- Configuring Basic Performance Routing
- Understanding Performance Routing
- Configuring Advanced Performance Routing
- BGP Inbound Optimization Using Performance Routing
- Configuring Performance Routing Cost Policies
- Using Performance Routing to Control EIGRP Routes with mGRE DMVPN Hub-and-Spoke Support
- Performance Routing Link Groups
- Performance Routing with NAT
- Performance Routing - Protocol Independent Route Optimization (PIRO)
- PfR Simplification Phase 1
- Static Application Mapping Using Performance Routing
- Performance Routing Traceroute Reporting
- PfR Voice Traffic Optimization Using Active Probes
- Index
- Finding Feature Information
- Prerequisites for Configuring Advanced Performance Routing
- Information About Advanced Performance Routing
- How to Configure Advanced Performance Routing
- Profiling Phase Tasks
- Measuring Phase Tasks
- Modifying the PfR Link Utilization for Outbound Traffic
- Modifying the PfR Exit Link Utilization Range
- Configuring and Verifying PfR Passive Monitoring
- Configuring PfR Active Probing Using the Longest Match Target Assignment
- Configuring PfR Voice Probes with a Forced Target Assignment
- Configuring PfR Voice Probes for Fast Failover
- Configuring the Source Address of an Active Probe
- Apply Policy Phase Tasks
- Enforce Phase Tasks
- Verify Phase Task
- Profile Phase Tasks Examples
- Example Defining a Learn List for Automatically Learned Prefix-Based Traffic Classes
- Example Defining a Learn List for Automatically Learned Application Traffic Classes Using an Access List
- Example Manually Selecting Prefix-Based Traffic Classes Using a Prefix List
- Example Manually Selecting Application Traffic Classes Using an Access List
- Measure Phase Tasks Examples
- Example Modifying the PfR Link Utilization for Outbound Traffic
- Example Modifying the PfR Exit Link Utilization Range
- Example TCP Probe for Longest Match Target Assignment
- UDP Probe for Forced Target Assignment Example
- Example Configuring PfR Voice Probes for Fast Failover
- Example Configuring the Source Address of an Active Probe
- Apply Policy Phase Tasks Examples
- Example Configuring and Applying a PfR Policy to Learned Traffic Classes
- Example Configuring and Applying a PfR Policy to Configured Traffic Classes
- Example Preventing PfR Optimization of Learned Prefixes
- Example Configuring Policy Rules for PfR Maps
- Example Configuring Multiple PfR Policy Conflict Resolution
- Example Configuring an Exit Link Load Balancing PfR Policy
- Example Configuring Black Hole Routing Using a PfR Map
- Example Configuring Sinkhole Routing Using a PfR Map
- Enforce Phase Tasks Examples
- Verify Phase Task Example
Configuring Advanced Performance Routing
After configuring the Performance Routing (PfR) master controller and border routers (see the “Configuring Basic Performance Routing” module), additional configuration is required to activate the full optimization capabilities of PfR. Tasks and configuration examples that represent each of the PfR phases are documented here to help you learn how to configure and verify some of the advanced options for each PfR phase.
- Finding Feature Information
- Prerequisites for Configuring Advanced Performance Routing
- Information About Advanced Performance Routing
- How to Configure Advanced Performance Routing
- Configuration Examples for Advanced Performance Routing
- Where to Go Next
- Additional References
- Feature Information for Configuring Advanced Performance Routing
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Configuring Advanced Performance Routing
- Before configuring the tasks in this module, you must configure a master controller and at least two border routers using the "Configuring Basic Performance Routing" module.
- Before configuring the tasks in this module, you must be familiar with the concepts contained in the "Understanding Performance Routing" module.
- Either routing protocol peering must be established on your network or static routing must be configured before route control mode is enabled.
If you have configured internal Border Gateway Protocol (iBGP) on the border routers, BGP peering must be either established and consistently applied throughout your network or redistributed into an Interior Gateway Protocol (IGP). The following IGPs are supported: Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS), or Routing Information Protocol (RIP).
If an IGP is deployed in your network, static route redistribution must be configured with the redistribute command unless iBGP is configured. IGP or static routing should also be applied consistently throughout a PfR-managed network; the border router should have a consistent view of the network.
 Caution |
Caution must be applied when redistributing PfR static routes into an IGP. The routes injected by PfR may be more specific than routes in the IGP, and it will appear as if the PfR border router is originating these routes. To avoid routing loops, the redistributed PfR static routes should never be advertised over a WAN by a PfR border router or any other router. Route filtering and stub network configuration can be used to prevent advertising the PfR static routes. If the PfR static routes are redistributed to routers terminating the PfR external interfaces, routing loops may occur. |
Information About Advanced Performance Routing
To configure advanced PfR, you should understand the following concepts:
- Performance Routing Overview
- Advanced Performance Routing Deployment
- PfR Active Probing Target Reachability
- ICMP Echo Probes
- Jitter
- MOS
Performance Routing Overview
Performance Routing (PfR) is an advanced Cisco technology to allow businesses to complement classic routing technologies with additional serviceability parameters to select the best egress or ingress path. It complements these classic routing technologies with additional intelligence. PfR can select an egress or ingress WAN interface based upon parameters like reachability, delay, cost, jitter, MOS score, or it can use interface parameters like load, throughput and monetary cost. Classic routing (for example, EIGRP, OSPF, RIPv2, and BGP) generally focuses upon creating a loop-free topology based upon the shortest or least cost path.
PfR gains additional intelligence using measurement instrumentation. It uses interface statistics, Cisco IP SLA for active monitoring, and NetFlow for passive monitoring. No prior knowledge or experience of IP SLA or NetFlow is required, PfR automatically enables these technologies without any manual configuration.
Cisco Performance Routing selects an egress or ingress WAN path based on parameters that affect application performance, including reachability, delay, cost, jitter, and Mean Opinion Score (MOS). This technology can reduce network costs by facilitating more efficient load balancing and by increasing application performance without WAN upgrades.
PfR is an integrated Cisco IOS solution that allows you to monitor IP traffic flows and then define policies and rules based on traffic class performance, link load distribution, link bandwidth monetary cost, and traffic type. PfR provides active and passive monitoring systems, dynamic failure detection, and automatic path correction. Deploying PfR enables intelligent load distribution and optimal route selection in an enterprise network.
Advanced Performance Routing Deployment
Advanced PfR is configured on Cisco routers using Cisco IOS command-line interface (CLI) configurations. The PfR infrastructure includes a performance routing protocol that is communicated in a client-server messaging mode. The routing protocol employed by PfR runs between a network controller called a master controller and performance-aware devices called border routers. This performance routing protocol creates a network performance loop in which the network profiles which traffic classes have to be optimized, measures and monitors the performance metrics of the identified traffic classes, applies policies to the traffic classes, and routes the identified traffic classes based on the best performance path.
The PfR performance loop starts with the profile phase followed by the measure, apply policy, control, and verify phases. The flow continues after the verify phase back to the profile phase to update the traffic classes and cycle through the process.
Advanced PfR requires configuring tasks to address each of the following PfR Phases:
Profile Phase
In medium to large networks there are hundreds of thousands of routes in the RIB to which a device is trying to route traffic. Because performance routing is a means of preferring some traffic over another, a subset of the total routes in the RIB has to be selected to optimize for performance routing. PfR profiles traffic in one of two ways, automatic learning or manual configuration.
- Automatic Learning—The device profiles the traffic that has to be performance routed (optimized) by learning the flows that pass through the device and by selecting those flows that have the highest delay or the highest throughput.
- Manual configuration—In addition to, or instead of learning, you can configure a class of traffic to performance route.
Measure Phase
After profiling traffic classes that are to be performance routed, PfR measures the performance metrics of these individual traffic classes. There are two mechanisms--passive monitoring and active monitoring--to measure performance metrics, and one or both could be deployed in the network to accomplish this task. Monitoring is the act of measuring at periodic intervals.
Passive monitoring is the act of measuring the performance metrics of the traffic flow as the flow is traversing the device in the data path. Passive monitoring uses NetFlow functionality and cannot be employed for measuring performance metrics for some traffic classes, and there are some hardware or software limitations.
Active monitoring consists of generating synthetic traffic using IP Service Level Agreements (SLAs) to emulate the traffic class that is being monitored. The synthetic traffic is measured instead of the actual traffic class. The results of the synthetic traffic monitoring are applied to performance route the traffic class represented by the synthetic traffic.
Both passive and active monitoring modes can be applied to the traffic classes. The passive monitoring phase may detect traffic class performance that does not conform to an PfR policy, and then active monitoring can be applied to that traffic class to find the best alternate performance path, if available.
Support for NetFlow or IP SLAs configuration is enabled automatically.
Apply Policy Phase
After collecting the performance metrics of the class of traffic to be optimized, PfR compares the results with a set of configured low and high thresholds for each metric configured as a policy. When a metric, and consequently a policy, goes out of bounds, it is an Out-of-Policy (OOP) event. The results are compared on a relative basis--a deviation from the observed mean--or on a threshold basis--the lower or upper bounds of a value--or a combination of both.
There are two types of policies that can be defined in PfR: traffic class policies and link policies. Traffic class policies are defined for prefixes or for applications. Link policies are defined for exit or entrance links at the network edge. Both types of PfR policies define the criteria for determining an OOP event. The policies are applied on a global basis in which a set of policies is applied to all traffic classes, or on a more targeted basis in which a set of policies is applied to a selected (filtered) list of traffic classes.
With multiple policies, many performance metric parameters, and different ways of assigning these policies to traffic classes, a method of resolving policy conflicts was created. The default arbitration method uses a default priority level given to each performance metric variable and each policy. Different priority levels can be configured to override the default arbitration for all policies, or a selected set of policies.
Enforce Phase
In the PfR enforce phase (also called the control phase) of the performance loop, the traffic is controlled to enhance the performance of the network. The technique used to control the traffic depends on the class of traffic. For traffic classes that are defined using a prefix only, the prefix reachability information used in traditional routing can be manipulated. Protocols such as Border Gateway Protocol (BGP) or RIP are used to announce or remove the prefix reachability information by introducing or deleting a route and its appropriate cost metrics.
For traffic classes that are defined by an application in which a prefix and additional packet matching criteria are specified, PfR cannot employ traditional routing protocols because routing protocols communicate the reachability of the prefix only and the control becomes device specific and not network specific. This device specific control is implemented by PfR using policy-based routing (PBR) functionality. If the traffic in this scenario has to be routed out to a different device, the remote border router should be a single hop away or a tunnel interface that makes the remote border router look like a single hop.
