Cisco 6500 QOS

By enabling ‘mls qos’ you’re splitting your already small buffer space on this platform into 4 pieces and using just one of them for normal traffic “mls qos” activates QoS, and that includes _ALL_ of the default QoS configs including automatic classify and remark, and all the default queues.

This lets the interfaces use (almost) as much as possible from the common buffers on the switch.

mls qos queue-set output 1 threshold 1 3100 3100 100 3200 
mls qos queue-set output 1 threshold 2 3100 3100 100 3200 
mls qos queue-set output 1 threshold 3 3100 3100 100 3200 
mls qos queue-set output 1 threshold 4 3100 3100 100 3200 
mls qos
Voorbeeld:
http://ampere.rathlev.dk/3560-3750-QoS-basis-template.txt

The “QoS Overview” chapter of the “Cisco Catalyst 3750 QoS  Configuration Examples” document explains the architecture:

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/91862-cat3750-qos-config.html#topic1

Any one ever worked on Cisco 6500 QOS specifically 6503 or 6524(help) needed
The 6500 series switch has unique, complex and restrictive hardware QOS compared to a software based router/switch.http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/qos.html6748 is a switch based line card. It has limited qos features supported as
compared to a routed platform such as ISR router.
On 12 Oct 2014 10:45, “Ahsan Rasheed” <ahsanrasheed9@gmail.com> wrote:> Hi All,
>
> I am having issue specifically doing QOS configuration on 6503 or 6524 or
> 6509 switches. I am unable to match any EF(voice) traffic for eompls(vlan
> based) on 6503 cisco switch. If i use any other router as 2811 or 2821 my
> QOS configuration works perfect but if i put 6503 as PE2 it does not work.i
> am using vlan based eompls.
>
> Below is the scenario & configuration which i am having issue.
>
>
> CE1(2821 router)(dot1Q)———>PE1(2821 router)——->P(6524
> switch)——–>PE2(6503 switch)——->(dot1Q)(2821 switch)CE2.
>
> On CE1 i can match ip-precedence 5 traffic and mark that traffic to cos5 on
> outbound port.On PE1 i can match cos5 packet and mark with mpls exp top5 on
> inbound port, on outbound port i can match mpls exp 5.
>
> On PE2(6503) i am unable to match that mpls exp5 packet on inbound port.
> none of the configuration worked on 6500 series switches with mls qos, ,mls
> qos trust dscp,mls qos trust cos etc. Although i can match cos5 traffic on
> CE2 on inbound interface.i can not match mpls exp 5 traffic on 6503 and all
> i can see traffic as default-class on 6503 switch. I tried many things and
> many configurations on 6503 but nothing worked.If i put 2821 router as PE2
> instead of 6503 my qos configuration works. but why if i put 6503 my same
> qos configuration does not work?
>
> —match means=classification or classify
>
> Can anyone tell me how qos works on 6500 series switches or where i am
> having issue in my scenario.
> i am using this ios on 6503: s72033-advipservicesk9_wan-mz.122-33.SXI3.bin.
>
> below r my questions for 6503 qos:
>
> 1.do i need to use some other map tables,am i  using correct map tables on
> 6503 as cos-dscp,dscp-cos,exp-dscp etc.
> 2.any other configuration of qos needed on 6503?
