cbwfq and atm/dsl bridging, 3620, ios12.3

Discussion in 'Cisco' started by Carl Byington, Jan 24, 2004.

  1.

    The following config runs on a 3620 with a frame relay
    circuit and an atm/dsl circuit. Load balancing is done with
    multiple default routes and 'no ip route-cache' and it can
    saturate both pipes.

    The problem is that I cannot get either priority queueing,
    or cbwfq to apply to any of
      the bridge interface, BVI1
      the main atm interface, atm0/0
      the dsl pvc, pvc Isp 0/35
    For the first two, we get an error message about cbwfq not
    supported on that interface. For the pvc, it accepts the
    policy map, but 'show run' does not show it, and neither
    does 'show queueing'.

    Is there something incompatible between queueing (anything
    other than fifo) and either bridging or atm/dsl?




    version 12.3
    no service timestamps debug uptime
    no service timestamps log uptime
    no service password-encryption
    no service dhcp
    !
    hostname gw
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    !
    clock timezone PST -8
    no aaa new-model
    ip subnet-zero
    no ip source-route
    !
    !
    no ip domain lookup
    !
    ip inspect alert-off
    ip inspect max-incomplete low 300
    ip inspect max-incomplete high 400
    ip inspect one-minute low 500
    ip inspect one-minute high 600
    ip inspect name Internet_cbac http
    ip inspect name Internet_cbac tcp
    ip inspect name Internet_cbac udp
    ip inspect name Internet_cbac rcmd
    ip inspect name Internet_cbac ftp
    ip inspect name Internet_cbac tftp
    ip inspect name Ethernet_cbac http
    ip inspect name Ethernet_cbac tcp
    ip inspect name Ethernet_cbac udp
    ip inspect name Ethernet_cbac ftp
    ip inspect name Ethernet_cbac tftp
    ip audit attack action alarm drop
    ip audit notify log
    ip audit po max-events 100
    ip audit signature 2004 list 10
    ip audit signature 3103 disable
    ip audit signature 6053 disable
    ip audit signature 6063 disable
    ip audit name AUDIT info action alarm
    ip audit name AUDIT attack action alarm drop
    !
    class-map local-llq
     match access-group 111
    !
    policy-map local
     class local-llq
      priority 10
     class class-default
      fair-queue 32
      queue-limit 30
    !
    bridge irb
    !
    interface ATM0/0
     description Isp DSL connection
     bandwidth 768
     no ip address
     ip access-group Internet_Firewall in
     ip inspect Internet_cbac in
     ip audit AUDIT in
     no atm ilmi-keepalive
     pvc Isp 0/35
      service-policy output local
      encapsulation aal5snap
     !
     dsl operating-mode auto
     bridge-group 1
    !
    interface FastEthernet0/0
     description local LAN
     ip address xxx.xxx.40.33 255.255.255.224
     ip access-group Ethernet_Firewall in
     no ip proxy-arp
     ip inspect Ethernet_cbac in
     no ip mroute-cache
     duplex auto
     speed auto
     no keepalive
    !
    interface Serial0/0
     description Frame Relay (Verizon:10.QRDB.000030)
     no ip address
     service-policy output local
     encapsulation frame-relay IETF
     no ip route-cache
     no ip mroute-cache
     service-module t1 timeslots 1-4
    !
    interface Serial0/0.1 point-to-point
     description Isp Internet connection
     ip unnumbered FastEthernet0/0
     ip access-group Internet_Firewall in
     no ip proxy-arp
     ip inspect Internet_cbac in
     ip audit AUDIT in
     no ip route-cache
     no ip mroute-cache
     no cdp enable
     frame-relay interface-dlci 16 IETF
    !
    interface BVI1
     ip address xxx.xxx.8.15 255.255.255.192
     ip access-group Internet_Firewall in
     ip inspect Internet_cbac in
     ip audit AUDIT in
     no ip route-cache
     no ip mroute-cache
    !
    no ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.1.1
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.8.1
    ip route xxx.xxx.1.1 255.255.255.255 Serial0/0.1
    ip route xxx.xxx.1.1 255.255.255.255 BVI1
    !
    no ip access-list extended Ethernet_Firewall
    ip access-list extended Ethernet_Firewall
     permit tcp any any eq ftp
     permit tcp any any eq ftp-data
     permit tcp any any eq www
     permit tcp any any eq 443
     permit icmp any any
     deny ip any any log
    !
    no ip access-list extended Internet_Firewall
    ip access-list extended Internet_Firewall
     ! *** servers
     permit tcp any host xxx.xxx.40.50 eq www
     permit tcp any host xxx.xxx.40.51 eq www
     permit tcp any host xxx.xxx.40.52 eq www
     deny ip any any log
    !
    !
    !
    logging facility local1
    logging xxx.xxx.40.34
    !
    no access-list 10
    access-list 10 deny xxx.xxx.0.0 0.0.0.255
    access-list 10 deny xxx.xxx.39.138 0.0.0.0
    access-list 10 permit any
    !
    ! acl to define low latency queueing
    !
    no access-list 111
    access-list 111 permit udp any any eq ntp
    access-list 111 deny ip any any
    !
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    no call rsvp-sync
    !
    dial-peer cor custom
    !
    !
    !
    !
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
     speed 115200
    line aux 0
    line vty 0 4
     exec-timeout 30 0
     logging synchronous
     login
    !
    ntp clock-period 17179857
    ntp server xxx.xxx.40.34
    end


     
    Carl Byington, Jan 24, 2004
    #1

  2. Carl Byington

    JC Guest

    You probably won't be able to do CBWFQ with a BVI. I would suggest you try
    route-bridged encapsulation (rbe). This will allow the ATM interface to
    provide enhanced layer 3 functionality while accepting bridge formatted
    packets. The only caveat is that I'm not sure if rbe will allow you to
    bridge those other pesky protocols while routing ip.

    Here is a fairly good link showing this functionality.

    http://www.cisco.com/en/US/tech/tk39/tk824/technologies_configuration_example09186a00800c96e5.shtml

    Good luck!
    JC

    --
     
    JC, Jan 25, 2004
    #2

  3.

    [snip]

    Thanks for the link. I have shifted to rbe with the
    following config, but it still accepts (and does not act
    upon) the policy map on the dsl pvc. The link above uses a
    policy map on the ethernet side to set precedence values,
    that are then acted upon with another random-detect policy
    on the atm/pvc side. Is there any way to use that scheme to
    achieve LLQ, especially the strict priority queue for
    voice/ntp packets?


    interface Loopback1
     ip address xxx.xxx.8.15 255.255.255.192
    !
    interface ATM0/0
     no ip address
     no ip route-cache
     no ip mroute-cache
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0/0.1 point-to-point
     bandwidth 768
     ip unnumbered Loopback1
     ip access-group Internet_Firewall in
     ip inspect Internet_cbac in
     ip audit AUDIT in
     no ip route-cache
     no ip mroute-cache
     atm route-bridged ip
     pvc Isp 0/35
      service-policy output local
      encapsulation aal5snap

    ip route 0.0.0.0 0.0.0.0 xxx.xxx.1.1
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.8.1
    ip route xxx.xxx.1.1 255.255.255.255 Serial0/0.1
    ip route xxx.xxx.1.1 255.255.255.255 ATM0/0.1
    ip route xxx.xxx.8.1 255.255.255.255 ATM0/0.1
     
    Carl Byington, Jan 26, 2004
    #3
  4. or cbwfq to apply to any of
    I think it is the same problem as with any non-physical
    interface, including subinterfaces.

    CBWFQ is supported on a physical interface only
    (usually). It works by making queuing decisions at
    any time the interface queue has some packets.
    When the interface queue is empty, it just forwards
    any packet, no need to decide who can send and
    who not.

    The key point here is that CBWFQ needs a queue
    against which to work. If there is no queue (like
    with logical interfaces), it is not accepted.
    Keep in mind that cbwfq is a scheduler only, if
    there is a queue it makes only decisions about
    who is next to get through. With no queue you
    have no way to schedule anything.

    There is sometimes a way around this:
    -make a policy that first shapes traffic (in order to
    generate a queue, the shaping queue instead of
    the normal interface queue)
    -make that policy use a sub-policy that does whatever
    needs a queue
    -make a separate sub-policy which can now
    contain cbwfq because it is working against the
    shaping queue generated by the main policy.

    i.e. something like this (sure to have not the exact syntax)

    ! for matching everything
    class-map match-all all-traffic
     match any
    !
    !! the sub-policy
    policy-map cbwfq
     ! and the normal policy defined here
    !
    !! the main policy
    policy-map shape-and-cbwfq
     class all-traffic
      ! shape all at 1meg
      shape average 1000000
      ! apply a sub-policy after shaping
      service-policy cbwfq
    !
    ! whoa, a subinterface does not support cbwfq!
    interface FastEthernet0/0.1
     service-policy output shape-and-cbwfq

    Unfortunately this requires that you know (and can set)
    the absolute limit. In some cases this is not possible,
    for example if you had to shape on a virtual interface
    according to some aggregate depending on which
    interfaces are up and which down.
     
    Harri Suomalainen, Jan 26, 2004
    #4
  5.

    [snip]

    Hm, maybe I am doing something wrong, but that does not work
    for me either. I tried the following, and the service
    policy is accepted at the cli for the pvc, but does not show
    up in 'show run' or 'show queueing'. As before, the 'service-policy'
    command is not accepted at the cli for the main ATM0/0 interface.

    Possible issue - this is on a 3620 with the

    ATM0/0 is up, line protocol is up
      Hardware is DSLSAR (with Alcatel ADSL Module)
      Description: Isp dsl
      MTU 4470 bytes, sub MTU 4470, BW 864 Kbit, DLY 2370 usec,
         reliability 255/255, txload 1/255, rxload 2/255
      Encapsulation ATM, loopback not set
      Encapsulation(s): AAL5 AAL2, PVC mode
      23 maximum active VCs, 256 VCs per VP, 1 current VCCs
      VC Auto Creation Disabled.
      VC idle disconnect time: 300 seconds
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: Per VC Queueing


    class-map match-all local-llq
     match access-group 111
    !
    class-map match-all all-traffic
     match access-group 11
    !
    policy-map local-shape
     class all-traffic
      shape average percent 100
      service-policy local
    !
    policy-map local
     class local-llq
      priority 10
     class class-default
      fair-queue 32
      queue-limit 30
    !
    interface ATM0/0.1 point-to-point
     description Isp DSL connection
     bandwidth 768
     ip unnumbered Loopback1
     ip access-group Internet_Firewall in
     ip inspect Internet_cbac in
     ip audit AUDIT in
     no ip route-cache
     no ip mroute-cache
     atm route-bridged ip
     pvc Isp 0/35
      service-policy output local-shape
      encapsulation aal5snap
    !
     
    Carl Byington, Jan 27, 2004
    #5
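
The symptom described in the post above (a 'service-policy' line accepted under the PVC but missing from 'show run') can be caught mechanically by comparing the intended configuration against the running one, parent context included. This is an added example, not part of the original posts; the function names and both sample configs are constructed, and it assumes the standard IOS one-space indentation of sub-commands.

```python
def config_paths(text):
    """Flatten an indented IOS config into (parent, ..., command) tuples."""
    paths, stack = set(), []           # stack holds (indent, command) ancestors
    for raw in text.splitlines():
        line = raw.rstrip()
        cmd = line.strip()
        if not cmd or cmd.startswith("!"):
            continue                   # blank lines and '!' separators/comments
        indent = len(line) - len(line.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()                # leave sub-modes we have exited
        stack.append((indent, cmd))
        paths.add(tuple(c for _, c in stack))
    return paths


def silently_dropped(intended, running):
    """Intended commands (with their parents) that the running config lacks."""
    return sorted(config_paths(intended) - config_paths(running))


# Constructed sample: what was typed at the CLI ...
INTENDED = """\
interface ATM0/0.1 point-to-point
 atm route-bridged ip
 pvc Isp 0/35
  service-policy output local-shape
  encapsulation aal5snap
 !
!
interface Serial0/0
 service-policy output local
 encapsulation frame-relay IETF
"""

# ... and a constructed 'show run' in which the PVC policy never took effect.
RUNNING = """\
interface ATM0/0.1 point-to-point
 atm route-bridged ip
 pvc Isp 0/35
  vbr-nrt 864 768 200
  encapsulation aal5snap
 !
!
interface Serial0/0
 service-policy output local
 encapsulation frame-relay IETF
"""

if __name__ == "__main__":
    for path in silently_dropped(INTENDED, RUNNING):
        print("missing from running config:", " > ".join(path))
```

Because each command is keyed by its full parent path, the policy that did attach to Serial0/0 is not confused with the one that was dropped under the PVC.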
  6. Carl Byington

    JC Guest

    What is the output of your sh queueing? When I do it I don't see any
    queueing information on my individual sub-ints. However when I do a show
    policy int I see the policy enforcement information on each of my sub-int
    and PVC.

    Also, I had to enable something other than UBR on my individual PVCs, such
    as vbr-rt, for the policy statement to take effect.

    Before entering config mode, type term mon to display console messages. If
    you are saying that the service policy statement doesn't show up after
    applying it to the PVC, the cause may show up with term mon turned on.

    JC

    --

     
    JC, Jan 28, 2004
    #6
  7.

    Ah, thanks. That shows "GTS : Not supported over ATM VCs". I do have
    "vbr-nrt 864 768 200" applied to the pvc, which is a 768k symmetric
    dsl link.

    gw#sh queueing
    Current fair queue configuration:

    Interface    Discard    Dynamic  Reserved  Link    Priority
                 threshold  queues   queues    queues  queues
    Serial0/0    30         32       256       8       1

    Current DLCI priority queue configuration:
    Current priority queue configuration:
    Current custom queue configuration:
    Current random-detect configuration:
    VC 0/35 -
    VC 0/35: Per VC queueing is FIFO.
    Current per-SID queue configuration:

    show policy int only shows the service policy on the serial0/0 frame
    relay interface.

    My current guess is that fancy queueing is just not supported on this
    platform, a 3620 running c3620-ik9o3s7-mz.123-5a.bin, with a
    wic-1adsl card. I need the fw/ids/cbac stuff, and I don't see a
    recent image that provides that and also fancy queueing.
     
    Carl Byington, Jan 28, 2004
    #7