Shaping on physical and sub interface

Similar Messages

• 5540 and sub interfaces

  One of my client has a 5540 security appliance where I have configured DMZ and other few things . Currently it has 4 workable interfaces excluding management interface . 3 of them are used for data connectivity because 1 port is for failover .
  Now with 3 physical interface we have 4 zones using sub interfaces ( vlans ) . Recently there has been a change in network where they have introduced few other types of servers and now there is a request to make more zones
  Avaliable Data interfaces are 3
  Required Zones are 7
  Now this is possible using sub interfaces ( vlan ) but I want to know if this is a recommended solution to use subinterfaces at such large scale and dividing every possible interface . It is a company of 1000 users , other option could be to put an 4GE-SSM card but please let me know if the subinterfaces solution is recommended one for enterprizes ?

  Hello,
  Sub-interfaces will work fine for you, but just keep in mind that it is still a shared physical medium. Therefore, the sum of the aggregate traffic in all of the VLANs cannot exceed the capacity of the single physical interface. I would suggest ramping up the traffic slowly and monitoring for any performance issues, but otherwise you should be fine.
  -Mike

• Main Interface and Sub Interface

  Hello,
  I'm fairly new to ASA firewalls so some help is appreciated. Can anyone explain the point of the below config. I thought that normally when using Vlan's there would be no point on configuring a nameif & security level on the main interface? In this case what would configuring an ACL based NAT exemption on the Trunk interface do to traffic on the sub interfaces?
  interface GigabitEthernet1/0
  nameif Trunk
  security-level 100
  no ip address
  interface GigabitEthernet1/0.100
  vlan 100
  nameif VLAN100
  security-level 100
  ip address 192.168.100.1 255.255.255.0 standby 192.168.100.2
  interface GigabitEthernet1/0.101
  vlan 101
  nameif VLAN101
  security-level 90
  ip address 192.168.101.1 255.255.255.0 standby 192.168.101.2
  interface GigabitEthernet1/0.102
  vlan 102
  nameif VLAN102
  security-level 80
  ip address 192.168.102.1 255.255.255.0 standby 192.168.102.2
  Thanks Steve

  You're right about the main interface.
  If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Because the physical interface must be enabled for the subinterface to pass traffic, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you want to let the physical interface pass untagged packets, you can configure the nameif command as usual.
  http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006
  Hope that helps

• Etherchannel Simultaneous Primary and Sub-Interface Config

  Hello Cisco Experts:
  Question: Can I run layer 2 traffic across EtherChannel and layer 3 traffic simultaneously across the same etherchannel on a subinterface?  If not, and considering the background information below, is there an advisable alternative?  The documentation I've been reading isn't clear on the subject.
  Background
  I'd like to split my VLans across (2x) L3 3560 switches interconnected by EtherChannel.  I'll use SVI's for the routing - but if Switch #1 SVI must route to another SVI on Switch #2, I'd like this traffic to cross the EtherChannel instead of heading to another L3 Device before continuing its route to the destination switch.  (I.E. I prefer direct switch to switch routing.)
  Design Preference:
  I don't want my etherchannel to become a 100% routed channel.  
  I don't want to add another connection between the switches - ports are at a premium and budget is tapped.
  No access level switches are being used at this time.
  Physical Topology
  Thank you for your time,
  Mike

