm/dsl circuit. Load balancing is done with

multiple default routes and 'no ip route-cache' and it can

saturate both pipes.


The problem is that I cannot get either priority queueing,

or cbwfq to apply to any of

the bridge interface, BVI1

the main atm interface, atm0/0

the dsl pvc, pvc Isp 0/35

For the first two, we get an error message about cbwfq not

supported on that interface. For the pvc, it accepts the

policy map, but 'show run' does not show it, and neither

does 'show queueing'.


Is there something incompatible between queueing (anything

other than fifo) and either bridging or atm/dsl?




version 12.3

no service timestamps debug uptime

no service timestamps log uptime

no service password-encryption

no service dhcp

!

hostname gw

!

boot-start-marker

boot-end-marker

!

no logging console

!

clock timezone PST -8

no aaa new-model

ip subnet-zero

no ip source-route

!

!

no ip domain lookup

!

ip inspect alert-off

ip inspect max-incomplete low 300

ip inspect max-incomplete high 400

ip inspect one-minute low 500

ip inspect one-minute high 600

ip inspect name Internet_cbac http

ip inspect name Internet_cbac tcp

ip inspect name Internet_cbac udp

ip inspect name Internet_cbac rcmd

ip inspect name Internet_cbac ftp

ip inspect name Internet_cbac tftp

ip inspect name Ethernet_cbac http

ip inspect name Ethernet_cbac tcp

ip inspect name Ethernet_cbac udp

ip inspect name Ethernet_cbac ftp

ip inspect name Ethernet_cbac tftp

ip audit attack action alarm drop

ip audit notify log

ip audit po max-events 100

ip audit signature 2004 list 10

ip audit signature 3103 disable

ip audit signature 6053 disable

ip audit signature 6063 disable

ip audit name AUDIT info action alarm

ip audit name AUDIT attack action alarm drop

!



class-map local-llq

match access-group 111

!

policy-map local

class local-llq

priority 10

class class-default

fair-queue 32

queue-limit 30

!

bridge irb

!

interface ATM0/0

description Isp DSL connection

bandwidth 768

no ip address

ip access-group Internet_Firewall in

ip inspect Internet_cbac in

ip audit AUDIT in

no atm ilmi-keepalive

pvc Isp 0/35

service-policy output local

encapsulation aal5snap

!

dsl operating-mode auto

bridge-group 1

!

interface FastEthernet0/0

description local LAN

ip address xxx.xxx.40.33 255.255.255.224

ip access-group Ethernet_Firewall in

no ip proxy-arp

ip inspect Ethernet_cbac in

no ip mroute-cache

duplex auto

speed auto

no keepalive

!

interface Serial0/0

description Frame Relay (Verizon:10.QRDB.000030)

no ip address

service-policy output local

encapsulation frame-relay IETF

no ip route-cache

no ip mroute-cache

service-module t1 timeslots 1-4

!

interface Serial0/0.1 point-to-point

description Isp Internet connection

ip unnumbered FastEthernet0/0

ip access-group Internet_Firewall in

no ip proxy-arp

ip inspect Internet_cbac in

ip audit AUDIT in

no ip route-cache

no ip mroute-cache

no cdp enable

frame-relay interface-dlci 16 IETF

!

interface BVI1

ip address xxx.xxx.8.15 255.255.255.192

ip access-group Internet_Firewall in

ip inspect Internet_cbac in

ip audit AUDIT in

no ip route-cache

no ip mroute-cache

!

no ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 xxx.xxx.1.1

ip route 0.0.0.0 0.0.0.0 xxx.xxx.8.1

ip route xxx.xxx.1.1 255.255.255.255 Serial0/0.1

ip route xxx.xxx.1.1 255.255.255.255 BVI1

!

no ip access-list extended Ethernet_Firewall

ip access-list extended Ethernet_Firewall

permit tcp any any eq ftp

permit tcp any any eq ftp-data

permit tcp any any eq www

permit tcp any any eq 443

permit icmp any any

deny ip any any log

!

no ip access-list extended Internet_Firewall

ip access-list extended Internet_Firewall

! *** servers

permit tcp any host xxx.xxx.40.50 eq www

permit tcp any host xxx.xxx.40.51 eq www

permit tcp any host xxx.xxx.40.52 eq www

deny ip any any log

!

