EoMPLS : QinQ, Vlan-based

Similar Messages

• GE cards supported for port- vlan based EoMPLS on 7600/sup720

  Hi,
  Can anyone explain/point where I can find de proper documentation where I can find the support for port- vlan based EoMPLS support cards on a 7600 with a sup720 engine on the CCO site ?
  WHich GE port cards are supporting EoMPLS and which GE cards will support it not.

  try
  www.cisco.com/go/fn
  -Waris

• Tcl script to change access vlan based on MAC address

  Hello all.  I'm looking for some input on how best to handle this situation. I have a large nework with a lot of remote offices where we have limited control over users moving around patch cables. We're using vlan-based QoS in these office to mark voice, video, data. etc. The problem I'm having is that our users are moving video conferencing equipment to different interfaces on our swithes, which puts the VTC unit in a different vlan, fouling our QoS policy.  They then call and complain about poor video quality.
  I'm trying to come up with a way to automate putting the interface in the video vlan if a VTC unit is connected. All of our video conferencing units are from the same vendor, so they have same OUI in the MAC address. The script I've been working on looks for a line protocol up event, then checks to see what access vlan is configured on the interface. If the interface is already in the video vlan, the script exits.  if the interface is not in the video vlan, the script looks at the MAC address table for the interface and if the OUI matches a VTC unit, the script changes interface configuration. My question is, is there a better event to trigger script execution? Maybe a MAC notification trap, or something else? Line protocol transitions when the access vlan is changed, so the current script runs twice: once when the interface first comes up with a new connection, and again when the vlan is changed. 
  Script is attached.  Any help or advice is appreciated!

  Does your video equipment use CDP?  If so, then you can use the neighbor-discovery event detector to only react when you see a media endpoint being connected to a port.  Yes, MAC address notifications (the mat ED) can also work if you know the MACs of your media endpoints.

• VLAN-based policer on Cat6500

  Hi,
  I'm trying to implement policer on Cat 6500 running CatOS 8.4.
  The configuration is as such:
  set qos enable
  set port qos 1/7 vlan-based
  set qos policer aggregate 2Mbps rate 2000 policed-dscp erate 2000 drop burst 26 eburst 26
  set qos acl mac vlan10 dscp 0 aggregate 2Mbps any any
  commit qos acl all
  set qos acl map vlan10 10
  Port 1/7 is in trunking mode that's why I'm using MAC ACL.
  But nothing is working. The output of the command 'show qos statistics aggregate-policer 2Mbps' is:
  QoS aggregate-policer statistics:
  Aggregate policer Allowed byte Bytes exceed
  count excess rate
  2Mbps 0 0
  I tried to use port-based QoS with no success.
  Am I doing something wrong? Any help will be appreciated.

  Ooops, thanks for the reminder.
  I configured IP ACL but again the output was the same.
  I changed the policer to port-based and it worked.
  Is this something to do with the fact that the port is in trunking mode?

• 7609 RSP vlan based internet bandwidth rate limit

  Hi,
  I have a requirements to restrict the bandwidth for CORP internet users in our metro network, Could you check this template is good to go for to restrict the download and upload speed in Users WAN interface which is VLAN, my bandwidth limitations is 5  Mbps downlink and 5 Mbps uplink.
  class-map match-all corp_traffic1
    match access-group name corp_traffic
  policy-map CORP_ingress
    class corp_traffic1
      police 5000000 500000 conform-action transmit exceed-action drop
  ip access-list extended corp_traffic
  permit ip 172.25.5.0 0.0.0.255 any
  permit ip any 172.25.5.0 0.0.0.255
  Interface vl 351
  service-policy input CORP_ingress
  service-policy output CORP_ingress
  Thanks&Regards
  -Saji