Verify Phase
During the PfR enforce phase if a traffic class is OOP, then PfR introduces controls to influence (optimize) the flow of the traffic for the traffic class that is OOP. A static route and a BGP route are examples of controls introduced by PfR into the network. After the controls are introduced, PfR will verify that the optimized traffic is flowing through the preferred exit or entrance links at the network edge. If the traffic class remains OOP, PfR will drop the controls that were introduced to optimize the traffic for the OOP traffic class and cycle through the network performance loop.
PfR Active Probing Target Reachability
The active probe is sourced from the border router and transmitted through an external interface (the external interface may or may not be the preferred route for an optimized prefix). When creating an active probe through an external interface for a specified target, the target should be reachable through the external interface. To test the reachability of the specified target, PfR performs a route lookup in the BGP and static routing tables for the specified target and external interface.
ICMP Echo Probes
Configuring an ICMP echo probe does not require knowledgeable cooperation from the target device. However, repeated probing could trigger an IDS alarm in the target network. If an IDS is configured in a target network that is not under your administrative control, we recommend that you notify the target network administration entity.
The following defaults are applied when active monitoring is enabled:
- The border router collects up to five host addresses from the traffic class for active probing when a traffic class is learned or aggregated.
- Active probes are sent once per minute.
- ICMP probes are used to actively monitor learned traffic classes.
Jitter
Jitter means interpacket delay variance. When multiple packets are sent consecutively from source to destination, for example, 10 ms apart, and if the network is behaving ideally, the destination should be receiving them 10 ms apart. But if there are delays in the network (like queuing, arriving through alternate routes, and so on) the arrival delay between packets might be greater than or less than 10 ms. Using this example, a positive jitter value indicates that the packets arrived more than 10 ms apart. If the packets arrive 12 ms apart, then positive jitter is 2 ms; if the packets arrive 8 ms apart, then negative jitter is 2 ms. For delay-sensitive networks like VoIP, positive jitter values are undesirable, and a jitter value of 0 is ideal.
MOS
Mean Opinion Score (MOS) is a quantitative quality metric for voice traffic that can be measured using PfR active probes. With all the factors affecting voice quality, many people ask how voice quality can be measured. Standards bodies like the ITU have derived two important recommendations: P.800 (MOS) and P.861 (Perceptual Speech Quality Measurement [PSQM]). P.800 is concerned with defining a method to derive a Mean Opinion Score of voice quality. MOS scores range between 1 representing the worst voice quality, and 5 representing the best voice quality. A MOS of 4 is considered "toll-quality" voice.
How to Configure Advanced Performance Routing
This section contains the following tasks:
- Profiling Phase Tasks
- Measuring Phase Tasks
- Apply Policy Phase Tasks
- Enforce Phase Tasks
- Verify Phase Task
Profiling Phase Tasks
The following tasks show how to configure elements of the PfR profiling phase:
- Defining a Learn List for Automatically Learned Application Traffic Classes Using an Access List
- Manually Selecting Prefix-Based Traffic Classes Using a Prefix List
- Displaying and Resetting Traffic Class and Learn List Information
Defining a Learn List for Automatically Learned Application Traffic Classes Using an Access List
Perform this task at the master controller to define a learn list that will contain traffic classes that are automatically learned by PfR using an access list to create customized application traffic classes. In this task, an access list is created that defines custom application traffic classes. Every entry in the access list defines one application. A learn list is then defined, the access list is applied, and an aggregation method is configured. Using the count (PfR) command, 50 traffic classes can be learned during one learning session for the learn list named LEARN_USER_DEFINED_TC, with a maximum specified number of 90 traffic classes for this learn list. The master controller is configured to learn the top prefixes based on highest delay for the filtered traffic and the resulting traffic classes are added to the PfR application database.
A learn list is activated using a PfR map and the last few steps in this task demonstrate how to configure a PfR map to activate the learn list defined in this task and create the custom traffic class.
For an example of defining a learn list for automatically learned prefix-based traffic classes using a prefix list, see the “Example: Defining a Learn List for Automatically Learned Prefix-Based Traffic Classes” section.
1. enable
2. configure terminal
3. ip access-list {standard | extended} access-list-name
4. [sequence-number] permit udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [dscp dscp-value]
5. Repeat Step 4 for more access list entries, as required.
6. exit
7. pfr master
8. learn
9. list seq number refname refname
10. count number max max-number
11. traffic-class access-list access-list-name [filter prefix-list-name]
12. aggregation-type {bgp non-bgp prefix-length} prefix-mask
13. delay
14. exit
15. Repeat Step 14 twice to return to global configuration mode.
16. pfr-map map-name sequence-number
17. match traffic-class access -list access-list-name
18. end
DETAILED STEPS
Manually Selecting Prefix-Based Traffic Classes Using a Prefix List
Perform this task on the master controller to manually select traffic classes based only on destination prefixes. Use this task when you know the destination prefixes that you want to select for the traffic classes. An IP prefix list is created to define the destination prefixes and using a PfR map, the traffic classes are profiled.
1. enable
2. configure terminal
3. ip prefix-list list-name [seq seq-value] {deny network/length | permit network/length}
4. Repeat Step 3 for more prefix list entries, as required.
5. pfr-map map-name sequence-number
6. match traffic-class prefix-list prefix-list-name
7. end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 | ip prefix-list list-name [seq seq-value] {deny network/length | permit network/length} Example: Router(config)# ip prefix-list PREFIX_TC permit 172.16.1.0/24 |
Creates a prefix list to specify destination prefix-based traffic classes. |
| Step 4 | Repeat Step 3 for more prefix list entries, as required. | -- |
| Step 5 | pfr-map map-name sequence-number Example: Router(config)# pfr-map PREFIX_MAP 10 |
Enters PfR map configuration mode to configure a PfR map. |
| Step 6 | match traffic-class prefix-list prefix-list-name Example: Router(config-pfr-map)# match traffic-class prefix-list PREFIX_TC |
Manually configures a prefix list as match criteria used to create traffic classes using a PfR map. |
| Step 7 | end Example: Router(config-pfr-map)# end |
(Optional) Exits PfR map configuration mode and returns to privileged EXEC mode. |
Displaying and Resetting Traffic Class and Learn List Information
Perform this task to display traffic class and learn list information and optionally, to reset some traffic class information. These commands can be entered on a master controller after learn lists are configured and traffic classes are automatically learned, or when traffic classes are manually configured using a PfR map. The commands can be entered in any order and all the commands are optional.
1. enable
2. show pfr master traffic-class [access-list access-list-name| application application-name[prefix] | inside | learned[delay | inside | list list-name| throughput] | prefix prefix| prefix-list prefix-list-name] [active| passive| status] [detail]
3. show pfr master learn list [list-name]
4. clear pfr master traffic-class [access-list access-list-name| application application-name[prefix]| inside | learned[delay | inside | list list-name| throughput]| prefix prefix| prefix-list prefix-list-name]
DETAILED STEPS
| Step 1 |
enable Enables privileged EXEC mode. Enter your password if prompted. Example: Router> enable |
| Step 2 |
show pfr master traffic-class [access-list access-list-name| application application-name[prefix] | inside | learned[delay | inside | list list-name| throughput] | prefix prefix| prefix-list prefix-list-name] [active| passive| status] [detail] This command is used to display information about traffic classes learned or manually configured under PfR learn list configuration mode. Example:
Router# show pfr master traffic-class
OER Prefix Statistics:
Pas - Passive, Act - Active, S - Short term, L - Long term, Dly - Delay (ms),
P - Percentage below threshold, Jit - Jitter (ms),
MOS - Mean Opinion Score
Los - Packet Loss (packets-per-million), Un - Unreachable (flows-per-million),
E - Egress, I - Ingress, Bw - Bandwidth (kbps), N - Not applicable
U - unknown, * - uncontrolled, + - control more specific, @ - active probe all
# - Prefix monitor mode is Special, & - Blackholed Prefix
% - Force Next-Hop, ^ - Prefix is denied
DstPrefix Appl_ID Dscp Prot SrcPort DstPort SrcPrefix
Flags State Time CurrBR CurrI/F Protocol
PasSDly PasLDly PasSUn PasLUn PasSLos PasLLos EBw IBw
ActSDly ActLDly ActSUn ActLUn ActSJit ActPMOS
--------------------------------------------------------------------------------
10.1.1.0/24 N defa N N N N
# OOPOLICY 32 10.11.1.3 Gi0/0/0 BGP
N N N N N N N IBwN
130 134 0 0 N N
|
| Step 3 |
show pfr master learn list [list-name] This command is used to display one or all of the configured PfR learn lists. In this example, the information about two learn lists is displayed. Example:
Router# show pfr master learn list
Learn-List LIST1 10
Configuration:
Application: ftp
Aggregation-type: bgp
Learn type: thruput
Policies assigned: 8 10
Stats:
Application Count: 0
Application Learned:
Learn-List LIST2 20
Configuration:
Application: telnet
Aggregation-type: prefix-length 24
Learn type: thruput
Policies assigned: 5 20
Stats:
Application Count: 2
Application Learned:
Appl Prefix 10.1.5.0/24 telnet
Appl Prefix 10.1.5.16/28 telnet
|
| Step 4 |
clear pfr master traffic-class [access-list access-list-name| application application-name[prefix]| inside | learned[delay | inside | list list-name| throughput]| prefix prefix| prefix-list prefix-list-name] This command is used to clear PfR controlled traffic classes from the master controller database. The following example clears traffic classes defined by the Telnet application and the 10.1.1.0/24 prefix: Example: Router# clear pfr master traffic-class application telnet 10.1.1.0/24 |
Measuring Phase Tasks
The following tasks show how to configure elements of the PfR measure phase:
- Modifying the PfR Link Utilization for Outbound Traffic
- Modifying the PfR Exit Link Utilization Range
- Configuring and Verifying PfR Passive Monitoring
- Configuring PfR Active Probing Using the Longest Match Target Assignment
- Configuring PfR Voice Probes with a Forced Target Assignment
- Configuring PfR Voice Probes for Fast Failover
- Configuring the Source Address of an Active Probe
Modifying the PfR Link Utilization for Outbound Traffic
Perform this task at the master controller to modify the PfR exit (outbound) link utilization threshold. After an external interface has been configured for a border router, PfR automatically monitors the utilization of external links on a border router every 20 seconds. The utilization is reported back to the master controller and, if the utilization exceeds 75 percent, PfR selects another exit link for traffic classes on that link. An absolute value in kilobytes per second (kbps), or a percentage, can be specified.
For more details about the configuration of measuring inbound traffic, see the “BGP Inbound Optimization Using Performance Routing” module.
