ASR1000 4L HQoS

In IOS XE this feature goes by the name service-group.

I have not had a chance to try it yet.

 

REF : http://d2zmdbbm9feqrf.cloudfront.net/2015/usa/pdf/BRKARC-2031.pdf

What are service-groups?

  • Service-groups allow linking multiple L3 sub-interfaces and L2 service instances together for the purpose of aggregated QoS
  • Before service-groups
    • QoS policies could be applied to individual L3 sub-interfaces, individual L2 service instances, or to ethernet main interfaces
    • In order to group multiple L3 or L2 entities together for QoS, a “mega-policy” on the main interface which classified multiple vlans in the topmost layer was required.
    • If various groups of vlans on the same physical interface required QoS, the configuration quickly became unmanageable.

Support for service-groups

  • Added in XE3.15, released March 2015
  • Supported on ASR1000, CSR1000V, and ISR4000 series platforms
  • Same functionality across all above platforms
  • Same scalability for all platforms
    • No dependence on ASR1000 RP or ESP version
    • No dependence on ASR1000 fixed chassis version
    • Same scalability for ISR 4300 and ISR4400 platforms

       

policy-map alpha
 class class-default
  shape average 10000000
!
interface GigabitEthernet0/0/0
 service instance 11 ethernet
  encapsulation dot1q 11
  group 10
 service instance 12 ethernet
  encapsulation dot1q 12
  group 10
!
interface GigabitEthernet0/0/0.13
 encapsulation dot1q 13
 group 10
!
interface GigabitEthernet0/0/0.14
 encapsulation dot1q 14
 group 10
!
service-group 10
 service-policy output alpha

Topology

In topologies built as shown above, a single Aggregation Point (Toplama Noktası, TN) at our central POP can contain more than one POP uplink. In such cases TT applies a limit to the Aggregation Point as a whole and also a separate limit to each uplink under it. In addition, we apply QoS by traffic type for each POP.

We could not implement QoS to meet these needs before IOS-XE 3.15. With later IOS releases we can meet these requirements. QoS is implemented by grouping the Layer 2/Layer 3 subinterfaces under an Aggregation Point and applying a grand policy under the service group.

The test network was set up as shown below. The same steps performed for Aggregation Point-1 can also be performed for Aggregation Point-2.

ASR1002 Configuration

IOS-XE: asr1000rp1-adventerprisek9.03.16.01a.S.155-3.S1a-ext.bin

During the tests, packets leaving the tester for the VOIP class were marked with DSCP EF.

Aggregation Point-1: 150 Mbit, containing the POP-1 and POP-2 uplinks

POP-1 and POP-2: 100 Mbit each

class-map match-any tn_backbone_qos_realtime
 match dscp ef
class-map match-any TN1_POP1
 match vlan 11
class-map match-any TN1_POP2
 match vlan 12

policy-map tn_backbone_qos_out
 class tn_backbone_qos_realtime
  priority percent 40
 class class-default
  bandwidth percent 60

policy-map TN1_CHILD
 class TN1_POP1
  shape average 100000000
  service-policy tn_backbone_qos_out
 class TN1_POP2
  shape average 100000000
  service-policy tn_backbone_qos_out

policy-map TN1
 class class-default
  shape average 150000000
  service-policy TN1_CHILD

service-group 1000
 service-policy output TN1

interface GigabitEthernet0/0/2.11
 description TN1_POP1
 encapsulation dot1Q 11
 ip address 11.1.1.2 255.255.255.252
 group 1000
!
interface GigabitEthernet0/0/2.12
 description TN1_POP2
 encapsulation dot1Q 12
 ip address 12.1.1.2 255.255.255.252
 group 1000
!
interface GigabitEthernet0/0/2.21
 description TN2_POP3
 encapsulation dot1Q 21
 ip address 21.1.1.2 255.255.255.252
 group 2000
!
interface GigabitEthernet0/0/2.22
 description TN2_POP4
 encapsulation dot1Q 22
 ip address 22.1.1.2 255.255.255.252
 group 2000

NOTE: The group number of Aggregation Point-2 is 2000. For this aggregation point too, a separate policy similar to the one above is created and attached under service-group 2000.

Test scenarios:

Tester stream-1: POP-1 VOIP
Tester stream-2: POP-1 DEFAULT
Tester stream-3: POP-2 VOIP
Tester stream-4: POP-2 DEFAULT

Test-1: With traffic only in the default class, when POP-1 and POP-2 in TN1 are not saturated against their own limits but the aggregation point they belong to is saturated, the default-class traffic is expected to be dropped in equal proportion.

Test-2: When the TN and the POP uplinks are saturated and the links carry both VOIP and default traffic, no drops are expected in the VOIP classes as long as the value set for VOIP is not exceeded; drops are expected in the default-class traffic.

Test-3: While the TN and the POP uplinks are saturated and the links carry both VOIP and default-class traffic, if more VOIP traffic is sent than the value set with priority, the traffic above the amount specified by the priority value is dropped.

Test-4: TN and POP-2 are not saturated, POP-1 is saturated; in this case no drops occur in the POP-1 VOIP class until the TN becomes saturated.

show commands that can be used on IOS-XE:

show policy-map target service-group 1000
show service-group interface gigabitEthernet 0/0/2 detail
show service-group stats
show service-group state
show service-group traffic-stats

Notes:

- second-dot1q can be used on the interfaces. In that case, because of the second VLAN header, the limit specified in the policy should be lowered somewhat. Otherwise drops may occur when the full limit is reached.

- A second service group has to be created for a second aggregation point under the main interface.
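
An added example, not part of the original post or of Cisco's material: an offline check of the service-group wiring used in the test configuration above. It verifies that every "group N" on a subinterface has a "service-group N" with a service-policy, and that the VLANs classified by that policy ("match vlan") are the VLANs carried by the group's members. Function names and the shortened sample config are constructed for illustration; only L3 subinterfaces with a single dot1Q tag are handled.

```python
import re

# Constructed sample: the page's TN1 test configuration, shortened. Group 2000
# has a member interface but no service-group block, as in the page's listing.
SAMPLE_CONFIG = """\
class-map match-any TN1_POP1
 match vlan 11
class-map match-any TN1_POP2
 match vlan 12
policy-map TN1_CHILD
 class TN1_POP1
  shape average 100000000
 class TN1_POP2
  shape average 100000000
policy-map TN1
 class class-default
  shape average 150000000
  service-policy TN1_CHILD
service-group 1000
 service-policy output TN1
interface GigabitEthernet0/0/2.11
 encapsulation dot1Q 11
 group 1000
interface GigabitEthernet0/0/2.12
 encapsulation dot1Q 12
 group 1000
interface GigabitEthernet0/0/2.21
 encapsulation dot1Q 21
 group 2000
"""


def sections(config):
    """Split a config into (top-level line, [indented child lines]) pairs."""
    out = []
    for line in config.splitlines():
        if not line.strip("! \t"):          # skip blank lines and "!" separators
            continue
        if not line[0].isspace():
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out


def policy_vlans(name, policies, class_vlans):
    """VLANs classified by policy-map `name` or by a policy nested under it."""
    vlans = set()
    for line in policies.get(name, []):
        words = line.split()
        if words[0] == "class":
            vlans |= class_vlans.get(words[1], set())
        elif words[0] == "service-policy":
            vlans |= policy_vlans(words[-1], policies, class_vlans)
    return vlans


def lint(config):
    """Return (group, problem, detail) findings for service-group wiring."""
    class_vlans, policies, group_policy, members = {}, {}, {}, {}
    for header, body in sections(config):
        kind, name = header.split()[0], header.split()[-1]
        if kind == "class-map":
            class_vlans[name] = {int(l.split()[-1]) for l in body
                                 if l.startswith("match vlan ")}
        elif kind == "policy-map":
            policies[name] = body
        elif kind == "service-group":
            group_policy[int(name)] = [l.split()[-1] for l in body
                                       if l.startswith("service-policy ")]
        elif kind == "interface":
            text = "\n".join(body)
            vlan = re.search(r"^encapsulation dot1q (\d+)", text, re.I | re.M)
            group = re.search(r"^group (\d+)$", text, re.M)
            if vlan and group:
                members.setdefault(int(group[1]), {})[name] = int(vlan[1])
    findings = []
    for group, ifaces in sorted(members.items()):
        if not group_policy.get(group):
            findings.append((group, "no-service-policy", sorted(ifaces)))
            continue
        classified = set()
        for pol in group_policy[group]:
            classified |= policy_vlans(pol, policies, class_vlans)
        carried = set(ifaces.values())
        for problem, vlans in (("class-without-member", classified - carried),
                               ("member-without-class", carried - classified)):
            if vlans:
                findings.append((group, problem, sorted(vlans)))
    return findings
```

A "member-without-class" finding means that subinterface's traffic falls into the child policy's class-default and is limited only by the aggregation-point shaper.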

ASR 1000 Parameterized QoS


Generally, two types of QoS are supported:

  1. Per-Session: Per-session policing is applied to the session as a whole, that is, to all of its data flows. It can be applied initially with the subscriber's Access-Accept, or applied or changed later via CoA. The Cisco-Session-Info AVP is used for this purpose. Example: Cisco-Session-Info=QU;512000;256000;D;512000;256000. Search for the Cisco RADIUS CoA Interface Guide; its Appendix A contains detailed information about this attribute. This method applies general policing to the whole session. You cannot prioritize particular kinds of traffic (VoIP etc.).
  2. Per-Flow: Per-flow QoS is applied via a regular policy-map. The QoS policy-map is defined and applied with one of the following methods (see Deploying the Quality of Service (QoS) and Configuring ISG Policies for Regulating Network Access):
          • Define and apply the QoS policy from CLI.
          • Define the QoS policy in CLI, but apply it from RADIUS.
          • Define and apply the QoS policy from RADIUS. This is also called Parameterized QoS.

You cannot apply per-session and per-flow QoS simultaneously.

Also, the QoS order of operation has changed on the ASR 1K / IOS XE. Please read Hierarchical Color-Aware Policing carefully.

For more detailed information :

Deploying the Quality of Service (QoS)

Configuring RADIUS-Based Policing, IOS XE 3S

Hierarchical Color-Aware Policing

Examples :

General Config (Only related config)

aaa server radius dynamic-author
client X.X.X.X server-key X
port 1645
auth-type any
ignore session-key
!
policy-map type service INTERNET
service local
ip unnumbered Loopback10
!
policy-map type control PPPOE_TEST
……
class type control INTERNET event service-start
1 service-policy type service unapply name UNAUTH_PPP_SERVICE
2 service-policy type service identifier service-name
!
class type control INTERNET event service-stop
1 service-policy type service unapply identifier service-name
2 service-policy type service name UNAUTH_PPP_SERVICE
!
……
class type control always event session-start
1 service-policy type service name PBHK
2 authenticate aaa list pppoe
!
aaa policy interface-config allow-subinterface
!
bba-group pppoe yapa
virtual-template 3
!
interface Virtual-Template3
mtu 1492
ip unnumbered Loopback10
ip verify unicast reverse-path
no ip split-horizon
ip tcp adjust-mss 1452
no logging event link-status
load-interval 30
no peer default ip address
ppp authentication pap pppoe
ppp authorization pppoe
ppp accounting pppoe
service-policy type control PPPOE_TEST
end
!

1 – Per-Session Example :

Subscriber AAA Profile :

testdsl3@testadsl Cisco-Service-Info += QU;512000;256000;D;512000;256000
testdsl3@testadsl cisco-avpair += ip:addr-pool=xdslpool
testdsl3@testadsl Cisco-Account-Info += AINTERNET

show subscriber session username testdsl3@testadsl
……….
Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
0 In 512000 256000 0 Peruser
1 Out 512000 256000 0 Peruser
……….

Update Session via COA

radpwtst -s 192.168.1.1 -secret XXXX -noauth -noacct -code Change-Filter-Request -trace 4 Cisco-Account-Info="S1.1.1.1:vrf-id=INTERNET" Cisco-Service-Info="QU;100000;256000;D;100000;256000"

show subscriber session username testdsl3@testadsl
……….
Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
0 In 100000 256000 0 Peruser
1 Out 100000 256000 0 Peruser
……….

2- Per-Flow Example :

2.1 Define and apply the QoS policy from CLI: It is simple: apply the policy-map under the virtual-template etc., and it will be applied to all sessions. This is not very useful unless you find a way to change the policy parameters for each customer via RADIUS etc.

2.2 Define the QoS policy in CLI, but apply it from RADIUS: You can change or add new configuration to the policy-map via RADIUS (but the ACLs and class-maps must be configured locally on the ISG).

Example 1: Simple setup. The policy-map is defined in the CLI. RADIUS sends the policy-map name for each customer in the Access-Accept message. So for every customer or speed group a different policy-map is required, configured with the customer's download/upload speeds and service classes. I have not included any configuration for this kind of setup as it is very simple.

Example 2: As in Example 1, a generic policy-map is defined. It can be changed dynamically via RADIUS attributes (adding/modifying classes).

MQC CLI Configuration :

access-list 102 remark BB_QoS_UP
access-list 102 permit ip any host X.X.X.X

access-list 101 remark BB_QoS_DOWN
access-list 101 permit ip host X.X.X.X any

class-map match-all BB_QoS_VOIP_DOWN
match access-group 101

class-map match-all BB_QoS_VOIP_UP
match access-group 102

policy-map BB_GENERIC_PARENT_DOWN
class class-default
shape average 200000
service-policy BB_QoS_VOIP_DOWN

policy-map BB_QoS_VOIP_DOWN
class BB_QoS_VOIP_DOWN
priority percent 30

policy-map BB_GENERIC_PARENT_UP
class class-default
police cir 5120000 bc 160000 conform-action transmit exceed-action drop
service-policy BB_QoS_VOIP_UP

policy-map BB_QoS_VOIP_UP
class BB_QoS_VOIP_UP
set mpls experimental imposition 0
class class-default
set mpls experimental imposition 0

Subscriber Profile :

testdsl3@testadsl cisco-avpair += ip:sub-qos-policy-in=BB_GENERIC_PARENT_UP
testdsl3@testadsl cisco-avpair += ip:sub-qos-policy-out=BB_GENERIC_PARENT_DOWN
testdsl3@testadsl cisco-avpair += ip:addr-pool=xdslpool
testdsl3@testadsl Cisco-Account-Info += AINTERNET

Update session via CoA: changing the value of the parent policy's class-default (the ISG applies twice the value in the CoA message to the configuration; this is the result of subscriber service police percent-factor 100 if the QoS contains policing, or subscriber service shaper percent-factor 100 if the QoS contains shaping). You can also change the values of the other policy-map classes.

radpwtst -s X.X.X.X -secret X -noauth -noacct -code Change-Filter-Request -trace 4 Cisco-Account-Info="S1.1.1.1:vrf-id=INTERNET" cisco-avpair="ip:qos-policy-in=add-class(sub,(class-default),police(220000))"

radpwtst -s X.X.X.X -secret X -noauth -noacct -code Change-Filter-Request -trace 4 Cisco-Account-Info="S1.1.1.1:vrf-id=INTERNET" cisco-avpair="ip:qos-policy-out=add-class(sub,(class-default),shape(150400))"

show policy-map interface Vi2.1

Virtual-Access2.1

SSS session identifier 887 –

Service-policy input: BB_GENERIC_PARENT_UP$class-default;police=440000,0,0$BB_QoS_VOIP_UP$class-default

Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
police:
cir 440000 bps, bc 13750 bytes, be 13750 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

Service-policy : BB_QoS_VOIP_UP

Class-map: BB_QoS_VOIP_UP (match-all)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: access-group 102
QoS Set
mpls experimental imposition 0
Marker statistics: Disabled

Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
QoS Set
mpls experimental imposition 0
Marker statistics: Disabled

Virtual-Access2.1

SSS session identifier 887 –

Service-policy output: BB_GENERIC_PARENT_DOWN$class-default;shape=300800$BB_QoS_VOIP_DOWN$class-default

Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 300800, bc 1204, be 1204
target shape rate 300800

Service-policy : BB_QoS_VOIP_DOWN

queue stats for all priority classes:
Queueing
queue limit 512 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

Class-map: BB_QoS_VOIP_DOWN (match-all)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: access-group 101
Priority: 30% (90 kbps), burst bytes 9216, b/w exceed drops: 0

Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any

queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

The policy-map parameters can also be changed in the initial Access-Accept. A general policy-map must be configured on the ISG, and the policy-map values are changed according to the subscriber's bandwidth profile (a kind of dynamic template).

testdsl3@testadsl cisco-avpair += ip:addr-pool=xdslpool
testdsl3@testadsl cisco-avpair += ip:qos-policy-out=add-class(sub,(class-default),shape(160000))
testdsl3@testadsl Cisco-Account-Info += AINTERNET
testdsl3@testadsl cisco-avpair += ip:sub-qos-policy-in=BB_GENERIC_PARENT_UP
testdsl3@testadsl cisco-avpair += ip:qos-policy-in=add-class(sub,(class-default),police(220000))
testdsl3@testadsl cisco-avpair += ip:sub-qos-policy-out=BB_GENERIC_PARENT_DOWN

sh policy-map interface Vi2.1

Virtual-Access2.1

SSS session identifier 888 –

Service-policy input: BB_GENERIC_PARENT_UP$class-default;police=440000,0,0$BB_QoS_VOIP_UP$class-default

Class-map: class-default (match-any)
27 packets, 1240 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
police:
cir 440000 bps, bc 13750 bytes, be 13750 bytes
conformed 27 packets, 1240 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

Service-policy : BB_QoS_VOIP_UP

Class-map: BB_QoS_VOIP_UP (match-all)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: access-group 102
QoS Set
mpls experimental imposition 0
Marker statistics: Disabled

Class-map: class-default (match-any)
27 packets, 1240 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
QoS Set
mpls experimental imposition 0
Marker statistics: Disabled

Virtual-Access2.1

SSS session identifier 888 –

Service-policy output: BB_GENERIC_PARENT_DOWN$class-default;shape=320000$BB_QoS_VOIP_DOWN$class-default

Class-map: class-default (match-any)
6 packets, 340 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 1/150
shape (average) cir 320000, bc 1280, be 1280
target shape rate 320000

Service-policy : BB_QoS_VOIP_DOWN

queue stats for all priority classes:
Queueing
queue limit 512 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

Class-map: BB_QoS_VOIP_DOWN (match-all)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: access-group 101
Priority: 30% (96 kbps), burst bytes 9216, b/w exceed drops: 0

Class-map: class-default (match-any)
6 packets, 340 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: any

queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 1/150

Example 3 :

A more complex QoS deployment with RADIUS integration. Generally, subscribers have different up/down speed combinations. Defining a different policy-map for each will increase the size of the configuration file. Also, some customers may have a voice service and some may not. In Example 2, the child policy has the default voice service applied. In this example I have applied an empty child policy (this is required for adding additional classes to the customer's parent policy-map).

I tried to define one general default policy-map via CLI for each QoS customer and to add/change class maps in this default policy-map via RADIUS according to the subscriber's QoS requirements.

General policy-map definition: This will be used for all subscribers. RADIUS will change the generic shaping and policing values according to the customer's service speed. But be careful with this kind of usage, as the physical interface speed and the customer's service speed may differ (as in a broadband xDSL configuration; read Broadband Forum TR-147, sections 6.1 and 6.2). There is no problem as long as the customer's physical access speed is greater than or equal to the customer's service speed (what the customer bought). If it is below the customer's service speed, there will be a problem in the QoS deployment: there will be congestion at the physical level before the customer reaches the service speed. For example:

Customer service speed = 10MB download and 1 MB upload. But the DSLAM and the customer may sync at 4MB. With this method you regulate the customer at 10MB; there is no problem with that. But if you are also deploying QoS, the QoS mechanism waits for the line to become congested at 10MB, which is never going to happen.

You have to tell the BNG or RADIUS this physical speed. This can be done via PPPoE tags: the DSLAM may set PPPoE tags with the line's physical speed, and RADIUS can use this information for setting the customer speed and QoS parameters, and also for reporting. Another method can be ANCP.

policy-map BB_GENERIC_CHILD_DOWN ! Empty child policy is required to add additional classes via radius
policy-map BB_GENERIC_PARENT_DOWN
class class-default
shape average 20000000
service-policy BB_GENERIC_CHILD_DOWN

policy-map BB_GENERIC_CHILD_UP ! Empty child policy is required to add additional classes via radius
policy-map BB_GENERIC_PARENT_UP
class class-default
police cir 512000 bc 16000 conform-action set-mpls-exp-topmost-transmit 0 exceed-action drop violate-action drop
service-policy BB_GENERIC_CHILD_UP

For IN (CE to PE): one QoS group, BB_QoS_VOIP_UP, is added, which is not defined in the CLI-defined class BB_GENERIC_PARENT_UP (although the class map must be defined beforehand via CLI). Some QoS actions, such as set-mpls-exp-topmost-transmit, are not supported. Read Hierarchical Color-Aware Policing carefully for detailed information about the input policing feature.

'cisco-avpair', 'ip:qos-policy-in=add-class(sub,(class-default,BB_QoS_VOIP_UP),police(128000),set-qos-grp(43))' ! This will add the voice class
'cisco-avpair', 'ip:sub-qos-policy-in=BB_GENERIC_PARENT_UP' ! This is the default policy map
'cisco-avpair', 'ip:qos-policy-in=add-class(sub,(class-default),police(1500000))' ! This will change the police bandwidth of the whole session.

If you want to change the bandwidth of the whole session, for example for fair-usage reasons, but do not want an upper class such as voice to be affected, you can add a default class to the child policy with the speed you want.

'cisco-avpair', 'ip:qos-policy-in=add-class(sub,(class-default,class-default),police(50000))' ! This will add a default class to the child policy map.

For DOWN (PE to CE): Similar to the IN policy map, with more classes.

'cisco-avpair', 'ip:qos-policy-out=add-class(sub,(class-default,BB_QoS_VOIP_DOWN),police(128000),pri-level(1))'
'cisco-avpair', 'ip:qos-policy-out=add-class(sub,(class-default,BB_QoS_IPTV_DOWN),police(1000000),pri-level(2))'
'cisco-avpair', 'ip:qos-policy-out=add-class(sub,(class-default),shape(1500000))'
'cisco-avpair', 'ip:qos-policy-out=add-class(sub,(class-default,class-default),shape(350000))'
'cisco-avpair', 'ip:sub-qos-policy-out=BB_GENERIC_PARENT_DOWN'

With this, all customer inbound traffic will be policed to 3MB, class BB_GENERIC_PARENT_UP will have 256K, and the default class will have 1M.
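
An added example, not from the original post: a RADIUS-side check for the add-class AVPairs used in Examples 2 and 3. It parses an AVPair, lists class names that are not configured locally on the ISG, and compares the requested parent rate with the rate in the policy name printed by show policy-map interface (the doubling described under the CoA update in Example 2). Function names are hypothetical, and the policy-name parsing assumes the format seen in the outputs above.

```python
import re

# add-class AVPair shape used on this page:
#   ip:qos-policy-{in|out}=add-class(sub,(<class path>),<action>(<n>)[,...])
AVPAIR_RE = re.compile(
    r"^ip:qos-policy-(in|out)=add-class\(sub,\s*\(([^)]*)\)\s*,\s*(.*)\)$")
ACTION_RE = re.compile(r"([a-z-]+)\((\d+(?:,\d+)*)\)")
# Assumption: the parent-level rate is embedded in the dynamic policy name
# the way the page's "show policy-map interface" output prints it.
APPLIED_RE = re.compile(r"\$class-default;(police|shape)=(\d+)")

# Class-maps configured locally in the page's MQC CLI configuration.
LOCAL_CLASS_MAPS = {"BB_QoS_VOIP_UP", "BB_QoS_VOIP_DOWN"}

# Requested AVPairs and resulting policy names, copied from the page's CoA test.
COA_IN = "ip:qos-policy-in=add-class(sub,(class-default),police(220000))"
APPLIED_IN = ("BB_GENERIC_PARENT_UP$class-default;police=440000,0,0"
              "$BB_QoS_VOIP_UP$class-default")
COA_OUT = "ip:qos-policy-out=add-class(sub,(class-default),shape(150400))"
APPLIED_OUT = ("BB_GENERIC_PARENT_DOWN$class-default;shape=300800"
               "$BB_QoS_VOIP_DOWN$class-default")
# Example 3 AVPair whose class-map does not appear in the page's CLI config.
IPTV_OUT = ("ip:qos-policy-out=add-class(sub,(class-default,BB_QoS_IPTV_DOWN),"
            "police(1000000),pri-level(2))")


def parse_add_class(avpair):
    """Split one add-class AVPair into direction, class path and actions."""
    m = AVPAIR_RE.match(avpair.strip())
    if m is None:
        raise ValueError("not an add-class AVPair: %r" % avpair)
    direction, path, actions = m.groups()
    parsed = {name: [int(v) for v in args.split(",")]
              for name, args in ACTION_RE.findall(actions)}
    if not parsed:
        raise ValueError("no actions in %r" % avpair)
    return {"direction": direction,
            "class_path": [c.strip() for c in path.split(",")],
            "actions": parsed}


def undefined_classes(avpair, local_class_maps=LOCAL_CLASS_MAPS):
    """Class names in the AVPair that are not configured on the ISG."""
    return [c for c in parse_add_class(avpair)["class_path"]
            if c != "class-default" and c not in local_class_maps]


def rate_check(avpair, policy_name):
    """Compare the parent class-default rate requested by RADIUS with the
    rate in the installed policy name: (action, requested, applied, ratio)."""
    req = parse_add_class(avpair)
    if req["class_path"] != ["class-default"]:
        raise ValueError("AVPair does not target the parent class-default")
    m = APPLIED_RE.search(policy_name)
    if m is None:
        raise ValueError("no parent rate in policy name %r" % policy_name)
    action, applied = m.group(1), int(m.group(2))
    if action not in req["actions"]:
        raise ValueError("installed %s was not requested" % action)
    requested = req["actions"][action][0]
    return action, requested, applied, applied / requested


if __name__ == "__main__":
    for av, name in ((COA_IN, APPLIED_IN), (COA_OUT, APPLIED_OUT)):
        print(rate_check(av, name))
    print("undefined classes:", undefined_classes(IPTV_OUT))
```

A ratio other than 1.0 means the subscriber is being policed or shaped at a different rate than the one RADIUS sent, so the value in the AVPair has to be chosen with the configured percent-factor in mind.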

I also wrote a piece of code on the RADIUS side to solve the physical speed problem.

The DSLAM inserts PPPoE tags for dsl-sync-rate.

bba-group pppoe yapa
virtual-template 1
vendor-tag circuit-id service
vendor-tag remote-id service
vendor-tag dsl-sync-rate service

policy-map BB_GENERIC_ERROR_DOWN
class class-default
shape average 1000000
service-policy BB_GENERIC_CHILD_DOWN

policy-map BB_GENERIC_ERROR_UP
class class-default
police cir 512000 bc 16000 conform-action set-mpls-exp-topmost-transmit 0 exceed-action drop violate-action drop
service-policy BB_GENERIC_CHILD_UP

RADIUS checks the customer's physical speed, which arrives via the PPPoE tags, against the customer speed. Simply:

If customer speed < physical speed, send the BB_GENERIC_ERROR policy maps

if a customer-specific policy map is defined, send it (for enterprise customers, which may have dedicated QoS policy-maps)

if sum of all classes' speed < physical speed, send the BB_GENERIC_ERROR policy maps

if sum of all classes' speed < customer speed, send the BB_GENERIC_ERROR policy maps

else send the customer class and speed parameters

Also, from the CDRs you can get the applied policy names and report the customers that have ERROR policy maps.

2.3 Define and apply the QoS policy from RADIUS: This is explained in the ASR 9000 configuration guide (for the ASR 1000 it should be defined via CLI; see Configuring Parameterized QoS Policy Through RADIUS), so I have not had a chance to try it. However, I tried it on the ASR 1000, but the session never came up. I only tried to configure a simple policy-map via RADIUS, just shaping under the default class:

testdsl3@testadsl cisco-avpair += ip:addr-pool=xdslpool
testdsl3@testadsl Cisco-Account-Info += AINTERNET
testdsl3@testadsl cisco-avpair += ip:qos-policy-out=add-class(sub, (class-default), shape(4000))

Apply config request set to AAA list
Config: ssg-account-info 0 “AINTERNET”
Config: addr-pool 0 “xdslpool”
Config: qos-policy-out 0 “add-class(sub, (class-default), shape(4000))”
Oct 23 11:52:48 TR: SSS PM [uid:904][425345B0]: Sending testdsl3@testadsl request to AAA
Oct 23 11:52:48 TR: SSS PM [uid:904][425345B0]: SSS PM: Allocating per-user profile info
Oct 23 11:52:48 TR: SSS PM [uid:904][425345B0]: SSS PM: Add per-user profile info to policy context
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Root SIP PPPoE
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Enable PPPoE parsing
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Enable PPP parsing
Oct 23 11:52:48 TR: SSS PM [uid:904][425345B0]: ACTIVE HANDLE[0]: Snapshot captured in Active context
Oct 23 11:52:48 TR: SSS PM [uid:904][425345B0]: ACTIVE HANDLE[0]: Active context created
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Event <make request>, state changed from idle to authorizing
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Active key set to Auth-User
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Authorizing key testdsl3@testadsl
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Spoofed AAA reply sent for key testdsl3@testadsl
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Received an AAA pass
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: Could not parse AAA interim interval
Oct 23 11:52:48 TR: COA_CCM:Poisoning session for SHDB 0x3C0002BB.
Oct 23 11:52:48 TR: COA_HA: [ERR] Unable to get coa_ctx from shdb 0x3C0002BB
Oct 23 11:52:48 TR: SSS PM [uid:904][425345B0]: RULE: Service Name = INTERNET Ok
Oct 23 11:52:48 TR: SSS PM [uid:904][425345B0]: Attribute list added to service name INTERNET
Oct 23 11:52:48 TR: SSS AAA AUTHOR [uid:904]: AAA service-policy config for testdsl3@testadsl had errors

LFA, Remote LFA restrictions on Cisco, ASR1000

Only physical interfaces and physical port-channel interfaces are protected. Subinterfaces, tunnels, and virtual interfaces are not protected (http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_isis/configuration/15-s/irs-rmte-lfa-frr.html#GUID-3C5537BF-6FF5-4A7A-A9E1-4ED82AB1280B). 

I guess this is also true for OSPF :). On the ASR 1000 (tried only on the 1002 and 1004), with IGP (OSPF) adjacencies over subinterfaces, prefixes are not protected (LFA is not working). When I moved the IGP configuration to the main interface, the prefixes were protected.

Actually, this may be the sensible behaviour. It makes sense if we think of the LFA structure as a triangle topology. If we consider that LFA provides redundancy to the corners of the triangle, and that the connections from one corner to the others are made over subinterfaces under the same physical interface, then when the physical link goes down the connections to the other two corners go down as well. Of course, this reasoning can lose its meaning if the virtual circuits on these subinterfaces follow different paths, or the subinterfaces may be under different main interfaces, in which case it again loses its meaning. I still could not find out exactly why there is such a restriction. The ASR1000 series are software-based devices; maybe there is a limitation related to that. I have learned that this is a bug. I do not know which IOS XE releases it affects.

P : Protection Space, the area reachable without the link in question.

Q :

Configuration:

PE-1, 2 and 3 are connected in a triangle configuration.

 

IGP with Subinterface : 

No prefix protection

PE-1 :
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/0.117
encapsulation dot1Q 117
ip address 192.168.1.213 255.255.255.252
ip ospf network point-to-point
ip ospf 11111 area 0
mpls ip
mpls traffic-eng tunnels
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.118
encapsulation dot1Q 118
ip address 192.168.1.153 255.255.255.252
ip ospf network broadcast ! I have also tried P2P, and different SRLG groups
ip ospf 11111 area 0
mpls ip
mpls traffic-eng tunnels
!

router ospf 11111
router-id 192.168.126.232
fast-reroute per-prefix enable prefix-priority low
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!

PE-2 :

interface GigabitEthernet0/0/0
mtu 9216
no ip address
negotiation auto
cdp enable
!
interface GigabitEthernet0/0/0.116
encapsulation dot1Q 116
ip address 192.168.1.209 255.255.255.252
ip mtu 1500
ip ospf network point-to-point
ip ospf 11111 area 0
mpls ip
mpls label protocol ldp
mpls traffic-eng tunnels
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.118
encapsulation dot1Q 118
ip address 192.168.1.154 255.255.255.252
ip ospf network broadcast ! I have also tried P2P, and different SRLG groups
ip ospf 11111 area 0
mpls ip
mpls traffic-eng tunnels
!

router ospf 11111
router-id 192.168.126.230
fast-reroute per-prefix enable prefix-priority low
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!

PE-3 :

interface GigabitEthernet0/0/1
mtu 9216
no ip address
load-interval 30
negotiation auto
cdp enable
!

interface GigabitEthernet0/0/1.116
encapsulation dot1Q 116
ip address 192.168.1.210 255.255.255.252
ip mtu 1500
ip ospf network point-to-point
ip ospf 11111 area 0
mpls ip
mpls traffic-eng tunnels
!
interface GigabitEthernet0/0/1.117
encapsulation dot1Q 117
ip address 192.168.1.214 255.255.255.252
ip mtu 1500
ip ospf network point-to-point
ip ospf 11111 area 0
mpls ip
mpls traffic-eng tunnels
!
router ospf 11111
router-id 192.168.126.131
ispf
nsf ietf
fast-reroute per-prefix enable area 0 prefix-priority low
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!

PE-2#show ip ospf fast-reroute prefix-summary

OSPF Router with ID (193.192.126.232) (Process ID 12735)
Base Topology (MTID 0)

Area 0:

Interface     Protected   Primary paths       Protected paths     Percent protected
                          All   High   Low    All   High   Low    All   High   Low
Lo0           Yes           0      0     0      0      0     0     0%     0%    0%
Gi0/0/1.118   No            2      1     1      0      0     0     0%     0%    0%
Gi0/0/0.117   No          155     76    79      0      0     0     0%     0%    0%

Area total:               157     77    80      0      0     0     0%     0%    0%

Process total:            157     77    80      0      0     0     0%     0%    0%

IGP under main physical interface :

After moving the subinterface configuration to the main interfaces on PE-1 and PE-2:

PE-1 :

no interface GigabitEthernet0/0/1.118
interface GigabitEthernet0/0/1
ip address 192.168.1.154 255.255.255.252
ip ospf network broadcast
ip ospf 11111 area 0
negotiation auto
mpls ip
mpls traffic-eng tunnels
end

PE-2 :

no interface GigabitEthernet0/0/1.118
interface GigabitEthernet0/0/1
ip address 192.168.1.153 255.255.255.252
ip ospf network broadcast
ip ospf 11111 area 0
negotiation auto
mpls ip
mpls traffic-eng tunnels
end

 

All prefixes are protected.

PE-2#show ip ospf fast-reroute prefix-summary

OSPF Router with ID (192.168.126.232) (Process ID 11111)
Base Topology (MTID 0)

Area 0:

Interface     Protected   Primary paths       Protected paths     Percent protected
                          All   High   Low    All   High   Low    All   High   Low
Lo0           Yes           0      0     0      0      0     0     0%     0%    0%
Gi0/0/1       Yes           2      1     1      2      1     1   100%   100%  100%
Gi0/0/0.117   No          155     76    79      0      0     0     0%     0%    0%

Area total:               157     77    80      2      1     1     1%     1%    1%

Process total:            157     77    80      2      1     1     1%     1%    1%
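
An added example, not from the original post: a parser for the "show ip ospf fast-reroute prefix-summary" output above that reports interfaces carrying primary paths without full LFA protection and marks which of them are subinterfaces. The two sample outputs are constructed from the rows shown on this page; the function name is hypothetical.

```python
import re

# One data row: interface, Yes/No, three primary-path counters,
# three protected-path counters, three percentages.
ROW_RE = re.compile(
    r"^\s*(?P<intf>[A-Za-z][\w/.-]*)\s+(?P<flag>Yes|No)\s+"
    r"(?P<primary>\d+)\s+\d+\s+\d+\s+"
    r"(?P<protected>\d+)\s+\d+\s+\d+\s+"
    r"\d+%\s+\d+%\s+\d+%\s*$")

# Constructed samples using the rows from the page's two captures.
BEFORE = """\
Interface Protected Primary paths Protected paths Percent protected
All High Low All High Low All High Low
Lo0 Yes 0 0 0 0 0 0 0% 0% 0%
Gi0/0/1.118 No 2 1 1 0 0 0 0% 0% 0%
Gi0/0/0.117 No 155 76 79 0 0 0 0% 0% 0%
Area total: 157 77 80 0 0 0 0% 0% 0%
"""

AFTER = """\
Interface Protected Primary paths Protected paths Percent protected
All High Low All High Low All High Low
Lo0 Yes 0 0 0 0 0 0 0% 0% 0%
Gi0/0/1 Yes 2 1 1 2 1 1 100% 100% 100%
Gi0/0/0.117 No 155 76 79 0 0 0 0% 0% 0%
Area total: 157 77 80 2 1 1 1% 1% 1%
"""


def unprotected_interfaces(output):
    """Return one dict per interface that carries primary paths of which
    fewer than all have a repair path. Header and total rows are skipped
    because they do not match ROW_RE."""
    findings = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue
        primary, protected = int(m["primary"]), int(m["protected"])
        if primary and protected < primary:
            findings.append({
                "interface": m["intf"],
                "primary": primary,
                "protected": protected,
                # A dot in the name means an IGP adjacency on a subinterface,
                # the case the restriction quoted above applies to.
                "subinterface": "." in m["intf"],
            })
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for f in unprotected_interfaces(text):
            print(label, f)
```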

 

Routing Resiliency – Latest Enhancements