!

!

logging facility local1

logging xxx.xxx.40.34

!

no access-list 10

access-list 10 deny xxx.xxx.0.0 0.0.0.255

access-list 10 deny xxx.xxx.39.138 0.0.0.0

access-list 10 permit any

!

! acl to define low latency queueing

!

no access-list 111

access-list 111 permit udp any any eq ntp

access-list 111 deny any

!

!

bridge 1 protocol ieee

bridge 1 route ip

no call rsvp-sync

!

dial-peer cor custom

!

!

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

speed 115200

line aux 0

line vty 0 4

exec-timeout 30 0

logging synchronous

login

!

ntp clock-period 17179857

ntp server xxx.xxx.40.34

end


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAEuRCL6j7milTFsERAtQ8AJ99ca/2a26KxgJEKXIMhaAJaZWe4wCfQr6y
bDnFVibXBLVdNuS+5OFkYJU=
=t8Mw
-----END PGP SIGNATURE-----

 

You probably won't be able to do CBWFQ with a BVI. I would suggest you try
route-bridged encapsulation (rbe). This will allow the ATM interface to
provide enhanced layer 3 functionality while accepting bridge formatted
packets. The only caveat is that I'm not sure if rbe will allow you to
bridge those other pesky protocols while routing ip.

Here is a fairly good link showing this functionality.

http://www.cisco.com/en/US/tech/tk39/tk824/technologies_configuration_example09186a00800c96e5.shtml

Good luck!
JC

--

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[snip]

Thanks for the link. I have shifted to rbe with the
following config, but it still accepts (and does not act
upon) the policy map on the dsl pvc. The link above uses a
policy map on the ethernet side to set precedence values,
that are then acted upon with another random-detect policy
on the atm/pvc side. Is there any way to use that scheme to
achieve LLQ, especially the strict priority queue for
voice/ntp packets?


interface Loopback1
ip address xxx.xxx.8.15 255.255.255.192
!
interface ATM0/0
no ip address
no ip route-cache
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
bandwidth 768
ip unnumbered Loopback1
ip access-group Internet_Firewall in
ip inspect Internet_cbac in
ip audit AUDIT in
no ip route-cache
no ip mroute-cache
atm route-bridged ip
pvc Isp 0/35
service-policy output local
encapsulation aal5snap

ip route 0.0.0.0 0.0.0.0 xxx.xxx.1.1
ip route 0.0.0.0 0.0.0.0 xxx.xxx.8.1
ip route xxx.xxx.1.1 255.255.255.255 Serial0/0.1
ip route xxx.xxx.1.1 255.255.255.255 ATM0/0.1
ip route xxx.xxx.8.1 255.255.255.255 ATM0/0.1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAFJPpL6j7milTFsERAl/VAJ9btvBlGf/SIjpHHLYUhHsqt8yp5gCffj/8
BGHvYy9C2emkSGI4AvN5NXY=
=qJpu
-----END PGP SIGNATURE-----

 

or cbwfq to apply to any of

I think it is the same problem as with any non-physical
interface, including subinterfaces.

CBWFQ is supported on a physical interface only
(usually). It works by making queuing desititions at
any time the interface queue has some packets.
When the interface queue is empty, it just forwards
any packet, no need to decide who can send and
who not.

The key point here is that CBWFQ needs a queue
agains which to work. If there is no queue (like
with logical interfaces), it is not accepted.
Keep in mind that cbwfq is a scheduler only, if
there is a queue it makes only desitions about
who is next to get through. With no queue you
have no way to schedule anything.

