monitor port rx and tx

Traffic Types

SPAN sessions include these traffic types:

•Receive (Rx) SPAN—The goal of receive (or ingress) SPAN is to monitor as much as possible all packets received by the source interface or VLAN before any modification or processing is performed by the switch. A copy of each packet received by the source is sent to the destination port for that SPAN session. You can monitor a series or range of ingress ports or VLANs in a SPAN session.

On tagged packets (Inter-Switch Link [ISL] or IEEE 802.1Q), the tagging is removed at the ingress port. At the destination port, if tagging is enabled, the packets appear with the ISL or 802.1Q headers. If no tagging is specified, packets appear in the native format.

Packets that are modified because of routing are copied without modification for Rx SPAN; that is, the original packet is copied. Packets that are modified because of quality of service (QoS)—for example, modified Differentiated Services Code Point (DSCP)—are copied without modification for Rx SPAN.

Some features that can cause a packet to be dropped during receive processing have no effect on SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped. These features include IP standard and extended input access control lists (ACLs), IP standard and extended output ACLs for unicast and ingress QoS policing, VLAN maps, ingress QoS policing, and policy-based routing. Switch congestion that causes packets to be dropped also has no effect on SPAN.

•Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all packets sent by the source interface after the switch performs all modification and processing. After the packet is modified, the source sends a copy of each packet to the destination port for that SPAN session. You can monitor a range of egress ports in a SPAN session.

Packets that are modified because of routing—for example, with a time-to-live (TTL) or MAC-address modification—are duplicated at the destination port. On packets that are modified because of QoS, the modified packet might not have the same DSCP (IP packet) or CoS (non-IP packet) as the SPAN source.

Some features that can cause a packet to be dropped during transmit processing might also affect the duplicated copy for SPAN. These features include VLAN maps, IP standard and extended output ACLs on multicast packets, and egress QoS policing. In the case of output ACLs, if the SPAN source drops the packet, the SPAN destination would also drop the packet. In the case of egress QoS policing, if the SPAN source drops the packet, the SPAN destination might not drop it. If the source port is oversubscribed, the destination ports have different dropping behavior.

•Both—In a SPAN session, you can monitor a single port series or a range of ports for both received and sent packets.