  Hi Jon:
  First, I didn't begin to think you were criticizing my design.  I just wanted to relieve your confusion.
  I tested your ideas this morning, and everything checked out and worked fine.  After some more investigation, I remembered why I was asking the question about using EtherChannel with an encapsulated Subinterface & IP Addr. for switch-to-switch routing.
  Regrettably it had nothing to do with Intervlan routing, which was working fine.  But it does have something to do with routing between the two switches.  
  Link Failure and High Availability
  When I began to consider each case of link failure, I discovered 4 cases of link failure that created problematic results.  Two of the cases led to an extra hop, and two of the cases result in a black hole.  These ideas were tested with packet tracer to verify I had a problem.
  These instances occur because I'm routing 3 vlans out of each switch.  Each problem could be resolved by a complete HSRP fail-over to the other switch.  But maybe the more elegant decision is a switch-to-switch route with an appropriate administrative distance (preferably using the EtherChannel)? 
  Note: Primary is the primary WAN connection and Backup is the backup WAN connection.
  Scenario 1: Extra Hop
  Scenario 2: Extra Hop
  Scenario 3: Black Hole
  Scenario 4: Black Hole
  Let me know what you think the ideal solution is: 1) use HSRP tracking to failover to the other switch, 2) create a direct switch to switch route using EtherChannel Subinterface with IP, or 3) some third option.
  Thank you for your time,
  Mike

• The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?

  Hello
  I think the following topologies are supported for Cisco Routers
  And the Physical interface also can be using as Native VLAN interface right? 
  Topology 1.
   R1 Gi0.1 ------ IEEE802.1Q Tunneling  L2SW ------ Gi0 R2
  R1 - configuration
  interface GigabitEthernet0.1
   encapsulation dot1Q 1 native
   ip address 10.0.0.1 255.255.255.0
  Topology 2.
  R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
  interface GigabitEthernet0
  ip address 10.0.0.1 255.255.255.0
   And is it ok to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF etc?
  R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3 
        Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4  (same VLAN-ID) 
  R1 - configuration
  interface GigabitEthernet0
   ip address 10.0.0.1 255.255.255.0
  interface GigabitEthernet8.20
   encapsulation dot1Q 20
   ip address 20.0.0.1 255.255.255.0
  Any information is very appreciated. but if there is any CCO document please let me know.
  Thank you very much and regards,
  Masanobu Hiyoshi

  Hello,
  The diagram is helpful.
  If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
  Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
  Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
  Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
  My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
  Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
  I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
  Best regards,
  Peter

• Export physical and logical details on ASA 5520 and 8.0 software

  Hello...does anybody know if there is any way to export details of the physical and logical interface details (including interface descriptions) to Excel, PDF or and other format from the command line or ASDM? 
  Thanks,
  John

  Export directly in xls, xlsx or pdf - no.
  The output of "show run interface" or "show interface" is pretty structured however and easily parsed by Excel - either manually or via a macro. See output below (you can omit the interface identifier to get all interfaces. I used one for brevity.)
  One can build a script to log in, perform an arbitrary command logging the output to a file which can then be massaged to extract the information you want in a suitable format (csv, etc.). Once in Excel it can be saved as pdf if you're so inclined.
  Of couse, some of the full-featured network management tools do a lot of this (and lots more) if you have them.
  ASA-1# sh run int eth0/0
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address x.x.x.x 255.255.255.224
  ASA-1#
  ASA-1# sh int eth0/0
  Interface Ethernet0/0 "outside", is up, line protocol is up
    Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
  Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
  Input flow control is unsupported, output flow control is unsupported
  MAC address 0013.c480.6b50, MTU 1500
  IP address x.x.x.x, subnet mask 255.255.255.224
  14156274 packets input, 16095096189 bytes, 0 no buffer
  Received 44764 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 pause input, 0 resume input
  0 L2 decode drops
  8548524 packets output, 1006461151 bytes, 0 underruns
  0 pause output, 0 resume output
  0 output errors, 64 collisions, 6 interface resets
  95 late collisions, 627 deferred
  0 input reset drops, 0 output reset drops, 0 tx hangs
  input queue (blocks free curr/low): hardware (255/230)
  output queue (blocks free curr/low): hardware (255/125)
    Traffic Statistics for "outside":
  14156267 packets input, 15839536990 bytes
  8548619 packets output, 820243613 bytes
  39502 packets dropped
        1 minute input rate 2 pkts/sec,  349 bytes/sec
        1 minute output rate 2 pkts/sec,  425 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 2 pkts/sec,  2091 bytes/sec
        5 minute output rate 1 pkts/sec,  352 bytes/sec
        5 minute drop rate, 0 pkts/sec