  Riccardo,
  Thank you for your response..
  I have RSP as SUP and ES20 as uplink card..
  but I have clarfication...Is service policy input is realy required...
  It seems input position is not working from this below logs..It is not matching the same
  ABR#sh policy-map interface vlan 3xx
    Service-policy input: CORP_ingress
      class-map: corp_traffic1 (match-all)
        Match: access-group name corp_traffic
        police :
          5000000 bps 156000 limit 156000 extended limit
        Earl in slot 1 :
          0 bytes
          5 minute offered rate 0 bps
          aggregate-forwarded 0 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 0 bps exceed 0 bps
        Earl in slot 2 :
          0 bytes
          5 minute offered rate 0 bps
          aggregate-forwarded 0 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 0 bps exceed 0 bps
        Earl in slot 3 :
          0 bytes
          5 minute offered rate 0 bps
          aggregate-forwarded 0 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 0 bps exceed 0 bps
        Earl in slot 5 :
          0 bytes
          5 minute offered rate 0 bps
          aggregate-forwarded 0 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 0 bps exceed 0 bps
      Class-map: class-default (match-any)
        0 packets, 0 bytes
        5 minute offered rate 0000 bps, drop rate 0000 bps
        Match: any
          0 packets, 0 bytes
          5 minute rate 0 bps
    Service-policy output: CORP_ingress
      class-map: corp_traffic1 (match-all)
        Match: access-group name corp_traffic
        police :
          5000000 bps 156000 limit 156000 extended limit
        Earl in slot 1 :
          3739884 bytes
          5 minute offered rate 20576 bps
          aggregate-forwarded 3739884 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 17464 bps exceed 0 bps
        Earl in slot 2 :
          0 bytes
          5 minute offered rate 0 bps
          aggregate-forwarded 0 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 0 bps exceed 0 bps
        Earl in slot 3 :
          105048931 bytes
          5 minute offered rate 539032 bps
          aggregate-forwarded 105048931 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 545760 bps exceed 0 bps
        Earl in slot 5 :
          0 bytes
          5 minute offered rate 0 bps
          aggregate-forwarded 0 bytes action: transmit
          exceeded 0 bytes action: drop
          aggregate-forward 0 bps exceed 0 bps
  I will post more update on this...as I am waiting for the clients to test the same..

• Vlan based default gateway

  Alteon Web OS allows you to assign different default gateways for each VLAN. You can effectively map multiple customers to specific gateways on a single switch.
  do cisco load balancers support different default gateway for each vlan?

  one way of doing it today would be to define a serverfarm for each gateway, and have a vserver match_all for every vlan.
  For example,
  serverfarm gateway_1
  no nat client
  no nat server
  real
  x.x.x.x
  serverfarm gateway_2
  <...>
  vserver gateway_vlan1
  virtual 0.0.0.0 /0 any
  serverfarm gateway_1
  vlan
  vserver gateway_vlan2
  virtual 0.0.0.0 /0 any
  serverfarm gateway_2
  vlan

• VLAN-Based SPAN

  hello everybody,
  why can i only monitoring received (rx) traffic on a VLAN ?
  thanks for an answer...

  Hi again:
  Ingress/Egress SPAN
  In the example in the section Monitor VLANs with SPAN, traffic that enters and leaves the specified ports is monitored. The field Direction: transmit/receive shows this. The Catalyst 4500/4000, 5500/5000, and 6500/6000 series switches allow you to collect only egress (outbound) or only ingress (inbound) traffic on a particular port. Add the keyword rx (receive) or tx (transmit) to the end of the command. The default value is both (tx and rx).
  set span source_port destination_port [rx | tx | both]
  Have you defined only rx keyword?
  I hope this help. Please rate if it does.
  Best regards
  Alberto Giorgi from spain.

• ME 3800 X - QinQ across service instance

  I realize a test rig of ME-3800-X.
  I use the MPLS and QinQ.
  EoMPLS for pseudowire is Ok in test rig.
  QinQ also.
  In fact, everything is ok.
  But, in documentation, it is not said that we can forward the frame QinQ across a Service Instance.
  Header:vlan+eth+data                     >>ingress 3800 -A >> evc bridge-domain 100 >>>>>> Vlan 100 and rewite imposition and Xconnect to B>>
                                        egress 3800 -A  >> Eompls+QinQ+Vlan+eth+data >>>>
                                                                                                                     |
                                                                                                                     |
                                                                                                      BACKBONE MPLS
                                                                                                                     |
                                                                                                                     |
  >>>ingress 3800- B >>>> Vlan 100 (not rewite) + xconnect to A >>>> evc bridge-domain 100 >>>>egress 3800 - B >  Header QinQ+ETH+DATA
  It has QinQ frames within the bridge domaine not frame Vlan.
  Question:
  Is what I can do this even if the documentation does not indicate.
  Thanks for your comment.
  I am french, sorry for my bad english language.
  Cdlt,