QOS:Police-Shaping

QOS:Police-Shaping

Shaping implies the existence of a queue and of sufficient memory to buffer delayed packets, while policing does not. Queueing is an outbound concept; packets going out an interface get queued and can be shaped. Only policing can be applied to inbound traffic on an interface. Examples of scheduling functions are Class Based Weighted Fair Queuing (CBWFQ) and Low Latency Queuing (LLQ). Shaping Policing Objective Buffer and queue excess packets above the committed rates. Drop (or remark) excess packets above the committed rates. Does not buffer.* Token Refresh Rate Incremented at the start of a time interval. (Minimum number of intervals is required.) Continuous based on formula: 1 / committed information rate Token Values Configured in bits per second. Configured in bytes. Configuration Options shape command in the modular quality of service command-line interface (MQC) to implement class-based shaping. frame-relay traffic-shape command to implement Frame Relay Traffic Shaping (FRTS). traffic-shape command to implement Generic Traffic Shaping (GTS). police command in the MQC to implement class-based policing. rate-limit command to implement committed access rate (CAR). Applicable on Inbound No Yes Applicable on Outbound Yes Yes Bursts Controls bursts by smoothing the output rate over at least eight time intervals. Uses a leaky bucket to delay traffic, which achieves a smoothing effect. Propagates bursts. Does no smoothing. Advantages Less likely to drop excess packets since excess packets are buffered. (Buffers packets up to the length of the queue. Drops may occur if excess traffic is sustained at high rates.) Typically avoids retransmissions due to dropped packets. Controls the output rate through packet drops. Avoids delays due to queuing. Disadvantages Can introduce delay due to queuing, particularly deep queues. Drops excess packets (when configured), throttling TCP window sizes and reducing the overall output rate of affected traffic streams. Overly aggressive burst sizes may lead to excess packet drops and throttle the overall output rate, particularly with TCP-based flows. Optional Packet Remarking No Yes (with legacy CAR feature).  The value of Tc defines the time interval during which you send the Bc bits in order to maintain the average rate of the CIR in seconds.     Tc = Bc/CIR (in seconds) Example using a CIR (or policer rate) of 8000 bps and a normal burst of 1000 bytes. Router(config)# policy-map police-setting Router(config-pmap)# class access-match Router(config-pmap-c)# police 8000 1000 conform-action transmit exceed-action drop The token buckets starts full at 1000 bytes. If a 450 byte packet arrives, the packet conforms because enough bytes are available in the token bucket.  The conform action (transmit) is taken by the packet and 450 bytes are removed from the token bucket (leaving 550 bytes).  If the next packet arrives .25 seconds later, 250 bytes are added to the token bucket as per the following formula: (0.25 * 8000)/8 The calculation leaves 700 bytes in the token bucket.  If the next packet is 800 bytes, the packet exceeds and the exceed action (drop) is taken. No bytes are taken from the token bucket. Both the shape and police commands restrict the output rate to a maximum kbps value. Importantly, neither mechanism provides a minimum bandwidth guarantee during periods of congestion.  Use the bandwidth or priority command to provide such guarantees. Traffic Policing Command Purpose Router(config-pmap-c)# police bps burst-normal burst-maxconform-action action exceed-action action violate-actionaction Specifies a maximum bandwidth usage by a traffic class. In this particular example, traffic policing is configured with the average rate at 8000 bits per second, the normal burst size at 2000 bytes, and the excess burst size at 4000 bytes. Packets coming into Fast Ethernet interface 0/0 are evaluated by the token bucket algorithm to analyze whether packets conform exceed, or violate the specified parameters. Packets that conform are transmitted, packets that exceed are assigned a QoS group value of 4 and are transmitted, and packets that violate are dropped. Router(config)# class-map acgroup2Router(config-cmap)# match access-group 2Router(config-cmap)# exitRouter(config)# policy-map policeRouter(config-pmap)# class acgroup2Router(config-pmap-c)# police 8000 2000 4000 conform-action transmit exceed-action set-qos-transmit 4 violate-action dropRouter(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface fastethernet 0/0Router(config-if)# service-policy input police Token Bucket Algorithm with One Token Bucket The one token bucket algorithm is used when the violate-action option is not specified in the police command CLI. The conform bucket is initially set to the full size (the full size is the number of bytes specified as the normal burst size). When a packet of size B bytes arrives at time t the following actions occur: a. Tokens are updated in the conform bucket. If the previous arrival of the packet was at t1 and the current time is t, the bucket is updated with (t-t1) worth of bits based on the token arrival rate. The token arrival rate is calculated as follows: (time between packets<which is equal to t-t1> * policer rate)/8 bytes b. If the number of bytes in the conform bucket - B is greater than or equal to 0, the packet conforms and the conform action is taken on the packet. If the packet conforms, B bytes are removed from the conform bucket and the conform action is completed for the packet. c. If the number of bytes in the conform bucket - B is less than 0, the exceed action is taken. Example:  Router(config-pmap-c)# police 8000 1000 conform-action transmit exceed-action drop Token Bucket Algorithm with Two Token Buckets The two token bucket algorithm is used when the violate-action is specified in the police command CLI. The conform bucket is initially full (the full size is the number of bytes specified as the normal burst size). The exceed bucket is initially full (the full exceed bucket size is the number of bytes specified in the maximum burst size). The tokens for both the conform and exceed token buckets are updated based on the token arrival rate (or CIR). When a packet of size B bytes arrives at time t the following actions occur: a. Tokens are updated in the conform bucket. If the previous arrival of the packet was at t1 and the current arrival of the packet is at t, the bucket is updated with t-t1 worth of bits based on the token arrival rate. The refill tokens are placed in the conform bucket. If the tokens overflow the conform bucket, the overflow tokens are placed in the exceed bucket. The token arrival rate is calculated as follows: (time between packets<which is equal to t-t1> * policer rate)/8 bytes b. If the number of bytes in the conform bucket - B is greater than or equal to 0, the packet conforms and the conform action is taken on the packet. If the packet conforms, B bytes are removed from the conform bucket and the conform action is taken. The exceed bucket is unaffected in this scenario. c. If the number of bytes in the conform bucket - B is less than 0, the excess token bucket is checked for bytes by the packet. If the number of bytes in the exceed bucket - B is greater than or equal to 0, the exceed action is taken and B bytes are removed from the exceed token bucket. No bytes are removed from the conform bucket. d. If the number of bytes in the exceed bucket - B is less than 0, the packet violates and the violate action is taken. The action is complete for the packet. Example: Router(config-pmap-c)# police 8000 1000 1000 conform-action transmit exceed-action set-qos-transmit 1 violate-action drop Source:   http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a00800a3a25.shtml http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftpoli.html