• Disable BFD in multiple Router Sub interfaces that participates in OSPF

  Hi team,
  Please help me on this. Here is the scenario:
  We are on an enterprise set up and running on 100+ routers.
  We have 200 to 300+ sub interfaces for virtual circuits
  Our protocol is OSPF over MPLS
  One of our provider in LA encountered link flaps on SONET causing our LA router that is directly connected to that link to recalculate multiple times.
  Recalculation of OSPF routes caused disconnection of users in LA VM's.
  We were advised by our provider in LA to disable BFD so minor link flaps will no affect recalculation of routes.
  We are now tasked by our design team to Disable BFD in multiple Router Sub interfaces that participates in OSPF.
  My questions are:
  What is the implication in disabling all BFD in routers' interface and sub interface?
  Will this improve recalculation of OSPF routes in cause of link flaps or it will totally ignore the link flaps?
  Will the routers only recognize a "full down" status of the interface?
  How can we Disable BFD in multiple Router Sub interfaces that participates in OSPF in a faster way? Or do we have to do this one by one?
  Please advise before we present this to the CAB and implementation. Thank you.

  My questions are:
  What is the implication in disabling all BFD in routers' interface and sub interface?
  Answer:  the implication would be eliminating sub-second millisecond convergence.
  BFD detect failure at the link layer very fast , once detected it informs the upper layer protocol about the failure causing it to converge immediately. 
  Will this improve recalculation of OSPF routes in cause of link flaps or it will totally ignore the link flaps?
  Answer: if your Provider experiencing intermittent flaps, then yes it will be advisable to turn BFD off. this however doesn't totally ignore the link flaps, once the upper protocol detect the failure based on the dead interval parameter on OSPF, it will recalculate OSPF routes again.  Keep in mind, if you have redundant or more links to your provider , then I wouldn't recommend disabling BFD , as it should improve Convergence and you shouldn't notice the failure. 
  Will the routers only recognize a "full down" status of the interface?
  Answer: disabling BFD allows the router recognize a full down status once the upper protocol dead interval occurs or full down status of interface. which ever occurs the earliest.
  How can we Disable BFD in multiple Router Sub interfaces that participates in OSPF in a faster way? Or do we have to do this one by one?
  You can disable it one by one. or if you have configuration management software, it allows you to do it for all nodes at a time. but this depends if you have it or not.
  Please consider not to disable BFD if you have multiple OSPF links towards your provider from any branch, as it shouldn't impact your VMs, it should rather improve Convergence at milliseconds which is absolutely not noticeable.
  BR,
  Mohamed 

• How to make ASR9000 bridge domain forward traffic between sub interfaces of same physical interface?

  Hi,
  I regularly use bridge domains to connect sub interfaces on different vlans using this sort of configuration:
  interface GigabitEthernet0/0/0/5.21 l2transport
  description CUSTOMER A WAN
  encapsulation dot1q 21
  rewrite ingress tag pop 1 symmetric
  interface GigabitEthernet0/0/0/10.3122 l2transport
  description CUSTOMER A CORE
  encapsulation dot1q 3122
  rewrite ingress tag pop 1 symmetric
  l2vpn
  bridge group WANLINKS
    bridge-domain CUSTOMERA
     interface GigabitEthernet0/0/0/5.21
     interface GigabitEthernet0/0/0/10.3122
  When I try to use the same method to bridge two sub interfaces on the same physical interface so as to create a L2 VPN no data flows:
  interface GigabitEthernet0/0/0/5.21 l2transport
  description CUSTOMER A WAN
  encapsulation dot1q 21
  rewrite ingress tag pop 1 symmetric
  interface GigabitEthernet0/0/0/5.22 l2transport
  description CUSTOMER A WAN2
  encapsulation dot1q 22
  rewrite ingress tag pop 1 symmetric
  l2vpn
  bridge group WANLINKS
    bridge-domain CUSTOMERA
     interface GigabitEthernet0/0/0/5.21
     interface GigabitEthernet0/0/0/5.22
  If I add a BVI interface to the bridge domain then the CE devices at the remote end of the WAN interface can both ping the BVI IP but they remain unable to ping each other.
  Is this because tag rewrites are not happening since packets don't leave the physical interface?
  How can I work around this and establish a L2 connection between the two subinterfaces?
  Thank you

