Shaping on physical and sub interface
Hello,
I currently have a few sub interfaces on my router for various reasons. I have a service policy applied to those sub interfaces and the service policy has the shaping command in it, and it's all working fine. My physical interface G0/0 is where I have an EIGRP neighbor and all of the routes are populated.
The problem is I want to apply a service policy to the physical interface and I am not able to do so.
I get this:
router(config-if)#service-policy output g0-shape-out
user-defined classes with queueing features are not allowed in a service-policy at sub-interface/pvc
in conjunction with user-defined classes with queueing features in a service-policy at sub-interface/pvc
This is because the shaping command is already used in the service policy on the existing sub interfaces.
What I am wondering is, would it be best practice for me to not use the physical interface eg G0/0 when I have sub interfaces? For example my existing subinterfaces are g0/0.802, g0/0.803, g0/0.804. Should I set up a new sub interface called g0/0.100 and move the config from G0/0 to this new sub interface and use that as my main EIGRP neighbor interface so that I can apply shaping to that sub interface? Or is there a better way to apply multiple service policies that include shaping?
Thanks,
Dan.
I can't put it as input because:
gw-a(config-subif)#service-policy input policy_upload
Traffic Shaping feature not supported in input policy.
Here's a show during a bandwidth test. You can see the offered rate is properly measured and is _way_ above the target shape rate.
gw-a#show policy-map interface Port-channel 1.2
Port-channel1.2
Service-policy output: policy_upload
Class-map: class-default (match-any)
624006 packets, 842239036 bytes
5 minute offered rate 12774000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 100000, bc 400, be 400
target shape rate 100000
Similar Messages
-
One of my clients has a 5540 security appliance where I have configured a DMZ and a few other things. Currently it has 4 workable interfaces excluding the management interface. 3 of them are used for data connectivity because 1 port is for failover.
Now with 3 physical interfaces we have 4 zones using sub interfaces (vlans). Recently there has been a change in the network where they have introduced a few other types of servers and now there is a request to make more zones.
Available Data interfaces are 3
Required Zones are 7
Now this is possible using sub interfaces (vlan) but I want to know if this is a recommended solution to use subinterfaces at such large scale and dividing every possible interface. It is a company of 1000 users, the other option could be to put in a 4GE-SSM card but please let me know if the subinterfaces solution is the recommended one for enterprises?
Hello,
Sub-interfaces will work fine for you, but just keep in mind that it is still a shared physical medium. Therefore, the sum of the aggregate traffic in all of the VLANs cannot exceed the capacity of the single physical interface. I would suggest ramping up the traffic slowly and monitoring for any performance issues, but otherwise you should be fine.
-Mike -
Main Interface and Sub Interface
Hello,
I'm fairly new to ASA firewalls so some help is appreciated. Can anyone explain the point of the below config. I thought that normally when using Vlan's there would be no point on configuring a nameif & security level on the main interface? In this case what would configuring an ACL based NAT exemption on the Trunk interface do to traffic on the sub interfaces?
interface GigabitEthernet1/0
nameif Trunk
security-level 100
no ip address
interface GigabitEthernet1/0.100
vlan 100
nameif VLAN100
security-level 100
ip address 192.168.100.1 255.255.255.0 standby 192.168.100.2
interface GigabitEthernet1/0.101
vlan 101
nameif VLAN101
security-level 90
ip address 192.168.101.1 255.255.255.0 standby 192.168.101.2
interface GigabitEthernet1/0.102
vlan 102
nameif VLAN102
security-level 80
ip address 192.168.102.1 255.255.255.0 standby 192.168.102.2
Thanks Steve
You're right about the main interface.
If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Because the physical interface must be enabled for the subinterface to pass traffic, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you want to let the physical interface pass untagged packets, you can configure the nameif command as usual.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006
Hope that helps -
Etherchannel Simultaneous Primary and Sub-Interface Config
Hello Cisco Experts:
Question: Can I run layer 2 traffic across EtherChannel and layer 3 traffic simultaneously across the same etherchannel on a subinterface? If not, and considering the background information below, is there an advisable alternative? The documentation I've been reading isn't clear on the subject.
Background
I'd like to split my VLans across (2x) L3 3560 switches interconnected by EtherChannel. I'll use SVI's for the routing - but if Switch #1 SVI must route to another SVI on Switch #2, I'd like this traffic to cross the EtherChannel instead of heading to another L3 Device before continuing its route to the destination switch. (I.E. I prefer direct switch to switch routing.)
Design Preference:
I don't want my etherchannel to become a 100% routed channel.
I don't want to add another connection between the switches - ports are at a premium and budget is tapped.
No access level switches are being used at this time.
Physical Topology
Thank you for your time,
Mike
Hi Jon:
First, I didn't begin to think you were criticizing my design. I just wanted to relieve your confusion.
I tested your ideas this morning, and everything checked out and worked fine. After some more investigation, I remembered why I was asking the question about using EtherChannel with an encapsulated Subinterface & IP Addr. for switch-to-switch routing.
Regrettably it had nothing to do with Intervlan routing, which was working fine. But it does have something to do with routing between the two switches.
Link Failure and High Availability
When I began to consider each case of link failure, I discovered 4 cases of link failure that created problematic results. Two of the cases led to an extra hop, and two of the cases result in a black hole. These ideas were tested with packet tracer to verify I had a problem.
These instances occur because I'm routing 3 vlans out of each switch. Each problem could be resolved by a complete HSRP fail-over to the other switch. But maybe the more elegant decision is a switch-to-switch route with an appropriate administrative distance (preferably using the EtherChannel)?
Note: Primary is the primary WAN connection and Backup is the backup WAN connection.
Scenario 1: Extra Hop
Scenario 2: Extra Hop
Scenario 3: Black Hole
Scenario 4: Black Hole
Let me know what you think the ideal solution is: 1) use HSRP tracking to failover to the other switch, 2) create a direct switch to switch route using EtherChannel Subinterface with IP, or 3) some third option.
Thank you for your time,
Mike -
The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?
Hello
I think the following topologies are supported for Cisco Routers
And the Physical interface also can be using as Native VLAN interface right?
Topology 1.
R1 Gi0.1 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
R1 - configuration
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
ip address 10.0.0.1 255.255.255.0
Topology 2.
R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
interface GigabitEthernet0
ip address 10.0.0.1 255.255.255.0
And is it ok to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF etc?
R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3
Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4 (same VLAN-ID)
R1 - configuration
interface GigabitEthernet0
ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet8.20
encapsulation dot1Q 20
ip address 20.0.0.1 255.255.255.0
Any information is very much appreciated, but if there is any CCO document please let me know.
Thank you very much and regards,
Masanobu Hiyoshi
Hello,
The diagram is helpful.
If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
Best regards,
Peter -
Export physical and logical details on ASA 5520 and 8.0 software
Hello...does anybody know if there is any way to export details of the physical and logical interface details (including interface descriptions) to Excel, PDF or and other format from the command line or ASDM?
Thanks,
John
Export directly in xls, xlsx or pdf - no.
The output of "show run interface" or "show interface" is pretty structured however and easily parsed by Excel - either manually or via a macro. See output below (you can omit the interface identifier to get all interfaces. I used one for brevity.)
One can build a script to log in, perform an arbitrary command logging the output to a file which can then be massaged to extract the information you want in a suitable format (csv, etc.). Once in Excel it can be saved as pdf if you're so inclined.
Of course, some of the full-featured network management tools do a lot of this (and lots more) if you have them.
ASA-1# sh run int eth0/0
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.224
ASA-1#
ASA-1# sh int eth0/0
Interface Ethernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address 0013.c480.6b50, MTU 1500
IP address x.x.x.x, subnet mask 255.255.255.224
14156274 packets input, 16095096189 bytes, 0 no buffer
Received 44764 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
8548524 packets output, 1006461151 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 64 collisions, 6 interface resets
95 late collisions, 627 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/125)
Traffic Statistics for "outside":
14156267 packets input, 15839536990 bytes
8548619 packets output, 820243613 bytes
39502 packets dropped
1 minute input rate 2 pkts/sec, 349 bytes/sec
1 minute output rate 2 pkts/sec, 425 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 2 pkts/sec, 2091 bytes/sec
5 minute output rate 1 pkts/sec, 352 bytes/sec
5 minute drop rate, 0 pkts/sec -
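As an added example of the parsing the answer above describes (not from the thread or any Cisco tool), this Python script reads saved "show interface" output, builds one row per interface, and writes CSV that Excel opens directly. The input is a constructed sample in the layout quoted above; its addresses are made up.

```python
import csv
import io
import re

# Constructed sample in the layout of the "sh int" output quoted above.
# Addresses are made up. The "Traffic Statistics" block repeats the packet
# counters, exactly as the real output does, so the parser must not overwrite.
SAMPLE = """\
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        MAC address 0013.c480.6b50, MTU 1500
        IP address 203.0.113.10, subnet mask 255.255.255.224
        14156274 packets input, 16095096189 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        8548524 packets output, 1006461151 bytes, 0 underruns
        0 output errors, 64 collisions, 6 interface resets
  Traffic Statistics for "outside":
        14156267 packets input, 15839536990 bytes
        8548619 packets output, 820243613 bytes
Interface Ethernet0/1 "inside", is up, line protocol is up
        MAC address 0013.c480.6b51, MTU 1500
        IP address 192.168.1.1, subnet mask 255.255.255.0
        100 packets input, 6400 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        50 packets output, 3200 bytes, 0 underruns
        1 output errors, 0 collisions, 0 interface resets
Interface Ethernet0/2 "", is administratively down, line protocol is down
        MAC address 0013.c480.6b52, MTU 1500
        IP address unassigned
"""

# The header line of each interface block starts in column 0.
HEADER = re.compile(r'^Interface (\S+) "([^"]*)", is (.+?), line protocol is (\S+)')

FIELDS = ["interface", "nameif", "link", "protocol", "ip", "mask", "mtu",
          "pkts_in", "bytes_in", "in_errors", "pkts_out", "bytes_out", "out_errors"]

# Detail patterns: each regex fills the listed fields from its capture groups.
DETAIL = [
    (re.compile(r"IP address (\S+), subnet mask (\S+)"), ("ip", "mask")),
    (re.compile(r"MTU (\d+)"), ("mtu",)),
    (re.compile(r"(\d+) packets input, (\d+) bytes"), ("pkts_in", "bytes_in")),
    (re.compile(r"(\d+) input errors"), ("in_errors",)),
    (re.compile(r"(\d+) packets output, (\d+) bytes"), ("pkts_out", "bytes_out")),
    (re.compile(r"(\d+) output errors"), ("out_errors",)),
]


def parse_show_interface(text):
    """Return one dict per interface block, keyed by FIELDS (missing values are "")."""
    rows, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = dict.fromkeys(FIELDS, "")
            current.update(interface=m.group(1), nameif=m.group(2),
                           link=m.group(3), protocol=m.group(4))
            rows.append(current)
            continue
        if current is None:
            continue  # prompt or blank lines before the first block
        for pattern, keys in DETAIL:
            m = pattern.search(line)
            if m:
                for key, value in zip(keys, m.groups()):
                    # Keep the first value seen: the hardware counters come
                    # before the "Traffic Statistics" repeat of the same fields.
                    if current[key] == "":
                        current[key] = value
    return rows


def to_csv(rows):
    """Serialise parsed rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_show_interface(SAMPLE)), end="")
```

Feed it the captured output of "show interface" (no interface argument) to get every interface in one sheet.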
Disable BFD in multiple Router Sub interfaces that participates in OSPF
Hi team,
Please help me on this. Here is the scenario:
We are on an enterprise set up and running on 100+ routers.
We have 200 to 300+ sub interfaces for virtual circuits
Our protocol is OSPF over MPLS
One of our provider in LA encountered link flaps on SONET causing our LA router that is directly connected to that link to recalculate multiple times.
Recalculation of OSPF routes caused disconnection of users in LA VM's.
We were advised by our provider in LA to disable BFD so minor link flaps will no affect recalculation of routes.
We are now tasked by our design team to Disable BFD in multiple Router Sub interfaces that participates in OSPF.
My questions are:
What is the implication in disabling all BFD in routers' interface and sub interface?
Will this improve recalculation of OSPF routes in cause of link flaps or it will totally ignore the link flaps?
Will the routers only recognize a "full down" status of the interface?
How can we Disable BFD in multiple Router Sub interfaces that participates in OSPF in a faster way? Or do we have to do this one by one?
Please advise before we present this to the CAB and implementation. Thank you.
My questions are:
What is the implication in disabling all BFD in routers' interface and sub interface?
Answer: the implication would be eliminating sub-second millisecond convergence.
BFD detects failure at the link layer very fast; once detected it informs the upper layer protocol about the failure, causing it to converge immediately.
Will this improve recalculation of OSPF routes in cause of link flaps or it will totally ignore the link flaps?
Answer: if your provider is experiencing intermittent flaps, then yes, it will be advisable to turn BFD off. This however doesn't totally ignore the link flaps: once the upper protocol detects the failure based on the dead interval parameter in OSPF, it will recalculate OSPF routes again. Keep in mind, if you have redundant or more links to your provider, then I wouldn't recommend disabling BFD, as it should improve convergence and you shouldn't notice the failure.
Will the routers only recognize a "full down" status of the interface?
Answer: disabling BFD allows the router to recognize a full down status once the upper protocol dead interval occurs or a full down status of the interface, whichever occurs the earliest.
How can we Disable BFD in multiple Router Sub interfaces that participates in OSPF in a faster way? Or do we have to do this one by one?
You can disable it one by one, or if you have configuration management software, it allows you to do it for all nodes at a time, but this depends on whether you have it or not.
Please consider not disabling BFD if you have multiple OSPF links towards your provider from any branch, as it shouldn't impact your VMs; it should rather improve convergence at milliseconds, which is absolutely not noticeable.
BR,
Mohamed -
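As a worked example of the "configuration management" route the answer mentions (added here, not from the thread or any vendor tool), this Python script reads a saved running-config, finds the sub-interfaces that have ip ospf bfd enabled, and emits the batch of IOS commands that removes it. The config excerpt is constructed in the style of the 7609 config quoted later on this page; the include_physical switch is an assumption for operators who also want parent interfaces in the change set.

```python
# Constructed running-config excerpt in the style of the 7609 config quoted
# later on this page: one sub-interface with "ip ospf bfd", one without, and
# a physical interface with it (interface names and addresses made up).
RUNNING_CONFIG = """\
interface GigabitEthernet3/32
 no ip address
!
interface GigabitEthernet3/32.10
 encapsulation dot1Q 10
 ip address 172.20.128.77 255.255.255.252
 ip ospf network point-to-point
 ip ospf bfd
 bfd interval 50 min_rx 50 multiplier 5
!
interface GigabitEthernet3/32.11
 description interlink MPLS
 encapsulation dot1Q 11
 ip address 172.20.129.73 255.255.255.252
 ip ospf network point-to-point
!
interface GigabitEthernet3/33
 ip address 172.20.130.1 255.255.255.252
 ip ospf bfd
!
"""


def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of its stripped sub-commands."""
    stanzas, name = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            name = raw.split(None, 1)[1].strip()
            stanzas[name] = []
        elif raw.startswith(" ") and name is not None:
            stanzas[name].append(raw.strip())
        else:
            name = None  # "!" or any other top-level line ends the stanza
    return stanzas


def bfd_interfaces(stanzas, include_physical=False):
    """Names of interfaces carrying 'ip ospf bfd'; sub-interfaces only by default.

    A sub-interface is recognised by the dot in its name (Gi3/32.10).
    """
    return [name for name, lines in stanzas.items()
            if "ip ospf bfd" in lines and (include_physical or "." in name)]


def disable_bfd_commands(config, include_physical=False):
    """Build the change set: enter each matching interface and remove the enable.

    Only the per-interface form is handled. If BFD was turned on globally with
    'bfd all-interfaces' under 'router ospf', the per-interface opt-out is
    'ip ospf bfd disable' instead and this script finds nothing to change.
    The 'bfd interval' timer line is left in place; it creates no session by
    itself once no routing protocol registers with BFD on that interface.
    """
    names = bfd_interfaces(parse_interfaces(config), include_physical)
    if not names:
        return []
    commands = ["configure terminal"]
    for name in names:
        commands += [f"interface {name}", " no ip ospf bfd"]
    commands.append("end")
    return commands


if __name__ == "__main__":
    print("\n".join(disable_bfd_commands(RUNNING_CONFIG)))
```

Run it once per router against that router's own saved config, review the emitted block, and push it through whatever change window the CAB approves.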
Hi,
I regularly use bridge domains to connect sub interfaces on different vlans using this sort of configuration:
interface GigabitEthernet0/0/0/5.21 l2transport
description CUSTOMER A WAN
encapsulation dot1q 21
rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/0/0/10.3122 l2transport
description CUSTOMER A CORE
encapsulation dot1q 3122
rewrite ingress tag pop 1 symmetric
l2vpn
bridge group WANLINKS
bridge-domain CUSTOMERA
interface GigabitEthernet0/0/0/5.21
interface GigabitEthernet0/0/0/10.3122
When I try to use the same method to bridge two sub interfaces on the same physical interface so as to create a L2 VPN no data flows:
interface GigabitEthernet0/0/0/5.21 l2transport
description CUSTOMER A WAN
encapsulation dot1q 21
rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/0/0/5.22 l2transport
description CUSTOMER A WAN2
encapsulation dot1q 22
rewrite ingress tag pop 1 symmetric
l2vpn
bridge group WANLINKS
bridge-domain CUSTOMERA
interface GigabitEthernet0/0/0/5.21
interface GigabitEthernet0/0/0/5.22
If I add a BVI interface to the bridge domain then the CE devices at the remote end of the WAN interface can both ping the BVI IP but they remain unable to ping each other.
Is this because tag rewrites are not happening since packets don't leave the physical interface?
How can I work around this and establish a L2 connection between the two subinterfaces?
Thank you
A vlan is usually the equivalent of an L3 subnet, so linking 2 vlans together in the same bridge domain likely needs to come with some sort of routing (eg a BVI interface).
If these 2 vlans are still in the same subnet, then there is still ARP going on from one host to the other that traverses the BD.
You will need to verify the state of the AC and the forwarding in the BD, see if something gets dropped somewhere, and follow the generic packet troubleshooting guides (see support forums for that also).
That might give a hint to what the precise issue in your forwarding is.
regards
xander -
Traffic Shaping on Sub-interfaces
Hi all,
On my network I am trying to give preference to a certain traffic type A over another traffic type B over a VSAT link.
The VSAT link is about 64Kbps/64Kbps and this link is connected to a router subinterface.
I initially thought of CBWFQ to reserve bandwidth for the different traffic types but there are restrictions to using CBWFQ on sub interfaces.
Hence I thought shaping the less preferred traffic to less than half the bandwidth, say 24K, would be a good idea; however I worry that the contents of the shaping queue will consist of both the preferred traffic and the less preferred traffic, hence introducing more delay to the more preferred traffic, which is not required.
Any other better ways to achieve this?
You can use hierarchical qos:
http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a0080114326.shtml -
Could I configure local switching between sub-interface and global interface on ASR9k?
For 2 interfaces it is probably best to use an xconnect. It is faster and saves system resources (eg mac learning doesn't apply to xconnect).
Config example:
l2vpn
xconnect group link
p2p link
interface Bundle-Ether100.4321
interface Bundle-Ether500.4321
EFP config:
interface Bundle-Ether100.4321 l2transport
encapsulation dot1q 4000
rewrite ingress tag pop 1 symmetric
interface Bundle-Ether500.4321 l2transport
encapsulation dot1q 2000
rewrite ingress tag pop 1 symmetric
This example shows that you can link 2 EFPs with different vlans together if you pop the tags.
If the EFP's are of the same vlan, then popping the tag can be done but not a must. In general it is recommended to always pop vlan tags so there is a standard EFP design, but not for any technical reasons.
When you use a bridge domain and using a BVI, you MUST pop the tags as the BVI has no notion of a vlan tag and wants to see "plain ethernet".
regards
xander -
Vrf lite and PBR on the same sub interface
Hi,
I have a point to point connection on a subinterface between PE and CE and use EBGP as the routing protocol. The CE routers are Cisco 7609 and on the subinterface I apply "ip vrf forwarding WAP". Inside this vpn / vrf that I defined before I want to do PBR, so as to route the traffic based on the source IP address. I cannot use the "vrf select" because it is not supported on this platform. So I would like to know if I can do PBR on this subinterface and how I can do it, just by configuring the "ip policy route-map WAP" under the same sub interface where I configure ip vrf forwarding?
Thanks
Ira
Use the route map as a normal thing.
To match all the ip addresses there should not be any match statement in the route map. -
Issue in Sub-interface traffic on cisco 7609-s router
Hello please support,
I configured sub-interfaces and it is working properly, but sometimes a sub-interface shows more traffic than the physical interface.
Like
int gi 3/32 0.13 Mbps 12:00 PM
int gi 3/32.11 855 Mbps 12:00 PM
As per my knowledge the physical interface has the cumulative traffic of all sub-interfaces.
interface GigabitEthernet3/32
no ip address
interface GigabitEthernet3/32.10
encapsulation dot1Q 10
ip address 172.20.128.77 255.255.255.252
ip ospf network point-to-point
ip ospf bfd
bfd interval 50 min_rx 50 multiplier 5
no bfd echo
no cdp enable
interface GigabitEthernet3/32.11
description interlink MPLS
encapsulation dot1Q 11
ip address 172.20.129.73 255.255.255.252
ip ospf network point-to-point
mpls ip
mpls label protocol ldp
Regards,
Damodar Nagar
I don't have that graph so I am just guessing that you are noticing the difference between policing and shaping. It seems to me you are applying these techniques on each platform in a different way. Try to shape/police in the same order or only to shape.
Hope to help
Alessio
Sent from Cisco Technical Support iPad App -
Policy maps on port-channel sub-interfaces
We're trying to implement an enterprise QoS policy and I'm wondering how we can apply our QoS policy maps to several different sub-interfaces on a port-channel. In our case, we have both LAN and WAN connections that connect as VLANs on a switch and terminate as sub-interfaces on a port-channel that combines two Gigabit Ethernet interfaces on our router. The LAN connection will need to have a ingress service-policy to classify traffic as it comes from a customer LAN, and the WAN connections will have to have an egress service-policy to place the traffic classes into LLQ and CBWFQ queues as it leaves the router. Could I put both the ingress and egress service-policies on the physical router interface, or should I put them on the port-channel interface? Or should I apply them to the individual sub-interfaces? For example, I could put the ingress classification service-policy on the LAN sub-interface connection.
Any thoughts or insight would be helpful. Thanks.
-
IPSec tunnel on sub-interface on ASA 5510
Hello All,
I am working on a security solution using an ASA firewall and need some technical advice on the ASA. Is it possible to set up IPSec tunnels on each subinterface of a physical interface on an ASA 5510?
I would be grateful if someone could please reply to this post with some details.
Regards,
Muds
Hi Jennifer,
Thanks very much for your reply. I understand where you are coming from, but the reason for using sub-interfaces is that we have only one physical interface on the firewall connected to the MPLS cloud, and we need to set up separate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily set up a static route to the peer address.
Many thanks for your assistance, please feel free to advise if you have any other suggestion.
Regards,
Muds -
Hi, I am trying to connect an N5k (layer-3) and an ASA; there is a requirement where some of the security-sensitive vlans have their layer-3 on the ASA and the less-sensitive vlans have their SVIs on the N5k. I am doing a POC in my lab gear first. The N5k and the ASA are connected by 1 physical link having sub-interfaces on both ends. There is a sub-int with vlan 10 (10.1.1.0/30) on both sides and the ASA injects a default-route to the N5k over this, so in case a non-secure vlan needs to talk to a secure vlan it goes via this path. My issue is that, if I create a sub-intf on the ASA, give it a vlan tag of 20, and on my N5k I add a port in that same vlan, I cannot ping my GW (ASA) from the laptop. I have also created a similar sub-int on the N5k side as well with tag 20, BUT it still does not work.
Attached visio.
Any clues??
Thnx
Sandev
Hello Sande,
That is correct! Please mark this question as answered so future users having a similar problem can learn from your solution.
Regards,
Julio