1. enable
2. configure terminal
3. pfr master
4. border ip-address [key-chain key-chain-name]
5. interface type number external
6. max-xmit-utilization {absolute kbps | percentage value
7. end
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode. |
||
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
||
| Step 3 | pfr master Example: Router(config)# pfr master |
Enters PfR master controller configuration mode to configure a router as a master controller and to configure global operations and policies. |
||
| Step 4 | border ip-address [key-chain key-chain-name] Example: Router(config-pfr-mc)# border 10.1.1.2 |
Enters PfR-managed border router configuration mode to establish communication with a border router.
|
||
| Step 5 | interface type number external Example: Router(config-pfr-mc-br)# interface Ethernet 1/0 external |
Configures a border router interface as a PfR-managed external interface and enters PfR border exit interface configuration mode.
|
||
| Step 6 | max-xmit-utilization {absolute kbps | percentage value Example: Router(config-pfr-mc-br-if)# max-xmit-utilization absolute 500000 |
Configures the maximum utilization on a single PfR managed exit link. |
||
| Step 7 | end Example: Router(config-pfr-mc-br-if)# end |
Exits PfR border exit interface configuration mode and returns to privileged EXEC mode. |
Modifying the PfR Exit Link Utilization Range
Perform this task at the master controller to modify the maximum exit link utilization range threshold over all the border routers. By default, PfR automatically monitors the utilization of external links on a border router every 20 seconds, and the border router reports the utilization to the master controller. If the utilization range between all the exit links exceeds 20 percent, the master controller tries to equalize the traffic load by moving some traffic classes to another exit link. The maximum utilization range is configured as a percentage.
PfR uses the maximum utilization range to determine if exit links are in-policy. PfR will equalize outbound traffic across all exit links by moving traffic classes from overutilized or out-of-policy exits to in-policy exits.
 Note |
If you are configuring link grouping, configure the no max-range-utilization command because using a link utilization range is not compatible with using a preferred or fallback set of exit links configured for link grouping. With CSCtr33991, this requirement is removed and PfR can perform load balancing within a PfR link group. |
For more details about the configuration of measuring inbound traffic, see the “BGP Inbound Optimization Using Performance Routing” module.
1. enable
2. configure terminal
3. pfr master
4. max-range-utilization percent maximum
5. end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 | pfr master Example: Router(config)# pfr master |
Enters PfR master controller configuration mode to configure a router as a master controller and to configure global operations and policies. |
| Step 4 | max-range-utilization percent maximum Example: Router(config-pfr-mc)# max-range-utilization percent 25 |
Sets the maximum utilization range for all PfR-managed exit link.s. |
| Step 5 | end Example: Router(config-pfr-mc)# end |
Exits PfR master controller configuration mode and returns to privileged EXEC mode. |
Configuring and Verifying PfR Passive Monitoring
PfR enables passive monitoring by default when a PfR managed network is created, but there are times when passive monitoring is disabled. Use this task to configure passive monitoring and then verify that the passive monitoring is being performed. Perform the first five steps on a master controller and then move to a border router to display passive measurement information collected by NetFlow for monitored prefixes or application traffic flows. The show commands are entered on a border router through which the application traffic is flowing. The show commands can be entered in any order.
1. enable
2. configure terminal
3. pfr master
4. mode monitor {active | both| fast| passive}
5. end
6. Move to one of the border routers.
7. enable
8. show pfr border passive cache {learned[application| traffic-class]}
9. show pfr border passive prefixes
DETAILED STEPS
| Step 1 | enable Enables privileged EXEC mode. Enter your password if prompted. Example: Router> enable |
| Step 2 | configure terminal Enters global configuration mode. Example: Router# configure terminal |
| Step 3 | pfr master Enters PfR master controller configuration mode to configure a router as a master controller and to configure global operations and policies. Example: Router(config)# pfr master |
| Step 4 | mode monitor {active | both| fast| passive} Configures route monitoring or route control on a PfR master controller. The monitor keyword is used to configure active monitoring, passive monitoring, or both active and passive monitoring. Passive monitoring is enabled when either the both or passive keywords are specified. In this example, passive monitoring is enabled. Example: Router(config-pfr-mc)# mode monitor passive |
| Step 5 | end Exits PfR master controller configuration mode and returns to privileged EXEC mode. Example: Router(config-pfr-mc)# end |
| Step 6 | Move to one of the border routers. |
| Step 7 | enable Enables privileged EXEC mode. Enter your password if prompted. Example: Router> enable |
| Step 8 | show pfr border passive cache {learned[application| traffic-class]} This command is used to display real-time passive measurement information collected by NetFlow from the border router for PfR monitored prefixes and traffic flows. The following example uses the learned and application keywords to display measurement information about monitored application traffic classes that have been learned by PfR. In this example for voice traffic, the voice application traffic is identified by the User Datagram Protocol (UDP) protocol, a DSCP value of ef, and port numbers in the range from 3000 to 4000. Example:
Router# show pfr border passive cache learned application
OER Learn Cache:
State is enabled
Measurement type: throughput, Duration: 2 min
Aggregation type: prefix-length, Prefix length: 24
4096 oer-flows per chunk,
8 chunks allocated, 32 max chunks,
5 allocated records, 32763 free records, 4588032 bytes allocated
Prefix Mask Pkts B/Pk Delay Samples Active
Prot Dscp SrcPort DstPort
Host1 Host2 Host3 Host4 Host5
dport1 dport2 dport3 dport4 dport5
10.1.3.0 /24 873 28 0 0 13.3
17 ef [1, 65535] [3000, 4000]
10.1.3.1 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
3500 0 0 0 0
10.1.1.0 /24 7674 28 0 0 13.4
17 ef [1, 65535] [3000, 4000]
10.1.1.1 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
3600 0 0 0 0
|
| Step 9 | show pfr border passive prefixes This command is used to display passive measurement information collected by NetFlow for PfR monitored prefixes and traffic flows. The following output shows the prefix that is being passively monitored by NetFlow for the border router on which the show pfr border passive prefixes command was run: Example: Router# show pfr border passive prefixes OER Passive monitored prefixes: Prefix Mask Match Type 10.1.5.0 /24 exact |
Configuring PfR Active Probing Using the Longest Match Target Assignment
Perform this task at the master controller to configure active probing using the longest match target assignment. Active monitoring is enabled with the mode monitor activeormode monitor both commands, and the type of active probe is specified using the active-probe (PfR) command. Active probes are configured with a specific host or target address and the active probes are sourced on the border router. The active probe source external interface may, or may not, be the preferred route for an optimized prefix. In this example, both active and passive monitoring are enabled and the target IP address of 10.1.5.1 is to be actively monitored using Internet Control Message Protocol (ICMP) echo (ping) messages. This task does not require an IP SLA responder to be enabled.
1. enable
2. configure terminal
3. pfr master
4. mode monitor {active | both | passive}
5. active-probe {echo ip-address | tcp-conn ip-address target-port number | udp-echo ip-address target-port number}
6. end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode.
|
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 | pfr master Example: Router(config)# pfr master |
Enters PfR master controller configuration mode to configure a router as a master controller and to configure global operations and policies. |
| Step 4 | mode monitor {active | both | passive} Example: Router(config-pfr-mc)# mode monitor both |
Configures route monitoring on a PfR master controller.
|
| Step 5 | active-probe {echo ip-address | tcp-conn ip-address target-port number | udp-echo ip-address target-port number} Example: Router(config-pfr-mc)# active-probe echo 10.1.5.1 |
Configures an active probe for a target prefix.
|
| Step 6 | end Example: Router(config-pfr-mc)# end |
Exits PfR master controller configuration mode and returns to privileged EXEC mode. |
Configuring PfR Voice Probes with a Forced Target Assignment
Perform this task to enable active monitoring using PfR jitter probes. In this example, the traffic to be monitored is voice traffic, which is identified using an access list. The active voice probes are assigned a forced target for PfR instead of the usual longest match assigned target. This task also demonstrates how to modify the PfR probe frequency.
Before configuring the PfR jitter probe on the source device, the IP SLAs Responder must be enabled on the target device (the operational target). The IP SLAs Responder is available only on Cisco IOS software-based devices. Start this task at the network device that runs the IP SLAs Responder.
Note |
The device that runs the IP SLAs Responder does not have to be configured for PfR. |
Before configuring this task, an access list must be defined. For an example access list and more details about configuring voice traffic using active probes, see the “PfR Voice Traffic Optimization Using Active Probes” solution module.
1. enable
2. configure terminal
3. ip sla monitor responder
4. exit
5. Move to the network device that is the PfR master controller.
6. enable
7. configure terminal
8. pfr master
9. mode monitor {active | both | passive}
10. exit
11. pfr-map map-name sequence-number
12. match ip address {access-list access-list-name| prefix-list prefix-list-name}
13. set active-probe probe-type ip-address [target-port number] [codec codec-name] [dscp value]
14. set probe frequency seconds
15. set jitter threshold maximum
16. set mos {threshold minimum percent percent}
17. set delay {relative percentage | threshold maximum}
18. end
19. show pfr master active-probes [appl| forced]
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 | ip sla monitor responder Example: Router(config)# ip sla monitor responder |
Enables the IP SLAs Responder. |
| Step 4 | exit Example: Router(config)# exit |
Exits global configuration mode and returns to privileged EXEC mode. |
| Step 5 | Move to the network device that is the PfR master controller. | -- |
| Step 6 | enable Example: Router> enable |
Enables privileged EXEC mode. |
| Step 7 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
| Step 8 | pfr master Example: Router(config)# pfr master |
Enters PfR master controller configuration mode to configure a router as a master controller and to configure global operations and policies. |
| Step 9 | mode monitor {active | both | passive} Example: Router(config-pfr-mc)# mode monitor active |
Configures route monitoring on a PfR master controller. |
| Step 10 | exit Example: Router(config-pfr-mc)# exit |
Exits PfR master controller configuration mode and returns to global configuration. |
| Step 11 | pfr-map map-name sequence-number Example: Router(config)# pfr-map TARGET_MAP 10 |
Enters PfR map configuration mode to configure a PfR map to apply policies to selected IP prefixes. |
| Step 12 | match ip address {access-list access-list-name| prefix-list prefix-list-name} Example: Router(config-pfr-map)# match ip address access-list VOICE_ACCESS_LIST |
References an extended IP access list or IP prefix as match criteria in a PfR map. |
| Step 13 | set active-probe probe-type ip-address [target-port number] [codec codec-name] [dscp value] Example: Router(config-pfr-map)# set active-probe jitter 10.20.22.1 target-port 2000 codec g729a |
Creates a set clause entry to assign a target prefix for an active probe.
|
| Step 14 | set probe frequency seconds Example: Router(config-pfr-map)# set probe frequency 10 |
Creates a set clause entry to set the frequency of the PfR active probe. |
| Step 15 | set jitter threshold maximum Example: Router(config-pfr-map)# set jitter threshold 20 |
Creates a set clause entry to configure the jitter threshold value. |
| Step 16 | set mos {threshold minimum percent percent} Example: Router(config-pfr-map)# set mos threshold 4.0 percent 30 |
Creates a set clause entry to configure the MOS threshold and percentage values used to decide whether an alternate exit is be selected.
|
| Step 17 | set delay {relative percentage | threshold maximum} Example: Router(config-pfr-map)# set delay threshold 100 |
Creates a set clause entry to configure the delay threshold.
|
| Step 18 | end Example: Router(config-pfr-map)# end |
Exits PfR map configuration mode and enters privileged EXEC mode. |
| Step 19 | show pfr master active-probes [appl| forced] Example: Router# show pfr master active-probes forced |
Displays connection and status information about active probes on a PfR master controller.
|
Examples
This example shows output from the show pfr master active-probes forced command. The output is filtered to display only connection and status information about the active probes generated for voice traffic configured with a forced target assignment.