> 3.i am unable to match anything on outbound port of 6503.
> 4.on 6503 i am using sup720 and PFC3BXL.any specific configuration needed
> for PFC3bxl.
> 5. 6503 not allowing me to match qos-group on inbound interface, not
> allowing me to set cos5 on outbound interface. not allowing me to set cos5
> as an inbound interface.
>
>
> CE1(2821) config:
> ————————
> !
> class-map match-any EF
>  match ip precedence 5
> class-map match-any data
>  match ip precedence 3
> !
> !
> policy-map ip2mpls
>  class EF
>   set cos 5
>  class data
>   set cos 3
> !
> interface FastEthernet0/0
>  no ip address
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/0.455
>  encapsulation dot1Q 455
>  ip address 172.16.15.1 255.255.255.252
>  service-policy output EF
> !
>
> PE1(2821) config:
> ————————-
> ————————-
> mls qos map cos-dscp 0 8 16 24 32 40 48 56
> !
> class-map match-all exp_3
>  match mpls experimental topmost 3
> class-map match-all mpls_exp
>  match mpls experimental topmost 5
> class-map match-any cos3
>  match cos  3
> class-map match-any LOO1
>  match cos  5
> !
> !
> policy-map EF
>  class LOO1
>   set mpls experimental imposition 5
>  class cos3
>   set mpls experimental imposition 3
> policy-map QOS_G_5
>  class mpls_exp
>   priority
>  class exp_3
>   bandwidth 500
> !
> interface Loopback0
>  ip address 3.3.3.3 255.255.255.255
> !
> interface FastEthernet0/0
>  ip address 192.168.23.2 255.255.255.0
>  ip ospf network point-to-point
>  duplex auto
>  speed auto
>  mpls ip
>  service-policy output QOS_G_5
> !
> interface FastEthernet0/1.455
>  encapsulation dot1Q 455
>  xconnect 5.5.5.5 455 encapsulation mpls
>  service-policy input EF
> !
> ——————————
> ——————————
> PE2(6503 qos):
> R1#show module
> Mod Ports Card Type                              Model              Serial
> No.
> — —– ————————————– ——————
> ———–
>   1    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE
>  SAL09401U2L
>   2   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
> SAL114247YN
>   3   16  16 port 1000mb GBIC ethernet           WS-X6416-GBIC
>  SAL0712AM69
>   4   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP
> SAL10019J4N
>   5    2  Supervisor Engine 720 (Hot)            WS-SUP720-3BXL
> SAD102805VM
>   6    2  Supervisor Engine 720 (Active)         WS-SUP720-BASE
> SAD0846060F
>
> Mod  Sub-Module                  Model              Serial       Hw
> Status
> —- ————————— —————— ———– ——-
> ——-
>   1  Distributed Forwarding Card WS-F6700-DFC3BXL   SAD102504EF  5.3    Ok
>   2  Centralized Forwarding Card WS-F6700-CFC       SAD111300PD  3.1    Ok
>   4  Centralized Forwarding Card WS-F6700-CFC       SAL1004BQ2A  2.0    Ok
>   5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAD10270189  1.8    Ok
>   5  MSFC3 Daughterboard         WS-SUP720          SAD102801G5  2.5    Ok
>   6  Policy Feature Card 3       WS-F6K-PFC3BXL     SAL1415FE95  1.11   Ok
>   6  MSFC3 Daughterboard         WS-SUP720          SAD08440794  2.4    Ok
>
> R1#show mls qos maps
>    Normal Burst Policed-dscp map:                                  (dscp=
> d1d2)
>      d1 :  d2 0  1  2  3  4  5  6  7  8  9