OSPF on CE-PE links

And here it comes a pretty long post. For those without too much free time (I also include myself here), you can take a fast look at the drawing above. If you liked it and want to find out more details, then go ahead and read this till the end (other cool drawings will come as well below:-) ).

Let’s start with some basic comments/features:

• MP-BGP is used to transport the routing info accross the MPLS backbone
• all internal routes (LSA 1, LSA 2, LSA 3) are carried as inter-area summary Type-3 LSAs
• PE routers appear as ABR (OSPF Area Border Routers) for the devices in customer OSPF domains
• there are NO OSPF ADJACENCIES or flooding across the MPLS cloud (except when sham-links are used)
• MP-BGP cloud can be seen as a “superbackbone” / “super area 0″ that gives the following advantages:
•     we may have non-zero areas at different VPN sites without the need of an area 0
•     we may have area 0 at different sites together with non-zero areas attached to the superbackbone
• OSPF information is carried across the MPLS VPN cloud using BGP extended communities

The BGP extended communities used to carry OSPF information are:

• router-id = router ID of the PE in the relevant VRF instance of OSPF
• domain-id
• by default, equal to the OSPF process number
• manually configured via command “domain-id”
• if the domain ID of the route does not match the domain ID on the receiving PE the route is translated to the external OSPF route (LSA Type 5) with metric-type E2
• OSPF route-type
• MED (metric)
•   routes sent across the MP-BGP cloud do not increment their metric
•   MED can be manually manipulated to influence path selection

Loop Prevention Mechanisms

The addition of the super-backbone area also introduces the possibility of routing loops. In order to prevent them, several basic loop prevention rules apply:

1) “DOWN” bit set (to prevent loops in multi-homed sites)
= Automatically set in all summary LSA 3 (not in LSA 5)  when routes are redistributed from MP-BGP into OSPF.
When a prefix with DOWN bit set is received on an interface which is configured with VRF, that LSA is dropped.
(correct sentence is: that LSA is not considered during the SPF calculations)

This feature has undesirable effect when using VRF-lite in the customer cloud:

The solutions to this problem:
A) is to configure the command “capability vrf-lite” on the customer router(s), but this is not supported on all IOS:

router ospf 1 vrf VPN_A
capability vrf-lite

B) configure different domain-IDs as this will force all redistributed routes to become external (LSA 5, thus bypassing the DN bit check)

*  *  *

2) Route Tagging
The DN bit helps preventing routing loops when summary Type-3 LSAs are redistributed, but not when external routes are announced (the DN bit is not set on LSA Type 5/7)
= All routes redistributed via a particular PE will carry the OSPF route tag which by default is the BGP AS number.
This tag is preserved when the external route is propagated across the entire OSPF domain (including redistribution into another OSPF domains). When another PE receives this route and it sees that the local AS number matches the AS number in the tag, it will ignore this LSA.

router ospf 1 vrf VPN_A
 domain-tag 777

or

router ospf 1 vrf VPN_A
 redistribute bgp 100 subnets tag 777

Sham-Link

Situation/problem description: when there is a backup link between sites (backdoor), this link will be always used for inter-site traffic because intra-area routes (LSAs received via backdoor) are preferred to the inter-area (LSA 3 received from PE).
The solution to this problem is the usage of OSPF sham-links = special tunnel similar to virtual-links between PE routers and configured in the same area as the PEs.