Router# show pfr master active-probes forced OER Master Controller active-probes Border = Border Router running this Probe Policy = Forced target is configure under this policy Type = Probe Type Target = Target Address TPort = Target Port N - Not applicable The following Forced Probes are running: Border State Policy Type Target TPort 10.20.20.2 ACTIVE 40 jitter 10.20.22.1 3050 10.20.21.3 ACTIVE 40 jitter 10.20.22.4 3050
Configuring PfR Voice Probes for Fast Failover
Perform this task to enable fast monitoring using PfR jitter probes. In fast failover monitoring mode, all exits are continuously probed using active monitoring and passive monitoring. The probe frequency can be set to a lower frequency in fast failover monitoring mode than for other monitoring modes, to allow a faster failover capability. Fast failover monitoring can be used with all types of active probes: ICMP echo, jitter, TCP connection, and UDP echo.
Fast failover monitoring is designed for traffic classes that are very sensitive to performance issues or congested links, and voice traffic is very sensitive to any dropped links. In this example, the fast failover monitoring mode is enabled and the voice traffic to be monitored is identified using an IP prefix list. To reduce some of the overhead that fast failover monitoring produces, the active voice probes are assigned a forced target for PfR. The PfR probe frequency is set to 2 seconds. In the examples section after the task table, the show pfr master prefix command is used to show the policy configuration for the prefix specified in the task steps and some logging output is displayed to show that fast failover is configured.
Note |
In fast monitoring mode, probe targets are learned as well as learned prefixes. To avoid triggering large numbers of probes in the network, use fast monitoring mode only for real time applications and critical applications with performance sensitive traffic. |
Before configuring the PfR jitter probe on the source device, the IP SLAs Responder must be enabled on the target device (the operational target). The IP SLAs Responder is available only on Cisco IOS software-based devices. Start this task at the network device that runs the IP SLAs Responder.
Note |
The device that runs the IP SLAs Responder does not have to be configured for PfR. |
1. enable
2. configure terminal
3. ip sla monitor responder
4. exit
5. Move to the network device that is the PfR master controller.
6. enable
7. configure terminal
8. ip prefix-list list-name [seq seq-value] {deny network/length| permit network/length}
9. Repeat Step 4 for more prefix list entries, as required.
10. pfr-map map-name sequence-number
11. match traffic-class prefix-list prefix-list-name
12. set mode monitor {active | both| fast| passive}
13. set jitter threshold maximum
14. set mos {threshold minimum percent percent}
15. set delay {relative percentage | threshold maximum}
16. set active-probe probe-type ip-address [target-port number] [codec codec-name] [dscp value]
17. set probe frequency seconds
18. end
19. show pfr master prefix [prefix[detail| policy| traceroute[exit-id| border-address| current]]]
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode. |
||
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
||
| Step 3 | ip sla monitor responder Example: Router(config)# ip sla monitor responder |
Enables the IP SLAs Responder. |
||
| Step 4 | exit Example: Router(config)# exit |
Exits global configuration mode and returns to privileged EXEC mode. |
||
| Step 5 | Move to the network device that is the PfR master controller. | -- |
||
| Step 6 | enable Example: Router> enable |
Enables privileged EXEC mode. |
||
| Step 7 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
||
| Step 8 | ip prefix-list list-name [seq seq-value] {deny network/length| permit network/length} Example: Router(config)# ip prefix-list VOICE_FAIL_LIST permit 10.1.0.0/24 |
Creates an IP prefix list. |
||
| Step 9 | Repeat Step 4 for more prefix list entries, as required. | — |
||
| Step 10 | pfr-map map-name sequence-number Example: Router(config)# pfr-map FAST_FAIL_MAP 10 |
Enters PfR map configuration mode to configure a PfR map to apply policies to selected IP prefixes. |
||
| Step 11 | match traffic-class prefix-list prefix-list-name Example: Router(config-pfr-map)# match traffic-class prefix-list VOICE_FAIL_LIST |
References an IP prefix list as traffic class match criteria in a PfR map. |
||
| Step 12 | set mode monitor {active | both| fast| passive} Example: Router(config-pfr-map)# set mode monitor fast |
Creates a set clause entry to configure route monitoring on a PfR master controller. |
||
| Step 13 | set jitter threshold maximum Example: Router(config-pfr-map)# set jitter threshold 12 |
Creates a set clause entry to configure the jitter threshold value. |
||
| Step 14 | set mos {threshold minimum percent percent} Example: Router(config-pfr-map)# set mos threshold 3.6 percent 30 |
Creates a set clause entry to configure the MOS threshold and percentage values used to decide whether an alternate exit is be selected.
|
||
| Step 15 | set delay {relative percentage | threshold maximum} Example: Router(config-pfr-map)# set delay relative 50 |
Creates a set clause entry to configure the delay threshold.
|
||
| Step 16 | set active-probe probe-type ip-address [target-port number] [codec codec-name] [dscp value] Example: Router(config-pfr-map)# set active-probe jitter 10.120.120.1 target-port 20 codec g729a |
Creates a set clause entry to assign a target prefix for an active probe.
|
||
| Step 17 | set probe frequency seconds Example: Router(config-pfr-map)# set probe frequency 2 |
Creates a set clause entry to set the frequency of the PfR active probe.
|
||
| Step 18 | end Example: Router(config-pfr-map)# end |
Exits PfR map configuration mode and enters privileged EXEC mode. |
||
| Step 19 | show pfr master prefix [prefix[detail| policy| traceroute[exit-id| border-address| current]]] Example: Router# show pfr master prefix 10.1.1.0/24 policy |
(Optional) Displays the status of monitored prefixes. |
Examples
This example shows output from the show pfr master prefixcommand when a prefix is specified with the policy keyword to display the policy configured for the prefix 10.1.1.0/24. Note that the mode monitor is set to fast, which automatically sets the select-exit to best, and allows the probe frequency to be set at 2.
Router# show pfr master prefix 10.1.1.0/24 policy
* Overrides Default Policy Setting
pfr-map MAP 10
sequence no. 8444249301975040, provider id 1, provider priority 30
host priority 0, policy priority 10, Session id 0
match ip prefix-lists: VOICE_FAIL_LIST
backoff 90 90 90
delay relative 50
holddown 90
periodic 0
*probe frequency 2
mode route control
*mode monitor fast
*mode select-exit best
loss relative 10
*jitter threshold 12
mos threshold 3.60 percent 30
unreachable relative 50
next-hop not set
forwarding interface not set
resolve jitter priority 1 variance 10
resolve utilization priority 12 variance 20
Forced Assigned Target List:
active-probe jitter 10.120.120.1 target-port 20 codec g729a
Configuring the Source Address of an Active Probe
Perform this task on a border router to specify the source interface for active probing. The active probe source interface is configured on the border router with the active-probe address source ((PfR) in PfR border router configuration mode. The active probe source interface IP address must be unique to ensure that the probe reply is routed back to the specified source interface.
The following is default behavior:
- The source IP address is used from the default PfR external interface that transmits the active probe when this command is not enabled or if the no form is entered.
- If the interface is not configured with an IP address, the active probe will not be generated.
- If the IP address is changed after the interface has been configured as an active probe source, active probing is stopped, and then restarted with the new IP address.
- If the IP address is removed after the interface has been configured as an active probe source, active probing is stopped and not restarted until a valid primary IP address is configured.
1. enable
2. configure terminal
3. pfr border
4. active-probe address source interface type number
5. end
6. show pfr border active-probes
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 | pfr border Example: Router(config)# pfr border |
Enters PfR border router configuration mode to configure a router as a border router. |
| Step 4 | active-probe address source interface type number Example: Router(config-pfr-br)# active-probe address source interface FastEthernet 0/0 |
Configures an interface on a border router as the active-probe source. |
| Step 5 | end Example: Router(config-pfr-br)# end |
Exits PfR border router configuration mode and enters privileged EXEC mode. |
| Step 6 | show pfr border active-probes Example: Router# show pfr border active-probes |
Displays connection and status information about active probes on a PfR border router. |
Apply Policy Phase Tasks
The following tasks show how to configure elements of the PfR apply policy phase:
- Configuring and Applying a PfR Policy to Learned Traffic Classes
- Preventing PfR Optimization of Learned Prefixes
- Configuring Policy Rules for PfR Maps
- Configuring Multiple PfR Policy Conflict Resolution
- Configuring Black Hole Routing Using a PfR Map
- Configuring Sinkhole Routing Using a PfR Map
Configuring and Applying a PfR Policy to Learned Traffic Classes
Perform this task at the master controller to configure and apply a PfR policy to learned traffic classes. After configuring the router as a PfR master controller using the pfr master command, most of the commands in this task are all optional. Each step configures a performance policy that applies to learned traffic classes on a global basis. In this example, PfR is configured to select the first in-policy exit.
In this task some PfR timers are modified. When adjusting PfR timers note that a newly configured timer setting will immediately replace the existing setting if the value of the new setting is less than the time remaining. If the value is greater than the time remaining, the new setting will be applied when the existing timer expires or is reset.