>      ————————————-
>       0 :    01 01 02 03 04 05 06 07 08 09
>       1 :    10 11 12 13 14 15 16 17 18 19
>       2 :    20 21 22 23 24 25 26 27 28 29
>       3 :    30 31 32 33 34 35 36 37 38 39
>       4 :    40 41 42 43 44 45 01 47 48 49
>       5 :    50 51 52 53 54 55 56 57 58 59
>       6 :    60 61 62 63
>
>    Maximum Burst Policed-dscp map:                                  (dscp=
> d1d2)
>      d1 :  d2 0  1  2  3  4  5  6  7  8  9
>      ————————————-
>       0 :    00 01 02 03 04 05 06 07 08 09
>       1 :    10 11 12 13 14 15 16 17 18 19
>       2 :    20 21 22 23 24 25 26 27 28 29
>       3 :    30 31 32 33 34 35 36 37 38 39
>       4 :    40 41 42 43 44 45 46 47 48 49
>       5 :    50 51 52 53 54 55 56 57 58 59
>       6 :    60 61 62 63
>
>    Dscp-cos map:                                  (dscp= d1d2)
>      d1 :  d2 0  1  2  3  4  5  6  7  8  9
>      ————————————-
>       0 :    00 00 00 00 00 00 00 00 01 01
>       1 :    01 01 01 01 01 01 02 02 02 02
>       2 :    02 02 02 02 03 03 03 03 03 03
>       3 :    03 03 04 04 04 04 04 04 04 04
>       4 :    05 05 05 05 05 05 05 05 06 06
>       5 :    06 06 06 06 06 06 07 07 07 07
>       6 :    07 07 07 07
>
>    Dscp-exp map:                                  (dscp= d1d2)
>      d1 :  d2 0  1  2  3  4  5  6  7  8  9
>      ————————————-
>       0 :    00 00 00 00 00 00 00 00 01 01
>       1 :    01 01 01 01 01 01 02 02 02 02
>       2 :    02 02 02 02 03 03 03 03 03 03
>       3 :    03 03 04 04 04 04 04 04 04 04
>       4 :    05 05 05 05 05 05 05 05 06 06
>       5 :    06 06 06 06 06 06 07 07 07 07
>       6 :    07 07 07 07
>
> Cos-dscp map:
>          cos:   0  1  2  3  4  5  6  7
>      ————————————
>         dscp:   0 10 18 24 34 46 48 56
>
>    IpPrecedence-dscp map:
>       ipprec:   0  1  2  3  4  5  6  7
>      ————————————
>         dscp:   0  8 16 24 32 40 48 56
>
>    Exp-dscp map:
>          exp:   0  1  2  3  4  5  6  7
>      ————————————
>         dscp:   0  8 16 24 32 40 48 56
>
>
> mls netflow interface
> mls qos map cos-dscp 0 10 18 24 34 46 48 56
> mls qos
> !
> class-map match-all exp_3
>  match mpls experimental topmost 3
> class-map match-all EXP_5
>  match mpls experimental topmost 5
> class-map match-all QOS_GROUP_5
>  match qos-group 5
> class-map match-all prec5
>  match ip precedence 5
> class-map match-all cos5
>  match cos  5
> !
> policy-map mpls2ip
> class QOS_GROUP_5
>  set cos 5
> !
> policy-map IN_FROM_R3
>  class EXP_5
>   set qos-group 5
> !
> interface Loopback0
>  ip address 5.5.5.5 255.255.255.255
> !
> interface GigabitEthernet2/2
>  mls qos trust cos
> or <———— (tried both individually but none worked)
>  mls qos trust dscp
> !
> interface GigabitEthernet2/2.455
>  encapsulation dot1Q 455
>  xconnect 3.3.3.3 455 encapsulation mpls
>  service-policy output mpls2ip
> !
> interface GigabitEthernet2/1
>  ip address 192.168.34.4 255.255.255.0
>  ip ospf network point-to-point
>  mls qos trust cos
> or <———— (tried both individually but none worked)
>  mls qos trust dscp
>  mpls ip
>  service-policy input IN_FROM_R4
> !
> Thanks & regards,
> Ahsan Rasheed

