This document describes microflow policing on Catalyst 6500 Series switches.
There are no specific requirements for this document.
The information in this document is based on a Cisco Catalyst 6500 Series switch that runs on a Supervisor Engine 720.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Here is a use case for your consideration. A university requires that each student be limited to a bandwidth of 10Mbps while using the Internet. If aggregate policing is configured, the bandwidth is distributed unequally among the students, because a single policer is shared by all of them. A microflow policer, which keeps a separate policer per flow, is better suited to this task.
Microflow policing helps users police traffic based on flows. A flow is usually defined by Source IP (SRC-IP), Destination IP (DST-IP), SRC-DST IP, SRC-DST Port, or SRC-Interface. Here is an example:
Source 10.0.0.1 sending a TCP stream to 15.0.0.1 with a source TCP port of 50 and destination port 2000
Source 10.0.0.1 sending a TCP stream to 15.0.0.2 with a source TCP port of 60 and destination port 2000
If classification is done based on the SRC-IP, then the number of flows equals one. If classification is done based on the DST-IP, then the number of flows equals two. If classification is done based on the DST Port, then the number of flows equals one.
When we apply a service policy under an interface, either the physical interface or the Switch Virtual Interface (SVI), the service policy is programmed in the hardware. Quality of Service (QoS) Ternary Content Addressable Memory (TCAM) is used in order to store the entry. Additionally, since the switch must remember the flows, it stores individual flow information in the hardware. NetFlow TCAM is used for this purpose. Hence, there are two places where you can check the programming in the hardware: the Access Control List (ACL) TCAM and the NetFlow TCAM.
Since the same NetFlow TCAM is used by other features, like Network Address Translation (NAT), NetFlow Data Export (NDE), and Web Cache Communication Protocol (WCCP), it is possible that there is a conflict in the microflow policer programming in the hardware. Some TCAM conflict scenarios are provided at the end of this document.
There is a Cisco Catalyst 6500 Series switch engaged in interVLAN routing. The sources of traffic are located in VLAN 20, and have these IP addresses: 20.20.20.2 and 20.20.20.3. Both of the sources try to send traffic towards the IP address 30.30.30.2, which is located in VLAN 30. The goal is to allocate 100Kbps of bandwidth to each source.
ip access-list ext vlan20_30
 permit ip 20.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255
class-map POLICE_DIFF_SRC
 match access-group name vlan20_30
policy-map POLICE_DIFF_SRC
 class POLICE_DIFF_SRC
  police flow mask src-only 100000 3000 conform transmit exceed drop
The flow masks available to the microflow policer are listed by the context-sensitive help:
police flow mask ?
  dest-only
  full-flow
  src-only
interface vlan 20
 service-policy input POLICE_DIFF_SRC
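As an added illustration (not part of the original document), the script below applies the three flow masks from the police flow mask ? help to the two TCP streams of the flow-counting example above, and then runs a per-flow token bucket with the 100000 bit/s rate and 3000-byte burst of the VLAN 20 policy, so you can see why src-only gives each host its own bucket while dest-only makes both hosts share one. The packet records, timings and the single-rate bucket model are my own assumptions and a simplification of the hardware policer.

```python
from dataclasses import dataclass, field

def pkt(src, dst, sport=0, dport=0, proto="tcp", length=1500):
    # Constructed packet record holding only the fields a flow mask can look at.
    return {"src_ip": src, "dst_ip": dst, "proto": proto, "sport": sport, "dport": dport, "len": length}

def flow_key(mask, p):
    """NetFlow key the policer would use under each 'police flow mask' option."""
    if mask == "src-only":
        return (p["src_ip"],)
    if mask == "dest-only":
        return (p["dst_ip"],)
    if mask == "full-flow":
        return (p["src_ip"], p["dst_ip"], p["proto"], p["sport"], p["dport"])
    raise ValueError(f"unknown flow mask {mask}")

def count_flows(mask, packets):
    """Number of distinct NetFlow entries the packets would create under the mask."""
    return len({flow_key(mask, p) for p in packets})

@dataclass
class FlowPolicer:
    """One token bucket per flow key: rate in bit/s, burst in bytes, as in 'police flow mask ... 100000 3000'."""
    rate_bps: int
    burst_bytes: int
    buckets: dict = field(default_factory=dict)  # flow key -> (tokens, last_update_ms)

    def police(self, mask, p, now_ms):
        key = flow_key(mask, p)
        tokens, last = self.buckets.get(key, (self.burst_bytes, now_ms))
        # Refill with the bytes earned since this flow's last packet, capped at the burst size.
        tokens = min(self.burst_bytes, tokens + (now_ms - last) * self.rate_bps // 8000)
        if p["len"] <= tokens:
            self.buckets[key] = (tokens - p["len"], now_ms)
            return "transmit"  # conform action
        self.buckets[key] = (tokens, now_ms)
        return "drop"          # exceed action

def simulate(mask, events, rate_bps=100000, burst_bytes=3000):
    """Apply the policer to (time_ms, packet) events in order and return the verdicts."""
    pol = FlowPolicer(rate_bps, burst_bytes)
    return [pol.police(mask, p, t) for t, p in events]

# The two TCP streams from the flow-counting example (constructed sample input).
TWO_STREAMS = [pkt("10.0.0.1", "15.0.0.1", 50, 2000), pkt("10.0.0.1", "15.0.0.2", 60, 2000)]
# VLAN 20 -> VLAN 30 scenario: each host bursts three 1500-byte packets at t=0 ms, then one more at 120 ms.
VLAN20_EVENTS = [(0, pkt(s, "30.30.30.2")) for s in ("20.20.20.2", "20.20.20.3") for _ in range(3)]
VLAN20_EVENTS += [(120, pkt(s, "30.30.30.2")) for s in ("20.20.20.2", "20.20.20.3")]
```

With src-only each host gets two packets through and one dropped before the 120 ms refill lets one more through, whereas with dest-only the second host finds the shared bucket already empty.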
There is a Catalyst 6500 Series switch engaged in layer 2 switching of traffic within the same VLAN. This example demonstrates how to restrict traffic that comes from 10.10.10.2 and goes towards 10.10.10.3 in VLAN 10 to 100Kbps of bandwidth. In order to have the policer affect layer 2-switched traffic, you must enter the mls qos bridged command under interface VLAN 10.
ip access-list ext VLAN10
 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
class-map POLICE_SAME
 match access-group name VLAN10
policy-map POLICE_SAME
 class POLICE_SAME
  police flow mask src-only 100000 3000 conform transmit exceed drop
int vlan 10
 service-policy in POLICE_SAME
 mls qos bridged
There is currently no verification procedure available for this configuration.
6500#show mls qos ip
QoS Summary [IPv4]: (* - shared aggregates, Mod - switch module)
Int Mod Dir Class-map DSCP Ag Trust FL AgForward-By AgPoliced-By
Id Id
---------------------------------------------------------------------------
Fa3/3 1 In POLICE_SAM 0 0* dscp 1 11266001160 0
6500#show tcam interface fa3/3 qos type1 ip
QOS Results: A - Aggregate Policing F - Microflow Policing
M - Mark T - Trust
U - Untrust
------------------------------------------------------
FT ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255 ==> entry is programmed correctly
MU ip any any
6500#show mls netflow ip qos nowrap
Displaying NetFlow entries in Active Supervisor EARL in module 1
DstIP SrcIP Prot : SrcPort : DstPort Src i/f :AdjPtr Pkts Bytes LastSeen QoS PoliceCount Threshold Leak Drop Bucket
------------------------------------------------------------------------------------------------------
0.0.0.0 0.0.0.0 0 :0 :0 -- 0x0 140394 67383880 15:16:29 0x0 0 0 0 NO 0
0.0.0.0 10.10.10.2 0 :0 :0 -- 0x0 227 108506 15:16:22 0x0 35996208 0 0 NO 3386
It is possible that the service policy is not programmed in the hardware in these scenarios. Here are some possible reasons:
6500#show platform hardware capacity qos
QoS Policer Resources
Aggregate policers: Module Total Used %Used
1 1024 102 10%
6 1024 102 10%
Microflow policer configurations: Module Total Used %Used
1 64 32 50%
6 64 32 50%
6500#show fm summary
Interface: Vlan13 is up
TCAM screening for features: INACTIVE inbound
TCAM screening for features: INACTIVE outbound
Interface: Vlan72 is up
TCAM screening for features: ACTIVE inbound
TCAM screening for features: ACTIVE outbound
Interface: Vlan84 is up
TCAM screening for features: ACTIVE inbound
TCAM screening for features: INACTIVE outbound
6500#show fm fie int vlan 10
Interface Vl10:
Feature interaction state created: Yes
Flowmask conflict status for protocol IP :
FIE_FLOWMASK_STATUS_SUCCESS
Flowmask conflict status for protocol OTHER :
FIE_FLOWMASK_STATUS_SUCCESS
Interface Vl10 [Ingress]:
Slot(s) using the protocol IP : 1
FIE Result for protocol IP : FIE_SUCCESS_NO_CONFLICT
Features Configured : [empty] - Protocol : IP
FM Label when FIE was invoked : 66 Current FM Label : 66
Last Merge is for slot: 0 num# of strategies tried : 1
num# of merged VMRs in bank 1 = 0
num# of free TCAM entries in Bank1 = Unknown
num# of merged VMRs in bank 2 = 1
num# of free TCAM entries in Bank2 = Unknown
Slot(s) using the protocol OTHER : 1
FIE Result for protocol OTHER : FIE_SUCCESS_NO_CONFLICT
Features Configured : OTH_DEF - Protocol : OTHER
FM Label when FIE was invoked : 66
Current FM Label : 66
Last Merge is for slot: 0
Features in Bank1 = OTH_DEF
+-------------------------------------+
Action Merge Table
+-------------------------------------+
OTH_DEF RSLT R_RSLT COL
+-------------------------------------+
SB HB P 0
X P P 0
+-------------------------------------+
num# of strategies tried : 1
Description of merging strategy used:
Serialized Banks: FALSE
Bank1 Only Features: [empty]
Bank2 Only Features: [empty]
Banks Swappable: TRUE
Merge Algorithm: ODM
num# of merged VMRs in bank 1 = 1
num# of free TCAM entries in Bank1 = 32745
num# of merged VMRs in bank 2 = 0
num# of free TCAM entries in Bank2 = 32744
Interface Vl10 [Egress]:
No Features Configured
No IP Guardian Feature Configured
No IPv6 Guardian Feature Configured
IP QoS Conflict resolution configured, QoS policy name: POLICE_SAME
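To make the two hardware checks above scriptable, here is an added example (not Cisco's code) that parses constructed copies of the show platform hardware capacity qos and show fm fie outputs, reports modules whose microflow policer configuration table is full, and lists protocols whose flowmask status is anything other than SUCCESS. The sample text, the hypothetical full-table numbers and the exhaustion threshold are assumptions for illustration.

```python
import re

# Constructed sample output modelled on the excerpts above; module 1 is deliberately
# shown with all 64 microflow policer configurations in use (illustrative, not live data).
CAPACITY_OUTPUT = """\
QoS Policer Resources
Aggregate policers: Module Total Used %Used
 1 1024 102 10%
 6 1024 102 10%
Microflow policer configurations: Module Total Used %Used
 1 64 64 100%
 6 64 32 50%
"""

FIE_OUTPUT = """\
Interface Vl10:
Feature interaction state created: Yes
Flowmask conflict status for protocol IP :
FIE_FLOWMASK_STATUS_SUCCESS
Flowmask conflict status for protocol OTHER :
FIE_FLOWMASK_STATUS_SUCCESS
"""

def policer_usage(text):
    """Return {section: {module: (used, total)}} parsed from 'show platform hardware capacity qos'."""
    usage, section = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(Aggregate policers|Microflow policer configurations):", line)
        if m:
            section = m.group(1)
            usage[section] = {}
            continue
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+\d+%", line)  # "Module Total Used %Used" rows
        if m and section:
            mod, total, used = (int(x) for x in m.groups())
            usage[section][mod] = (used, total)
    return usage

def exhausted_modules(text, section="Microflow policer configurations"):
    """Modules whose table is full; a new 'police flow' on such a module cannot be programmed in hardware."""
    return sorted(mod for mod, (used, total) in policer_usage(text)[section].items() if used >= total)

def flowmask_conflicts(text):
    """Protocols whose flowmask status in 'show fm fie' is not FIE_FLOWMASK_STATUS_SUCCESS."""
    pairs = re.findall(r"Flowmask conflict status for protocol (\w+) :\s*(FIE_FLOWMASK_STATUS_\w+)", text)
    return [proto for proto, status in pairs if status != "FIE_FLOWMASK_STATUS_SUCCESS"]
```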
Revision | Publish Date | Comments
---|---|---
1.0 | 26-Sep-2013 | Initial Release