  a vlan is usually the equivalent of an l3 subnet, so linking 2 vlans together in the same bridge domain, likely needs to come with some sort of routing (eg a BVI interface).
  If these 2 vlans are still in the same subnet, then there is still arp going on, from one host to the other that traverses the bD.
  you will need to verify the state of the AC, the forwarding in the BD and see if something gets dropped somewhere and follow the generic packet troubleshooting guides (see support forums for that also).
  that might give a hint to what the precise issue in your forwarding is.
  regards
  xander

• Traffic Shaping on Sub-interfaces

  Hi all,
  On my network i am trying to give preference to certain traffic type A over another traffice type B  over a VSAT link.
  the VSAT link is about 64Kbps/64Kbps and this link is connected to a router subinterface.
  I initially thought of CBWFQ to reserve bandwidth for the differenct traffic types but there are restrictions to using CBWFQ on Sub interfaces.
  Hence I tot of the option of shaping the less preffered traffic to a less than half the bandwidth  say 24K will be a good idea however i worry that the contents of the shaping queue will constitute both the preffered traffic and the less preffered traffic hence introducing more delay to the more preffered traffic. which is not required.
  Any other better ways to achieve this?

  You can use hierarchical qos:
  http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a0080114326.shtml

• Could I configure local switching between sub-interface and global interface on ASR9k?

  Could I configure local switching between sub-interface and global interface on ASR9k?

  For 2 interfaces it is probably best to use an xconnect. It is faster and saves system resources (eg mac learning doesnt apply to xconnect).
  Config example:
  l2vpn
   xconnect group link
    p2p link
     interface Bundle-Ether100.4321
     interface Bundle-Ether500.4321
  EFP config:
  interface Bundle-Ether100.4321 l2transport
   encapsulation dot1q 4000
   rewrite ingress tag pop 1 symmetric
  interface Bundle-Ether500.4321 l2transport
   encapsulation dot1q 2000
   rewrite ingress tag pop 1 symmetric
  This example shows that you can link 2 EFP's with different vlan's together if you'd pop the tags.
  If the EFP's are of the same vlan, then popping the tag can be done but not a must. In general it is recommended to always pop vlan tags so there is a standard EFP design, but not for any technical reasons.
  When you use a bridge domain and using a BVI, you MUST pop the tags as the BVI has no notion of a vlan tag and wants to see "plain ethernet".
  regards
  xander

• Vrf lite and PBR on the same sub interface

  Hi,
  I have a connection point to point on subinterface between PE and CE and use EBGP as routing protocol. The CE are router Cisco7609 and on the subinterface i apply "ip vrf forwarding WAP". Inside this vpn / vrf that I defined before I want to do pbr, so to route the traffic based on the source Ip address. I cannot use the "vrf select" because it is not supported on this platform. So I would like to know if I can do pbr on this subinterface and how can I do it, just only configuring the "ip policy route-map WAP" under the same sub interface where I confgure ip vrf forwarding?
  Thanks
  Ira

  Use the route map as a noraml thing.
  To match the all the ip address there should not be any match statement in the route map.

