
Cisco UBRL: everything related to UBRL on Cisco

I'm trying to set up UBRL on a Cisco WS-C6509 + NAT on an ACE module. The rate is only being limited in one direction (outbound).

Please help with this problem.

 

sh run

upgrade fpd auto
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
service counters max age 10
!
hostname R7
!
boot-start-marker
boot system flash disk0:s72033-ipservicesk9_wan-mz.122-33.SXI.bin
boot-end-marker
!
aaa new-model
!
!
!
!
!
aaa session-id common
clock timezone Moscow 3
clock summer-time Moscow recurring last Sun Mar 2:00 last Sun Oct 2:00
svclc multiple-vlan-interfaces
svclc module 2 vlan-group 1
svclc vlan-group 1  402
logging event link-status default
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host root xx.xx.x.x root enable
!
!
!
no ip bootp server
ip ssh version 2
no ip domain-lookup
ip domain-name lalala.ru
ip name-server 192.168.x.x
ip name-server 192.168.x.x
vtp domain vtp
vtp mode transparent
mls netflow interface
no mls flow ip
no mls flow ipv6
mls qos
mls cef error action freeze
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
no spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
diagnostic bootup level minimal
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
no errdisable detect cause gbic-invalid
no errdisable detect cause arp-inspection
fabric timer 15
!
redundancy
main-cpu
  auto-sync running-config
mode sso
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
vlan 2
!
vlan 3
!
vlan 100
name 2NetVlan
!
vlan 402
name NAT
!
class-map match-all cm-unlim-OUT
  match access-group name unlim-OUT
class-map match-all cm-unlim-IN
  match access-group name unlim-IN
!
!
policy-map police-traffic-out
  class cm-unlim-OUT
     police flow mask src-only 2000000 64000 conform-action transmit exceed-action drop
policy-map police-traffic-in
  class cm-unlim-IN
     police flow mask dest-only 8000000 248000 conform-action transmit exceed-action drop
!
!
!
interface GigabitEthernet4/1
description Internet
switchport
switchport access vlan 402
switchport mode access
mls qos vlan-based
storm-control broadcast level 10.00
storm-control multicast level 10.00
storm-control unicast level 10.00
!
interface GigabitEthernet4/2
description 2Net
switchport
switchport access vlan 100
switchport mode access
mls qos vlan-based
!
/skip/
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan3
ip address 10.x.x.x 255.255.255.0
no ip unreachables
no ip proxy-arp
!
interface Vlan100
ip address 192.168.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
service-policy input police-traffic-out
!
interface Vlan402
description NAT ACE
ip address xx.xx.xx.16 255.255.254.0
no ip redirects
no ip unreachables
no ip proxy-arp
service-policy input police-traffic-in
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.126.19
ip route 10.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
!
no ip http server
no ip http secure-server
!
ip access-list extended unlim-IN
permit ip any host 192.168.33.33
ip access-list extended unlim-OUT
permit ip host 192.168.33.33 any
!
control-plane
!
!
dial-peer cor custom
!
!
!
banner motd ^CWelcome to "$(hostname)"...^C
!
/skip/
!
ntp clock-period 17179953
ntp server xx.xx.xx.xx
!
end

 

sh mod

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2    1  Application Control Engine Module      ACE20-MOD-K9       SADXXXXXXX
  4   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SALXXXXXXX
  5   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       SALXXXXXXX
  6    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SADXXXXXXX

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2  xxxx.xxxx.xxxx to xxxx.xxxx.xxxx   2.4   8.7(0.22)ACE 3.0(0)A1(6.3 Ok
  4  xxxx.xxxx.xxxx to xxxx.xxxx.xxxx   2.5   12.2(14r)S5  12.2(33)SXI  Ok
  5  xxxx.xxxx.xxxx to xxxx.xxxx.xxxx   1.8   12.2(14r)S5  12.2(33)SXI  Ok
  6  xxxx.xxxx.xxxx to xxxx.xxxx.xxxx   4.3   8.1(3)       12.2(33)SXI  Ok

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  4  Centralized Forwarding Card WS-F6700-CFC       SALxxxx  2.0    Ok
  5  Distributed Forwarding Card WS-F6700-DFC3BXL   SADxxxx  3.0    Ok
  6  Policy Feature Card 3       WS-F6K-PFC3BXL     SALxxxx  1.6    Ok
  6  MSFC3 Daughterboard         WS-SUP720          SADxxxx  2.3    Ok

Mod  Online Diag Status
---- -------------------
  2  Pass
  4  Pass
  5  Pass
  6  Pass

 

I suspect it is because of this:

 

sh ip cache flow

-------------------------------------------------------------------------------

Displaying software-switched flow entries on the MSFC in Module 6:

IP packet size distribution (0 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 0 bytes
  0 active, 0 inactive, 0 added
  0 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics 04:13:01
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts

-------------------------------------------------------------------------------

Displaying hardware-switched flow entries in the PFC (Standby) Module 5:
SrcIf            SrcIPaddress     DstIf            DstIPaddress    Pr SrcP DstP  Pkts




Displaying hardware-switched flow entries in the PFC (Active) Module 6:
SrcIf            SrcIPaddress     DstIf            DstIPaddress    Pr SrcP DstP  Pkts

--               192.168.33.33     ---              0.0.0.0         00 0000 0000     0
--               0.0.0.0          ---              0.0.0.0         00 0000 0000    18K

 

Edited by raveren


Does it work specifically for traffic going out of the interface?

Because:

...

On a PFC3x-based supervisor, the aggregate policer can be applied on ingress or egress, whereas the microflow policer can only be applied on ingress.

...

Edited by nnm

Does it work specifically for traffic going out of the interface?

Because:

...

On a PFC3x-based supervisor, the aggregate policer can be applied on ingress or egress, whereas the microflow policer can only be applied on ingress.

...

It works only on ingress to Vlan100,

 

interface Vlan100
ip address 192.168.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
service-policy input police-traffic-out

 

but on ingress to Vlan402 it does not work.

 

interface Vlan402
description NAT ACE
ip address xx.xx.xx.16 255.255.254.0
no ip redirects
no ip unreachables
no ip proxy-arp
service-policy input police-traffic-in

 

Note that the policies are applied on input. When applied on output we get:

 

police flow command is not supported for this interface in the output direction.
Configuration failed!

 

I think this is what the quote means.

 

...

On a PFC3x-based supervisor, the aggregate policer can be applied on ingress or egress, whereas the microflow policer can only be applied on ingress.

...

Edited by raveren


I ran into the same problem, since on your interface Vlan402 the packet arrives already NATed and does not match the rule.

If anyone can suggest how to solve the problem, I would be very grateful.

 

We have a Cisco Catalyst 6500 with FWSM; at the moment it works as border + NAT (on the FWSM).

How can policing be set up for 5k subscribers?
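
An added example (not code from the thread) that models the explanation in the post above: the two ACLs and ingress policies from the posted config are evaluated against constructed packets. The public address 203.0.113.16 and the remote host 198.51.100.7 are constructed placeholders, and the assumption, taken from the post, is that return traffic reaches Vlan402 still addressed to the translated address.

```python
import ipaddress

# ACL entries from the posted config, as (source, destination); "any" or a host.
ACLS = {
    "unlim-OUT": [("192.168.33.33", "any")],  # permit ip host 192.168.33.33 any
    "unlim-IN": [("any", "192.168.33.33")],   # permit ip any host 192.168.33.33
}

# Ingress service-policies from the posted config: SVI -> (ACL, flow mask).
INGRESS_POLICY = {
    "Vlan100": ("unlim-OUT", "src-only"),   # police-traffic-out
    "Vlan402": ("unlim-IN", "dest-only"),   # police-traffic-in
}

SUBSCRIBER = "192.168.33.33"   # inside host named in the ACLs
NAT_PUBLIC = "203.0.113.16"    # constructed: translated (public) address
REMOTE = "198.51.100.7"        # constructed: host on the Internet


def _field_matches(spec, addr):
    """Match one ACL address field ('any' or a host) against a packet address."""
    return spec == "any" or ipaddress.ip_address(spec) == ipaddress.ip_address(addr)


def acl_permits(acl_name, src, dst):
    """True if any permit entry of the named ACL matches the packet."""
    return any(_field_matches(s, src) and _field_matches(d, dst)
               for s, d in ACLS[acl_name])


def classify(ingress_if, src, dst):
    """Return the microflow key the policer would track, or None when the
    packet misses the class-map and is therefore never policed."""
    acl, mask = INGRESS_POLICY[ingress_if]
    if not acl_permits(acl, src, dst):
        return None
    return src if mask == "src-only" else dst


if __name__ == "__main__":
    # Upstream: subscriber -> Internet, seen on Vlan100 before translation.
    print("Vlan100 upstream:", classify("Vlan100", SUBSCRIBER, REMOTE))
    # Downstream: reply arrives on Vlan402 addressed to the translated address.
    print("Vlan402 downstream (NATed dst):", classify("Vlan402", REMOTE, NAT_PUBLIC))
    # Same reply if it were seen with the private destination restored.
    print("Vlan402 downstream (private dst):", classify("Vlan402", REMOTE, SUBSCRIBER))
```

The downstream packet is unclassified only because its destination is the translated address; the same ACL matches once the private destination is visible at the point where the policy is evaluated.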


How much traffic does your FWSM handle, in Gbps, and how many translations at peak?


FWSM# sh xlate count
65238 in use, 82399 most used

At peak, 800-900 Mbps passes through so far.