Note |
Overly aggressive timer settings can keep an exit link or traffic class entry in an out-of-policy state. |
1. enable
2. configure terminal
3. pfr master
4. backoff min-timer max-timer [step-timer]
5. delay {relative percentage | threshold maximum}
6. holddown timer
7. loss {relative average | threshold maximum}
8. periodic timer
9. unreachable {relative average | threshold maximum}
10. mode select-exit {best | good}}
11. end
12. show pfr master policy [sequence-number|policy-name | default]
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode. |
||
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
||
| Step 3 | pfr master Example: Router(config)# pfr master |
Enters PfR master controller configuration mode. |
||
| Step 4 | backoff min-timer max-timer [step-timer] Example: Router(config-pfr-mc)# backoff 400 4000 400 |
(Optional) Sets the backoff timer to adjust the time period for policy decisions.
|
||
| Step 5 | delay {relative percentage | threshold maximum} Example: Router(config-pfr-mc)# delay relative 80 |
(Optional) Sets the delay threshold as a relative percentage or as an absolute value.
|
||
| Step 6 | holddown timer Example: Router(config-pfr-mc)# holddown 600 |
(Optional) Configures the traffic class entry route dampening timer to set the minimum period of time that a new exit must be used before an alternate exit can be selected.
|
||
| Step 7 | loss {relative average | threshold maximum} Example: Router(config-pfr-mc)# loss relative 20 |
(Optional) Sets the relative or maximum packet loss limit that PfR will permit for a traffic class entry.
|
||
| Step 8 | periodic timer Example: Router(config-pfr-mc)# periodic 300 |
(Optional) Configures PfR to periodically select the best exit link when the periodic timer expires.
|
||
| Step 9 | unreachable {relative average | threshold maximum} Example: Router(config-pfr-mc)# unreachable relative 10 |
(Optional) Sets the maximum number of unreachable hosts.
|
||
| Step 10 | mode select-exit {best | good}} Example: Router(config-pfr-mc)# mode select-exit good |
Enables the exit link selection based on performance or policy. |
||
| Step 11 | end Example: Router(config-pfr-mc)# end |
Exits PfR master controller configuration mode and enters privileged EXEC mode. |
||
| Step 12 | show pfr master policy [sequence-number|policy-name | default] Example: Router# show pfr master policy |
Displays policy settings on a PfR master controller.
|
Examples
This example shows output from the show pfr master policy command. Default policy settings are displayed except where the configuration in this task has overwritten specific policy settings.
Router# show pfr master policy Default Policy Settings: backoff 400 4000 400 delay relative 80 holddown 600 periodic 300 probe frequency 56 mode route observe mode monitor both mode select-exit good loss relative 20 unreachable relative 10 resolve delay priority 11 variance 20 resolve utilization priority 12 variance 20 *tag 0
Preventing PfR Optimization of Learned Prefixes
Perform this task at the master controller to configure and apply a PfR policy to prevent PfR from attempting to optimize specified learned prefixes. This task is useful when you know a few prefixes that you want to exclude from the PfR optimization, but these prefixes will be learned automatically by PfR. In this task, an IP prefix list is configured with two entries for different prefixes that are not to be optimized. A PfR map is configured with two entries in a sequence that will prevent PfR from optimizing the prefixes specified in the prefix list, although the prefixes may be learned. If the sequence numbers of the PfR map entries are reversed, PfR will learn and attempt to optimize the prefixes.
1. enable
2. configure terminal
3. ip prefix-list list-name [seq seq-value] {deny network / length| permit network / length}
4. ip prefix-list list-name [seq seq-value] {deny network / length| permit network / length}
5. pfr-map map-name sequence-number
6. match ip address {access-list access-list-name| prefix-list prefix-list-name}
7. exit
8. pfr-map map-name sequence-number
9. match pfr learn {delay| inside| throughput}
10. end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 | ip prefix-list list-name [seq seq-value] {deny network / length| permit network / length} Example: Router(config)# ip prefix-list DENY_LIST deny 10.1.1.0/24 |
Creates an IP prefix list.
|
| Step 4 | ip prefix-list list-name [seq seq-value] {deny network / length| permit network / length} Example: Router(config)# ip prefix-list DENY_LIST deny 172.20.1.0/24 |
Creates an IP prefix list.
|
| Step 5 | pfr-map map-name sequence-number Example: Router(config)# pfr-map DENY_MAP 10 |
Enters PfR map configuration mode to configure a PfR map to apply policies to selected IP prefixes. |
| Step 6 | match ip address {access-list access-list-name| prefix-list prefix-list-name} Example: Router(config-pfr-map)# match ip address prefix-list DENY_LIST |
References an extended IP access list or IP prefix list as match criteria in a PfR map. |
| Step 7 | exit Example: Router(config-pfr-map)# exit |
Exits PfR map configuration mode and returns to global configuration mode. |
| Step 8 | pfr-map map-name sequence-number Example: Router(config)# pfr-map DENY_MAP 20 |
Enters a PfR map entry. |
| Step 9 | match pfr learn {delay| inside| throughput} Example: Router(config-pfr-map)# match pfr learn throughput |
Creates a match clause entry in a PfR map to match PfR learned prefixes. |
| Step 10 | end Example: Router(config-pfr-map)# end |
(Optional) Exits PfR map configuration mode and returns to privileged EXEC mode. |
Configuring Policy Rules for PfR Maps
Perform this task to select a PfR map and apply the configuration under PfR master controller configuration mode. The policy-rules (PfR) command provides an improved method to switch between predefined PfR maps.
At least one PfR map must be configured before you can enable policy-rule support.
1. enable
2. configure terminal
3. pfr master
4. policy-rules map-name
5. end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode.
|
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 | pfr master Example: Router(config)# pfr master |
Enters PfR master controller configuration mode to configure global prefix and exit link policies. |
| Step 4 | policy-rules map-name Example: Router(config-pfr-mc)# policy-rules TARGET_MAP |
Applies a configuration from a PfR map to a master controller configuration in PfR master controller configuration mode.
|
| Step 5 | end Example: Router(config-pfr-mc)# end |
Exits PfR master controller configuration mode and enters privileged EXEC mode. |
Configuring Multiple PfR Policy Conflict Resolution
Perform this task to use the PfR resolve function to assign a priority to a PfR policy to avoid any conflict over which policy to run first. Each policy is assigned a unique value, and the policy with the highest value is selected as the highest priority. By default, a delay policy has the highest priority and a traffic load (utilization) policy has the second highest priority. Assigning a priority value to any policy will override default settings.
1. enable
2. configure terminal
3. pfr master
4. resolve {cost priority value| delay priority value variance percentage | loss priority value variance percentage | range priority value | utilization priority value variance percentage}
5. Repeat Step 4 to assign a priority for each required PfR policy.
6. end
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode.
|
||
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
||
| Step 3 | pfr master Example: Router(config)# pfr master |
Enters PfR master controller configuration mode. |
||
| Step 4 | resolve {cost priority value| delay priority value variance percentage | loss priority value variance percentage | range priority value | utilization priority value variance percentage} Example: Router(config-pfr-mc)# resolve loss priority 2 variance 10 |
Sets policy priority or resolves policy conflicts.
|
||
| Step 5 | Repeat Step 4 to assign a priority for each required PfR policy. | -- |
||
| Step 6 | end Example: Router(config-pfr-mc)# end |
Exits PfR master controller configuration mode, and enters privileged EXEC mode. |
Configuring Black Hole Routing Using a PfR Map
Perform this task to configure a PfR map to filter packets to be forwarded to a null interface, meaning that the packets are discarded in a “black hole.” The prefix list is configured after an IP prefix is identified as the source of the attack on the network. Some protocols such as BGP allow the redistribution of black hole routes, but other protocols do not.
This optional task can help prevent and mitigate attacks on your network.
1. enable
2. configure terminal
3. ip prefix-list list-name [seq seq-value] {deny network/length| permit network/length}
4. pfr-map map-name sequence-number
5. match ip address {access-list access-list-name | prefix-list prefix-list-name}
6. set interface null0
7. end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 | ip prefix-list list-name [seq seq-value] {deny network/length| permit network/length} Example: Router(config)# ip prefix-list BLACK_HOLE_LIST seq 10 permit 10.20.21.0/24 |
Creates an IP prefix list.
|
| Step 4 | pfr-map map-name sequence-number Example: Router(config)# pfr-map BLACK_HOLE_MAP 10 |
Enters PfR map configuration mode to configure a PfR map to apply policies to selected IP prefixes. |
| Step 5 | match ip address {access-list access-list-name | prefix-list prefix-list-name} Example: Router(config-pfr-map)# match ip address prefix-list BLACK_HOLE_LIST |
References an extended IP access list or IP prefix as match criteria in a PfR map. |
| Step 6 | set interface null0 Example: Router(config-pfr-map)# set interface null0 |
Creates a set clause entry to forward packets to the null interface, meaning that they are discarded. |
| Step 7 | end Example: Router(config-pfr-map)# end |
(Optional) Exits PfR map configuration mode and returns to privileged EXEC mode. |
Configuring Sinkhole Routing Using a PfR Map
Perform this task to configure a PfR map to filter packets to be forwarded to a next hop. The next hop is a router where the packets can be stored, analyzed, or discarded (the sinkhole analogy). The prefix list is configured after an IP prefix is identified as the source of an attack on the network.
This optional task can help prevent and mitigate attacks on your network
1. enable
2. configure terminal
3. ip prefix-list list-name [seq seq-value] {deny network/length| permit network/length}
4. pfr-map map-name sequence-number
5. match ip address {access-list access-list-name | prefix-list prefix-list-name}
6. set next-hop ip-address
7. end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 | ip prefix-list list-name [seq seq-value] {deny network/length| permit network/length} Example: Router(config)# ip prefix-list SINKHOLE_LIST seq 10 permit 10.20.21.0/24 |
Creates an IP prefix list.
|
| Step 4 | pfr-map map-name sequence-number Example: Router(config-pfr-mc)# pfr-map SINKHOLE_MAP 10 |
Enters PfR map configuration mode to configure a PfR map to apply policies to selected IP prefixes. |
| Step 5 | match ip address {access-list access-list-name | prefix-list prefix-list-name} Example: Router(config-pfr-map)# match ip address prefix-list SINKHOLE_LIST |
References an extended IP access list or IP prefix as match criteria in a PfR map. |
| Step 6 | set next-hop ip-address Example: Router(config-pfr-map)# set next-hop 10.20.21.6 |
Creates a set clause entry specifying that packets are forwarded to the next hop. |
| Step 7 | end Example: Router(config)# end |
(Optional) Exits PfR map configuration mode and returns to privileged EXEC mode. |
Enforce Phase Tasks
The following tasks show how to configure elements of the PfR configure and apply policy phase:
Controlling Application Traffic
Perform this task on a master controller to control application traffic. This task shows how to use policy-based routing (PBR) to allow PfR to control specified application traffic classes. Use application-aware policy routing to configure application traffic that can be filtered with a permit statement in an extended IP access list.
Application traffic such as Telnet traffic is delay sensitive and long TCP delays can make Telnet sessions difficult to use. In this task, an extended IP access list is configured to permit Telnet traffic. A PfR map is configured with an extended access list that references a match clause to match Telnet traffic that is sourced from the 192.168.1.0/24 network. PfR route control is enabled and a delay policy is configured to ensure that Telnet traffic is sent out through exit links with a response time that is equal to, or less than, 30 milliseconds. The configuration is verified with the show pfr master appl command.