  Hello Cdlt.
  but what is the  question? Is it something like "how come that even if my configuration does not match the guide my setup is working?"
  Is that one?
  Also, does it work when your config is matching the EVC guide instead (the one in green on your pdf)?
  Quick notation is that even if the configuration is not matching the guide  the final result is the same as you moved the pop operation of the outmost dot1q tag from the ingress PE (the one on top) to egress one by configuring 'platform rewrite imposition tag push 1 symmetric' on the SVIs.
  So you either strip the qinq tag on ingress or on egress the frame looks like the same way when the last mpls label is popped.
  Does this answer to your question or am I still missing the point?
  Riccardo

• 802.1x dynamic vlan assignment based on MAC?

  Hello,
  I am using Catalyst3750 and Widows AD Authentication.
  Our customers' pc is runnnig Windows (isn't 802.1x capable) that is connected to the catalyst switch.
  Is it possible to dynamic assign a Vlan based on MAC?
  When possible, we want to make it without using VMPS.
  and, is there any document relating to the above.
  Thanks a lot for you help.
  Tomoyuki

  Hello Tomoyuki,
  which Radius Server are you using to authenticate your Clients?
  For the Secure ACS you can configure a feature called "MAC-Authentication-Bypass" which fullfils your requirements.
  This Feature must be configured on the Switch and on the Radius Server (which does the vlan assigment based on the MAC-Address of the Client)
  An Overwiew of this feature can be found here:
  http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
  I hope this helps,
  Kind regards,
  Chris

• Policy-map based rate-limiting per vlan

  Hi
  I was thinking if someone could help me to come up with solution to a problem. Scenario as follow:
  I have a trunk interface with multiple vlans on:
  interface GigabitEthernet2/0/3
  description TRUNK-to-*********
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 415,416,610,1191-1193,1195
  switchport mode trunk
  duplex full
  storm-control broadcast level pps 1k
  storm-control multicast level pps 3k
  storm-control unicast level pps 250k
  storm-control action trap
  spanning-tree portfast trunk
  spanning-tree bpdufilter enable
  I'm trying to rate limit two of the vlans that are present on this trunk interface - vlan 415 and vlan 1192.
  So I'm putting the class-map (to be later applied under the policy-map which is not significant here):
  (config)#class-map match-any 120-mbps-class
  (config-cmap)#match input-interface vlan 415
  (config-cmap)#match input-interface vlan 1192
  Now, when you show the class-map I created, I can see this:
  sh class-map 120-mbps-class
  Class Map match-any 120-mbps-class (id 1)
     Match input-interface  Vlan415
     Match input-interface  FastEthernet0
  For some bizzare reason class-map is matching the Fa0. I have researched this, and this is most probably because you can only match 1 vlan instance under the class-map.
  And here's my problem - I can't police whole interface as the other vlans should not be policed - how can I police those two vlans ?
  Any thoughts ? All help appreciated as always.
  Rob.

