
RST-3043 8218_05_2003_c1

2003, Cisco Systems, Inc. All rights reserved.

Troubleshooting Catalyst 6000/6500 Switches


Session RST-3043


Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA. 8218_05_2003_c1

Prerequisites:

Understanding of Layer 2/3 forwarding
Basic knowledge of Multicast routing
Basic knowledge of QoS
RST-3031 Troubleshooting LAN Protocols


Agenda
Hybrid/Native
Redundancy
Unicast Forwarding
Multicast Forwarding
Access Control Lists
QoS

Hybrid/Native
Hybrid vs. Native
Hybrid
Switch + Router
CatOS + Cisco IOS
session 15
show port 4/16

Native
One BIG Router
Cisco IOS on Both
show int gig 4/16

Hybrid/Native
Software Naming Conventions
Start with the Correct Image!

Hybrid
c6msfc2-jsv-mz.121-13.E5
c6msfc2-boot-mz.121-13.E5
cat6000-sup.6-4-3.bin

Native
c6sup12-is-mz.121-13.E5
c6sup12 = Sup1/MSFC2


Hybrid/Native
Conversion Process

Set Supervisor and MSFC to boot to ROMMON
Reset and Load Native image from slot0:
Format slot0: and sup-bootflash: in Native
Adjust boot variables


Hybrid/Native
Process: Initial Checks
Native image is on PCMCIA card slot0:
Sup> (enable) dir slot0:
-#- -length- -----date/time------ name
  1 13465088 May 08 2001 23:22:22 c6sup11-is-mz.121-13.E5

MSFC boot image on bootflash of MSFC (not required for MSFC2)
MSFC#dir bootflash:
Directory of bootflash:
    1  -rw-     1730648   Apr 11 2001 03:50:13  c6msfc-boot-mz.121-13.E5
15990784 bytes total (4458452 bytes free)

Ensure BOOTLDR variable points to this image (not required for MSFC2)
MSFC#show bootvar
BOOT variable = bootflash:c6msfc-jsv-mz.121-11b.E1,1;
CONFIG_FILE variable does not exist
BOOTLDR variable = bootflash:c6msfc-boot-mz.121-13.E5
Configuration register is 0x2102

Hybrid/Native
Process: Config Registers
Verify config-register is set properly on MSFC
MSFC(config)#config-register 0x0
MSFC(config)#end
MSFC#show bootvar
BOOT variable = bootflash:c6msfc-jsv-mz.121-11b.E1,1;
CONFIG_FILE variable does not exist
BOOTLDR variable = bootflash:c6msfc-boot-mz.121-13.E5
Configuration register is 0x2102 (will be 0x0 at next reload)

Change Sup's config-register to boot to ROMMON
Sup> (enable) set boot config-register 0x0
Configuration register is 0x0

Boot Native image from slot0: (or Sup's bootflash)
rommon 1 > boot slot0:c6sup11-is-mz.121-13.E5


Hybrid/Native
Process: Boot from slot0:
Boot up sequence ends with ROMMON of RP, then boot the MSFC
Cisco Internetwork Operating System Software
IOS (tm) c6sup1_sp Software (c6sup1_sp-SPV-M), Version 12.1(13)E5,
<output omitted>
00:00:03: %OIR-6-CONSOLE: Changing console ownership to route processor
System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE
Copyright (c) 1998 by cisco Systems, Inc.
Cat6k-MSFC platform with 65536 Kbytes of main memory
rommon 1> boot slot0:c6sup11-jsv-mz.121-13.E5

Boot up of MSFC ends in Native mode!!!
Format non-Native file systems into Native


Hybrid/Native
Process: Set Boot Variables
Set boot variables so router loads the correct image on reload
Router(config)#boot system slot0:c6sup11-jsv-mz.121-13.E5
Router(config)#config-register 0x2102
Router# write mem

Check the RP
Router# show bootvar
BOOT variable = slot0:c6sup11-jsv-mz.121-13.E5,1;
CONFIG_FILE variable does not exist
BOOTLDR variable = bootflash:c6msfc-boot-mz.121-13.E5
Configuration register is 0x0 (will be 0x2102 at next reload)

Check the SP
Router# remote command switch show bootvar
Switch-SP#
BOOT variable = slot0:c6sup11-jsv-mz.121-13.E5,1;
CONFIG_FILE variable =
BOOTLDR variable does not exist
Configuration register is 0x0 (will be 0x2102 at next reload)

Hybrid/Native
Conversion: What if It Doesn't Work?
Look at the boot-up sequence
  Does it fail when loading the SP or the RP image?

Verify the filenames
  dir slot0:, dir bootflash:

Verify the boot variables
  config-register (0x0, 0x2102)
  file location (slot0:, bootflash:, etc)
  show bootvar

Refer to Web
  http://www.cisco.com/warp/customer/473/81.html
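The filename and boot-variable checks listed above can be run offline against saved CLI output. The following Python sketch is an added example, not part of the original session material; the function names are hypothetical and the sample text is constructed in the format of the "show bootvar" and "dir" output shown earlier.

```python
import re

# Constructed sample in the format of the "show bootvar" and "dir" output
# above. The BOOT file name deliberately differs from the file on slot0:
# (jsv vs. is) so that the check has something to report.
SAMPLE_BOOTVAR = """\
BOOT variable = slot0:c6sup11-jsv-mz.121-13.E5,1;
CONFIG_FILE variable does not exist
BOOTLDR variable = bootflash:c6msfc-boot-mz.121-13.E5
Configuration register is 0x0 (will be 0x2102 at next reload)
"""
SAMPLE_DIRS = {
    "slot0:": "-#- -length- -----date/time------ name\n"
              "  1 13465088 May 08 2001 23:22:22 c6sup11-is-mz.121-13.E5\n",
    "bootflash:": "Directory of bootflash:\n"
                  "    1  -rw-  1730648  Apr 11 2001 03:50:13  c6msfc-boot-mz.121-13.E5\n"
                  "15990784 bytes total (4458452 bytes free)\n",
}

# A file row starts with an index and ends "... HH:MM:SS <name>".
_ROW = re.compile(r"^\s*\d+\s.*\d{2}:\d{2}:\d{2}\s+(\S+)\s*$", re.M)
_CONFREG = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?:\s*\(\s*will be (0x[0-9a-fA-F]+) at next reload\s*\))?")


def files_in_dir(listing):
    """Return the set of file names found in a dir listing."""
    return set(_ROW.findall(listing))


def parse_bootvar(text):
    """Extract BOOT entries, BOOTLDR and the config-register values."""
    info = {"boot": [], "bootldr": None, "confreg": None, "confreg_next": None}
    m = re.search(r"^BOOT variable = (.+)$", text, re.M)
    if m:
        for entry in m.group(1).split(";"):
            path = entry.split(",")[0].strip()   # drop the ",1" retry count
            if path:
                info["boot"].append(path)
    m = re.search(r"^BOOTLDR variable = (\S+)", text, re.M)
    if m:
        info["bootldr"] = m.group(1)
    m = _CONFREG.search(text)
    if m:
        info["confreg"] = int(m.group(1), 16)
        # Without a "will be" clause the current value is also the next one.
        info["confreg_next"] = int(m.group(2), 16) if m.group(2) else info["confreg"]
    return info


def check_boot(bootvar_text, dir_listings, want_confreg=0x2102):
    """Return a list of findings; an empty list means the checks passed."""
    info = parse_bootvar(bootvar_text)
    findings = []
    if not info["boot"]:
        findings.append("BOOT variable is empty")
    paths = info["boot"] + ([info["bootldr"]] if info["bootldr"] else [])
    for path in paths:
        device, _, name = path.partition(":")
        device += ":"
        listing = dir_listings.get(device)
        if listing is None:
            findings.append(f"no dir listing supplied for {device}")
        elif name not in files_in_dir(listing):
            findings.append(f"{path} is not present on {device}")
    if info["confreg_next"] != want_confreg:
        findings.append(
            f"config-register after reload is {info['confreg_next']:#x}, "
            f"expected {want_confreg:#x}")
    return findings


if __name__ == "__main__":
    for finding in check_boot(SAMPLE_BOOTVAR, SAMPLE_DIRS):
        print("FINDING:", finding)
```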

Redundancy
Hybrid/Native Options
Hybrid: HSRP, Config Sync, SRM, HA
Native: RPR, RPR+, EHSA

DRM


Redundancy
Hybrid with Dual Supervisors

For all Hybrid configurations make sure the supervisor has High-Availability enabled AND that it is ON
First introduced in 5.4(1)
CatOS> (enable) show system highavailability
Highavailability: enabled
Highavailability versioning: disabled
Highavailability Operational-status: ON


Redundancy
Hybrid with Dual MSFCs: DRM

Make sure that HSRP is configured and active on both MSFCs
MSFC#show standby vlan 2
Vlan2 - Group 0
  Local state is Active, priority 110, may preempt
  Hellotime 3 holdtime 10
  Next hello sent in 00:00:00.628
  Hot standby IP address is 172.10.1.254 configured
  Active router is local
  Standby router is 172.10.1.3 expires in 00:00:09
  Standby virtual mac address is 0000.0c07.ac00
  2 state changes, last state change 00:00:13

Redundancy
Hybrid with Dual MSFCs: DRM

Check which MSFC is designated
MSFC#show redundancy
Designated Router: 1 Non-designated Router: 2
Redundancy Status: designated
Config Sync AdminStatus : disabled
Config Sync RuntimeStatus: disabled
Single Router Mode AdminStatus : disabled
Single Router Mode RuntimeStatus: disabled


Redundancy
Hybrid with Config-Sync: DRM
Config-Sync makes the designated MSFC sync its configuration to the non-designated MSFC
Available in 12.1(3a)E1
redundancy
 high-availability
  config-sync
!
interface Serial4/0/0
 ip address 10.1.1.2 255.255.255.0
 dsu bandwidth 44210
 framing c-bit
!
interface Vlan2
 ip address 172.10.1.2 255.255.255.0 alt ip address 172.10.1.3 255.255.255.0
 ip pim dense-mode
 standby priority 110 preempt alt standby priority 90 preempt
 standby ip 172.10.1.1 alt standby ip 172.10.1.1

Redundancy
Hybrid with Config-Sync: DRM

In a dual supervisor chassis utilizing config-sync here is what steady-state should look like
CatOS> (enable) show system highavailability
Highavailability: enabled
Highavailability versioning: disabled
Highavailability Operational-status: ON

MSFC#show redundancy
Designated Router: 1 Non-designated Router: 2
Redundancy Status: designated
Config Sync AdminStatus : enabled
Config Sync RuntimeStatus: enabled
Single Router Mode AdminStatus : disabled
Single Router Mode RuntimeStatus: disabled

Redundancy
Hybrid with Single-Router-Mode: SRM
redundancy
 high-availability
  single-router-mode
!
interface Serial4/0/0
 ip address 10.1.1.2 255.255.255.0
 dsu bandwidth 44210
 framing c-bit
!
interface Vlan2
 ip address 172.10.1.2 255.255.255.0
 ip pim dense-mode
 standby priority 110 preempt
 standby ip 172.10.1.1

Single-Router-Mode makes the designated MSFC sync its configuration to the non-designated MSFC and then puts it into standby mode
Available in 12.1(8a)E4 / 6.3(1)

Redundancy
Hybrid with SRM
Utilizing single-router-mode, here is how steady-state should look
CatOS> (enable) show module
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP1A-2GE    yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC         no  ok
2   2    2     1000BaseX Supervisor      WS-X6K-SUP1A-2GE    yes standby
16  2    1     Multilayer Switch Feature WS-F6K-MSFC         no  standby

CatOS> (enable) show system highavailability
Highavailability: enabled
Highavailability versioning: disabled
Highavailability Operational-status: ON

MSFC#show redundancy
Designated Router: 1 Non-designated Router: 2
Redundancy Status: designated
Config Sync AdminStatus : enabled
Config Sync RuntimeStatus: enabled
Single Router Mode AdminStatus : enabled
Single Router Mode RuntimeStatus: enabled

Redundancy
Native with RPR+

Route Processor Redundancy Plus provides for much faster failover as cards are no longer reset on failover
Provides for approximately 30-60 second failover times independent of what cards are in the chassis
Available in 12.1(11b)EX and 12.1(13)E

Redundancy
Native with RPR+
Utilizing RPR+, here is what steady-state should look like
Native(6k)# show redundancy states
my state = 13 -ACTIVE
peer state = 8 -STANDBY HOT
Mode = Duplex
Unit = Primary
Unit ID = 1
Redundancy Mode (Operational) = Route Processor Redundancy Plus
Redundancy Mode (Configured) = Route Processor Redundancy Plus
Split Mode = Disabled
Manual Swact = Enabled
Communications = Up
<some output deleted>


Unicast Forwarding
MLS
Used on Supervisor I
Both the Candidate Packet and the Enabler Packet must be present for a flow to be built
[Diagram labels: Candidate Packet, Enabler Packet, Layer 3 Forwarded Packet]



Unicast Forwarding
Connectivity Loss: MLS
[Diagram: MSFCx (Vlan 1 10.1.1.1, Vlan 2 10.1.2.1) and Sup1; PC-A 10.1.1.5 in Vlan 1; PC-B 10.1.2.5 in Vlan 2; the failure is marked X]

PC-A can't ping PC-B



Unicast Forwarding
MLS
[Diagram: MSFC holds Routing, ARP, CEF and ADJ; Sup1 holds the Layer 3 Flow; hosts A and B]

Check the routing, ARP, CEF, ADJ info in the MSFC
Check the Supervisor to see if flow is installed

Unicast Forwarding
Check the Routing and ARP: MLS
First, check the software routing tables and ARP caches to verify full IP connectivity
MSFC# show ip route 10.1.1.5
Routing entry for 10.1.1.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan1
      Route metric is 0, traffic share count is 1
MSFC# show ip route 10.1.2.5
Routing entry for 10.1.2.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan2
      Route metric is 0, traffic share count is 1
MSFC# show ip arp 10.1.1.5
Protocol  Address    Age (min)  Hardware Addr   Type  Interface
Internet  10.1.1.5   18         0000.0c5d.143c  ARPA  Vlan1
MSFC# show ip arp 10.1.2.5
Protocol  Address    Age (min)  Hardware Addr   Type  Interface
Internet  10.1.2.5   14         00e0.b064.23fa  ARPA  Vlan2



Unicast Forwarding
Check the CEF and ADJ: MLS
Second, verify that the CEF and adjacency table match the routing table and ARP cache
Router# show ip cef 10.1.1.5
10.1.1.5/32, version 78, epoch 0, connected, cached adjacency 10.1.1.5
0 packets, 0 bytes
  via 10.1.1.5, Vlan1, 0 dependencies
    next hop 10.1.1.5, Vlan1
    valid cached adjacency
Router# sho adj vlan 1 det
Protocol Interface  Address
IP       Vlan1      10.1.1.5 (5)
                    2 packets, 228 bytes
                    00000C5D143C 000652614102 0800
                    ARP 03:55:06
                    Epoch: 0


Unicast Forwarding
Hardware Check: MLS
Next, verify the hardware has the vlan configured and that the hardware tables are not overflowing
CatOS(enable) sho mls
Total packets switched = 7036256
Total Active MLS entries = 2
Long-duration flows aging time = 1920 seconds
IP Multilayer switching aging time = 256 seconds
IP Multilayer switching fast aging time = 0 seconds, packet threshold = 0
IP Current flow mask is Destination flow
Active IP MLS entries = 2
Netflow Data Export version: 7
Netflow Data Export disabled
Netflow Data Export port/host is not configured.
Total packets exported = 0

IP MSFC ID      Module XTAG MAC               Vlans
--------------- ------ ---- ----------------- ----------------
10.1.1.1        15     1    00-06-52-61-41-02 1,2


Unicast Forwarding
Flow Built: MLS (Hybrid)
Then check to see if the flow has been installed into the MLS cache and matches the CEF information
CatOS(enable) show mls entry ip
Destination-IP  Source-IP       Prot  DstPrt SrcPrt Destination-Mac   Vlan EDst ESrc
--------------- --------------- ----- ------ ------ ----------------- ---- ---- ----
MSFC 10.1.1.1 (Module 15):
10.1.1.5        10.1.2.5        ICMP  0      0      00-00-0c-5d-14-3c 1    ARPA ARPA
10.1.2.5        10.1.1.5        ICMP  0      0      00-e0-b0-64-23-fa 2    ARPA ARPA

DPort     SPort     Stat-Pkts  Stat-Bytes  Uptime   Age
--------- --------- ---------- ----------- -------- --------
2/2       2/1       829        82900       00:00:04 00:00:00
2/1       2/2       861        86100       00:00:05 00:00:00

Total entries displayed: 2


Unicast Forwarding
Flow Built: MLS (Native)
Verify that the hardware tables are not overflowing and that a flow has been installed into the MLS cache and matches the CEF information
Native(6k)# sh mls ip count
Displaying Netflow entries in Supervisor Earl
Number of shortcuts = 1
Native(6k)# show mls ip destination 192.168.50.1
Displaying Netflow entries in Supervisor Earl
DstIP         SrcIP    Prot:SrcPort:DstPort  Src i/f:AdjPtr  Pkts  Bytes  Age  LastSeen  Attributes
------------  -------  --------------------  --------------  ----  -----  ---  --------  ------------
192.168.50.1  0.0.0.0  0   :0      :0        0  : 0          5     500    18   14:17:13  L3 - Dynamic



Unicast Forwarding
CEF
[Diagram: MSFC2 holds Routing, ARP, FIB and ADJ; Sup2 holds FIB and ADJ]

The hardware forwarding engine on the Sup2 is programmed by the software on the MSFC2 with a copy of the software FIB and adjacency table
The Sup2 depends on the MSFC2 for routing and ARP information corresponding to FIB and adjacency updates

Unicast Forwarding
Connectivity Loss: CEF
[Diagram: MSFC2 (Vlan 1 10.1.1.1, Vlan 2 10.1.2.1) and Sup2; PC-A 10.1.1.5 in Vlan 1; PC-B 10.1.2.5 in Vlan 2; the failure is marked X]

PC-A can't ping PC-B
MSFC can ping both



Unicast Forwarding
Look for Inconsistencies: CEF
[Diagram: MSFC2 (RP) holds Routing, ARP, FIB and ADJ; Sup2 (SP) holds FIB and ADJ]

Check the routing, ARP, CEF, ADJ info in the MSFC
Check the CEF and ADJ info in the Supervisor

Unicast Forwarding
Check the Routing and ARP (Native): CEF
First, check the software routing tables and ARP caches to verify full IP connectivity
Native# sho ip route 10.1.1.5
Routing entry for 10.1.1.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan1
      Route metric is 0, traffic share count is 1
Native# sho ip route 10.1.2.5
Routing entry for 10.1.2.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan2
      Route metric is 0, traffic share count is 1
Native# sho ip arp 10.1.1.5
Protocol  Address    Age (min)  Hardware Addr   Type  Interface
Internet  10.1.1.5   0          0000.0c5d.143c  ARPA  Vlan1
Native# sho ip arp 10.1.2.5
Protocol  Address    Age (min)  Hardware Addr   Type  Interface
Internet  10.1.2.5   2          00e0.b064.23fa  ARPA  Vlan2



Unicast Forwarding
Check the CEF and ADJ (Native): CEF
Second, verify that the CEF and adjacency table match the routing table and ARP cache
Native# sho ip cef 10.1.1.5
10.1.1.5/32, version 33, epoch 0, connected, cached adjacency 10.1.1.5
0 packets, 0 bytes
  via 10.1.1.5, Vlan1, 0 dependencies
    next hop 10.1.1.5, Vlan1
    valid cached adjacency
Native# sho adj vlan 1 det
Protocol Interface  Address
IP       Vlan1      10.1.1.5 (5)
                    4 packets, 400 bytes
                    00000C5D143C 00D079550C0A 0800
                    ARP 03:57:16
                    Epoch: 0


Unicast Forwarding
FIB and ADJ info in SP (Native): CEF
Verify that the entries in the hardware tables have been installed correctly and match the CEF information from the RP
Native# sho mls cef ip 10.1.1.5
Native-sp#
Index  Prefix    Mask             Adjacency
12     10.1.1.5  255.255.255.255  0000.0c5d.143c

Native# sho mls cef adj mac-address 0000.0c5d.143c
Native-sp#
Index 17418 : mac-sa: 00d0.7955.0c0a, mac-da: 0000.0c5d.143c
              interface: Vl1, mtu: 1514
              packets: 0000000000000000, bytes: 0000000000000000


Unicast Forwarding
FIB and ADJ info in PFC (Hybrid): CEF
Verify that the entries in the hardware tables have been installed correctly and match the CEF information from the MSFC
CatOS> (enable) sh mls entry cef ip 192.168.50.0/24
Mod FIB-Type  Destination-IP  Destination-Mask NextHop-IP
--- --------- --------------- ---------------- -------------
15  resolved  192.168.50.0    255.255.255.0    192.168.1.50

CatOS> (enable) sh mls entry cef ip 192.168.1.50/32 adjacency
Mod: 15
Destination-IP: 192.168.1.50 Destination-Mask: 255.255.255.255
FIB-Type: resolved
AdjType NextHop-IP   NextHop-Mac       Vlan Encp Tx-Packets Tx-Octets Weight
------- ------------ ----------------- ---- ---- ---------- --------- ------
Connect 192.168.1.50 00-07-0e-8f-08-8a 10   ARPA 0          0         1


Unicast Forwarding
FIB and ADJ info in LC (Native): CEF
If traffic is ingress on a card which is DFC equipped, then the HW-switching for that card is performed by the local PFC2 equipped on the LC; so, you have to check the HW-entries on the DFC card itself
Native# remote login module 3
Trying Switch ...
Entering CONSOLE for Switch
Type "^C^C^C" to end this session
Native-dfc3#

Use the same commands on the DFC that were used on the SP
show mls cef <destination ip>
show mls cef adjacency mac-address <adj mac address>
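The cross-checks in the preceding CEF slides (ARP cache, software adjacency, hardware FIB, hardware adjacency) reduce to comparing the same MAC addresses written in different notations. The Python sketch below is an added example, not part of the original session; the function names are hypothetical, the sample text is constructed in the format of the Native output above, and the second hardware sample carries a constructed stale MAC.

```python
import re


def norm_mac(mac):
    """Reduce 0000.0c5d.143c, 00-00-0c-5d-14-3c or 00000C5D143C to 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def arp_mac(show_ip_arp, ip):
    """MAC for <ip> from 'show ip arp' (software table on the RP)."""
    for line in show_ip_arp.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "Internet" and f[1] == ip:
            return norm_mac(f[3])
    return None


def sw_rewrite(show_adj_detail):
    """(dest MAC, source MAC) from the rewrite string of 'show adjacency ... detail'."""
    m = re.search(r"\b([0-9A-F]{12})\s*([0-9A-F]{12})\s*0800\b", show_adj_detail, re.I)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def hw_fib_adj(show_mls_cef, ip):
    """Adjacency MAC of the hardware FIB row for <ip> ('show mls cef ip <ip>')."""
    for line in show_mls_cef.splitlines():
        f = line.split()
        if len(f) == 4 and f[1] == ip:
            return norm_mac(f[3])
    return None


def hw_rewrite(show_mls_cef_adj):
    """(dest MAC, source MAC) from 'show mls cef adj mac-address ...'."""
    m = re.search(r"mac-sa:\s*([0-9a-f.]+),\s*mac-da:\s*([0-9a-f.]+)",
                  show_mls_cef_adj, re.I)
    return (norm_mac(m.group(2)), norm_mac(m.group(1))) if m else None


def find_inconsistencies(ip, arp, adj, fib, hw_adj):
    """Compare software and hardware views of one destination; [] means consistent."""
    ref = arp_mac(arp, ip)
    if ref is None:
        return [f"no ARP entry for {ip} on the RP"]
    issues = []
    sw, fib_mac, hw = sw_rewrite(adj), hw_fib_adj(fib, ip), hw_rewrite(hw_adj)
    if sw is None:
        issues.append("no software adjacency rewrite found")
    elif sw[0] != ref:
        issues.append(f"software adjacency rewrites to {sw[0]}, ARP has {ref}")
    if fib_mac is None:
        issues.append(f"no hardware FIB entry for {ip}")
    elif fib_mac != ref:
        issues.append(f"hardware FIB points at {fib_mac}, ARP has {ref}")
    if hw is None:
        issues.append("no hardware adjacency found")
    else:
        if hw[0] != ref:
            issues.append(f"hardware adjacency mac-da is {hw[0]}, ARP has {ref}")
        if sw and hw[1] != sw[1]:
            issues.append(f"hardware mac-sa {hw[1]} differs from software {sw[1]}")
    return issues


# Constructed samples in the format of the output shown above.
ARP = ("Protocol  Address   Age (min)  Hardware Addr   Type  Interface\n"
       "Internet  10.1.1.5  0          0000.0c5d.143c  ARPA  Vlan1\n")
ADJ = ("IP  Vlan1  10.1.1.5 (5)\n  4 packets, 400 bytes\n"
       "  00000C5D143C 00D079550C0A 0800\n  ARP 03:57:16\n")
FIB = ("Index  Prefix    Mask             Adjacency\n"
       "12     10.1.1.5  255.255.255.255  0000.0c5d.143c\n")
HW_ADJ = ("Index 17418 : mac-sa: 00d0.7955.0c0a, mac-da: 0000.0c5d.143c\n"
          "  interface: Vl1, mtu: 1514\n")
# Constructed fault: the hardware still points at an old MAC for the host.
STALE_FIB = FIB.replace("0000.0c5d.143c", "0000.0c5d.9999")
STALE_HW_ADJ = HW_ADJ.replace("0000.0c5d.143c", "0000.0c5d.9999")

if __name__ == "__main__":
    print(find_inconsistencies("10.1.1.5", ARP, ADJ, FIB, HW_ADJ))
    print(find_inconsistencies("10.1.1.5", ARP, ADJ, STALE_FIB, STALE_HW_ADJ))
```

The same comparison applies to output collected on a DFC after `remote login module`, since the commands are the same as on the SP.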


Unicast Forwarding
TCAM Consistency: CEF

If all the output is consistent, but packets are not flowing in the proper direction then there is probably an inconsistency in the Layer 3 TCAMs
Recovery can usually be achieved by clearing the IP route table


Unicast Forwarding
TCAM Resource: Sup1

There are 32K MLS cache entries (Sup1), these are shared with the QoS microflow policer
The following IP packets cannot be forwarded in hardware
  Packets with IP options set
  Packets with TTL<=1
  Packets that are fragments or require fragmentation

Unicast Forwarding
TCAM Resource: Sup2

There are 256K route entries (Sup2), which are cut in half, if Unicast RPF is enabled
The following IP packets cannot be forwarded in hardware
  Packets with IP options set
  Packets with TTL<=1
  Packets that require fragmentation


Multicast
World of Multicast
[Diagram labels: IGMP Snooping, CGMP, Multicast Routing, PIM, IGMP]

IGMP: Router <-> Source/Receiver
CGMP: Router -> Switch
IGMP Snooping: Switch Eavesdrops on IGMP
PIM: Router <-> Router


Multicast
Forwarding Mechanism: MMLS

Hardware switching of IP multicast traffic
MMLS is flow-based in Sup1
MMLS is FIB-based in Sup2


Multicast
Packets Handled in Software

Packets requiring PIM register encapsulation
Packets with IP options in the header
Non-Ethernet II encapsulation
Packets requiring fragmentation
Partial switched flows
  A single multicast flow, with some OIFs handled in hardware, some in software

Multicast
Path Verification
[Diagram: MSFC (Vlan 1 10.1.1.1, Vlan 2 10.1.2.1) and Sup; Source 10.1.1.5 in Vlan 1; group 224.1.1.1; Receiver 10.1.2.5 in Vlan 2]


Multicast
Path Verification: Hybrid
MSFC# show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, s - SSM Group, C - Connected, L - Local,
       P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,
       J - Join SPT, M - MSDP created entry, X - Proxy Join Timer Running
       A - Advertised via MSDP, U - URD, I - Received Source Specific Host Report
Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.1.1.1), 00:00:17/stopped, RP 0.0.0.0, flags: DJC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan2, Forward/Sparse-Dense, 00:00:02/00:00:00

(10.1.1.5, 224.1.1.1), 00:00:17/00:02:42, flags: T
  Incoming interface: Vlan1, RPF nbr 0.0.0.0, RPF-MFD
  Outgoing interface list:
    Vlan2, Forward/Sparse-Dense, 00:00:02/00:00:00, H

(*, 224.0.1.40), 00:02:59/00:02:51, RP 0.0.0.0, flags: DJCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan1, Forward/Sparse-Dense, 00:02:59/00:00:00

Multicast
Path Verification: Hybrid
MSFC# show mls ip multicast
Multicast hardware switched flows:
(10.1.1.5, 224.1.1.1) Incoming interface: Vlan1, Packets switched: 30
Hardware switched outgoing interfaces: Vlan2
RPF-MFD installed
Total hardware switched flows : 1

Switch (enable) show multicast group 01-00-5e-01-01-01
VLAN  Dest MAC/Route Des  [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------  -----  ------------------------------------------
1     01-00-5e-01-01-01          15/1
2     01-00-5e-01-01-01          1/1,15/1
Total Number of Entries = 2

Switch (enable) show mls multicast entry group 224.1.1.1
Router IP       Dest IP         Source IP       Pkts       Bytes      InVlans OutVlans
--------------- --------------- --------------- ---------- ---------- ------- --------
10.1.1.1        224.1.1.1       10.1.1.5        135        13500      1       2
Total Entries: 1


Multicast
Path Verification: Native
Native# show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, s - SSM Group, C - Connected, L - Local,
       P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,
       J - Join SPT, M - MSDP created entry, X - Proxy Join Timer Running
       A - Advertised via MSDP, U - URD, I - Received Source Specific Host Report
Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.1.1.1), 00:00:24/stopped, RP 0.0.0.0, flags: DC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan2, Forward/Sparse-Dense, 00:00:03/00:00:00

(10.1.1.5, 224.1.1.1), 00:00:24/00:02:35, flags: T
  Incoming interface: Vlan1, RPF nbr 0.0.0.0, RPF-MFD
  Outgoing interface list:
    Vlan2, Forward/Sparse-Dense, 00:00:03/00:00:00, H

(*, 224.0.1.40), 00:03:11/00:02:44, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan2, Forward/Sparse-Dense, 00:03:11/00:00:00

Multicast
Path Verification: Native
Native# show mls ip multicast group 224.1.1.1
Multicast hardware switched flows:
(10.1.1.5, 224.1.1.1) Incoming interface: Vlan1, Packets switched: 99
Hardware switched outgoing interfaces: Vlan2
RPF-MFD installed
Total hardware switched flows : 1

Native# show mls ip multicast summary
1 MMLS entries using 140 bytes of memory
Number of partial hardware-switched flows: 0
Number of complete hardware-switched flows: 1
Directly connected subnet entry install is enabled
Hardware CEF based rate-limiting of RPF failures is enabled
Aggregation of routed oif is enabled

Native# show mac-address-table multicast vlan 2
vlan   mac address     type    learn qos  ports
-----+---------------+--------+-----+---+--------------------------------
   2   0100.5e00.0128  static   Yes   --  Router
   2   0100.5e01.0101  static   Yes   --  Gi1/1,Router

Native# show ip igmp group
IGMP Connected Group Membership
Group Address    Interface    Uptime    Expires   Last Reporter
224.0.1.40       Vlan2        00:30:40  00:02:42  10.1.2.1
224.1.1.1        Vlan2        00:00:10  00:02:49  10.1.2.5



Multicast
IGMP Snooping on a Routerless Segment
[Diagram: IGMP Snooping Switch with a Source and a Client; port 3/45; Original Multicast Stream; IGMP Membership Report; Multicast Router Port?]

IGMP Snooping forwards IGMP Membership Reports to the multicast router port

Multicast
IGMP Snooping on a Routerless Segment

To get around the first issue, static multicast router ports will need to be configured toward the multicast sources
CatOS> (enable) set multicast router 3/45

Native(6k)(config)# interface vlan 1
Native(6k)(config-if)#ip igmp snooping mrouter interface gigabitEthernet 1/2


Multicast
IGMP Querier by Switch
Hybrid Support: 7.1(1)
Switch> (enable) set igmp querier enable 1
IGMP switch querier enabled for VLAN 1
CatOS> (enable) show igmp querier information
VLAN Querier State Query Tx Count QI (seconds) OQI (seconds)
---- ------------- -------------- ------------ -------------
1    QUERIER       0              125          300

Native Support: 12.1(8a)E
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 ip igmp snooping querier
end
Native# show ip igmp int vlan 1
Vlan1 is up, line protocol is up
  Internet address is 10.1.1.1/24
  IGMP is disabled on interface
  Multicast routing is disabled on interface
  Multicast TTL threshold is 0
  No multicast groups joined
  IGMP snooping is globally enabled
  IGMP snooping is enabled on this interface
  IGMP snooping fast-leave is disabled on this interface
  IGMP snooping querier is enabled on this interface
  IGMP snooping last member query interval on this interface is 1000 ms

Multicast
Stream Loss to Groups of Clients
[Diagram labels: Non CGMP/IGMP Snooping Switch, IGMP Leave, IGMP Fast Leave Enabled, Original Multicast Stream]

A Sup1 may delete any layer 2 group that matches the layer 3 address, a Sup2 will not
As soon as one of the clients leaves the multicast group, all the clients on the access switch lose the multicast stream

Multicast
High CPU on Non-DR Router
[Diagram labels: Multicast Source, DR, Non-DR, Non-RPF Traffic, Multicast Receiver]

In a redundant routed multicast environment, the multicast non-designated router will see high CPU utilization due to non-reverse path forwarding (non-RPF) traffic

Multicast
High CPU on Non-DR Router
Sup 1
Drop (filter) SM non-RPF multicast traffic on non-DR: 12.1(8)E
MSFC(config)#mls ip multicast stub
or netflow-based filter non-RPF multicast traffic
MSFC(config)#mls ip multicast non-rpf netflow

Sup 2
Rate-limit (CEF-based) non-RPF multicast traffic: default
MSFC(config)#mls ip multicast non-rpf cef

Sup2 uses the non-RPF Multicast Fast Drop (MFD) feature: default 6.2(1)
Sup1 doesn't have the MFD feature, requiring the ACL solution above

Access Control Lists


Types

[Diagram labels: RACL In, RACL Out, VACL (twice), Vlan 1, Vlan 2]

QACL: Treat this Type of Traffic Differently

Access Control Lists


Examples
VACL
set security acl ip IPACL1 permit host 172.20.53.4 0.0.0.0
set security acl ip IPACL1 permit host 172.20.53.5 0.0.0.0

QACL
set qos acl TEST_ACL trust-dscp ip any any

RACL
ip access-list extended TestACL
 permit udp host 10.1.1.3 host 224.0.0.2 eq 1985
 permit icmp any any
 permit tcp 10.1.1.0 0.0.0.63 range 3000 3100 172.16.0.0 0.0.255.255 gt 1023
[Callouts: each permit line is an ACE; "range 3000 3100" and "gt 1023" are L4OPs]

ACL Labels: 512 system wide (Sup 1 or Sup2), consumed by ACL in (1), ACL out (1), VACL (2), QACL to vlan (1), QACL to port (1)
LOU: 32 system wide (Sup 1 or Sup2), consumed by L4OPs gt (1/2), lt (1/2), neq (1/2), range (1) that appear in RACL, VACL or QACL
L4OP: 9 per ACL (Sup1), 10 per ACL (Sup2)
ACE: maximum depends on MASKS, PATTERNS that can fit in TCAM
TCAM: next slide

Access Control Lists


TCAM Refresher
Memory structure of MASK values and PATTERN values
[Figure: TCAM layout, each mask value shared by eight pattern values.
 Mask Value 1 (32 bits): Pattern Value 1 = 10.1.1.1, then Pattern Values 2 to 8
 Mask Value 2 (24 bits): Pattern Value 1 = 10.1.1.0, then Pattern Values 2 to 8]

access-list 101 permit ip 10.1.1.1 255.255.255.255 any
access-list 101 deny ip 10.1.1.0 255.255.255.0 any

Sup 1: 2000 MASKS, 16000 PATTERNS shared b/w RACLs, VACLs, QACLs
Sup 2: 4000 MASKS, 32000 PATTERNS shared b/w RACLs, VACLs + 4000 MASKS, 32000 PATTERNS for QACLs


Access Control Lists


ACL Features Compilation and Merge
User configuration via CLI (Configure ACL Features)
(config)#access-list 101 permit IP any any
(config-if)#IP access-group 101 input

Processor engine (Compile and Merge ACLs)
Access list configuration is compiled in software by the CPU
Access list entries used by different features on a single interface are merged into a single set of ACEs

Hardware engine (Install in TCAMs)
The ACEs which were generated in software are now programmed into the hardware table


Access Control Lists


Merge Algorithms
Change the algorithm used to merge all the programmed ACLs together into hardware TCAM
Order Independent Merge: the original merge algorithm based on Binary Decision Diagrams (BDD)
Order Dependent Merge (ODM): a new merge algorithm available in CatOS 7.1(1)/12.1(11b)E and Native IOS 12.1(8a)EX based on Value, Mask, Result (VMR)

CatOS(6k)> (enable) set aclmerge algorithm odm
Acl merge algorithm set to odm.
MSFC(config)# mls aclmerge algorithm odm
Native(6k)(config)#mls aclmerge algorithm odm

The algorithm chosen will take effect for new ACLs which are being applied, not for already applied ACLs

Access Control Lists


Error Messages
When you apply an access-list to a VLAN interface, one of the following messages appears:

IOS(6k)(config)# interface vlan 1
IOS(6k)(config-if)# ip access-group 100 in
<router>%ACL-3-NOLOU:Acl engine is out of logical operation unit
<router>%ACL-3-RACLMAPCOMMITFAIL:Failed to map Router ACL to VLAN 1
<switch>%FM-4-TCAM_LOU: Hardware TCAM LOU capacity exceeded
<switch>%FM-4-RACL_REDUCED: Interface Vlan1 routed traffic will be software switched in ingress direction(s)

OR

<router>%ACL-3-TCAMFULL:Acl engine TCAM table is full
<router>%ACL-3-RACLMAPCOMMITFAIL:Failed to map Router ACL to VLAN 1
<switch>%FM-4-TCAM-ENTRY: Hardware TCAM entry capacity exceeded
<switch>%FM-4-RACL_REDUCED: Interface Vlan1 routed traffic will be software switched in ingress direction(s)
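These messages matter operationally because an ACL that failed to fit in hardware leaves the interface's routed traffic on the software path. The following is an added example, not part of the slides: it scans collected log lines for the messages shown above and reports, per interface, the cause and whether traffic is now software switched. The log lines are constructed from the slide's messages (the Vlan20 lines are invented for the sample), and the function name is hypothetical.

```python
import re

# Resource-exhaustion messages from the slide, keyed FACILITY-SEVERITY-MNEMONIC.
CAUSES = {
    "ACL-3-NOLOU": "LOU capacity exceeded",
    "FM-4-TCAM_LOU": "LOU capacity exceeded",
    "ACL-3-TCAMFULL": "TCAM entry capacity exceeded",
    "FM-4-TCAM_ENTRY": "TCAM entry capacity exceeded",
}
# Tolerates the stray space ("%FM -4-") and '-' for '_' seen in copied logs.
MSG = re.compile(r"%\s*([A-Z]+)\s*-(\d)-([A-Z_-]+):\s*(.*)")
MAPFAIL = re.compile(r"Failed to map Router ACL to VLAN\s*(\d+)")
REDUCED = re.compile(
    r"Interface (\S+) routed traffic will be software switched in (\w+) direction")

# Constructed sample log.
LOG = """\
<router>%ACL-3-NOLOU:Acl engine is out of logical operation unit
<router>%ACL-3-RACLMAPCOMMITFAIL:Failed to map Router ACL to VLAN 1
<switch>%FM-4-TCAM_LOU: Hardware TCAM LOU capacity exceeded
<switch>%FM-4-RACL_REDUCED: Interface Vlan1 routed traffic will be software switched in ingress direction(s)
<router>%ACL-3-TCAMFULL:Acl engine TCAM table is full
<router>%ACL-3-RACLMAPCOMMITFAIL:Failed to map Router ACL to VLAN 20
<switch>%FM -4-TCAM-ENTRY: Hardware TCAM entry capacity exceeded
<switch>%FM -4-RACL_REDUCED: Interface Vlan20 routed traffic will be software switched in ingress direction(s)
"""


def triage(lines):
    """Return {interface: {"cause", "software_switched", "direction"}}."""
    findings, cause = {}, None
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue
        key = f"{m.group(1)}-{m.group(2)}-{m.group(3).replace('-', '_')}"
        text = m.group(4)
        if key in CAUSES:
            cause = CAUSES[key]          # remembered for the mapping failure that follows
            continue
        iface = direction = None
        if key == "ACL-3-RACLMAPCOMMITFAIL" and (f := MAPFAIL.search(text)):
            iface = f"Vlan{f.group(1)}"
        elif key == "FM-4-RACL_REDUCED" and (r := REDUCED.search(text)):
            iface, direction = r.group(1), r.group(2)
        if iface is None:
            continue
        entry = findings.setdefault(
            iface, {"cause": cause, "software_switched": False, "direction": None})
        if direction:
            entry["software_switched"] = True
            entry["direction"] = direction
    return findings


if __name__ == "__main__":
    for iface, info in triage(LOG.splitlines()).items():
        print(iface, info)
```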


Access Control Lists


Show Commands

Order Independent Merge
Native# show tcam counts
             Used    Free
Labels:         3     509
ACL_TCAM
  Masks:      136    3960
  Entries:    187   32581

Order Dependent Merge
Native# show tcam counts
             Used    Free
Labels:         3     509
ACL_TCAM
  Masks:       21    4075
  Entries:    104   32664

CatOS> (enable) show security acl resource-usage
Security ACL resource usage:
ACL storage (mask/value): 5.21%/1.9%
ACL to switch interface mapping table: 0.98%
ACL layer 4 port operators: 26.56%


Access Control Lists


Additional Information

Understanding ACL Merge Algorithms and ACL Hardware Resources in Catalyst 6000 Family Switches
http://www.cisco.com/warp/customer/cc/pd/si/casi/ca6000/tech/65acl_wp.pdf


Access Control Lists


RACL Is Being Software Switched
Higher CPU

interface Vlan2
 no ip unreachables
 ip access-group 105 in
!
access-list 105 deny ip any 10.1.1.1 255.255.255.255
access-list 105 permit ip any 10.1.1.2 255.255.255.255 log
access-list 105 permit ip any any

Sup 1: log keyword, hits on the ACE go to the MSFC
Sup 1: ip unreachables, hits on the deny ACE, ICMP unreachable sent by the MSFC
Sup 2: rate-limits both to the MSFC
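Both Sup 1 conditions can be found by reading the configuration before the CPU shows it. The following is an added example, not code from the slides: it flags applied ACLs that contain a log ACE, and explicit deny ACEs on interfaces that lack "no ip unreachables". It handles numbered ACLs only; Vlan3 and ACL 106 are constructed, and the function name is hypothetical.

```python
import re

CONFIG = """\
! Vlan2 and ACL 105 are the slide's example; Vlan3 and ACL 106 are constructed.
interface Vlan2
 no ip unreachables
 ip access-group 105 in
!
access-list 105 deny ip any 10.1.1.1 255.255.255.255
access-list 105 permit ip any 10.1.1.2 255.255.255.255 log
access-list 105 permit ip any any
!
interface Vlan3
 ip access-group 106 in
!
access-list 106 deny ip any host 10.1.3.1
access-list 106 permit ip any any
"""


def audit(config):
    """Return (interface, acl, reason, ace) tuples for ACEs that reach the MSFC on Sup 1."""
    acls = {}       # ACL number -> list of ACE strings
    ifaces = {}     # interface -> {"acls": [(number, direction)], "unreachables": bool}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\d+) (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            # ICMP unreachables are on unless the interface disables them.
            current = ifaces.setdefault(m.group(1), {"acls": [], "unreachables": True})
            continue
        if current is None:
            continue
        if line == "!":
            current = None
        elif line == "no ip unreachables":
            current["unreachables"] = False
        else:
            m = re.match(r"ip access-group (\d+) (in|out)", line)
            if m:
                current["acls"].append((m.group(1), m.group(2)))

    findings = []
    for name, info in sorted(ifaces.items()):
        for number, _direction in info["acls"]:
            for ace in acls.get(number, []):
                if ace.split()[-1] in ("log", "log-input"):
                    findings.append((name, number, "log", ace))
                # Explicit deny ACEs only, as on the slide.
                if ace.startswith("deny") and info["unreachables"]:
                    findings.append((name, number, "unreachables", ace))
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```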

Access Control Lists


Is ACL in Hardware?

Make sure that the ACL was programmed into hardware by the MSFC and is ACTIVE
MSFC#show fm summary
Current global ACL merge algorithm: ODM
ODM optimizations disabled
Interface: Vlan20 is up
ACL merge algorithm used:
  inbound direction: ODM
  outbound direction: ODM
TCAM screening for features is ACTIVE inbound
MSFC#


Access Control Lists


Policy-Based Routing
Sup 1
Requires mls ip pbr command
Behavior is non-deterministic
Based on traffic flow and order in which flows are established and removed

Sup 2
Only match ip address <acl> and set ip next-hop are supported in hardware
Other match and set operations processed in software
Policy routing ACL programmed in hardware: ACE results point to next-hop adjacency information

Access Control Lists


VACL Overview: VLAN Access Control Lists
VACLs also called VLAN access-maps in IOS
Apply to all traffic on the VLAN
Filter on IP, IPX, or bridged (based on EtherType and MAC address) traffic
Note: IP and IPX traffic NOT access controlled by MAC VACLs!!!

Implicit deny any any at the end


Access Control Lists


VACL Overview

Three VACL actions:


Permit
Redirect
Deny (with logging, supervisor 2 only)

VACL capture option copies traffic to specified capture ports
VACL ACEs installed in hardware, merged with RACLs and other features

Access Control Lists


Checking the VACL Configuration
Console> (enable) show security acl map 1
VLAN 1 is mapped to IP ACL IPACL1.
VLAN 1 is mapped to IPX ACL IPXACL1.
VLAN 1 is mapped to MAC ACL MACACL1.
Console> (enable)
Console> (enable) show security acl map VACL-A
ACL VACL-A is mapped to VLANs:
1

Show VLAN access map
show vlan access-map [map_name]

Show VACL Mappings
show vlan filter [access-map map_name | vlan id]


QoS
QoS at Layer 3 and Layer 2
[Figure: where the QoS marking is carried in each frame or packet format]
Layer 2 ISL: ISL Header (26 Bytes), Encapsulated Frame (1-24.5 KBytes), FCS (4 Bytes). Three Bits (3 LSB of User Field) Used for CoS
Layer 2 802.1Q/p: PREAM., SFD, DA, SA, TCI (4 Bytes), PT, DATA, FCS. Three Bits Used for CoS (3 MSB = User Priority bits)
Layer 3 IPV4: Version, Length, ToS (1 Byte), Len, ID, Offset, TTL, Proto, FCS, IP-SA, IP-DA, Data. Standard IPV4: Three MSB Called IP Precedence (DiffServ May Use Six D.S. Bits Plus Two for Flow Control)



QoS
DSCP in IPv4

[Figure: Layer 3 IPV4 header (Version, Length, ToS (1 Byte), Len, ID, Offset, TTL, Proto, FCS, IP-SA, IP-DA, Data) with the ToS byte expanded: IPprec=4, DSCP=34]


QoS
Sup1 vs. Sup2 (PFCs)
The Catalyst 6500 supports up to 63 microflow policers and up to 1023 aggregate policers

Sup 1
Single rate policer
Shares the TCAM resource to store QACLS w/ RACLS and VACLS (2000 masks 16000 patterns shared)

Sup 2
Single or dual rate policer
Independent TCAM resource to store QACLS (4000 masks 32000 patterns)
More granular output to monitor aggregate policing

Policer Terminology
A policer which acts only on a single flow is called a microflow policer
A policer which acts on a summation of multiple flows concurrently is called an aggregate policer
Policer Can Be Single-Rate or Dual-Rate (Sup 2 Only)
Conform means to flow at or below a Committed Information Rate (CIR) setting
Exceed means to flow at a rate greater than the CIR, but below a Peak Information Rate (PIR)
Violate means to flow at a rate greater than the allowed PIR

QoS In Catalyst 6000


[Figure: packet path. Input Port (RX, ARB, Queue, Priority Q), Forwarding Engine (Classify, Police, Rewrite), Output Port (Queue 1, Queue 2, Priority Q, WRR, ARB, TX)]

Incoming Encapsulation Can Be 802.1Q, ISL, or None
Input scheduling: Queue and Threshold Select Based on Received CoS through Configurable Map IF TRUST-COS; Received CoS Can Be Overwritten IF UNTRUSTED
Classify: DSCP Based Classification; Port Trusted or default CoS; Trust-cos/ipprec/DSCP w/ ACL; Set DSCP w/ ACL; Map to Internal DSCP Value
Police: Policing via ACLs; Police Action: Mark, Drop; Based on: Byte Rate, Burst (Token Bucket)
Rewrite: Rewrites TOS Field in IP Header and 802.1p/ISL CoS Field
Output scheduling: Queue and Threshold Select Based on CoS through Configurable Map; Dequeueing Uses WRR between Two Queues
Each Queue Has Configurable Size and Thresholds, Some Have WRED
Outgoing Encapsulation Can Be 802.1Q, ISL, (or None)


QoS
Classification, Marking and Scheduling: Example
Prioritize the Application through the Network

[Figure: 10.1.1.1, Switch A (ports 2/1 and 1/1), CORE (Acts on DSCP = 32), Switch B (ports 1/1 and 2/1), 20.1.1.1]

2/1 Is on a 6348 Card
1/1 Is on a Sup 1


QoS in Catalyst 6000


Classification, Marking and Scheduling

[Figure: packet path. Input Port (RX, ARB, Queue), Forwarding Engine (Classify, Police, Rewrite), Output Port (Queue 1, Queue 2, Priority Q, WRR, ARB, TX)]

6348 = rx-(1q4t),tx-(2q2t)
Sup1 = rx-(1p1q4t),tx-(1p2q2t)

Rx Thresholds
COS 0,1   50%
COS 2,3   60%
COS 4,5   80%
COS 6,7   100%
OR
COS 0-7   100%

Classify: Set DSCP w/ ACL, Map to Internal DSCP Value

Tx Queues
Queue 1: COS 0,1 40% 70% WRED; COS 2,3 70% 100% WRED
Queue 2: COS 4 40% 70% WRED; COS 6,7 70% 100% WRED
Priority Queue: COS 5 100%

Tx WRR Ratios: Queue 1 = 5, Queue 2 = 255


QoS
Classification, Marking and Scheduling
Console> (enable) set qos enable
QoS is enabled.
Console> (enable) set port qos 2/1 trust trust-cos
Trust type trust-cos not supported on this port.
Receive thresholds are enabled on port 2/1.
Port 2/1 qos set to untrusted.
Console> (enable) set port qos 2/1 cos 4
Port 2/1 qos cos set to 4.

Console> (enable) show qos info runtime 2/1
<sod>
Default CoS = 4
Queue and Threshold Mapping for 1q4t (rx):
Queue Threshold CoS
----- --------- ---------------
1     1         0 1
1     2         2 3
1     3         4 5
1     4         6 7
Rx drop thresholds:
Queue #  Thresholds - percentage (* abs values)
-------  -------------------------------------
1        50% (6144 bytes) 60% (7424 bytes) 80% (9984 bytes) 100% (12288 bytes)
<sod>

Thresholds: COS 0,1 50%; COS 2,3 60%; COS 4,5 80%; COS 6,7 100%

QoS
Classification, Marking and Scheduling
Classification and Marking
Console> (enable) set qos acl ip myVideo dscp 32 ip host 10.1.1.1 any
myVideo editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit qos acl myVideo
QoS ACL 'myVideo' successfully committed.
Console> (enable) set qos acl map myVideo 2/1
ACL myVideo is successfully mapped to port 2/1.

Classifies the Traffic, Marks the Traffic (Set DSCP w/ ACL, Map to Internal DSCP Value)

W2-2.4-C6006-A (enable) show port qos 2/1
<sod>
Runtime:
Port  ACL name                         Type
----- -------------------------------- ----
2/1   myVideo                          IP


QoS
Classification, Marking and Scheduling
Console>(enable) show qos map runtime cos-dscp
CoS - DSCP map:
CoS DSCP
--- ----
0   0
1   8
2   16
3   24
4   32
5   40
6   48
7   56

Console> (enable) show qos info runtime 1/1
Queue and Threshold Mapping for 1p2q2t (tx):
Queue Threshold CoS
----- --------- ---------------
1     1         0 1
1     2         2 3
2     1         4 6
2     2         7
3               5

Queue 1: COS 0,1 40% 70% WRED; COS 2,3 70% 100% WRED
Queue 2: COS 4 40% 70% WRED; COS 6,7 70% 100% WRED
Priority Queue: COS 5 100%

QoS
Classification, Marking and Scheduling
Console> (enable) show qos info runtime 1/1
<sod>
Tx WRED thresholds:
Queue #  Thresholds - percentage (* abs values)
-------  ------------------------------------------
1        40%:70% (124518:217920 bytes) 70%:100% (217907:311168 bytes)
2        40%:70% (26214:45888 bytes) 70%:100% (45875:61440 bytes)
<sod>
WRR Configuration of ports with speed 1000Mbps:
Queue #  Ratios (* abs values)
-------  -------------------------------------
1        5 (1280 bytes)
2        255 (65280 bytes)

Queue 1: COS 0,1 40% 70% WRED; COS 2,3 70% 100% WRED
Queue 2: COS 4 40% 70% WRED; COS 6,7 70% 100% WRED
Priority Queue: COS 5 100%
Tx WRR Ratios: Queue 1 = 5, Queue 2 = 255

QoS in Catalyst 6000


Classification, Marking and Scheduling

[Figure: packet path. Input Port (RX, ARB, Queue, Priority Q), Forwarding Engine (Classify, Police, Rewrite), Output Port (Queue 1, Queue 2, WRR, ARB, TX)]

Sup1 = rx-(1p1q4t),tx-(1p2q2t)
6348 = rx-(1q4t),tx-(2q2t)

Rx Thresholds
Queue 1: COS 0,1 50%; COS 2,3 60%; COS 4 80%; COS 6,7 100%
Priority: COS 5 100%
OR
COS 0-7 100%

Classify: Port Trusted or default CoS, Map to Internal DSCP Value

Tx Thresholds
Queue 1: COS 0,1 80%; COS 2,3 100%
Queue 2: COS 4,5 80%; COS 6,7 100%

Tx WRR Ratios: Queue 1 = 5, Queue 2 = 255


QoS
Classification, Marking and Scheduling
Console> (enable) show qos info runtime 1/1
<sod>
Queue and Threshold Mapping for 1p1q4t (rx):
All packets are mapped to a single queue.
Rx drop thresholds:
Rx drop thresholds are disabled.
Console> (enable) set port qos 1/1 trust trust-dscp
Port 1/1 qos set to trust-dscp.

COS 0-7 100%

Console> (enable) show port qos 1/1
<sod>
Port  TxPort Type  RxPort Type  Trust Type   Trust Type    Def CoS Def CoS
                                config       runtime       config  runtime
----- ------------ ------------ ------------ ------------- ------- -------
1/1   1p2q2t       1p1q4t       trust-dscp   trust-dscp    0       0

Port Trusted or Default CoS, Map to Internal DSCP Value


QoS
Classification, Marking and Scheduling

Console>(enable) show qos map runtime cos-dscp
CoS - DSCP map:
CoS DSCP
--- ----
0   0
1   8
2   16
3   24
4   32
5   40
6   48
7   56

Console> (enable) show qos info runtime 2/1
Queue and Threshold Mapping for 2q2t (tx):
Queue Threshold CoS
----- --------- ---------------
1     1         0 1
1     2         2 3
2     1         4 5
2     2         6 7

Queue 1: COS 0,1 80%; COS 2,3 100%
Queue 2: COS 4,5 80%; COS 6,7 100%


QoS
Classification, Marking and Scheduling
Console> (enable) show qos info runtime 2/1
Tx drop thresholds:
Queue #  Thresholds - percentage (* abs values)
-------  -------------------------------------
1        80% (72192 bytes) 100% (90112 bytes)
2        80% (14848 bytes) 100% (18432 bytes)
Tx WRED thresholds:
WRED feature is not supported for this port type.
<sod>
WRR Configuration of ports with speed 10Mbps:
Queue #  Ratios (* abs values)
-------  -------------------------------------
1        5 (1264 bytes)
2        255 (65024 bytes)

Queue 1: COS 0,1 80%; COS 2,3 100%
Queue 2: COS 4,5 80%; COS 6,7 100%
Tx WRR Ratios: Queue 1 = 5, Queue 2 = 255

QoS
Classification, Marking and Scheduling
Sample of Configurable Parameters (Hybrid):

To Change the RX Queue Thresholds for a 1q4t Port
set qos drop-threshold 1q4t rx queue 1 20 40 75 100
Queue 1 Thresholds: 1 = 20, 2 = 40, 3 = 75, 4 = 100

To Change the WRR TX Ratios for a 1p2q2t Port
set qos wrr 1p2q2t 30 70
Queue 1 Serviced 30% of Time
Queue 2 Serviced 70% of Time

To Change the COS-Queue Mapping for a 1p2q2t port
set qos map 1p2q2t tx 3 1 cos 5
Queue 3, Threshold 1, Cos 5

QoS
Classification, Marking and Scheduling
Native command: like show qos info runtime 1/1
Native# show queueing int fast 2/1
Interface FastEthernet2/1 queueing strategy: Weighted Round-Robin
Port QoS is enabled
Port is untrusted
Extend trust state: not trusted [COS = 0]
Default COS is 0
Transmit queues [type = 2q2t]:
Queue Id    Scheduling  Num of thresholds
-----------------------------------------
1           WRR low     2
2           WRR high    2
WRR bandwidth ratios: 100[queue 1] 255[queue 2]
queue-limit ratios:    70[queue 1]  30[queue 2]

queue tail-drop-thresholds
--------------------------
1     80[1] 100[2]
2     80[1] 100[2]
<sod>

QoS
Classification and Policing
Police traffic from host to rest of network to 2 Mbps by dropping when exceeded

[Figure: 10.1.1.5, port 2/1, Native 6500, Network]


QoS
Classification and Policing
Sample Config: Single Rate Policer (Native)
class-map match-all HOSTCHRIS
 ! Match on Access-Group
 match access-group 101
!
policy-map myPOLICER
 ! Associate Policy w/ Class
 class HOSTCHRIS
  police 2000000 4000 4000 conform-action transmit exceed-action drop
!
! Required Qos Config
mls qos
!
interface FastEthernet2/1
 no ip address
 ! Apply Policy to Interface
 service-policy input myPOLICER
 switchport
 switchport mode access
!
! Classify Traffic Here
access-list 101 permit ip host 10.1.1.5 any


QoS
Classification and Policing
Sample Config: Single Rate Policer (Native)
policy-map myPOLICER
 class HOSTCHRIS
  police 2000000 4000 4000 conform-action transmit exceed-action drop

Callouts on the police command:
Rate = 2 Mbps
Normal Burst = 4000 Bytes
Maximum Burst = 4000 Bytes
Conform Action
Exceed Action

Set Rate to the Max Amount of Traffic you Want
Set Normal Burst >= Rate/4000 or 2 * the Largest Packet (Whichever Is Greater)
Maximum Burst Is Automatically Set = Normal Burst by IOS for Single-Rate Policer
Conform Action: Transmit or Policed-DSCP-Transmit
Exceed Action: Policed-DSCP or Drop

Sample Config: Single Rate Policer (Hybrid)
Switch> (enable) set qos policer aggregate myPOLICER rate 2000 burst 32 drop

Rate = 2000 Kbps
Normal Burst = 32 Kbps



QoS
Classification and Policing
Verification: Single Rate Policer
Native# sho mls qos ip fast 2/1
[In] Policy map is myPOLICER [Out] Default.
QoS Summary [IP]: (* - shared aggregates, Mod - switch module, F - install error)
Int    Mod Dir Cl-map    DSCP AgId Trust FlId AgForward-Pk AgPoliced-Pk
-----------------------------------------------------------------------
Fa2/1  1   I   HOSTCHRIS 0    1    dscp  0    45652        0
<run command again>
Fa2/1  1   I   HOSTCHRIS 0    1    dscp  0    45835        0

AgForward-Pk Will Increment if Traffic Is Matching the ACL

Native# sho mls qos ip fast 2/1
[In] Policy map is myPOLICER [Out] Default.
QoS Summary [IP]: (* - shared aggregates, Mod - switch module, F - install error)
Int    Mod Dir Cl-map    DSCP AgId Trust FlId AgForward-Pk AgPoliced-Pk
-----------------------------------------------------------------------
Fa2/1  1   I   HOSTCHRIS 0    1    dscp  0    188631       4625
<run command again>
Fa2/1  1   I   HOSTCHRIS 0    1    dscp  0    198852       5975

AgPoliced-Pk Will Increment if Traffic Is Being Policed



QoS
Classification and Policing
Police traffic from host to network
Above 4 Mbps: drop
Above 2 Mbps, but less than 4 Mbps: mark down

[Figure: 10.1.1.5, port 1/1, Native 6500, Network]


QoS
Classification and Policing
Sample Config: Dual Rate Policer (Native)
policy-map myPOLICER
 class HOSTCHRIS
  police 2000000 4000 8000 pir 4000000 conform-action transmit exceed-action policed-dscp-transmit violate-action drop
mls qos map policed-dscp normal-burst 25 26 27 28 29 30 31 32 to 0

Callouts:
Maximum Burst = 8000 Bytes
Peak Rate
Exceed Action = Police the DSCP Down
Violate Action = Drop
Map DSCP 25-32 => 0

Traffic Rate   Action
<2Mbps         Transmit
2-4Mbps        Markdown
>4Mbps         Drop

Native# show mls qos maps
Normal Burst Policed-dscp map: (dscp= d1d2)
d1 : d2 0  1  2  3  4  5  6  7  8  9
-------------------------------------
 0 :    00 01 02 03 04 05 06 07 08 09
 1 :    10 11 12 13 14 15 16 17 18 19
 2 :    20 21 22 23 24 00 00 00 00 00
 3 :    00 00 00 33 34 35 36 37 38 39
 4 :    40 41 42 43 44 45 46 47 48 49
 5 :    50 51 52 53 54 55 56 57 58 59
 6 :    60 61 62 63
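The conform, exceed and violate terms from the Policer Terminology slide, and the rate/action table above, can be reproduced with two token buckets. The following is an added example, not code from the slides: it uses the color-blind two rate three color marker of RFC 2698 as a stand-in, since the slides do not describe the PFC2 hardware algorithm, with the rates, bursts and policed-dscp map taken from the sample config. Class and function names, the 500-byte packet size and the 2-second run are assumptions.

```python
# Slide's map: DSCP 25-32 is marked down to 0; other values are unchanged.
POLICED_DSCP_MAP = {d: 0 for d in range(25, 33)}


class DualRatePolicer:
    """Two token buckets: one filled at the CIR, one at the PIR (RFC 2698 style)."""

    def __init__(self, cir_bps, normal_burst, max_burst, pir_bps):
        self.cir = cir_bps / 8.0              # fill rates in bytes per second
        self.pir = pir_bps / 8.0
        self.cbs, self.pbs = normal_burst, max_burst
        self.tc, self.tp = float(normal_burst), float(max_burst)  # start full
        self.last = 0.0

    def police(self, now, size, dscp):
        """Return (action, dscp_out) for a packet of `size` bytes at time `now` (s)."""
        elapsed = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        if size > self.tp:                    # above PIR: violate
            return "drop", None
        self.tp -= size
        if size > self.tc:                    # above CIR, within PIR: exceed
            return "policed-dscp-transmit", POLICED_DSCP_MAP.get(dscp, dscp)
        self.tc -= size                       # at or below CIR: conform
        return "transmit", dscp


def offer(rate_bps, seconds=2.0, size=500, dscp=32):
    """Send a constant-rate stream through the slide's policer; return (counts, DSCPs out)."""
    policer = DualRatePolicer(2_000_000, 4000, 8000, 4_000_000)
    interval = size * 8 / rate_bps
    counts = {"transmit": 0, "policed-dscp-transmit": 0, "drop": 0}
    dscp_out = set()
    for n in range(int(seconds / interval)):
        action, out = policer.police(n * interval, size, dscp)
        counts[action] += 1
        if out is not None:
            dscp_out.add(out)
    return counts, dscp_out


if __name__ == "__main__":
    for mbps in (1, 3, 6):
        print(f"{mbps} Mbps offered:", offer(mbps * 1_000_000))
```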



QoS
Classification and Policing
Sample Config: Dual Rate Policer (Hybrid)
Switch> (enable) set qos policer aggregate myPOLICER rate 2000 policed-dscp erate 4000 drop burst 32 eburst 64
Switch> (enable) set qos policed-dscp-map normal-rate 25-32:0

Callouts:
Maximum Burst = 64 Kbps
Peak Rate = 4000 Kbps
Map DSCP 25-32 = 0

Traffic Rate   Action
<2Mbps         Transmit
2-4Mbps        Markdown
>4Mbps         Drop

Console> (enable) show qos maps runtime policed-dscp-map normal-rate
DSCP - Policed DSCP map normal-rate:
DSCP                             Policed DSCP
-------------------------------- ------------
0,25-32                          0
1                                1
2                                2

QoS
Classification and Policing
Verification: Dual Rate Policer (Native)
Native# sho mls qos ip gig 1/1
[In] Policy map is myPOLICER [Out] Default.
QoS Summary [IP]: (* - shared aggregates, Mod - switch module, F - install error)
Int    Mod Dir Cl-map    DSCP AgId Trust FlId AgForward-Pk AgPoliced-Pk
-----------------------------------------------------------------------
Gi1/1  1   I   HOSTCHRIS 0    1    dscp  0    14478        0
<run command again>
Gi1/1  1   I   HOSTCHRIS 0    1    dscp  0    27838        0

Native# sho mls qos ip gig 1/1
[In] Policy map is myPOLICER [Out] Default.
QoS Summary [IP]: (* - shared aggregates, Mod - switch module, F - install error)
Int    Mod Dir Cl-map    DSCP AgId Trust FlId AgForward-Pk AgPoliced-Pk
-----------------------------------------------------------------------
Gi1/1  1   I   HOSTCHRIS 0    1    dscp  0    197349       2899
<run command again>
Gi1/1  1   I   HOSTCHRIS 0    1    dscp  0    218985       7863


QoS
Classification and Policing
Verification: Dual Rate Policer (Native)
Native# sho mls qos
<sod>
QoS global counters:
Total packets: 549639
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 39183
IP packets with COS changed by policing: 42587

Native# sho mls qos last
Packet was transmitted
Packet L3 Prot: 0, packet length: 46, dont_plc: No
Input COS: 0, TOS/DSCP: 0x80/32
Output TOS/DSCP: 0x0/0[rewritten]
Output COS: 0[unchanged]
<sod>
NT&NS: l3_prot: 0(1), 10.1.1.5.0x0000 ==> 10.1.2.5.0x0000
<run command again>
Packet was transmitted
Packet L3 Prot: 0, packet length: 46, dont_plc: No
Input COS: 0, TOS/DSCP: 0x80/32
Output TOS/DSCP: 0x80/32[unchanged]
Output COS: 4[rewritten]
<sod>
NT&NS: l3_prot: 0(1), 10.1.1.5.0x0000 ==> 10.1.2.5.0x0000

QoS
Classification and Policing
To Verify Policing Action on Sup1 (Hybrid)
Console> (enable) show qos statistics l3stats
Packets dropped due to policing: 0
IP packets with ToS changed: 377218
IP packets with CoS changed: 22405
Non-IP packets with CoS changed: 0

To Verify Policing Action on Sup2 (Hybrid)
Console> (enable) show qos statistics aggregate-policer user1Mbps
QoS aggregate-policer statistics:
Aggregate policer               Allowed packet Packets exceed Packets exceed
                                count          normal rate    excess rate
------------------------------- -------------- -------------- --------------
user1Mbps                       115728         884731         884731


Recommended Reading
Cisco Catalyst QoS: Quality of Service in Campus Networks
ISBN: 1587051206

Cisco Field Manual: Catalyst Switch Configuration


ISBN: 1587050439

Available on-site at the Cisco Company Store



Recommended Reading
Cisco Internetwork Troubleshooting
ISBN: 1578700922

Internetworking Troubleshooting Handbook, Second Ed.


ISBN: 1578700056

Available on-site at the Cisco Company Store