Note |
1. enable
2. configure terminal
3. ip access-list {standard | extended} access-list-name}
4. [sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-name][precedence precedence][tos tos] [ttl operator value] [log ][time-range time-range-name][fragments]
5. exit
6. pfr-map map-name sequence-number
7. match ip address {access-list name| prefix-list name}
8. set mode route control
9. set delay {relative percentage | threshold maximum}
10. set resolve {cost priority value | delay priority value variance percentage | loss priority value variance percentage | range priority value | utilization priority value variance percentage}
11. end
12. show pfr master appl [access-list name] [detail] | [tcp | udp] [protocol-number] [min-port max-port] [dst | src] [detail | policy]
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | enable Example: Router> enable |
Enables privileged EXEC mode. |
| Step 2 | configure terminal Example: Router# configure terminal |
Enters global configuration mode. |
| Step 3 | ip access-list {standard | extended} access-list-name} Example: Router(config)# ip access-list extended TELNET_ACL |
Creates an extended access list and enters extended access list configuration mode. |
| Step 4 | [sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-name][precedence precedence][tos tos] [ttl operator value] [log ][time-range time-range-name][fragments] Example: Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq telnet |
Defines the extended access list. |
| Step 5 | exit Example: Router(config-ext-nacl)# exit |
Exits extended access list configuration mode, and returns to global configuration mode. |
| Step 6 | pfr-map map-name sequence-number Example: Router(config# pfr-map BLUE |
Enters PfR map configuration mode to configure a PfR map. |
| Step 7 | match ip address {access-list name| prefix-list name} Example: Router(config-pfr-map)# match ip address access-list TELNET |
References an extended IP access list or IP prefix as match criteria in a PfR map. |
| Step 8 | set mode route control Example: Router(config-pfr-map)# set mode route control |
Creates a set clause entry to configure route control for matched traffic. |
| Step 9 | set delay {relative percentage | threshold maximum} Example: Router(config-pfr-map)# set delay threshold 30 |
(Optional) Configures a PfR map to configure PfR to set the delay threshold. |
| Step 10 | set resolve {cost priority value | delay priority value variance percentage | loss priority value variance percentage | range priority value | utilization priority value variance percentage} Example: Router(config-pfr-map)# set resolve delay priority 1 variance 20 |
(Optional) Configures a PfR map to set policy priority for overlapping policies. |
| Step 11 | end Example: Router(config-pfr-map)# end |
Exits PfR map configuration mode and returns to privileged EXEC mode. |
| Step 12 | show pfr master appl [access-list name] [detail] | [tcp | udp] [protocol-number] [min-port max-port] [dst | src] [detail | policy] Example: Router# show pfr master appl tcp 23 23 dst policy |
(Optional) Displays information about applications monitored and controlled by a PfR master controller. |
Examples
The following example output from the show pfr master appl command shows TCP application traffic filtered based on port 23 (Telnet):
Router# show pfr master appl tcp 23 23 dst policy Prefix Appl Prot Port Port Type Policy -------------------------------------------------------------------------------- 10.1.1.0/24 tcp [23, 23] src 10
Verify Phase Task
The following task shows how to configure elements of the PfR verify phase:
Manually Verifying the PfR Route Enforce Changes
PfR automatically verifies route enforce changes in the network using NetFlow output. PfR monitors the NetFlow messages and uncontrols a traffic class if a message does not appear to verify the route enforce change. Perform the steps in this optional task if you want to manually verify that the traffic control implemented by the PfR enforce phase actually changes the traffic flow, and brings the OOP event to be in-policy. All the steps are optional and are not in any order. The information from these steps can verify that a specific prefix associated with a traffic class has been moved to another exit or entrance link interface, or that it is being controlled by PfR. The first three commands are entered at the master controller, the last two commands are entered at a border router. For more details about other PfR show commands, see the Cisco IOS Performance Routing Command Reference.
1. enable
2. show logging [slot slot-number | summary]
3. show pfr master prefix prefix [detail]
4. Move to a border router to enter the next step.
5. enable
6. show pfr border routes {bgp | cce | eigrp [parent] | rwatch | static}
DETAILED STEPS
| Step 1 |
enable Enables privileged EXEC mode. Enter your password if prompted. Example: Router> enable |
||
| Step 2 |
show logging [slot slot-number | summary] This command is used to display the state of system logging (syslog) and the contents of the standard system logging buffer. Using optional delimiters, this example shows the logging buffer with PfR messages for the prefix 10.1.1.0 that is OOP and has a route change.
Example: Router# show logging | I 10.1.1.0 *Apr 26 22:58:20.919: %OER_MC-5-NOTICE: Discovered Exit for prefix 10.1.1.0/24, BR 10.10.10.1, I/f Et9/0 *Apr 26 23:03:14.987: %OER_MC-5-NOTICE: Route changed 10.1.1.0/24, BR 10.10.10.1, I/f Se12/0, Reason Delay, OOP Reason Timer Expired *Apr 26 23:09:18.911: %OER_MC-5-NOTICE: Passive REL Loss OOP 10.1.1.0/24, loss 133, BR 10.10.10.1, I/f Se12/0, relative loss 23, prev BR Unknown I/f Unknown *Apr 26 23:10:51.123: %OER_MC-5-NOTICE: Route changed 10.1.1.0/24, BR 10.10.10.1, I/f Et9/0, Reason Delay, OOP Reason Loss |
||
| Step 3 |
show pfr master prefix prefix [detail] This command is used to display the status of monitored prefixes. The output from this command includes information about the source border router, current exit interface, prefix delay, and egress and ingress interface bandwidth. In this example, the output is filtered for the prefix 10.1.1.0 and shows that the prefix is currently in a holddown state. Only syntax relevant to this task, is shown in this step. Example:
Router# show pfr master prefix 10.1.1.0
Prefix State Time Curr BR CurrI/F Protocol
PasSDly PasLDly PasSUn PasLUn PasSLos PasLLos
ActSDly ActLDly ActSUn ActLUn EBw IBw
--------------------------------------------------------------------------------
10.1.1.0/24 HOLDDOWN 42 10.10.10.1 Et9/0 STATIC
16 16 0 0 0 0
U U 0 0 55 2
|
||
| Step 4 |
Move to a border router to enter the next step. The next command is entered on a border router, not the master controller. |
||
| Step 5 |
enable Enables privileged EXEC mode. Enter your password if prompted. Example: Router> enable |
||
| Step 6 |
show pfr border routes {bgp | cce | eigrp [parent] | rwatch | static} This command is entered on a border router. This command is used to display information about PfR controlled routes on a border router. In this example, the output shows that prefix 10.1.1.0 is being controlled by PfR. Example:
Router# show pfr border routes bgp
OER BR 10.10.10.1 ACTIVE, MC 10.10.10.3 UP/DOWN: UP 00:10:08,
Auth Failures: 0
Conn Status: SUCCESS, PORT: 3949
BGP table version is 12, local router ID is 10.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, I - internal,
r RIB-failure, S Stale
Origin codes: I - IGP, e - EGP, ? - incomplete
OER Flags: C - Controlled, X - Excluded, E - Exact, N - Non-exact, I - Injected
Network Next Hop OER LocPrf Weight Path
*> 10.1.1.0/24 10.40.40.2 CE 0 400 600 I
|
Configuration Examples for Advanced Performance Routing
- Profile Phase Tasks Examples
- Measure Phase Tasks Examples
- Apply Policy Phase Tasks Examples
- Enforce Phase Tasks Examples
- Verify Phase Task Example
Profile Phase Tasks Examples
- Example Defining a Learn List for Automatically Learned Prefix-Based Traffic Classes
- Example Defining a Learn List for Automatically Learned Application Traffic Classes Using an Access List
- Example Manually Selecting Prefix-Based Traffic Classes Using a Prefix List
- Example Manually Selecting Application Traffic Classes Using an Access List
Example Defining a Learn List for Automatically Learned Prefix-Based Traffic Classes
The following example configured on the master controller, defines a learn list that will contain traffic classes that are automatically learned based only on a prefix list. In this example, there are three branch offices and the goal is to optimize all the traffic going to branch offices A and B using one policy (Policy1), and to optimize traffic going to branch office C using a different policy (Policy2).
Branch A is defined as any prefix that matches 10.1.0.0./16, Branch B is defined as any prefix that matches 10.2.0.0./16, and Branch C is defined as any prefix that matches 10.3.0.0./16.
This task configures prefix learning based on the highest outbound throughput.
ip prefix-list BRANCH_A_B permit seq 10 10.1.0.0/16 ip prefix-list BRANCH_A_B permit seq 20 10.2.0.0/16 ip prefix-list BRANCH_C permit seq 30 10.3.0.0/16 pfr master learn list seq 10 refname LEARN_BRANCH_A_B traffic-class prefix-list BRANCH_A_B throughput exit exit learn list seq 20 refname LEARN_BRANCH_C traffic-class prefix-list BRANCH_C throughput exit exit pfr-map POLICY1 10 match learn list LEARN_BRANCH_A_B exit pfr-map POLICY2 10 match learn list LEARN_BRANCH_C end
Example Defining a Learn List for Automatically Learned Application Traffic Classes Using an Access List
The following example creates an access list that defines custom application traffic classes. In this example, the custom application consists of four criteria:
- Any TCP traffic on destination port 500
- Any TCP traffic on ports in the range from 700 to 750
- Any UDP traffic on source port 400
- Any IP packet marked with a DSCP bit of ef
The goal is to optimize the custom application traffic using a learn list that is referenced in a PfR policy named POLICY_CUSTOM_APP. This task configures traffic class learning based on the highest outbound throughput.
ip access-list extended USER_DEFINED_TC permit tcp any any 500 permit tcp any any range 700 750 permit udp any eq 400 any permit ip any any dscp ef exit pfr master learn list seq 10 refname CUSTOM_APPLICATION_TC traffic-class access-list USER_DEFINED_TC aggregation-type prefix-length 24 throughput exit exit pfr-map POLICY_CUSTOM_APP 10 match learn list CUSTOM_APPLICATION_TC end
Example Manually Selecting Prefix-Based Traffic Classes Using a Prefix List
The following example configured on the master controller, manually selects traffic classes based only on destination prefixes. Use this task when you know the destination prefixes that you want to select for the traffic classes. An IP prefix list is created to define the destination prefixes and using a PfR map, the traffic classes are profiled.
ip prefix-list PREFIX_TC permit 10.1.1.0/24 ip prefix-list PREFIX_TC permit 10.1.2.0/24 ip prefix-list PREFIX_TC permit 172.16.1.0/24 pfr-map PREFIX_MAP 10 match traffic-class prefix-list PREFIX_TC
Example Manually Selecting Application Traffic Classes Using an Access List
The following example configured on the master controller, manually selects traffic classes using an access list. Each access list entry is a traffic class that must include a destination prefix and may include other optional parameters.
ip access-list extended ACCESS_TC permit tcp any 10.1.1.0 0.0.0.255 eq 500 permit tcp any 172.17.1.0 0.0.255.255 eq 500 permit tcp any 172.17.1.0 0.0.255.255 range 700 750 permit tcp 192.168.1.1 0.0.0.0 10.1.2.0 0.0.0.255 eq 800any any dscp ef exit pfr-map ACCESS_MAP 10 match traffic-class access-list ACCESS_TC
Measure Phase Tasks Examples
- Example Modifying the PfR Link Utilization for Outbound Traffic
- Example Modifying the PfR Exit Link Utilization Range
- Example TCP Probe for Longest Match Target Assignment
- UDP Probe for Forced Target Assignment Example
- Example Configuring PfR Voice Probes for Fast Failover
- Example Configuring the Source Address of an Active Probe
Example Modifying the PfR Link Utilization for Outbound Traffic
The following example shows how to modify the PfR exit link utilization threshold. In this example, the exit utilization is set to 80 percent. If the utilization for this exit link exceeds 80 percent, PfR selects another exit link for traffic classes that were using this exit link.
