Sunday, February 24, 2008

How to match CoS on a 3750

During the last 2 days I have been trying to limit ingress PPPoE traffic passing through a 3750 switch. To be on the safe side, I didn't want to drop any PPP/PPPoE control packets (PPP keepalives, LCP/authentication, or the PADI/PADO/PADR/PADS discovery packets); otherwise there was a high probability that some users' PPPoE sessions would be torn down (because of missed PPP keepalives) or would never be established (because of missed PPPoE discovery packets).

The PPPoE sessions start at the user's CPE and terminate on a 10000 router (the BRAS). A rough network diagram is the following:

CPE --- DSLAM --- ME-3400 ----------|
CPE --- DSLAM --- ME-3400 ------- 3750 --- 7600 --- 10000 --- internet
CPE --- DSLAM --- ME-3400 ----------|

Double-tagging (QinQ) is used between the 3750 and the 10000 router; each ME-3400 is represented by its own S-VLAN.

Since the normal LAN cards (67xx) on the 7600 cannot do egress shaping/policing on L2 ports and the PRE-2 on the 10000 doesn't support hierarchical Ethernet QoS, I thought I should try to limit the downstream traffic (from the internet towards the CPE) on the 3750.

Here comes the fun part...

The 3750 doesn't support (direct) classification based on CoS; there is no "match cos" option in a class-map:


3750(config)#class-map TEST
3750(config-cmap)#match ?
access-group Access group
input-interface Select one or more input interfaces to match
ip IP specific values

That would have been the best solution, because the 10000 by default marks all PPP/PPPoE control packets with CoS 7, so it would be very easy to distinguish them from the normal data packets (which have CoS 0).

Then I thought of using the Ethertype field to differentiate the two PPPoE classes. PPPoE uses two different Ethertypes, one for its discovery stage (0x8863) and one for its session stage (0x8864).


mac access-list extended PPPoE-DISCOVERY
permit any any 0x8863 0x0
mac access-list extended PPPoE-SESSION
permit any any 0x8864 0x0

class-map match-any PPPoE-DATA-CLASS
match access-group name PPPoE-SESSION
class-map match-any PPPoE-CONTROL-CLASS
match access-group name PPPoE-DISCOVERY


That would also have been a workable solution, although I would miss the PPP control packets: LCP, authentication and keepalives travel inside session-stage frames, so they share Ethertype 0x8864 with the user data. But there is a major problem here. The PPPoE Ethertype is hidden inside the double-tagged frame, so it cannot be checked.

PPPoE               : Dest-MAC | Source-MAC | Ethertype 0x8863 | Payload

single-tagged PPPoE : Dest-MAC | Source-MAC | Ethertype 0x8100 | Tag | Ethertype 0x8863 | Payload

double-tagged PPPoE : Dest-MAC | Source-MAC | Ethertype 0x8100 | Tag | Ethertype 0x8100 | Tag | Ethertype 0x8863 | Payload

0x8100 is the Ethertype used by the 802.1Q standard. Cisco uses what I would call a "hack" to implement 802.1Q tunneling (QinQ): it uses the same value (0x8100) for both the inner and the outer Ethertype. A switch that parses a single tag therefore finds another 0x8100 where it expects the payload Ethertype, and never gets to see 0x8863 or 0x8864.

There is an option to change the outer Ethertype from the 10000's side (making it, among other choices, 802.1ad compliant with 0x88A8), but you have to change it for all the subinterfaces of a main interface, and of course you cannot set it specifically for PPPoE control packets.


10000(config-if)#dot1q tunneling ethertype ?
0x88A8 dot1q tunneling etype 0x88A8
0x9100 dot1q tunneling etype 0x9100
0x9200 dot1q tunneling etype 0x9200


So what solved my problem? The following very simple config:

mac access-list extended PPPoE-DISCOVERY
permit any any cos 7
mac access-list extended PPPoE-SESSION
permit any any cos 0

That way we can have indirect classification based on CoS.

Just as IP access-lists can match on DSCP and IP precedence, MAC access-lists can match on CoS. Just keep in mind that CoS (like most things on these switches) is only checked in hardware: packets forwarded or bridged in software (punted to the CPU) are treated as having CoS 0 when the ACL is evaluated.
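To make the two attempts concrete, here is an added example (not part of the original post, and a model rather than the 3750's real ACL engine) that builds single-tagged and double-tagged PPPoE frames and classifies them both ways: with the Ethertype-based MAC ACLs of the first attempt and with the CoS-based MAC ACLs of the final config. The switch model assumes it peels at most one 0x8100 tag, matches on the Ethertype that follows it, takes CoS from that tag's PCP bits, and treats software-switched frames as CoS 0; the MAC addresses, VLAN IDs and frame contents are constructed for the example, not captured.

```python
"""Model of how a single-tag-aware switch classifies PPPoE frames behind QinQ tags.

Added example, not the post's configuration or the 3750's own logic.
Assumptions (hypothetical): the switch parses one 802.1Q tag (TPID 0x8100),
classifies on the Ethertype after it and on that tag's PCP (CoS) bits, and
software-switched frames are seen as CoS 0.  Frames below are constructed."""
import struct

TPID_8021Q = 0x8100
ETH_PPPOE_DISCOVERY = 0x8863
ETH_PPPOE_SESSION = 0x8864
PPP_LCP = 0xC021
PPP_IP = 0x0021


def build_frame(dst, src, tags, ethertype, payload=b""):
    """Build an Ethernet frame; tags is a list of (tpid, pcp, vid), outermost first."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, pcp, vid in tags:
        tci = (pcp << 13) | (vid & 0x0FFF)            # PCP(3) | DEI(1)=0 | VID(12)
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame, tpids=(0x8100, 0x88A8, 0x9100, 0x9200)):
    """Full parse: peel every tag and return the innermost Ethertype."""
    off, tags = 12, []
    while True:
        et, = struct.unpack_from("!H", frame, off)
        if et not in tpids:
            return {"tags": tags, "ethertype": et, "payload": frame[off + 2:]}
        tci, = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": et, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        off += 4


def switch_view(frame, software_switched=False):
    """What the modelled ACL engine sees: one tag at most, CoS from that tag."""
    et, = struct.unpack_from("!H", frame, 12)
    if et != TPID_8021Q:
        return {"cos": 0, "ethertype": et}            # untagged: default CoS 0
    tci, = struct.unpack_from("!H", frame, 14)
    inner, = struct.unpack_from("!H", frame, 16)     # for QinQ this is 0x8100 again
    return {"cos": 0 if software_switched else tci >> 13, "ethertype": inner}


def match_ethertype(value):          # models "permit any any 0x8863 0x0"
    return lambda v: v["ethertype"] == value


def match_cos(value):                # models "permit any any cos 7"
    return lambda v: v["cos"] == value


def classify(frame, classes, software_switched=False):
    """Return the first class whose ACL matches, or None when no class-map hits."""
    view = switch_view(frame, software_switched)
    for name, acl in classes:
        if acl(view):
            return name
    return None


# The two class-map sets from the post as ordered (class, ACL) lists.
ETHERTYPE_CLASSES = [("PPPoE-CONTROL-CLASS", match_ethertype(ETH_PPPOE_DISCOVERY)),
                     ("PPPoE-DATA-CLASS", match_ethertype(ETH_PPPOE_SESSION))]
COS_CLASSES = [("PPPoE-CONTROL-CLASS", match_cos(7)),
               ("PPPoE-DATA-CLASS", match_cos(0))]

# Constructed downstream (BRAS -> CPE) samples; MACs and VLAN IDs are made up.
BRAS, CPE, S_VLAN, C_VLAN = "00:11:22:33:44:55", "66:77:88:99:aa:bb", 100, 10
PADO = b"\x11\x07\x00\x00\x00\x00"                                   # PPPoE code PADO
LCP_ECHO = b"\x11\x00\x00\x01\x00\x06" + struct.pack("!HBBH", PPP_LCP, 9, 1, 4)  # LCP echo-req
IP_DATA = b"\x11\x00\x00\x01\x00\x02" + struct.pack("!H", PPP_IP)
QINQ_CTRL = [(TPID_8021Q, 7, S_VLAN), (TPID_8021Q, 7, C_VLAN)]     # BRAS marks control CoS 7
QINQ_DATA = [(TPID_8021Q, 0, S_VLAN), (TPID_8021Q, 0, C_VLAN)]
SINGLE_CTRL = [(TPID_8021Q, 7, C_VLAN)]

SAMPLES = {
    "PADO_QINQ": build_frame(CPE, BRAS, QINQ_CTRL, ETH_PPPOE_DISCOVERY, PADO),
    "LCP_QINQ": build_frame(CPE, BRAS, QINQ_CTRL, ETH_PPPOE_SESSION, LCP_ECHO),
    "DATA_QINQ": build_frame(CPE, BRAS, QINQ_DATA, ETH_PPPOE_SESSION, IP_DATA),
    "PADO_SINGLE": build_frame(CPE, BRAS, SINGLE_CTRL, ETH_PPPOE_DISCOVERY, PADO),
    "LCP_SINGLE": build_frame(CPE, BRAS, SINGLE_CTRL, ETH_PPPOE_SESSION, LCP_ECHO),
}


def compare():
    """Classify every sample both ways: {name: (ethertype_acl_class, cos_acl_class)}."""
    return {n: (classify(f, ETHERTYPE_CLASSES), classify(f, COS_CLASSES))
            for n, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_ethertype, by_cos) in compare().items():
        print(f"{name:12} sees {switch_view(SAMPLES[name])}  "
              f"ethertype-ACL -> {by_ethertype}  cos-ACL -> {by_cos}")
```

Running it shows the three effects the post describes: every double-tagged frame falls through the Ethertype ACLs (the switch sees 0x8100, not 0x8863/0x8864), a single-tagged LCP echo lands in the data class under the Ethertype ACLs because it rides in a session-stage frame, and the CoS ACLs sort all of them correctly, except when the frame is software-switched and its CoS is read as 0.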

Here is an interesting question for all of you: How do you match IP traffic based on CoS?

14 comments:

  1. Good afternoon Tassos, I like your blog and plan on using your path to ace my CCIE after I finish my CCNP. Where can I find your email? I just wanted a list of the books you used to pass; you never mentioned which.

    ReplyDelete
  2. Hi stewie,

    I have included the book titles in various posts, but you're right; they are not clearly written anywhere.

    So, here they are:

    Routing TCP/IP Vol I
    Routing TCP/IP Vol II
    CCIE Official Exam Certification Guide
    CCIE Practical Studies Vol I
    CCIE Practical Studies Vol II

    Besides the above 5, I have used some others too (especially about multicast, LAN switching, DSL), but before my CCIE exam. They were mainly used for my job.

    ReplyDelete
  3. If I pass my CCIE written exam, would I get any certificate for that, or must I pass the lab in order to get the CCIE certificate?

    ReplyDelete
  4. If I pass my CCIE written exam, would I get any certificate for that, or must I pass the lab exam too in order to get the CCIE certificate?

    Please help me, I am in so much tension. Please let me know on my email address if possible.

    saman112233@yahoo.com

    ReplyDelete
  5. You must pass both the written and the lab in order to get the CCIE certificate.

    The written exam is just your passport for booking the lab.

    ReplyDelete
  6. Hi Tassos,

    I am Richard Bannister, the man behind http://rbcciequest.wordpress.com. I am a regular reader of your blog. I have been unable to find a link to contact you so I have had to use a post comment (sorry). Would you mind adding a link to my blog on your "Blog Links" list (feel free to check that the posts are of a good enough standard).

    A very clever way of matching CoS by the way, I'd never have thought of that! (I seem to recall the standard method relying on manipulating DSCP to CoS/Cos to DSCP mappings?)

    Many thanks in advance

    Richard

    ReplyDelete
  7. Thanks for the link

    Richard

    ReplyDelete
  8. Is it possible to pass the CCIE exam in three months?

    ReplyDelete
  9. I am learning CCNA now.

    ReplyDelete
  10. Great thought! I was thinking about the above figure and the S-VLAN which the ME3400 sends to the 3750. Are you doing this in order for the DSLAM to send any VLAN and you just map those into the S-VLAN?

    ReplyDelete
  11. Exactly. All DSLAMs are sending the same VLANs and the 3750 is putting a different S-VLAN on each one of them.

    ReplyDelete
  12. OK! You mean the 3400 adds the S-VLAN? If you mean that, then if the number of MAC addresses on the 3400 gets low, there is a possibility of multiple broadcasts from the NNI ports to the UNIs in order for the switch to find out to which DSLAM to forward the frame. How tolerable can this be?

    ReplyDelete
  13. No, the 3750 adds a different S-VLAN for each 3400. All 3400s have the same VLANs.
    If the TCAM (where MAC addresses are stored) gets full, then obviously flooding occurs and the CPU load gets high. You can disable MAC learning for a VLAN if you only have 2 ports belonging to it; otherwise it's time to start looking at another platform.
    ME-3600X and ME-3800X will solve such issues.

    ReplyDelete
  14. If I pass my CCIE written exam, would I get any certificate for that, or must I pass the lab in order to get the CCIE certificate?

    ReplyDelete

 
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Greece License.