 

Cisco, Netwerk (C-NSP)

Cisco ASA return traffic with explicit deny on outside interfac

I have an ASA running 8.4 in a pretty simple setup with 2 interfaces (inside/outside). I have to 2 ACLs where one is applied inbound on the inside, and one ACL applied inbound on the outside interface. The outside ACL has an explicit deny ip any any statement for logging purposes.

I am wondering, does return traffic (for connections originated on the inside network) get through  the ASA with the explicit deny ip any any statement in the outside ACL?  I know it works without an ACL applied to the outside interface, but the explicit deny got me thinking. I haven’t a device with me to test it unfortunately
Return traffic will be permitted.

Any traffic originating on a network connected to a higher security interface will not need an ACL to ingress.  When the traffic egresses to a lower security interface it will automatically be let back in.

Any traffic originating on a network connected to a lower security interface will need an ACL to allow ingress.  When the traffic egresses to a higher security interface it will also be let back in.

That’s how I remember it anyway.. 🙂

Point 3. In the below link seems to back me up.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

Cisco, Netwerk (C-NSP), Security

How to troubleshoot input queue drop continuously on Cisco7600?

> k1#sho int te1/4
>
>   Last clearing of “show interface” counters 00:12:35
>
>   Input queue: 0/200/69739/69739 (size/max/drops/flushes); Total
> output
> drops: 0

On this platform those drops could be for traffic forwarded to the CPU.
What does the interface configuration look like? Is it a L3 interface (“no switchport”), or is it a L2 interface? If the latter, and you have SVIs (VLAN interfaces) for some of the VLANs it carries, look for drops on those SVIs.

If they are “microburst” drops on L3-interfaces then you can possibly mitigate it using “hold-queue <N> in” on the L3-interfaces (SVIs or the “no switchport” interface itself). This is a trade-off; don’t use a too high setting for input-queue or you will get other problems.

You could use a SPAN session to look at what traffic might cause this.
The SPAN replication is before traffic is forwarded to the CPU so you should be able to see floods.

>   1    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE

This card has rather small queues so it might simply be microbursts. In that case you might have to find a port on another card.

For general info about input queue drops this is a good read:

http://www.cisco.com/c/en/us/support/docs/routers/10000-series-routers/6343-queue-drops.html

Oversubscribing the card would cause output drops, not input queue drops.
As someone else mentioned, this is punted traffic.

I’d suggest using NetDR to find out.
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/116475-technote-product-00.html

On Mon, Oct 20, 2014 at 9:42 PM, PlaWanSai RMUTT CPE IX <
pws_admin@thaicpe.com> wrote:

Cisco, Netwerk (C-NSP)

CFC linecards on 7600 – traffic punted to RP

7606s-test#show fm sum

Interface: GigabitEthernet6/2 is up
TCAM screening for features: ACTIVE inbound
Interface: Vlan1600 is up
TCAM screening for features: ACTIVE inbound

Gi6/2 is mnagement port on RSP, Vlan1600 is active on Te4/1 in access mode.

!SVI of VLAN active on Te4/1
interface Vlan1600
ip address 192.168.100.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
end

! null routing of destination IP of packets generated by downstream
device on te4/1
ip route 192.168.115.1 255.255.255.255 null0

7606s-test#show int vlan 1600
Vlan1600 is up, line protocol is up
30 second input rate 48325000 bits/sec, 100677 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec

7606s-test#top
CPU utilization for five seconds: 49%/48%; one minute: 48%; five
minutes: 34%

7606s-test#show ibc
Interface information:
Interface IBC0/0(idb 0x18D112A4)
5 minute rx rate 34956000 bits/sec, 72805 packets/sec
5 minute tx rate 0 bits/sec, 0 packets/sec

7606s-test#show netdr captured-packets
——- dump of incoming inband packet ——-
interface Vl1600, routine process_rx_packet_inline, timestamp 03:14:18.723
dbus info: src_vlan 0x640(1600), src_indx 0xC0(192), len 0x40(64)
bpdu 0, index_dir 0, flood 0, dont_lrn 0, dest_indx 0x380(896)
A8020400 06400000 00C00000 40000000 00110524 0E000040 00000000 03802000
destmac 00.21.D8.CB.4B.00, srcmac 00.1B.21.D7.36.74, protocol 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 28, identifier 6692
df 0, mf 0, fo 0, ttl 64, src 192.168.100.2, dst 192.168.115.1
udp src 3854, dst 10000 len 8 checksum 0x102A

>
> On 5 Nov 2014, at 18:32, Jiri Prochazka wrote:
>
>> We will try the same setup with another RSP720-3CXL. I am getting to
>> the point it may be faulty Sup, even it seems very odd for me.
>> Everything works, but uRPF on CFC equipped cards..
>
> What other features do you have turned on which use up TCAM space?
>
> It’s sure sounding like a bug, though.
>
> Also, the output from sh fm sum when the issue is occurring might be
> useful, as well.

Cisco
1 16 17 18 19 20