Router(config)# pfr master Router(config-pfr-mc)# border 10.1.4.1 Router(config-pfr-mc-br)# interface Ethernet 1/0 external Router(config-pfr-mc-br-if)# max-xmit-utilization percentage 80 Router(config-pfr-mc-br-if)# end
Example Modifying the PfR Exit Link Utilization Range
The following example shows how to modify the PfR exit utilization range. In this example, the exit utilization range for all exit links is set to 10 percent. PfR uses the maximum utilization range to determine if exit links are in-policy. PfR will equalize outbound traffic across all exit links by moving prefixes from overutilized or out-of-policy exits to in-policy exits.
Router(config)# pfr master Router(config-pfr-mc)# max-range-utilization percentage 10 Router(config-pfr-mc)# end
Example TCP Probe for Longest Match Target Assignment
The following example shows how to configure active probing using the TCP probe with the longest match target assignment. The IP SLAs Responder must first be enabled on the target device, and this device does not have to be configured for PfR. A border router can be used as the target device. The second configuration is performed at the master controller.
Target Device
Router> enable Router# configure terminal Router(config)# ip sla monitor responder type tcpConnect port 49152 Router(config)# exit
Master Controller
Router(config)# pfr master Router(config-pfr-mc)# mode monitor active Router(config-pfr-mc)# active-probe tcp-conn 10.4.4.44 target-port 49152
UDP Probe for Forced Target Assignment Example
The following example shows how to configure active probing with a forced target assignment and a configured probe frequency of 20 seconds. This example requires an IP SLAs Responder to be enabled on the target device.
Target Device
Router> enable Router# configure terminal Router(config)# ip sla monitor responder type udpEcho port 1001 Router(config)# exit
Master Controller
Router(config)# pfr master Router(config-pfr-mc)# mode monitor active Router(config-pfr-mc)# exit Router(config)# pfr-map FORCED_MAP 10 Router(config-pfr-map)# match ip address access-list FORCED_LIST Router(config-pfr-map)# set active-probe udp-echo 10.5.5.57 target-port 1001 Router(config-pfr-map)# set probe frequency 20 Router(config-pfr-map)# end
Example Configuring PfR Voice Probes for Fast Failover
The following example, starting in global configuration mode, shows how quickly a new exit can be selected when fast failover is configured.
Note |
Fast monitoring is a very aggressive mode that incurs a lot of overhead with the continuous probing. We recommend that you use fast monitoring only for performance sensitive traffic. |
The first output shows the configuration at the master controller of three border routers. Route control mode is enabled.
Router# show run | sec pfr master pfr master policy-rules MAP port 7777 logging ! border 10.3.3.3 key-chain key1 interface Ethernet9/0 external interface Ethernet8/0 internal ! border 10.3.3.4 key-chain key2 interface Ethernet5/0 external interface Ethernet8/0 internal ! border 10.4.4.2 key-chain key3 interface Ethernet2/0 external interface Ethernet8/0 internal backoff 90 90 mode route control resolve jitter priority 1 variance 10 no resolve delay !
To verify the basic configuration and show the status of the border routers, the show pfr master command is run:
Router# show pfr master OER state: ENABLED and ACTIVE Conn Status: SUCCESS, PORT: 7777 Version: 2.1 Number of Border routers: 3 Number of Exits: 3 Number of monitored prefixes: 1 (max 5000) Max prefixes: total 5000 learn 2500 Prefix count: total 1, learn 0, cfg 1 Border Status UP/DOWN AuthFail Version 10.4.4.2 ACTIVE UP 17:00:32 0 2.1 10.3.3.4 ACTIVE UP 17:00:35 0 2.1 10.3.3.3 ACTIVE UP 17:00:38 0 2.1 Global Settings: max-range-utilization percent 20 recv 20 mode route metric bgp local-pref 5000 mode route metric static tag 5000 trace probe delay 1000 logging Default Policy Settings: backoff 90 90 90 delay relative 50 holddown 90 periodic 0 probe frequency 56 mode route control mode monitor both mode select-exit good loss relative 10 jitter threshold 20 mos threshold 3.60 percent 30 unreachable relative 50 resolve jitter priority 1 variance 10 resolve utilization priority 12 variance 20 Learn Settings: current state : DISABLED time remaining in current state : 0 seconds no throughput no delay no inside bgp no protocol monitor-period 5 periodic-interval 120 aggregation-type prefix-length 24 prefixes 100 expire after time 720
Fast failover is now configured for active voice probes and the probe frequency is set to 2 seconds using a PfR map. The fast failover monitoring mode is enabled and the voice traffic to be monitored is identified using an IP prefix list to specify the 10.1.1.0/24 prefix. To reduce some of the overhead that fast failover monitoring produces, the active voice probes are assigned a forced target for PfR.
Router# show run | sec pfr-map pfr-map MAP 10 match traffic-class prefix-list VOICE_FAIL_LIST set mode select-exit best set mode monitor fast set jitter threshold 12 set active-probe jitter 120.120.120.1 target-port 20 codec g729a set probe frequency 2
The following output from the show pfr master prefixcommand when a prefix is specified with the policy keyword shows the policy configured for the prefix 10.1.1.0/24. Note that the mode monitor is set to fast, which automatically sets the select-exit to best, and allows the probe frequency to be set at 2.
Router# show pfr master prefix 10.1.1.0/24 policy
* Overrides Default Policy Setting
pfr-map MAP 10
sequence no. 8444249301975040, provider id 1, provider priority 30
host priority 0, policy priority 10, Session id 0
match ip prefix-lists: VOICE_FAIL_LIST
backoff 90 90 90
delay relative 50
holddown 90
periodic 0
*probe frequency 2
mode route control
*mode monitor fast
*mode select-exit best
loss relative 10
*jitter threshold 12
mos threshold 3.60 percent 30
unreachable relative 50
next-hop not set
forwarding interface not set
resolve jitter priority 1 variance 10
resolve utilization priority 12 variance 20
Forced Assigned Target List:
active-probe jitter 10.120.120.1 target-port 20 codec g729a
After the master controller is configured for fast failover as shown in this task, and a traffic class goes out of policy, the logging output below shows that the traffic class represented by prefix 10.1.1.0/24 is routed by PfR through a new border router exit at interface 10.3.3.4 within 3 seconds. From the logging output, it appears that the traffic class moved to an out-of-policy state due to the jitter threshold being exceeded.
May 2 10:55:27.355: %OER_MC-5-NOTICE: Active ABS Jitter OOP Prefix 10.1.1.0/24, jitter 15, BR 10.4.4.2, i/f Et2/0 May 2 10:55:27.367: %OER_MC-5-NOTICE: Route changed Prefix 10.1.1.0/24, BR 10.3.3.4, i/f Et5/0, Reason Jitter, OOP Reason Jitter
Example Configuring the Source Address of an Active Probe
The following example, starting in global configuration mode, configures FastEthernet 0/0 as the active-probe source interface.
Router(config)# pfr border Router(config-pfr-br)# active-probe address source interface FastEthernet 0/0
Apply Policy Phase Tasks Examples
- Example Configuring and Applying a PfR Policy to Learned Traffic Classes
- Example Configuring and Applying a PfR Policy to Configured Traffic Classes
- Example Preventing PfR Optimization of Learned Prefixes
- Example Configuring Policy Rules for PfR Maps
- Example Configuring Multiple PfR Policy Conflict Resolution
- Example Configuring an Exit Link Load Balancing PfR Policy
- Example Configuring Black Hole Routing Using a PfR Map
- Example Configuring Sinkhole Routing Using a PfR Map
Example Configuring and Applying a PfR Policy to Learned Traffic Classes
The following example uses learned traffic classes and overwrites many of the default policy settings and configures the master controller to move traffic classes to the best available exit link when any of the configured or default policy settings exceed their thresholds:
enable configure terminal pfr master backoff 200 2000 200 delay threshold 2000 holddown 400 loss threshold 1500 periodic 180 unreachable threshold 1000 mode select-exit best end
Example Configuring and Applying a PfR Policy to Configured Traffic Classes
The following example uses traffic classes filtered by a prefix list and an access list and overwrites some of the default policy settings. The policies are configured using two PfR maps that apply to different traffic classes that represent voice traffic. The master controller is configured to move traffic classes to the first in-policy exit link when any of the configured or default policy settings exceed their thresholds.
enable configure terminal ip prefix-list CONFIG_TRAFFIC_CLASS seq 10 permit 10.1.5.0/24 ip access-list extended VOICE_TRAFFIC_CLASS permit udp any range 16384 32767 10.1.5.0 0.0.0.15 range 16384 32767 dscp ef exit pfr-map CONFIG_MAP 10 match ip address prefix-list CONFIG_TRAFFIC_CLASS set backoff 100 1000 100 set delay threshold 1000 set loss relative 25 set periodic 360 set unreachable relative 20 exit pfr-map VOICE_MAP 10 match ip address access-list VOICE_TRAFFIC_CLASS set active-probe jitter 10.1.5.1 target-port 2000 codec g729a set probe-frequency 20 set jitter threshold 30 set mos threshold 4.0 percent 25 set mode select-exit good end
Example Preventing PfR Optimization of Learned Prefixes
The following example shows how to configure PfR to prevent specified prefixes being optimized. In this example, an IP prefix list is created with two entries for different prefixes that are not to be optimized. A PfR map is configured with two entries in a sequence that will prevent PfR from optimizing the prefixes specified in the prefix list, although the prefixes may be learned. If the sequence numbers of the PfR map entries are reversed, PfR will learn and attempt to optimize the prefixes.