There is sometimes a way around this:
-make a policy that first shapes traffic (in order to
generate a queue, the shaping queue instead of
the normal interface queue)
-make that policy use a sub-policy that does whatever
needs a queue
-make a separate sub-policy which can now
contain cbwfq because it is working against the
shaping queue generated by the main policy.

ie. something like this (sure to have not the exact syntax)
#
int fa 0/0.1 ! whoa, a subinterface does not support cbwfq!
service policy output shape-and-cbwfq

!! the main policy
policy-map shape-and-cbwfq
class all-traffic
shape 1000000 ! shape all at 1meg
service-policy cbwfw ! apply a sub-policy after shaping

!! the sub-policy
policy-map cbwfq
! and the normal policy defined here
class-map all-traffic
! for matching everything

Unfortunately this requires that you know (and can set)
the absolute limit. In some cases this is not possible,
for example if you had to shape on a virtual interface
according to some aggregate depending on which
interfaces are up and which down.

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[snip]

Hm, maybe I am doing something wrong, but that does not work
for me either. I tried the following, and the service
policy is accepted at the cli for the pvc, but does not show
up in 'show run' or 'show queueing'. As before, the 'service-policy'
command is not accepted at the cli for the main ATM0/0 interface.

Possible issue - this is on a 3620 with the

ATM0/0 is up, line protocol is up
Hardware is DSLSAR (with Alcatel ADSL Module)
Description: Isp dsl
MTU 4470 bytes, sub MTU 4470, BW 864 Kbit, DLY 2370 usec,
reliability 255/255, txload 1/255, rxload 2/255
Encapsulation ATM, loopback not set
Encapsulation(s): AAL5 AAL2, PVC mode
23 maximum active VCs, 256 VCs per VP, 1 current VCCs
VC Auto Creation Disabled.
VC idle disconnect time: 300 seconds
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops:
0
Queueing strategy: Per VC Queueing


class-map match-all local-llq
match access-group 111
!
class-map match-all all-traffic
match access-group 11
!
policy-map local-shape
class all-traffic
shape average percent 100
service-policy local
!
policy-map local
class local-llq
priority 10
class class-default
fair-queue 32
queue-limit 30
!
interface ATM0/0.1 point-to-point
description Isp DSL connection
bandwidth 768
ip unnumbered Loopback1
ip access-group Internet_Firewall in
ip inspect Internet_cbac in
ip audit AUDIT in
no ip route-cache
no ip mroute-cache
atm route-bridged ip
pvc Isp 0/35
service-policy output local-shape
encapsulation aal5snap
!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAFfZNL6j7milTFsERAql6AJ4zjDe/KoEouRUG5TOVF9eyZUZ2ggCfRuxy
GoW28H79wbm6T5ZGOP8sRYM=
=NzbT
-----END PGP SIGNATURE-----

 

What is the output of your sh queueing? When I do it I don't see any
queueing information on my individual sub-ints. However when I do a show
policy int I see the policy enforcement information on each of my sub-int
and PVC.

Also, I had to enable something other than UBR on my individual PVC's such
as vbr-rt for the policy statement to take effect.

Before entering config mode type term mon to display console messages. If
you are saying that the service policy statement doesn't show up when after
applying it to the PVC, the cause may show up with the term mon turned on.

JC

--

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ah, thanks. That shows "GTS : Not supported over ATM VCs". I do have
"vbr-nrt 864 768 200" applied to the pvc, which is a 768k symmetric
dsl link.

gw#sh queueing
Current fair queue configuration:

Interface Discard Dynamic Reserved Link Priority
threshold queues queues queues queues
Serial0/0 30 32 256 8 1

Current DLCI priority queue configuration:
Current priority queue configuration:
Current custom queue configuration:
Current random-detect configuration:
VC 0/35 -
VC 0/35: Per VC queueing is FIFO.
Current per-SID queue configuration:

show policy int only shows the service policy on the serial0/0 frame
relay interface.

My current guess is that fancy queueing is just not supported on this
platform, a 3620 running c3620-ik9o3s7-mz.123-5a.bin, with a
wic-1adsl card. I need the fw/ids/cbac stuff, and I don't see a
recent image that provides that and also fancy queueing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAF+4lL6j7milTFsERAi30AJ9Jl+cxzj/YePdCs3vO47GRQU0a+ACaA0pa
acJOYzqgfNMzQB2HIKNopmI=
=0M4S
-----END PGP SIGNATURE-----