Cisco 6500 as a bridge + UBRL

Does anyone have experience configuring a Cisco 6509 as a transparent bridge? If it's not too much trouble, please post in this thread the part of the config responsible for it.


It's just a switch, what is there to configure specially???


6509 is a chassis. Hard to configure it into bridge mode.....


Cisco 6509 (WS-SUP720-3B, IOS 12.2(33)SXI, RELEASE SOFTWARE (fc2)).


Here is what I do:


bridge irb

bridge 1 protocol dec
bridge 1 route ip

interface GigabitEthernet4/20
no ip address
no cdp enable
bridge-group 1
bridge-group 1 spanning-disabled
end

interface GigabitEthernet4/21
no ip address
no cdp enable
bridge-group 1
bridge-group 1 spanning-disabled
end


sh bridge 1

Total of 300 station blocks, 299 free
Codes: P - permanent, S - self

Bridge Group 1:

    Address       Action   Interface       Age   RX count   TX count
00xx.xxxx.fcce   forward   Gi4/20            0          1          0
00xx.xxxx.8217   forward   Gi4/21            0          9          0


The devices' MAC addresses are visible, but ping and any other traffic does not go through.


Has anyone run into something like this?


Sorry, but what stops you from simply putting ports GigabitEthernet4/20 and GigabitEthernet4/21 into the same VLAN?


Nothing stops me. I wanted to set up UBRL. On a VLAN it doesn't work.


The microflow policer differs in that it applies a rate-limiting policy on a per-flow basis. Whereas the aggregate policer limits the total amount of traffic entering that VLAN, the same microflow policer would only limit each flow to the stated rate. If a microflow policer were applied to the same VLAN enforcing a policing rule of 2 Mb, then no one flow entering any port in that VLAN could exceed 2 Mb. It is worth noting that although a microflow policer limits traffic for specific flows, it does not limit the number of flows that can be active in that VLAN.


See here:

http://www.cisco.com/en/US/prod/collateral...cd803e5017.html


"See here" is the very first thing I read on this subject.

I can't get it to limit both inbound and outbound traffic on one VLAN (consisting of two physical interfaces). I follow Cisco's example, but either only inbound or only outbound gets limited. Please help with a really working example, this Cisco has already fried my brain.


From the same document:

Figure 7. Bidirectional UBRL Scenario Example

In this example (Figure 7), two flow masks will be combined to limit traffic to and from users in the computer science faculty. Each user (student) will be limited to uploading or downloading no more than 1 Mb of data. The computer science faculty uses the 202.25.1.0/24 subnet. In order to achieve this, the following configuration could be applied:

6500(config)# access-list 142 permit ip 202.25.1.0 0.0.0.255 any
6500(config)# access-list 143 permit ip any 202.25.1.0 0.0.0.255
6500(config)# class-map identify-outbound-student
6500(config-cmap)# match access-group 142
6500(config)# class-map identify-inbound-student
6500(config-cmap)# match access-group 143
6500(config)# policy-map police-student-traffic-outbound
6500(config-pmap)# class identify-outbound-student
6500(config-pmap-c)# police flow mask src-only 1000000 1000 conform-action transmit exceed-action drop
6500(config)# policy-map police-student-traffic-inbound
6500(config-pmap)# class identify-inbound-student
6500(config-pmap-c)# police flow mask dest-only 1000000 1000 conform-action transmit exceed-action drop
6500(config-pmap-c)# interface gig8/22
6500(config-if)# service-policy input police-student-traffic-inbound
6500(config-pmap-c)# interface gig8/23
6500(config-if)# service-policy input police-student-traffic-outbound

In this example, two separate ACLs are defined: one to classify outbound traffic by focusing on the source subnet and the second to classify inbound traffic focusing on the destination subnet (this is return traffic back to the faculty). Two separate policers are configured: one for outbound traffic and one for return traffic. Each policer uses a different flow mask to match on interesting traffic to or from the faculty. For outbound traffic, the policer uses a source-only flow mask to match on traffic originating from the faculty. Each unique user will be limited to 1 Mb of upstream bandwidth. Return traffic matching on the inbound policer uses the destination-only IP flow mask. This matches on faculty user addresses and limits their download bandwidth also to 1 Mb.


P.S. Note that both policies are attached on input)

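The behaviour described in the two quoted Cisco passages above (a microflow policer limiting each flow separately rather than the class as a whole, and the src-only / dest-only masks of the Figure 7 scenario) can be reproduced offline with the following model. This is an example added to the thread, not Cisco code and not anyone's configuration here: the token bucket, the flow-key selection, the three hosts 202.25.1.10-12, the outside peer 198.51.100.1, the 1 Mbit/s rate with a 10 kB burst and the 2 ms packet spacing are all assumptions made for the demo.

```python
"""Model of Catalyst 6500 microflow (UBRL) policing with flow masks.

Example added to this thread; not Cisco code and not any poster's config.
'police flow mask <mask> <bps> <burst>' is modelled as a token bucket
(rate in bit/s, burst in bytes, conform -> transmit, exceed -> drop); the
flow mask picks the header fields that identify one flow; the class-map ACL
is a (src subnet, dst subnet) match. Hosts, timings and sizes are invented.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t_us: int   # arrival time in microseconds (integer maths keeps results exact)
    src: str
    dst: str
    size: int   # bytes


class TokenBucket:
    """Single-rate policer: refill at rate_bps, never hold more than burst bytes."""

    def __init__(self, rate_bps: int, burst: int):
        self.rate_bps, self.burst = rate_bps, burst
        self.tokens, self.last_us = burst, 0

    def conform(self, pkt: Packet) -> bool:
        # bytes earned since the previous packet, truncated to whole bytes
        earned = (pkt.t_us - self.last_us) * self.rate_bps // 8_000_000
        self.tokens = min(self.burst, self.tokens + earned)
        self.last_us = pkt.t_us
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return True
        return False          # exceed-action drop: no tokens are spent


# flow mask -> the key a separate bucket is kept for
FLOW_MASKS = {
    "src-only": lambda p: p.src,
    "dest-only": lambda p: p.dst,
    "aggregate": lambda p: "*",   # one bucket for the whole class, for contrast
}


class Policer:
    """One 'police flow mask ...' line together with its class-map ACL."""

    def __init__(self, src_net, dst_net, mask, rate_bps, burst):
        self.src_net = ipaddress.ip_network(src_net)   # "0.0.0.0/0" plays 'any'
        self.dst_net = ipaddress.ip_network(dst_net)
        self.key, self.rate_bps, self.burst = FLOW_MASKS[mask], rate_bps, burst
        self.buckets = {}
        self.transmitted, self.dropped = Counter(), Counter()

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src_net
                and ipaddress.ip_address(pkt.dst) in self.dst_net)

    def ingress(self, pkt: Packet) -> bool:
        """Apply the policy on input; True means the packet is forwarded."""
        if not self.matches(pkt):
            return True           # traffic outside the class is not policed
        key = self.key(pkt)
        bucket = self.buckets.setdefault(key, TokenBucket(self.rate_bps, self.burst))
        ok = bucket.conform(pkt)
        counter = self.transmitted if ok else self.dropped
        counter[key] += 1
        return ok


# constructed hosts: three "students" in the Figure 7 subnet and one outside peer
STUDENTS = ["202.25.1.10", "202.25.1.11", "202.25.1.12"]
INTERNET = "198.51.100.1"
RATE_BPS, BURST = 1_000_000, 10_000      # 1 Mbit/s, 10 kB burst (assumed)


def simulate(mask: str, direction: str = "upstream", n: int = 50):
    """Each student sends or receives n 1000-byte packets 2 ms apart (about
    4 Mbit/s per host); returns (forwarded, dropped) packet counts per key."""
    if direction == "upstream":     # students -> Internet, like ACL 142
        pol = Policer("202.25.1.0/24", "0.0.0.0/0", mask, RATE_BPS, BURST)
        pkts = [Packet(2000 * k + 500 * i, s, INTERNET, 1000)
                for k in range(n) for i, s in enumerate(STUDENTS)]
    else:                           # Internet -> students, like ACL 143
        pol = Policer("0.0.0.0/0", "202.25.1.0/24", mask, RATE_BPS, BURST)
        pkts = [Packet(2000 * k + 500 * i, INTERNET, s, 1000)
                for k in range(n) for i, s in enumerate(STUDENTS)]
    for p in sorted(pkts, key=lambda p: p.t_us):
        pol.ingress(p)
    return dict(pol.transmitted), dict(pol.dropped)


if __name__ == "__main__":
    for mask, direction in [("src-only", "upstream"), ("aggregate", "upstream"),
                            ("dest-only", "downstream"), ("src-only", "downstream")]:
        fwd, drop = simulate(mask, direction)
        print(f"{direction:10} {mask:10} forwarded={fwd} dropped={drop}")
```

With these inputs the src-only policer forwards 22 of each host's 50 upstream packets, so every host gets its own 1 Mbit/s; the aggregate bucket forwards 22 packets in total for all three. The downstream run shows why the return direction needs dest-only: with src-only applied to traffic from the single outside address, all users collapse into one flow and again share one bucket.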

So, did it work?


Here is how I did it:

upgrade fpd auto
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
service counters max age 10
!
hostname lalala
!
boot-start-marker
boot system flash disk0:s72033-ipservicesk9_wan-mz.122-33.SXI.bin
boot-end-marker
!
logging event link-status default
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host lalala xx.xx.xx.xx lalala enable
!
!
!
no ip bootp server
ip ssh version 2
no ip domain-lookup
ip domain-name lalala.ru
ip name-server tyry-pyry
ip name-server tyry-pyry
vtp mode transparent
mls ip slb purge global
no mls acl tcam share-global
mls netflow interface
no mls flow ip
no mls flow ipv6
mls qos
mls cef error action reset
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
diagnostic bootup level minimal
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
no errdisable detect cause gbic-invalid
no errdisable detect cause arp-inspection
fabric timer 15
!
redundancy
main-cpu
  auto-sync running-config
mode sso
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
vlan 2
name XZVlan2
!
vlan 3
name XZVlan3
!
vlan 4
name XZVlan4
!
class-map match-all identify-outbound
  match access-group 142
class-map match-all identify-inbound
  match access-group 143
!
!
policy-map police-traffic-inbound
  class identify-inbound
     police flow mask dest-only 2048000 200000 conform-action transmit exceed-action drop
policy-map police-traffic-outbound
  class identify-outbound
     police flow mask src-only 4000000 100000 conform-action transmit exceed-action drop
!
!
!
!
interface GigabitEthernet4/1
description Internet
switchport
switchport access vlan 2
switchport mode access
!
...
interface GigabitEthernet4/3
switchport
switchport access vlan 4
switchport mode access
no cdp enable
service-policy input police-traffic-inbound
!
...
interface GigabitEthernet4/22
switchport
switchport access vlan 4
switchport mode access
no cdp enable
service-policy input police-traffic-outbound
!
...
interface Vlan4
ip address 192.168.15.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
ip classless
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
!
no ip http server
no ip http secure-server
!
access-list 142 permit ip host 192.168.15.15 any
access-list 143 permit ip any host 192.168.5.15
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
end


It doesn't work.


Try this:

interface GigabitEthernet4/22
service-policy input police-traffic-inbound

no policy-map police-traffic-outbound
no class-map match-all identify-outbound
no access-list 142
no access-list 143
access-list 143 permit ip any 192.168.15.0 0.0.0.255



No, that won't do for me. I need to limit the bandwidth for each IP address individually.

>> No, that won't do for me. I need to limit the bandwidth for each IP address individually.

service-policy input police-traffic-inbound with flow mask dest-only on the list permit ip any 192.168.15.0 0.0.0.255 will limit your bandwidth from each and every host towards the 192.168.15.0/24 network. Since they are all in VLAN 4, and this policy is attached on input on all of them.


I understand that it will limit, but I plan to create several policy-maps with access-lists for different tariffs and, depending on the user's tariff, put their IP address into the appropriate access-list. Traffic from several different internal networks is planned to pass over one VLAN. The 15 network is shown only as an example.


Don't try to make a BRAS out of a switch... Sooner or later you'll hit a wall(((


>> police flow mask src-only


I suspect this won't work if you also need NDE (something I remember, not sure).


Correct suspicion)))


You need to enable mls qos bridged

Microflow policing—Microflow policing controls bandwidth of a flow per interface in the switch. By default, microflow policers affect only routed traffic. Issue the mls qos bridged command in the VLAN interface in order to enable microflow policing for bridged traffic.
http://www.cisco.com/en/US/products/hw/swi...08074d6b1.shtml

Current configuration : 6447 bytes
!
version 12.2
!
ipv6 mfib hardware-switching replication-mode ingress
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
mls qos
no mls acl tcam share-global
mls cef error action reset
!
!
!
!
!
!
!
!
redundancy
mode sso
main-cpu
  auto-sync running-config
!
spanning-tree mode pvst
no spanning-tree vlan 10
system flowcontrol bus auto
diagnostic bootup level minimal
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
class-map match-all cm-user-IN
  match access-group name user-IN
class-map match-all cm-user-IN2
  match access-group name user-IN2
class-map match-all cm-user-OUT
  match access-group name user-OUT
class-map match-all cm-user-OUT2
  match access-group name user-OUT2
!
!
policy-map unlim-OUT
  class cm-user-OUT
     police flow mask src-only 64000 2000 conform-action transmit exceed-action drop
  class cm-user-OUT2
     police flow mask src-only 256000 8000 conform-action transmit exceed-action drop
policy-map unlim-IN
  class cm-user-IN
     police flow mask dest-only 128000 4000 conform-action transmit exceed-action drop
  class cm-user-IN2
     police flow mask dest-only 512000 16000 conform-action transmit exceed-action drop
!
! 
!
!
!
interface FastEthernet4/1
switchport
switchport access vlan 10
no ip address
service-policy input unlim-IN
!
!
interface FastEthernet4/13
switchport
switchport access vlan 10
no ip address
service-policy input unlim-OUT
!
interface FastEthernet4/15
switchport
switchport access vlan 10
no ip address
service-policy input unlim-OUT
!
!
interface TenGigabitEthernet6/1
no ip address
shutdown 
!
interface TenGigabitEthernet6/2
no ip address
shutdown
!
interface GigabitEthernet6/3
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.10.10.1 255.255.255.0
mls qos bridged
!
ip classless
!
no ip http server
!
ip access-list extended user-IN
permit ip any host 10.10.10.109
ip access-list extended user-IN2
permit ip any host 10.10.10.110
ip access-list extended user-OUT
permit ip host 10.10.10.109 any
ip access-list extended user-OUT2
permit ip host 10.10.10.110 any
!
!
!
!
control-plane
!
!
!
dial-peer cor custom
!
!
!         
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
no cns aaa enable
end

Router#sh mls qos
  QoS is enabled globally
  Policy marking depends on port_trust
  QoS ip packet dscp rewrite enabled globally
  Input mode for GRE Tunnel is Pipe mode
  Input mode for MPLS is Pipe mode

  Bridged QoS is enabled on the following interfaces:
    Vl10 
  Vlan or Portchannel(Multi-Earl) policies supported: Yes
  Egress policies supported: Yes


----- Module [6] -----
  QoS global counters:
    Total packets: 2386
    IP shortcut packets: 0
    Packets dropped by policing: 588
    IP packets with TOS changed by policing: 0
    IP packets with COS changed by policing: 0
    Non-IP packets with COS changed by policing: 0
    MPLS packets with EXP changed by policing: 0

Router#sh ip cac flow

-------------------------------------------------------------------------------
MSFC:
IP packet size distribution (0 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 0 bytes
  0 active, 0 inactive, 0 added
  0 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts

-------------------------------------------------------------------------------
PFC:

Displaying Hardware entries in Module 6
SrcIf            SrcIPaddress          DstIPaddress      Pr       SrcP      DstP      Pkts
--               10.10.10.109          0.0.0.0           0        0         0         427          
--               0.0.0.0               10.10.10.109      0        0         0         435          
--               10.10.10.110          0.0.0.0           0        0         0         10391        
--               0.0.0.0               0.0.0.0           0        0         0         1033         
--               0.0.0.0               10.10.10.110      0        0         0         1419

 

sup32-10ge 12.2SXF13

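To confirm on a box that the fix above has actually taken effect, the two show outputs can be checked mechanically rather than by eye. The following is an example added to the thread, not a Cisco tool and not D^2's script: it parses 'sh mls qos' and the PFC part of 'sh ip cache flow', using abridged copies of the output posted above as sample input. The Vlan10 -> Vl10 abbreviation, the regexes, and the reading of a zeroed address in the hardware flow table as "not part of the flow key" are my assumptions based on that output.

```python
"""Checks on the show output posted above, for bridged microflow policing.

Example added to this thread, not a Cisco tool. It parses 'sh mls qos' and
the PFC section of 'sh ip cache flow' and reports whether UBRL on a bridged
VLAN is in effect: QoS on globally, 'mls qos bridged' listed for the user
VLAN, policing drops counted, and hardware flow entries keyed the way the
src-only / dest-only masks imply. Samples are abridged from the post above
(sup32, 12.2SXF13); the regexes assume that layout.
"""
import re

SAMPLE_MLS_QOS = """\
Router#sh mls qos
  QoS is enabled globally
  Policy marking depends on port_trust
  QoS ip packet dscp rewrite enabled globally

  Bridged QoS is enabled on the following interfaces:
    Vl10
  Vlan or Portchannel(Multi-Earl) policies supported: Yes
  Egress policies supported: Yes

----- Module [6] -----
  QoS global counters:
    Total packets: 2386
    IP shortcut packets: 0
    Packets dropped by policing: 588
"""

SAMPLE_CACHE_FLOW = """\
Router#sh ip cac flow
MSFC:
IP Flow Switching Cache, 0 bytes
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
PFC:
Displaying Hardware entries in Module 6
SrcIf            SrcIPaddress          DstIPaddress      Pr       SrcP      DstP      Pkts
--               10.10.10.109          0.0.0.0           0        0         0         427
--               0.0.0.0               10.10.10.109      0        0         0         435
--               10.10.10.110          0.0.0.0           0        0         0         10391
--               0.0.0.0               0.0.0.0           0        0         0         1033
--               0.0.0.0               10.10.10.110      0        0         0         1419
"""

COUNTERS = {"Total packets": "total_packets",
            "Packets dropped by policing": "dropped_by_policing"}


def parse_show_mls_qos(text: str) -> dict:
    """Global QoS state, interfaces with 'mls qos bridged', per-module counters."""
    info = {"qos_enabled": "QoS is enabled globally" in text,
            "bridged_qos": [], "modules": {}}
    in_bridged, module = False, None
    for line in text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped.startswith("Bridged QoS is enabled on the following interfaces"):
            in_bridged = True
            continue
        if in_bridged:                       # interface names are indented deeper
            if stripped and indent >= 4:
                info["bridged_qos"].extend(stripped.split())
                continue
            in_bridged = False
        m = re.match(r"----- Module \[(\d+)\] -----", stripped)
        if m:
            module = int(m.group(1))
            info["modules"][module] = {}
            continue
        m = re.match(r"(Total packets|Packets dropped by policing): (\d+)", stripped)
        if m and module is not None:
            info["modules"][module][COUNTERS[m.group(1)]] = int(m.group(2))
    return info


FLOW_RE = re.compile(r"\S+\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
                     r"\s+\d+\s+\d+\s+\d+\s+(\d+)")


def parse_pfc_flows(text: str) -> list:
    """Hardware (PFC) flow entries; a zeroed address is read as 'not part of
    the key', which is how the configured flow mask shows up here (assumed)."""
    pfc = text.split("PFC:", 1)[1] if "PFC:" in text else ""
    flows = []
    for line in pfc.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        src, dst, pkts = m.group(1), m.group(2), int(m.group(3))
        mask = {(True, False): "src-only", (False, True): "dest-only",
                (False, False): "null"}.get((src != "0.0.0.0", dst != "0.0.0.0"), "full")
        flows.append({"src": src, "dst": dst, "mask": mask, "packets": pkts})
    return flows


def check_bridged_ubrl(mls_text: str, flow_text: str, vlan_if: str) -> dict:
    """Summarise whether per-user policing on vlan_if (e.g. 'Vlan10') is live."""
    info = parse_show_mls_qos(mls_text)
    flows = parse_pfc_flows(flow_text)
    short = vlan_if.replace("Vlan", "Vl")      # show output abbreviates Vlan10 to Vl10
    drops = sum(mod.get("dropped_by_policing", 0) for mod in info["modules"].values())
    return {"qos_enabled": info["qos_enabled"],
            "bridged_on_vlan": short in info["bridged_qos"],
            "policing_drops": drops,
            "masks_seen": sorted({f["mask"] for f in flows}),
            "flows": len(flows)}


if __name__ == "__main__":
    print(check_bridged_ubrl(SAMPLE_MLS_QOS, SAMPLE_CACHE_FLOW, "Vlan10"))
```

On the posted output this reports QoS enabled, bridged QoS on Vl10, 588 policing drops on module 6, and both src-only and dest-only keyed entries for the two user hosts, which is the combination the thread was missing while the policers sat on a VLAN without 'mls qos bridged'.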

Reviving someone else's thread, I ran into something similar.

The question is: so QoS and NetFlow statistics collection on the same box can be forgotten about?


Starting with SXH, you can enable both NDE and UBRL, on different interfaces.

In bridge mode, as far as I know, the guys have NDE working on any interface.


That is exactly the task: cut the speed on ingress on one port and count the traffic.