• Issue in Sub-interface traffic on cisco 7609-s router

  Hello please support,
  I configured sub-interfaces and it is working properly, but some time sub-interface show traffic more then physical interface .
  Like 
  int gi 3/32              0.13 Mbps  12:00 PM
  int gi 3/32.11       855 Mbps   12:00 PM
  as per my knowledge physical interface have cumulative traffic of all sub-interfaces. 
  interface GigabitEthernet3/32
   no ip address
  interface GigabitEthernet3/32.10
   encapsulation dot1Q 10
   ip address 172.20.128.77 255.255.255.252
   ip ospf network point-to-point
   ip ospf bfd
   bfd interval 50 min_rx 50 multiplier 5
   no bfd echo
   no cdp enable
  interface GigabitEthernet3/32.11
   description interlink MPLS
   encapsulation dot1Q 11
   ip address 172.20.129.73 255.255.255.252
   ip ospf network point-to-point
   mpls ip
   mpls label protocol ldp
  Regards,
  Damodar Nagar

  I have not that graph so I am just guessing that you are noticing the difference between policing and shaping. It seems to me you are applying these techniques on each platform on a different way. Try to shape/police in the same order or only to shape.
  Hope to help
  Alessio
  Sent from Cisco Technical Support iPad App

• Policy maps on port-channel sub-interfaces

  We're trying to implement an enterprise QoS policy and I'm wondering how we can apply our QoS policy maps to several different sub-interfaces on a port-channel. In our case, we have both LAN and WAN connections that connect as VLANs on a switch and terminate as sub-interfaces on a port-channel that combines two Gigabit Ethernet interfaces on our router. The LAN connection will need to have a ingress service-policy to classify traffic as it comes from a customer LAN, and the WAN connections will have to have an egress service-policy to place the traffic classes into LLQ and CBWFQ queues as it leaves the router. Could I put both the ingress and egress service-policies on the physical router interface, or should I put them on the port-channel interface? Or should I apply them to the individual sub-interfaces? For example, I could put the ingress classification service-policy on the LAN sub-interface connection.
  Any thoughts or insight would be helpful. Thanks.

  I can't put it as input because :
  gw-a(config-subif)#service-policy input policy_upload                     
  Traffic Shaping feature not supported in input policy.
  Here's a show during a bandwidth test. You can see the offered rate is properly measured and is _way_ above the target shape rate.
  gw-a#show policy-map interface Port-channel 1.2
  Port-channel1.2
    Service-policy output: policy_upload
      Class-map: class-default (match-any)
        624006 packets, 842239036 bytes
        5 minute offered rate 12774000 bps, drop rate 0 bps
        Match: any
        Queueing
        queue limit 64 packets
        (queue depth/total drops/no-buffer drops) 0/0/0
        (pkts output/bytes output) 0/0
        shape (average) cir 100000, bc 400, be 400
        target shape rate 100000

• IPSec tunnel on sub-interface on ASA 5510

  Hello All,
  I working on a security solution using ASA firewall and need some technical advice on ASA. Is it possible to setup a IPSec tunnels  on each subinterface of a physical interface on ASA 5510?
  I would be greatul if someone please reply post this with some details.
  Regards,
  Muds

  Hi Jennifer,
  Thanks very much for your reply. I understand where you coming from, but the reason of using sub-interfaces is that, we have only one physical interface on the firewall connected to the MPLS cloud, and we need to setup a seperate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily setup a static route to peer address.
  Many thanks for your assistance, please feel free to to advise if you have any other suggestion.
  Regards,
  Muds 

• Sub-interfaces on n5k

  Hi, I am trying to connect N5k (layer-3) and ASA, there is a requirement where some of the security-sensitive vlans have their layer-3 on the ASA and for those vlans who are less-sensitive have their svis on the N5k. I am doing a POC in my lab gear first. The n5k and the ASA are connected by 1 physical link having sub-interfaces on both the ends. There is a sub-int with vlan 10 (10.1.1.0/30) on both sides and the ASA injects a default-route to the N5k over this. so in case a non-secure vlan needs to talks to a secure-vlan it goes through via this path. My issue is that, if i create a sub-intf on the ASA, give it a vlan tag of 20, and on my N5k i add a port in that same vlan, i cannot ping my GW (ASA) from the laptop. I have also created a similar sub-int on the N5k side as well with tag 20, BUT still does not work.
  attached visio.
  Any clues??
  Thnx
  Sandev

  Hello Sande,
  That is correct! Please mark this question as answered so future users having a similar problem can learn from your
  solution.
  Regards,
  Julio