enable configure terminal ip prefix-list DENY_PREFIX deny 172.17.10.0/24 ip prefix-list DENY_PREFIX deny 172.19.10.0/24 pfr-map DENY_PREFIX_MAP 10 match ip address prefix-list DENY_PREFIX exit pfr-map DENY_PREFIX_MAP 20 match pfr learn throughput end
Example Configuring Policy Rules for PfR Maps
The following example shows how to configure the policy-rules (PfR) command to apply the PfR map configuration named BLUE under PfR master controller mode:
enable configure terminal pfr-map BLUE 10 match pfr learn delay set loss relative 90 exit pfr master policy-rules BLUE exit
Example Configuring Multiple PfR Policy Conflict Resolution
The following example configures a PfR resolve policy that sets delay to the highest priority, followed by loss, and then utilization. The delay policy is configured to allow a 20 percent variance, the loss policy is configured to allow a 30 percent variance, and the utilization policy is configured to allow a 10 percent variance.
enable configure terminal pfr master resolve delay priority 1 variance 20 resolve loss priority 2 variance 30 resolve utilization priority 3 variance 10 end
Example Configuring an Exit Link Load Balancing PfR Policy
The following example configures a PfR load balancing policy for traffic class flows over the border router exit links. This example task is performed at the master controller and configures an exit link utilization range and an exit link utilization threshold with policy priorities set for utilization and range policies. Performance policies, delay and loss, are disabled. PfR uses both the utilization and range thresholds to load balance the traffic flow over the exit links.
enable configure terminal pfr master max-range-utilization percentage 25 mode select-exit best resolve range priority 1 resolve utilization priority 2 variance 15 no resolve delay no resolve loss border 10.1.4.1 interface Ethernet 1/0 external max-xmit-utilization absolute 10000 exit exit border 10.1.2.1 interface Ethernet 1/0 external max-xmit-utilization absolute 10000 end
Example Configuring Black Hole Routing Using a PfR Map
The following example creates a PfR map named BLACK_HOLE_MAP that matches traffic defined in the IP prefix list named PREFIX_BLACK_HOLE. The PfR map filters packets to be forwarded to a null interface, meaning that the packets are discarded in a “black hole.” The prefix list is configured after an IP prefix is identified as the source of the attack on the network.
enable configure terminal ip prefix-list PREFIX_BLACK_HOLE seq 10 permit 10.1.5.0/24 pfr-map BLACK_HOLE_MAP 10 match ip address prefix-list PREFIX_BLACK_HOLE set interface null0 end
Example Configuring Sinkhole Routing Using a PfR Map
The following example creates a PfR map named SINK_HOLE_MAP that matches traffic defined in the IP prefix list named PREFIX_SINK_HOLE. The PfR map filters packets to be forwarded to a next hop. The next hop is a router where the packets can be stored, analyzed, or discarded (the sinkhole analogy). The prefix list is configured after an IP prefix is identified as the source of an attack on the network.
enable configure terminal ip prefix-list PREFIX_SINK_HOLE seq 10 permit 10.1.5.0/24 pfr-map SINK_HOLE_MAP 10 match ip address prefix-list PREFIX_SINK_HOLE set next-hop 10.1.1.3 end
Enforce Phase Tasks Examples
- Example Setting a Tag Value for Injected PfR Static Routes
- Example Setting a BGP Local Preference Value for PfR Controlled BGP Routes
- Example Controlling Application Traffic
Example Setting a Tag Value for Injected PfR Static Routes
The following example shows how to set a tag value for an injected static route to allow the routes to be uniquely identified. A static route may be injected by PfR to control the traffic defined by a traffic class when it goes out-of-policy. By default, PfR uses a tag value of 5000 for injected static routes. In this task, the PfR route control mode is configured globally with the mode (PfR) command in PfR master controller configuration mode and any injected static routes will be tagged with a value of 15000.
Router(config)# pfr master Router(config-pfr-mc)# mode route control Router(config-pfr-mc)# mode route metric static tag 15000 Router(config-pfr-mc)# end
Example Setting a BGP Local Preference Value for PfR Controlled BGP Routes
The following example shows how to set a BGP local preference attribute value. PfR uses the BGP Local_Pref value to influence the BGP best path selection on internal BGP (iBGP) neighbors as a method of enforcing exit link selection. By default, PfR uses a Local_Pref value of 5000. In this task, route control is enabled for traffic matching a prefix list and the BGP local preference value of 60000 is set.
Router(config)# pfr-map BLUE 10 Router(config-pfr-map)# match ip address prefix-list BLUE Router(config-pfr-map)# set mode route control Router(config-pfr-map)# set mode route metric bgp local-pref 60000 Router(config-pfr-map)# end
Example Controlling Application Traffic
The following example shows how to use policy-based routing (PBR) to allow PfR to control specified application traffic classes. Application traffic such as Telnet traffic is delay sensitive. Long TCP delays can make Telnet sessions difficult to use. This example is configured on a master controller and matches Telnet traffic sourced from the 192.168.1.0/24 network and applies a policy to ensure it is sent out through exit links with that have a response time that is equal to or less than 30 milliseconds:
Router(config)# ip access-list extended TELNET Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq telnet Router(config-ext-nacl)# exit Router(config)# pfr-map SENSITIVE Router(config-route-map)# match ip address access-list TELNET Router(config-route-map)# set mode route control Router(config-route-map)# set delay threshold 30 Router(config-route-map)# set resolve delay priority 1 variance 20 Router(config-route-map)# end
The following example shows TCP application traffic filtered based on port 23 (Telnet):
Router# show pfr master appl tcp 23 23 dst policy Prefix Appl Prot Port Port Type Policy -------------------------------------------------------------------------------- 10.1.1.0/24 tcp [23, 23] src 10
Verify Phase Task Example
Example Manually Verifying the PfR Route Control Changes
The following examples show how to manually verify that the traffic control implemented by the PfR enforce phase actually changes the traffic flow and brings the OOP event to be in-policy. On the master controller the show logging command is used to display the state of system logging (syslog) and the contents of the standard system logging buffer. Using optional delimiters, the logging buffer can be displayed with PfR messages for a specific prefix. The show pfr master prefix command displays the status of monitored prefixes. On the border router, the show pfr border routes command displays information about PfR controlled BGP or static routes on the border router. For example output of these commands, see the "Manually Verifying the PfR Route Enforce Changes" section.
Master Controller
Router# show logging | i 10.1.1.0 Router# show pfr master prefix 10.1.1.0 Router# end
Border Router
Router# show pfr border routes static Router# show pfr border routes bgp Router# end
Where to Go Next
For more detailed concepts, see the “Understanding Performance Routing” module.
For information about other Performance Routing features or general conceptual material, see the documents in the “Related Documents” section.
Additional References
Related Documents
| Related Topic |
Document Title |
|---|---|
| Cisco IOS commands |
|
| Cisco PfR commands: complete command syntax, command mode, command history, defaults, usage guidelines and examples |
|
| Basic PfR configuration |
"Configuring Basic Performance Routing" module |
| Concepts required to understand the Performance Routing operational phases |
"Understanding Performance Routing" module |
| Advanced PfR configuration |
"Configuring Advanced Performance Routing" module |
| IP SLAs overview |
IP SLAs Configuration Guide |
PfR home page with links to PfR-related content on our DocWiki collaborative environment |
Technical Assistance
| Description |
Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Configuring Advanced Performance Routing
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
| Feature Name |
Releases |
Feature Information |
|---|---|---|
| Optimized Edge Routing |
12.3(8)T 12.2(33)SRB |
OER was introduced. Performance Routing is an extension of OER. |
| OER Support for Policy-Rules Configuration |
12.3(11)T 12.2(33)SRB |
The OER Support for Policy-Rules Configuration feature introduced the capability to select a PfR map and apply the configuration under PfR master controller configuration mode, providing an improved method to switch between predefined PfR maps. The following commands were introduced or modified by this feature: policy-rules(PfR). |
| expire after command1 |
12.3(14)T 12.2(33)SRB |
Theexpire after (PfR) command is used to set an expiration period for learned prefixes. By default, the master controller removes inactive prefixes from the central policy database as memory is needed. This command allows you to refine this behavior by setting a time or session based limit. The time based limit is configured in minutes. The session based limit is configured for the number of monitor periods (or sessions). |
| OER Active Probe Source Address |
12.4(2)T 12.2(33)SRB |
The OER Active Probe Source Address feature allows you to configure a specific exit interface on the border router as the source for active probes. The active-probe address source (PfR) command was introduced by this feature. |
| OER Application-Aware Routing: PBR |
12.4(2)T 12.2(33)SRB |
The OER Application-Aware Routing: PBR feature introduces the capability to optimize IP traffic based on the type of application that is carried by the monitored prefix. Independent policy configuration is applied to the subset (application) of traffic. The following commands were introduced or modified by this feature: debug pfr border pbr, debug pfr master prefix, match ip address (PfR),show pfr master active-probes, and show pfr master appl. |
| OER DSCP Monitoring |
12.4(9)T 12.2(33)SRB |
OER DSCP Monitoring introduced automatic learning of traffic classes based on protocol, port numbers, and DSCP value. Traffic classes can be defined by a combination of keys comprising of protocol, port numbers, and DSCP values, with the ability to filter out traffic that is not required, and the ability to aggregate the traffic in which you are interested. Layer 4 information such as protocol, port number, and DSCP information is now sent to the master controller database in addition to the Layer 3 prefix information. The new functionality allows PfR to both actively and passively monitor application traffic. The following commands were introduced or modified by this feature: show pfr border passive applications,show pfr border passive cache, show pfr border passive learn, show pfr master appl, traffic-class aggr egation (PfR), traffic-class filter (PfR), and traffic-class key s (PfR). |
| Performance Routing - Link Groups |
12.4(15)T |
The Performance Routing - Link Groups feature introduces the ability to define a group of exit links as a preferred set of links, or a fallback set of links for PfR to use when optimizing traffic classes specified in a PfR policy. The following commands were introduced or modified by this feature: link-group (PfR), set link-group (PfR), and show pfr master link-group. |
| Support for Fast Failover Monitoring2 |
12.4(15)T |
Fast Failover Monitoring introduced the ability to configure a fast monitoring mode. In fast failover monitoring mode, all exits are continuously probed using active monitoring and passive monitoring. The probe frequency can be set to a lower frequency in fast failover monitoring mode than for other monitoring modes, to allow a faster failover capability. Fast failover monitoring can be used with all types of active probes: ICMP echo, jitter, TCP connection, and UDP echo. The following commands were modified by this feature: mode (PfR), set mode (PfR). |
Feedback