  Hi Daniel,
  I have labed it and unfortuantely it does not work as expected. I have put 1x 3750 and 1x 2960 trunk between them, each box had an access port for laptop to create some traffic across. All vlan-based qos has been applied on 3750G.
  3750G config
  Interface g1/0/20
  descriprion trunk
  swicthport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 100,120
  Interface g1/0/1
  description access
  switchport mode access
  switchport access vlan 100
  Interface vlan 100
  ip address 192.168.100.254
  service-policy input PARENT-POLICER
  Interface vlan 120
  ip address 10.10.10.1
  Policy-map PARENT-POLICER
  class PERMIT-ANY-CLASS
  trust COS
  service-policy CHILD-POLICER
  class-map match-any PERMIT-ANY-CLASS
  match access-group name POLICY-LIST
  Extended IP access list POLICY-LIST
      10 permit ip any any
  Policy-map CHILD-POLICER
  class INTERFACE-POLICE-CLASS
    police 100000 8000 exceed-action drop
  Class Map match-any INTERFACE-POLICE-CLASS
  Match input-interface  GigabitEthernet1/0/20
  2960 config:
  interface g0/20
  switchport mode trunk
  switchport trunk allowed vlan 100,120
  interface g0/1
  switchport mode access
  switchport access vlan 100
  interface vlan 100
  ip address 192.168.100.253
  interface vlan 120
  ip address 10.10.10.2
  So as you can see vlan 100 is the one it need to be rate limited (I have only rate limited to 100kbps just to see if it's working) and vlan 120 is only on the trunk ports to confirm if the traffic  for this one is not affected.
  Unfortunately when the policing is applied on 3750 vlan 100 (and policing is working fine) then I can see the packet loss while pinging between switches on vlan 120 suggesting that the policy is affecting the other vlan as well. When I take the policy out of the vlan 100 I cannot observe the packet loss on vlan 120 meaning is no longer affected.
  Not sure if I have explained this clear enough so far, if not let me know.
  Do you have any suggestions ?
  Thanks!

• Vlan vs port based qos

  Hi,
  I have a question about vlan based qos. I am happy with qos configuration as applied to ports. However, vlan based qos confuses me somewhat.
  Is vlan based qos intended for situations where packets are to cross vlans? In that case, am I correct in assuming that vlan based qos has no effect on packet flows within that vlan? In that case the idea of vlan based qos would be to police/mark traffic leaving/joing that vlan?
  Or, does vlan based qos extend queuing (priority queue etc) down to ports that are members of that vlan are configured with vlan based qos? I think not but I'm not absolutely sure.
  I can't seem to get to the bottom of this on cco.
  Thanks, Steve

  Hi Steve,
  Packets do not have to cross VLANs for you to need VLAN-based QoS.
  VLAN-based QoS gives you an additional layer of queueing hierarchy. With port-based Qos, there is a set of software queues per physical port. As packets are scheduled from these queues, they are emitted from the port.
  With VLAN-based QoS, there is another layer. Each VLAN configured for VLAN-based QoS will have a set of queues associated with it, instead of having a set of queues for the physical port. This comes in useful for providers of Metro Ethernet service who offer multiple classes of service. Such ethernet services are usually sold with a fixed bandwidth per-VLAN. At egress switch ports, the provider will use vlan-based QoS to police/shape traffic in order to conform to the sold rate. Within this shaped rate, queueing will be used to ensure that the higher classes of service get preference.
  In answer to your questio, vlan-based qos does have an effect on packet flows within that vlan.
  Hope that helps - pls rate the post if it does.
  Regards,
  Paresh.

• Selective QinQ in ES20

  Hi,
  I am testing selective QinQ with EoMPLS in ES20.
  I am eceiving vlans 30-200 from customer and tagging with outer vlan 250.Then i need to send this to a remote PE over EoMPLS and outer vlan to be stripped out by a switch connecting to remote PE.
  Customer_SW(vlan30-200)---ES20(7600)------------GSR---SP_Switch-----Customer_SW(Vlan30-200)
  Following is my config in 7600-ES20
  hostname 7600-ES20
  interface GigabitEthernet1/0/0
  ip arp inspection limit none
  no ip address
  mls qos trust dscp
  service instance 11 ethernet
    encapsulation dot1q 30-200
    bridge-domain 250
  interface Vlan250
  no ip address
  xconnect 1.1.1.1 250250 encapsulation mpls
  EoMPLS is Up, but 7600 neither getting remote-CE mac address nor sending local-CE mac-address to remote-side..
  Is this because inner vlan getting stripped out before sending the frame in EoMPLS circuit (Vlan Mode)?
  How this can be achivable?
  Thanks,

