Cisco IOS QoS – Catalyst 3560 Policing Configuration


The Catalyst 3560 has its own QoS implementation that differs from that of a router. This post verifies how policing behaves on the Catalyst 3560.

Introduction

This post summarizes policing on the Catalyst 3560.

Command list

The commands that matter in this scenario are listed below.

Switch(config)# mls qos map policed-dscp <before_dscp> to <after_dscp>
Switch(config)# mls qos aggregate-policer <aggregate_name> <bps> <burst> exceed-action {[ drop | policed-dscp-transmit ]}

Switch(config)# policy-map <policy_map>
Switch(config-pmap)# class <class_map>
Switch(config-pmap-c)# police <bps> <burst> exceed-action {[ drop | policed-dscp-transmit ]}
Switch(config-pmap-c)# police aggregate <aggregate_name>

Switch(config)# interface <interface>
Switch(config-if)# mls qos vlan-based

Topology

The behaviour is verified with the following topology.

 [physical diagram]
    +------+f0/0    +------+f0/13   +------+f0/2    +------+
    |  R1  +--------+ SW 1 +--------+ SW 2 +--------+  R2  |
    +------+    f0/1+------+   f0/13+------+    f0/0+------+

 [logical diagram]
           192.168.12.0/24
          f0/0        f0/0
    +------+.1        .1+------+
    |      +------------+      |
    |  R1  |            |  R2  |
    |      +------------+      |
    +------+.2        .2+------+
         f0/0.21    f0/0.21
          192.168.21.0/24

 [R1]
ipx routing
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
interface FastEthernet0/0.21
 encapsulation dot1Q 21
 ip address 192.168.21.1 255.255.255.0
 ipx network 21 encapsulation SNAP
!
line vty 0 4
 password cisco
 login

 [R2]
ipx routing
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
interface FastEthernet0/0.21
 encapsulation dot1Q 21
 ip address 192.168.21.2 255.255.255.0
 ipx network 21 encapsulation SNAP
!
line vty 0 4
 password cisco
 login

 [SW1]
vlan 12,21
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 12
 switchport mode trunk
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface range FastEthernet0/14 - 21
 shutdown

 [SW2]
vlan 12,21
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 12
 switchport mode trunk
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface range FastEthernet0/14 - 21
 shutdown

The full configurations are in the files below. Refer to them for the detailed settings.

R1
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
!
ipx routing 000f.8f4f.ad60
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/0.21
 encapsulation dot1Q 21
 ip address 192.168.21.1 255.255.255.0
 ipx network 21 encapsulation SNAP
!
interface Serial0/0
 no ip address
 shutdown
!
interface Serial0/1
 no ip address
 shutdown
!
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 logging synchronous level 0 limit 20
line aux 0
line vty 0 4
 login
!
!
end
R2
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
!
ipx routing 000d.655b.9740
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/0.21
 encapsulation dot1Q 21
 ip address 192.168.21.2 255.255.255.0
 ipx network 21 encapsulation SNAP
!
interface Serial0/0
 no ip address
 shutdown
!
interface Serial0/1
 no ip address
 shutdown
!
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 logging synchronous level 0 limit 20
line aux 0
line vty 0 4
 password cisco
 login
!
!
end
SW1
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 12
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
 logging synchronous level 0 limit 20
line vty 0 4
 login
line vty 5 15
 login
!
end
SW2
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 12
 switchport mode trunk
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
 logging synchronous level 0 limit 20
line vty 0 4
 login
line vty 5 15
 login
!
end

Specification notes

policy-map

Policing on the Catalyst 3560 is configured with commands such as the following. For packets that exceed the rate, you can choose between dropping them and marking them down.

Switch(config)# policy-map <policy_map>
Switch(config-pmap)# class <class_map>
Switch(config-pmap-c)# police <bps> <burst> exceed-action {[ drop | policed-dscp-transmit ]}
Switch(config)# interface <interface>
Switch(config-if)# service-policy input <policy_map>

The following command defines which DSCP value exceeding packets are marked down from, and which value they are marked down to.

Switch(config)# mls qos map policed-dscp <before_dscp> to <after_dscp>

per vlan policing

Per-VLAN policing is somewhat tricky. On the Catalyst 3560, per-VLAN policing does not support a police action in the parent policy map: the parent policy classifies by protocol, and the child policy restricts the physical interfaces. A configuration example follows.

class-map CMAP_HOST_INTERFACES
 match input-interface FastEthernet 0/1 - FastEthernet 0/6
!
policy-map PMAP_POLICE_INTERFACE
 class CMAP_HOST_INTERFACES
  police 8000 8000 exceed-action drop
!
policy-map PMAP_POLICE
 class CMAP_ICMP
  set dscp af11
  service-policy PMAP_POLICE_INTERFACE
!
interface FastEthernet 0/1
 mls qos vlan-based
!
interface Vlan 21
 service-policy input PMAP_POLICE

Per-VLAN policing is disabled by default, so enter the following on each interface on which per-VLAN policing should take effect.

Switch(config)# interface <interface>
Switch(config-if)# mls qos vlan-based

aggregate policing

Policing can also be applied to the combined total of several kinds of packets. A configuration example follows.

Switch(config)# mls qos aggregate-policer <aggregate_name> <bps> <burst> exceed-action {[ drop | policed-dscp-transmit ]}
Switch(config)# 
Switch(config)# policy-map <policy_name>
Switch(config-pmap)# class <class_name_1>
Switch(config-pmap-c)# police aggregate <aggregate_name>
Switch(config-pmap-c)# exit
Switch(config-pmap)# class <class_name_2>
Switch(config-pmap-c)# police aggregate <aggregate_name>

policing per port

mls qos configuration

This section examines per-port policing. The example below marks down exceeding ICMP packets from AF11 (DSCP 10) to CS1 (DSCP 8) and drops exceeding IPX packets.

 [SW1]
mls qos
mls qos map policed-dscp 10 to 8
!
mac access-list extended ACL_IPX
 permit any any 0x8137 0x0
ip access-list extended ACL_ICMP
 permit icmp any any
!
class-map CMAP_IPX
 match access-group name ACL_IPX
class-map CMAP_ICMP
 match access-group name ACL_ICMP
!
policy-map PMAP_POLICE
 class CMAP_IPX
  set dscp af11
  police 8000 8000 exceed-action drop
 class CMAP_ICMP
  set dscp af11
  police 8000 8000 exceed-action policed-dscp-transmit
!
interface FastEthernet 0/1
 service-policy input PMAP_POLICE

Sending packets

Send IPX and IP pings. IP gets through without drops, while the IPX output shows that exceeding packets are dropped.

 [R1]
R1#ping 192.168.12.2 repeat 100 size 1500

Type escape sequence to abort.
Sending 100, 1500-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 4/4/8 ms
R1#
R1#
R1#ping
Protocol [ip]: ipx
Target IPX address: 21.0012.d9a2.4940
Repeat count [5]: 50
Datagram size [100]: 200
Timeout in seconds [2]: 1
Verbose [n]:
Type escape sequence to abort.
Sending 50, 200-byte IPX Novell Echoes to 21.0012.d9a2.4940, timeout is 1 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!.!!!!.!!!
Success rate is 94 percent (47/50), round-trip min/avg/max = 1/2/4 ms
R1#

Verification

Check the counters on SW1. They show that the exceeding packets were marked down from AF11 (DSCP 10) to CS1 (DSCP 8).

 [SW1]
SW1#sho mls qos interface f0/13 statistics
FastEthernet0/13 (All statistics are in packets)

 <omitted>

  dscp: outgoing
-------------------------------

  0 -  4 :           0            0            0            0            0
  5 -  9 :           0            0            0           95            0
 10 - 14 :           5            0            0            0            0
 15 - 19 :           0            0            0            0            0
 20 - 24 :           0            0            0            0            0
 25 - 29 :           0            0            0            0            0
 30 - 34 :           0            0            0            0            0

 <omitted>

SW1#
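The police action described in the policy-map section and the 5/95 split in the `dscp: outgoing` counters above both follow from a single-rate token bucket. The model below is an added example, not code from the original post; it assumes a continuous refill of <bps>/8 bytes per second, counts only the ping payload size (no Ethernet framing), and uses a 4 ms send interval taken from the ping round-trip time.

```python
"""Token-bucket model of the Catalyst 3560 'police <bps> <burst> exceed-action ...' action.

Added example, not from the original post. Assumptions: continuous refill at
bps/8 bytes per second, the bucket starts full, only the ping payload size counts.
"""

AF11, CS1 = 10, 8  # DSCP values used on the page: set dscp af11 / policed-dscp 10 to 8


class Policer:
    def __init__(self, rate_bps, burst_bytes, exceed_action, policed_dscp_map=None):
        self.rate_bps = rate_bps                 # <bps> argument of 'police'
        self.burst_bytes = burst_bytes           # <burst> argument of 'police' (bytes)
        self.exceed_action = exceed_action       # "drop" or "policed-dscp-transmit"
        self.policed_dscp_map = policed_dscp_map or {}  # mls qos map policed-dscp
        self.tokens = float(burst_bytes)         # bucket starts full
        self.last_t = 0.0

    def police(self, t, size, dscp):
        """Return (action, out_dscp) for a packet of `size` bytes arriving at time t (s)."""
        # refill in bytes since the previous packet, capped at the burst size
        self.tokens = min(self.burst_bytes,
                          self.tokens + (t - self.last_t) * self.rate_bps / 8)
        self.last_t = t
        if self.tokens >= size:                  # conform: spend tokens, keep DSCP
            self.tokens -= size
            return "conform", dscp
        if self.exceed_action == "drop":         # exceed-action drop
            return "drop", None
        # exceed-action policed-dscp-transmit: forward with the mapped DSCP
        return "markdown", self.policed_dscp_map.get(dscp, dscp)


def run_ping(policer, count, size, interval, dscp=AF11):
    """Send `count` packets of `size` bytes every `interval` s; tally actions and outgoing DSCP."""
    actions = {"conform": 0, "markdown": 0, "drop": 0}
    dscp_out = {}
    for i in range(count):
        action, out = policer.police(i * interval, size, dscp)
        actions[action] += 1
        if out is not None:
            dscp_out[out] = dscp_out.get(out, 0) + 1
    return actions, dscp_out


if __name__ == "__main__":
    # 100 x 1500-byte ICMP echoes, ~4 ms apart, through the per-port ICMP policer
    icmp_policer = Policer(8000, 8000, "policed-dscp-transmit", {AF11: CS1})
    print(run_ping(icmp_policer, 100, 1500, 0.004))  # 5 conform, 95 marked down to DSCP 8
```

Sharing one Policer instance between two classes is the counterpart of `police aggregate`.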

policing per vlan

mls qos configuration

This section examines per-VLAN policing. The example below polices only ICMP that traverses VLAN 21.

 [SW1]
clear mls qos interface statistics
!
interface FastEthernet 0/1
 no service-policy input PMAP_POLICE
no policy-map PMAP_POLICE
!
mls qos
!
ip access-list extended ACL_ICMP
 permit icmp any any
!
class-map CMAP_ICMP
 match access-group name ACL_ICMP
!
class-map CMAP_ALL_INTERFACES
 match input-interface FastEthernet 0/1 - FastEthernet 0/24
!
policy-map PMAP_POLICE_INTERFACE
 class CMAP_ALL_INTERFACES
  police 8000 8000 exceed-action drop
!
policy-map PMAP_POLICE
 class CMAP_ICMP
  set dscp af11
  service-policy PMAP_POLICE_INTERFACE
!
interface FastEthernet 0/1
 mls qos vlan-based
!
interface Vlan 21
 service-policy input PMAP_POLICE

Sending packets

ICMP via VLAN 12 gets through without drops, while for ICMP via VLAN 21 the exceeding packets are dropped.

 [R1]
R1#ping 192.168.12.2 repeat 50 size 1500

Type escape sequence to abort.
Sending 50, 1500-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 4/4/8 ms
R1#
R1#
R1#ping 192.168.21.2 repeat 50 size 1500

Type escape sequence to abort.
Sending 50, 1500-byte ICMP Echos to 192.168.21.2, timeout is 2 seconds:
.!!!!!.!.!.!!.!.!!.!.!.
Success rate is 60 percent (14/23), round-trip min/avg/max = 4/4/4 ms
R1#

aggregate policing

mls qos configuration

This section examines aggregate policing. The example below keeps the combined ICMP and IPX traffic within 16000 bps.

 [SW1]
clear mls qos interface statistics
!
interface Vlan 21
 no service-policy input PMAP_POLICE
!
no policy-map PMAP_POLICE_INTERFACE
no policy-map PMAP_POLICE
!
interface FastEthernet 0/1
 no mls qos vlan-based
!
mac access-list extended ACL_IPX
 permit any any 0x8137 0x0
ip access-list extended ACL_ICMP
 permit icmp any any
!
class-map CMAP_IPX
 match access-group name ACL_IPX
class-map CMAP_ICMP
 match access-group name ACL_ICMP
!
mls qos aggregate-policer AGG16000 16000 8000 exceed-action drop
!
policy-map PMAP_POLICE
 class CMAP_IPX
  set dscp af11
  police aggregate AGG16000
 class CMAP_ICMP
  set dscp af11
  police aggregate AGG16000
!
interface FastEthernet 0/1
 service-policy input PMAP_POLICE

Sending packets

Send packets from R1 to R2. For both ICMP and IPX, the output shows that exceeding packets are dropped.

 [R1]
R1#ping 192.168.12.2 size 500 repeat 50

Type escape sequence to abort.
Sending 50, 500-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!.!!!!.!!!!.!!!!.!!!!.
Success rate is 86 percent (31/36), round-trip min/avg/max = 1/3/4 ms
R1#
R1#
R1#ping
Protocol [ip]: ipx
Target IPX address: 21.0012.d9a2.4940
Repeat count [5]: 50
Datagram size [100]: 300
Timeout in seconds [2]: 1
Verbose [n]:
Type escape sequence to abort.
Sending 50, 300-byte IPX Novell Echoes to 21.0012.d9a2.4940, timeout is 1 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!.!!!.!!!!.!!!.!!!.!!!.!!!.
Success rate is 86 percent (43/50), round-trip min/avg/max = 1/2/4 ms
R1#

Tips

per vlan policing

Per-VLAN policing cannot police the VLAN as a single entity. Configuring a policer against the VLAN as a whole, as below, produces an error message.

 [SW1]
SW1(config)# policy-map PMAP_POLICE
SW1(config-pmap)# class CMAP_ICMP
SW1(config-pmap-c)# set dscp af11
SW1(config-pmap-c)# police 8000 8000 exceed-action drop
SW1(config-pmap-c)# exit
SW1(config-pmap)# exit
SW1(config)# 
SW1(config)# 
SW1(config)# interface Vlan 21
SW1(config-if)# service-policy input PMAP_POLICE
%QoS: policy-map with police action at parent level not supported on Vlan21 interface.
%QoS: policy-map with police action at parent level not supported on Vlan21 interface.
%QoS: policy-map with police action at parent level not supported on Vlan21 interface.
SW1(config-if)#