Sham-links have the following characteristics:

• OSPF adjacency established via MPLS cloud
• routes in the OSPF database are now seen as intra-area (even though they are received via the super-backbone)
• the information across the sham-link is ONLY used for SPF calculations – the actual forwarding is being done based on the info learned via MP-BGP

One last note about sham-links: sham endpoints IP addresses should be advertised into the VRF by means other than OSPF (commonly via BGP) – known before creating the sham-links.

I hope you did not fell asleep reading this long post. At least the drawings helped you do a faster “reading”.

OSPF on PE-CE Links and the Understanding the Down Bit

This post represents the solution and explanation for quiz #10. Have a look at the quiz to understand the problem.

This quiz has a detailed solution already presented in one of my very first posts, in 2011, back in the times when I was “experimenting” with the term of “blogging”  For this reason, please have a look at that post to understand the theoretic part and then read this article to get the full picture.

In short, the problem is caused by the fact that the PEs set the Down-bit (DN bit) in all Type-3 LSA sent to the respective CEs. As explained in the above-mentioned post, this is used to prevent a routing loop in situations when this LSA reaches another PE (for example, if there is a backdoor between two CEs, then this LSA will reach other PEs via the backdoor link, thus creating a routing loop).
The consequence of the Down bit is that not only the PEs but any router running VRFs (with or without MPLS = VRF-lite or not) will drop the LSAs having the DN-bit set and in our quiz, CE2(R5) is using VRF-lite to keep separate routing tables for internal network vs. partner routes.
*note that the LSA is not actually dropped, it exists in the OSPF database (as shown in the quiz), but it is not considered for SPF calculations!!


It is interesting to note that Cisco does not fully respect the RFC standards. RFC 4577 (OSPF as the Provider/Customer Edge Protocol for BGP/MPLS IP VPNs) and RFC 4576 (Using a LSA Options Bit to Prevent Looping in BGP/MPLS IP VPNs) say:
<<When a type 3, 5, or 7 LSA is sent from a PE to a CE, the DN bit MUST be set. The DN bit MUST be clear in all other LSA types.>>
but Cisco sets the DN-bit only in the Type-3 LSAs (and it is using route tagging for External Type-5 routing loop prevention).

How does the PE decide what type of LSA to generate when an OSPF route is received over the MPLS cloud ?
This is based on the attributes that travel along with the route within the VPNv4 prefix as BGP extended communities.
Let’s see: Office #1 route 192.168.1.254/32 (lo0 on CE1) reaches PE1 (R2) which sends it over the MPLS/BGP cloud as a VPNv4 and reaches PE2 (R4) as seen below:


PE2/R4 selects it as BGP best route (according to BGP rules) and then it redistributes it into Area 2 (towards R5/CE2), but before doing that, it needs to decide which type of LSA to generate for it. Under normal BGP-to-OSPF redistribution conditions, this route should be sent as a Type-5 External, but this is not true from customer’s perspective – this route is NOT an external-AS one.
Companies, which choose MPLS VPN services to interconnect their offices, expect the routes from other offices to be seen as internal, not external.
For this to happen, the second PE (R4 in our quiz) compares the domain-id contained in the VPNv4 route with the domain-id of the OSPF running with CE2. By default, in Cisco implementations for IPv4 (OSPFv2), the domain-id is set to be the same as the process-id.(note that for OSPFv3, the default value is NULL).

The domain-id can be configured to a non-default value with the following command under the OSPF process:

R4(config)#router ospf 100 vrf CUST_A
R4(config-router)#domain-id ?
  A.B.C.D  OSPF domain ID in IP address format
  Null     Null Domain-ID
  type     OSPF domain ID type in Hex format

If the domain-id contained in the VPNv4 route is different than the one configured/existing in the OSPF process with CE2, then the OSPF route is considered external and it is injected as a Type-5 LSA.

