From: Theo M (theorack@gmail.com)
Date: Fri Jul 13 2007 - 07:05:56 ART
Hello, sorry to post again, but my last post got clipped by Gmail.
All the following pertains to the IE CCIE Technologies "USING HIERARCHICAL
POLICY-MAPS FOR TRAFFIC POLICING ON 3560",
in the "Bridging and Switching" PDF.
The solution worked, but seemed convoluted at first, so I asked myself why.
After I found out why, I asked myself some more questions.
All this is below, it's a rather lengthy read.
I would appreciate it if anyone could read it and give me their opinion afterwards.
Have fun!
[o]-> My first try, the natural (?) way:
Idea:
>>>
policy-map PMAP203
class match-all CMAP203 [ match IIF & match IP ]
set precedence 3
police 64000 32000
<<<
Rack1SW2#sh run
Building configuration...
Current configuration : 2719 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname Rack1SW2
!
!
no aaa new-model
ip subnet-zero
no ip domain-lookup
!
!
mls qos
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
class-map match-all IP_TRAFFIC
match access-group name IP
class-map match-all INPUT_INTERFACES
match input-interface FastEthernet0/13 - FastEthernet0/15
class-map match-all CMAP203
match input-interface FastEthernet0/13 - FastEthernet0/15
match access-group name IP
!
!
policy-map POLICE_32K
class INPUT_INTERFACES
police 32000 16000 exceed-action drop
policy-map POLICE_64K
class INPUT_INTERFACES
police 64000 32000 exceed-action drop
policy-map PMAP203
class CMAP203
police 64000 32000 exceed-action drop
set precedence 3
policy-map VLAN201_POLICY
class IP_TRAFFIC
set precedence 5
service-policy POLICE_64K
policy-map VLAN202_POLICY
class IP_TRAFFIC
set precedence 4
service-policy POLICE_32K
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 201,202
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/5
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/12
!
interface FastEthernet0/13
mls qos vlan-based
!
interface FastEthernet0/14
mls qos vlan-based
!
interface FastEthernet0/15
mls qos vlan-based
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan201
no ip address
service-policy input VLAN201_POLICY
!
interface Vlan202
no ip address
service-policy input VLAN202_POLICY
!
interface Vlan203
no ip address
!
ip classless
ip http server
ip http secure-server
!
!
ip access-list extended IP
permit ip any any
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
line vty 0 4
exec-timeout 0 0
password cisco
login
line vty 5 15
exec-timeout 0 0
password cisco
login
!
end
Rack1SW2#
Rack1SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1SW2(config)#int vlan203
Rack1SW2(config-if)#ser
Rack1SW2(config-if)#service-policy in
Rack1SW2(config-if)#service-policy input PMAP203
%QoS: policy-map with police action at parent level not supported on Vlan203
interface.
%QoS: policy-map with police action at parent level not supported on Vlan203
interface.
%QoS: policy-map with police action at parent level not supported on Vlan203
interface.
%QoS: policy-map with police action at parent level not supported on Vlan203
interface.
%QoS: policy-map with police action at parent level not supported on Vlan203
interface.
Rack1SW2(config-if)#
Rack1SW2(config-if)#do sh run int vlan203
Building configuration...
Current configuration : 40 bytes
!
interface Vlan203
no ip address
end
Rack1SW2(config-if)#
Rack1SW2(config-if)#end
Rack1SW2#
I haven't been able to find this exact error message on CCO, but I get the idea, so:
[o]-> My second try: let's move the policer to a new PMAP, then call the new
PMAP from the first one:
Idea:
>>>
policy-map PMAP203
class CMAP203 [ match IIF & match IP]
set precedence 3
service-policy PMAP203_child
!
policy-map PMAP203_child
class class-default
police 64000 32000
!
<<<
Rack1SW2#sh run
Building configuration...
Current configuration : 2798 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname Rack1SW2
!
!
no aaa new-model
ip subnet-zero
no ip domain-lookup
!
!
mls qos
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
class-map match-all IP_TRAFFIC
match access-group name IP
class-map match-all INPUT_INTERFACES
match input-interface FastEthernet0/13 - FastEthernet0/15
class-map match-all CMAP203
match input-interface FastEthernet0/13 - FastEthernet0/15
match access-group name IP
!
!
policy-map PMAP203_child
class class-default
police 64000 32000 exceed-action drop
policy-map POLICE_32K
class INPUT_INTERFACES
police 32000 16000 exceed-action drop
policy-map POLICE_64K
class INPUT_INTERFACES
police 64000 32000 exceed-action drop
policy-map PMAP203
class CMAP203
set precedence 3
service-policy PMAP203_child
policy-map VLAN201_POLICY
class IP_TRAFFIC
set precedence 5
service-policy POLICE_64K
policy-map VLAN202_POLICY
class IP_TRAFFIC
set precedence 4
service-policy POLICE_32K
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 201,202
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/5
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/12
!
interface FastEthernet0/13
mls qos vlan-based
!
interface FastEthernet0/14
mls qos vlan-based
!
interface FastEthernet0/15
mls qos vlan-based
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan201
no ip address
service-policy input VLAN201_POLICY
!
interface Vlan202
no ip address
service-policy input VLAN202_POLICY
!
interface Vlan203
no ip address
!
ip classless
ip http server
ip http secure-server
!
!
ip access-list extended IP
permit ip any any
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
line vty 0 4
exec-timeout 0 0
password cisco
login
line vty 5 15
exec-timeout 0 0
password cisco
login
!
end
Rack1SW2#
Rack1SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1SW2(config)#int vlan203
Rack1SW2(config-if)#
Rack1SW2(config-if)#service-policy input PMAP203
Rack1SW2(config-if)#
*Mar 1 12:44:55.859 UTC: %QOSMGR-4-CLASS_NOT_SUPPORTED: Classification is
not supported in classmap CMAP203
*Mar 1 12:44:55.859 UTC: %QOSMGR-4-CLASS_NOT_SUPPORTED: Classification is
not supported in classmap CMAP203
*Mar 1 12:44:55.859 UTC: %QOSMGR-4-CLASS_NOT_SUPPORTED: Classification is
not supported in classmap CMAP203
*Mar 1 12:44:55.859 UTC: %QOSMGR-4-CLASS_NOT_SUPPORTED: Classification is
not supported in classmap CMAP203
*Mar 1 12:44:55.859 UTC: %QOSMGR-4-CLASS_NOT_SUPPORTED: Classification is
not supported in classmap CMAP203
*Mar 1 12:44:55.859 UTC: %QOSMGR-4-CLASS_NOT_SUPPORTED: Classification is
not supported in classmap CMAP203
*Mar 1 12:44:55.859 UTC: %QOSMGR-4-CLASS_NOT_SUPPORTED: Classification is
not supported in classmap CMAP203
*Mar 1 12:44:55.859 UTC: %QOSMGR-4-CLASS_NOT_SUPPORTED: Classification is
not supported in classmap CMAP203
*Mar 1 12:44:55.859 UTC: %QOSMGR-4-CLASS_NOT_SUPPORTED: Classification is
not supported in classmap CMAP203
*Mar 1 12:44:55.859 UTC: %QOSMGR-4-CLASS_NOT_SUPPORTED: Classification is
not supported in classmap CMAP203
Rack1SW2(config-if)#end
Rack1SW2#
Explanation from Cisco, we can find this one w/ Error Message Decoder:
%QOSMGR-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap
[chars].
This message means that an unsupported match class-map configuration command
was configured in a policy map and attached to an egress interface or that
more than one match class-map command was configured. This is a hardware
limitation. [chars] is the class-map name.
Recommended Action: Reconfigure the class map or the policy map. Use only
the match ip dscp dscp-list class-map configuration command in a policy map
that is attached to an egress interface. Only one match per class map is
supported.
So:
[o]-> My third try: let's move a match statement to the child CMAP (only one
allowed per class), this looks just like the IE solution:
Idea:
>>>
policy-map PMAP203
class CMAP203 [match IP]
set precedence 3
service-policy PMAP203_child
!
policy-map PMAP203_child
class CMAP203_child [match IIF]
police 64000 32000
!
<<<
Rack1SW2#sh run
Building configuration...
Current configuration : 2832 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname Rack1SW2
!
!
no aaa new-model
ip subnet-zero
no ip domain-lookup
!
!
mls qos
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
class-map match-all IP_TRAFFIC
match access-group name IP
class-map match-all CMAP203_child
match input-interface FastEthernet0/13 - FastEthernet0/15
class-map match-all INPUT_INTERFACES
match input-interface FastEthernet0/13 - FastEthernet0/15
class-map match-all CMAP203
match access-group name IP
!
!
policy-map PMAP203_child
class CMAP203_child
police 64000 32000 exceed-action drop
policy-map POLICE_32K
class INPUT_INTERFACES
police 32000 16000 exceed-action drop
policy-map POLICE_64K
class INPUT_INTERFACES
police 64000 32000 exceed-action drop
policy-map PMAP203
class CMAP203
set precedence 3
service-policy PMAP203_child
policy-map VLAN201_POLICY
class IP_TRAFFIC
set precedence 5
service-policy POLICE_64K
policy-map VLAN202_POLICY
class IP_TRAFFIC
set precedence 4
service-policy POLICE_32K
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 201,202
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/5
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/12
!
interface FastEthernet0/13
mls qos vlan-based
!
interface FastEthernet0/14
mls qos vlan-based
!
interface FastEthernet0/15
mls qos vlan-based
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan201
no ip address
service-policy input VLAN201_POLICY
!
interface Vlan202
no ip address
service-policy input VLAN202_POLICY
!
interface Vlan203
no ip address
!
ip classless
ip http server
ip http secure-server
!
!
ip access-list extended IP
permit ip any any
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
line vty 0 4
exec-timeout 0 0
password cisco
login
line vty 5 15
exec-timeout 0 0
password cisco
login
!
end
Rack1SW2#
Rack1SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1SW2(config)#int vlan203
Rack1SW2(config-if)#
Rack1SW2(config-if)#service-policy input PMAP203
Rack1SW2(config-if)#exit
Rack1SW2(config)#
Rack1SW2(config)#
Rack1SW2(config)#end
Rack1SW2#
Rack1SW2#sh run int vl203
Building configuration...
Current configuration : 70 bytes
!
interface Vlan203
no ip address
service-policy input PMAP203
end
Rack1SW2#
This works fine and can be verified as per the IE solution.
[o]-> And now, some questions:
(i) Is putting two matches in the same CMAP the same as putting one in
the "parent" CMAP and one in the "child" CMAP (the IE solution)?
(ii) Is the order of the 2 "match ..." statements important, or not?
(iii) What if we need 3 of them?
I will try to answer:
(i)
Let's draw a Venn diagram with three partitions:
(1) { IP and NOT IF }, (2) { IP and IF }, (3) { NOT IP and IF }
Let's pick an example from each of the 3 partitions, and see what happens.
(1)
Let's suppose that another port gets configured, and it transports VLAN 203;
what if some IP packets come in on the new interface, will they get their IP
Precedence set, even if they won't match the child class in the child policy?
Well, the answer is NO: the policy won't act on that interface, because the
new interface doesn't have "mls qos vlan-based" configured.
So, "mls qos vlan-based" acts as a safeguard here.
(2)
It's OK, of course :-)
(3)
What about some non-IP traffic that gets in on VLAN 203? It won't match
the first CMAP, so it's also OK, it won't get marked or policed.
What if we switch the two "match ..." statements between the two CMAPs?
(ii)
(1) and (2) are OK
(3) Suppose some non-IP traffic is coming in through one of the interfaces
w/ "mls qos vlan-based" configured.
The "set precedence" won't do a thing, then the "child" CMAP won't match
it, so it won't get policed.
So the answer for (ii) would be that it is correct in this particular case,
but not always, i.e. the order in which the "match ..." statements are
checked could matter.
(iii)
If we need 3 "match ..." statements, we would have to use 3 PMAPs that would
reference each other.
First, is it possible? Can we have 3 levels? At least we can configure it:
Rack1SW2#sh run
Building configuration...
Current configuration : 2901 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname Rack1SW2
!
!
no aaa new-model
ip subnet-zero
no ip domain-lookup
!
!
mls qos
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
class-map match-all IP_TRAFFIC
match access-group name IP
class-map match-all CMAP203_child
match input-interface FastEthernet0/13 - FastEthernet0/15
class-map match-all INPUT_INTERFACES
match input-interface FastEthernet0/13 - FastEthernet0/15
class-map match-all CMAP203
match access-group name IP
!
!
policy-map NULL
policy-map PMAP203_child
class CMAP203_child
police 64000 32000 exceed-action drop
service-policy NULL
policy-map POLICE_32K
class INPUT_INTERFACES
police 32000 16000 exceed-action drop
policy-map POLICE_64K
class INPUT_INTERFACES
police 64000 32000 exceed-action drop
policy-map PMAP203
class CMAP203
set precedence 3
service-policy PMAP203_child
policy-map VLAN201_POLICY
class IP_TRAFFIC
set precedence 5
service-policy POLICE_64K
policy-map VLAN202_POLICY
class IP_TRAFFIC
set precedence 4
service-policy POLICE_32K
!
!
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 201,202
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/6
shutdown
!
!
interface FastEthernet0/13
mls qos vlan-based
!
interface FastEthernet0/14
mls qos vlan-based
!
interface FastEthernet0/15
mls qos vlan-based
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan201
no ip address
service-policy input VLAN201_POLICY
!
interface Vlan202
no ip address
service-policy input VLAN202_POLICY
!
interface Vlan203
no ip address
service-policy input PMAP203
!
ip classless
ip http server
ip http secure-server
!
!
ip access-list extended IP
permit ip any any
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
line vty 0 4
exec-timeout 0 0
password cisco
login
line vty 5 15
exec-timeout 0 0
password cisco
login
!
end
Rack1SW2#
The analysis here would have to be done like above, with Venn diagrams, but
with 3 CMAPs you get 7 partitions, so you have 7 cases to analyse... :-)
Hope this helps! :-P
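As an added example (not part of Theo's post or the IE workbook), here is a small Python model of the Venn-partition reasoning in (i)-(iii): it enumerates every partition for a chain of nested match-all classes, applies the post's rule that a child policy only sees packets the parent class already matched, and reports which partitions change outcome when the two "match ..." statements are swapped; it also generalizes from 2 levels (3 partitions) to 3 levels (7 partitions). The "DSCP" third criterion and its action are assumed placeholders, not from the page.

```python
from itertools import combinations

# Added model, not real IOS/3560 behaviour. It encodes only the nesting rule
# the post relies on: a match-all class matches when all its criteria hold,
# and a child policy only ever runs on packets the parent class matched.
# A packet is represented by the set of criteria it satisfies, i.e. by the
# Venn partition it falls in. Wire-level no-ops (set precedence on non-IP
# traffic, a port without "mls qos vlan-based") are deliberately not modelled.

def partitions(criteria):
    """All 2**n - 1 non-empty Venn partitions for n match criteria."""
    return [frozenset(c) for r in range(1, len(criteria) + 1)
            for c in combinations(criteria, r)]

def walk_chain(chain, satisfied):
    """chain: [(criterion, action), ...], parent level first. Actions apply
    for the longest prefix of the chain whose criteria the packet satisfies."""
    applied = []
    for criterion, action in chain:
        if criterion not in satisfied:
            break                # class did not match: child policy never runs
        applied.append(action)
    return applied

def outcomes(chain):
    """Map every partition to the list of actions it receives."""
    criteria = [c for c, _ in chain]
    return {p: walk_chain(chain, p) for p in partitions(criteria)}

def order_sensitive(chain):
    """Partitions whose set of actions changes when the match order is reversed."""
    a, b = outcomes(chain), outcomes(list(reversed(chain)))
    return sorted("+".join(sorted(p)) for p in a if set(a[p]) != set(b[p]))

# The IE solution: parent matches IP and marks, child matches IIF and polices.
IE_CHAIN = [("IP", "set precedence 3"), ("IIF", "police 64000 32000")]
# Question (iii): a hypothetical third nested level, giving seven partitions.
THREE_LEVEL = IE_CHAIN + [("DSCP", "hypothetical third action")]

if __name__ == "__main__":
    for p, acts in outcomes(IE_CHAIN).items():
        print("+".join(sorted(p)), "->", acts or "nothing")
    print("order-sensitive partitions:", order_sensitive(IE_CHAIN))
    print(len(partitions([c for c, _ in THREE_LEVEL])), "partitions with 3 levels")
```

Run as-is it lists what each of the three partitions receives under the IE order and shows that only the single-criterion partitions (IP-only, IIF-only) change outcome when the matches are swapped, which is the case the post's (ii) discussion turns on.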