  Hi,
  From your topology, it seems on the GSR side you are in QinQ mode and on the 7600 side you are in single .1Q mode.
  To make it works, we need to be sure the GSR pop the SP VLAN 250 before transmitting the packet to the PW and we need to be sure the 7600 send the traffic with the customer tag into the PW. To do that, we need to configure the PW with VC-Type 5 on the GSR so it will behave as expected (cmd interworking ethernet). There is nothing to do on the 7600 as it negotiates VC-Type 5 by default. On the 7600, you need to remove the bridge-domain and apply the xconnect on the service-instance directly. EVC interface doesn't touch the packet so there is nothing else to do.
  The solution explained above assumes the GSR is configured with a .1Q interface.
  HTH
  Laurent.

• EoMPLS Vc type 4 and 5 output

  Hi All,
  I understand that there are two types of EoMPLS, VLAN based (VC type 4) and port based (VC type 5). However, I am a little confused on the configuration and the show command output on the router.
  I tried to configure port based EoMPLS using below configuration between the PEs:
  int gig0/1
  service instance 10 eth
    encap dot1q 10
    rewrite ingress tag pop 1 sym
    xconnect PE2 10 encap mpls
  the output of show mpls l2transport vc 10 det is below:
  CGR-NPE-01#sh mpls l2transport vc
  Local intf     Local circuit              Dest address    VC ID      Status   
  Gi2/17         Eth VLAN 888               10.1.0.15       888        UP       

  Sorry this is incorrect post that I created. I could not find a way to delete it. Please ignore this. Thanks.

• Does the 76xx routers supports EoMPLS without SIP installed?

  Dear Sir!
  Can you tell to me, does the 7600 series of routers supports EoMPLS without shared port adapters (SPAs) and SPA interface processors (SIPs)?
  I.e. if we have 7606S-RSP720C-R, WS-X6704-10GE ports connected to backbone and
  WS-X6408A-GBIC with WS-X6148A-GE-TX ports connected to our DataCenter
  (without any SIPs and SPAs installed on board).
  Can we make EoMPLS for such clients, which are should connected
  to our DataCenter through remote CAT3750-METRO?
  Best regards,
  Maxim

  Hello,
  There are generally two modes of EoMPLS:
  (1) PFC Based MPLS and related applications
  mode
  (2) WAN Based MPLS (SIP/SPA/OSM/ES20) and related applications mode
  (1) Is only dependent on which Sup do you have
  and generally works with most of the Ethernet (LAN) ports... If you have PFC-3B or later along with Sup-720, Sup-32 (which is PFC-3B) you can do it.
  (1) Has some disadvantages - for example you cannot having L2 switching AND MPLS EoMPLS...
  I.e. if you want to do local switching on Vlan 200 and part of the traffic to be switched part of the traffic to be EoMPLS you cannot do it without SIP/SPA/OSM/ES20
  (2) In this case you need to check very well what you're looking for. These are expensive and they support MPLS and its Applications and even support VPLS, which is not possible with (1)....
  I hope this answer your quesiton...

• EoMPLS issue

  Hi all,
  I have seen a few questions posted on the forum about EoMPLS issues, but the one I have is different to those already posted and responded too.
  I have attached a document which includes the topology, configurations and output from commands to show the problem.
  Basically between the two PE routers concerned with the EoMPLS tunnel, I'm receiving labels for the VC from the egress PE, as well as the next hop label. However, the VC will not become active and the next-hop address (shown in one of the outputs) is stating it is an invalid address.
  Any ideas?
  Thanks

  Harold,
  Many thanks with your reply. Changing it from a VLAN-based EoMPLS configuration to a Port-Based EoMPLS configuration brought the VC up.
  I was hoping on using VLAN based so I could try to do VLAN re-writing on the 6509. But not being classed as a router, I wasn't sure if this would even be possible anyway. Any suggestions on the best way to renumber the VLAN over an MPLS network? I'm work for the enterprise and this is a self managed MPLS network so either way the re-mapping of VLANs falls into my basket if we have to do it outside the MPLS network. It is just alot cleaner with MPLS...
  Regards
  Steve