In our quiz, as there’s no special configuration for the domain-id, both PEs (R2 and R4) uses the process-id (100 on both routers), sothe domain-id is the same and in this case the route is considered internal and injected as a Type-3 LSA with the Down-bit (DN-bit) set as per loop prevention requirements:

R5#sh ip ospf data summary 192.168.1.254

            OSPF Router with ID (192.168.2.254) (Process ID 100)

                Summary Net Link States (Area 2)

  LS age: 1119
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 192.168.1.254 (summary Network Number)
  Advertising Router: 192.168.2.4
  LS Seq Number: 80000004
  Checksum: 0x2BB3
  Length: 28
  Network Mask: /32
        TOS: 0  Metric: 2

As I mentioned above, these LSAs with DN-bit set are not considered for SPF calculations by any OSPF router running VRFs => that summary LSA does not appear in the RIB on CE2/R5 router!

Solutions

Now, let’s see what solutions exists for this quiz:

1. Using “capability vrf-lite” Command

Cisco introduces an “elegant” solution for exactly this type of problem: command “capability vrf-lite” configured on the router running VRF-lite, which is not a PE, in order to make him consider that LSA (with DN-bit set) for the SPF calculations.


Note that the OSPF adjacency gets reset when this command is configured! 

2. Setting Different Domain-IDs

Another solution is to manually configure different OSPF domain-ids on the PEs (using command “domain-id”) in order to force the OSPF routes learned over the MP-BGP to be injected as external Type-5 LSAs.
Cisco implementation does not set the DN-bit in the type-5 LSAs (which represents a candidate solution for scenarios with VRF-lite on CE, as in our quiz):

Let’s set a different domain-id on PE2/R4 and see the result on CE2/R5:

Notice the routes learned as external “O E2″ 

R5#sh ip osp data ex 192.168.1.254

            OSPF Router with ID (192.168.2.254) (Process ID 100)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 302
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 192.168.1.254 (External Network Number )
  Advertising Router: 192.168.2.4
  LS Seq Number: 80000001
  Checksum: 0x9C6B
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 2
        Forward Address: 0.0.0.0
        External Route Tag: 3489660929

Notice that there’s no DN bit set on type-5 LSA (contrary to what the RFC says !) but there’s a route tag of 
3489660929 = 11010000.00000000.00000000.00000001 (in binary) which is according to the RFC 4577 (section 4.2.5.2):
“1 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 _AS number of the VPN Backbone_” (in our case 1)

2.1 Setting Different Process-IDs

Since, by default, the OSPF domain-id for OSPFv2 (in Cisco Implementation) is set equal to the Process-ID number, then configuring different process-ids on the PEs (under the relevant OSPF VRF instances) will get us in the exact situation as above solution 2.

3. Using a Sham-Link (??)

Configuring a sham-link between PEs was indicated by a lot of readers as a possible solution to this quiz.
Unfortunately, it does not represent a solution right away because of 2 thinks that appear in the quiz:

• the “network 0.0.0.0 255.255.255.255 area X” that is configured on both PEs — remember: Sham-Links Endpoint Addresses MUST NOT be advertised by OSPF
• the bigger impediment is the difference in the Area numbers on the PE-CE Areas of the offices (Area 1 on R1-R2 vs Area 2 on R4-R5)
  Of course, nothing stops you from choosing one of the area number (let’s say 1) and use this number in command “area 1 sham-link x.x.x.x y.y.y.y) on both PEs => thus the sham-link and the adjacency will go up, but if you continue to use a different Area (area 2) towards the CE2/R5 then the PE2/R4 will still send those routes as summary Type-3 and, of course, the DN-bit will still be set on them!

In order to make this solution to work, we need to solve these two above “extra”-issues and here is the final configuration:


As a result, due to the sham-link, the customer CE2/R5 (now configured in new Area 1) will see the OSPF routes redistributed by PE2/R4 as intra-area, which solves the quiz (since there is no DN-bit in type-1 LSAs):

R5#sh ip route vrf MY_NETWORK ospf
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
O       192.168.1.0/31 [110/3] via 192.168.2.4, 00:40:44, FastEthernet0/0
O       192.168.1.254/32 [110/4] via 192.168.2.4, 00:40:44, FastEthernet0/0