C3750-48ts Service-Policy Output Like Command

Hello,
I'm having an issue trying to find a way to apply QoS or limit network traffic on a Cisco 3750 that we have at a client site.
The end goal is to limit the network traffic to 10x5mbs on some ports and 5x1mbs on others.
The way I normally do traffic shaping on routers is class-map, policy-map and service-policy. However, as I found out with this project, I can't run the service-policy output command on the 3750 model. The other way that I know to limit bandwidth on these switches is to use the srr-queue bandwidth limit % command. However, this isn't going to work for the clients that have a 30x5mbs connection through us.
Here is what I have programmed: 
mls qos
vlan 100
class-map match-any IN
 match access-group 100
class-map match-any OUT
 match ip dscp default
policy-map 5M_IN
 class IN
  police 5000000 256000 exceed-action drop
policy-map 1M_IN
 class IN
  police 1000000 256000 exceed-action drop
policy-map 30M_OUT
 class OUT
  police 30000000 512000 exceed-action drop
policy-map 5M_OUT
 class OUT
  police 5000000 256000 exceed-action drop
interface FastEthernet1/0/36
 description TEST
 switchport access vlan 100
 service-policy input 1M_IN
(This is where I would like to run the service-policy output 5M_OUT)
If you have any idea on how to limit traffic per port please let me know so that this may help others.
Thank you,
Michael 

The 3560 & 3750 (& 2960) don't support egress policy-maps. They do, however, support queueing, so it is possible to achieve similar results by applying an ingress policer to your user ports to classify (& police?) the traffic; at the egress port you can then queue the traffic based on the DSCP or CoS value that it was classified with (same as 3550).
It is also possible to restrict the bandwidth in use at an egress port with the interface command 'srr-queue bandwidth limit <10-90>', where 10-90 represents a percentage of the link's bandwidth. For example, if you want to restrict a 100Mbps port to 10Mbps you would use the command 'srr-queue bandwidth limit 10'.
HTH
Andy
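
Added example (not part of the original thread or of Cisco's documentation): a small Python planner for the approach in the answer above, with an ingress policer for the upload rate and 'srr-queue bandwidth limit' for the egress rate. The function names are hypothetical; it assumes each plan reads as egress x ingress in Mbps (matching the poster's 30M_OUT / 5M_IN policy names), and it adds one idea the thread does not state: lowering the port to `speed 10` when the target is below 10% of a 100 Mbps link.

```python
# Added example: plan per-port limits for a Catalyst 3560/3750 access port.
# Egress uses 'srr-queue bandwidth limit <10-90>' (percent of link speed),
# ingress uses a policer in the same form as the config posted above.

SRR_MIN_PCT, SRR_MAX_PCT = 10, 90  # range quoted in the answer above


def plan_egress(target_mbps, port_speeds_mbps=(10, 100)):
    """Return (port_speed_mbps, percent) or None if no speed can express it.

    Tries the fastest port speed first and falls back to slower ones, so a
    5 Mbps target on a 10/100 port becomes speed 10 with a 50 percent limit.
    Fractional percentages are rounded down so the limit never exceeds the
    requested rate.
    """
    for speed in sorted(port_speeds_mbps, reverse=True):
        pct = int(target_mbps * 100 // speed)
        if SRR_MIN_PCT <= pct <= SRR_MAX_PCT:
            return speed, pct
    return None


def render_policer(name, class_name, mbps, burst_bytes=256000):
    """Ingress policy-map in the form used in the original post."""
    return "\n".join([
        f"policy-map {name}",
        f" class {class_name}",
        f"  police {int(mbps * 1_000_000)} {burst_bytes} exceed-action drop",
    ])


def render_port(interface, vlan, ingress_policy, egress_mbps,
                port_speeds_mbps=(10, 100)):
    """Interface stanza combining the ingress policer and the egress limit."""
    plan = plan_egress(egress_mbps, port_speeds_mbps)
    if plan is None:
        raise ValueError(
            f"{egress_mbps} Mbps cannot be expressed as 10-90% of "
            f"{port_speeds_mbps} Mbps; needs a device with egress shaping"
        )
    speed, pct = plan
    lines = [f"interface {interface}", f" switchport access vlan {vlan}"]
    if speed != max(port_speeds_mbps):
        # Assumption: the attached device can link at the lower speed.
        lines.append(f" speed {speed}")
    lines.append(f" srr-queue bandwidth limit {pct}")
    lines.append(f" service-policy input {ingress_policy}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the three plans mentioned in the question,
    # read as (egress Mbps, ingress Mbps, ingress policy name).
    plans = [(5, 1, "1M_IN"), (10, 5, "5M_IN"), (30, 5, "5M_IN")]
    for port, (down, up, policy) in enumerate(plans, start=36):
        print(render_policer(policy, "IN", up))
        print(render_port(f"FastEthernet1/0/{port}", 100, policy, down))
        print("!")
```
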

Similar Messages

  • Service-policy output not working in Cisco 3560 switch

    We've got some Cisco Catalyst 3560s on which we want to control the bandwidth
    on the ports. Can this be done, and how do I do it?
    I've got 3550s that can do policy-map with the interface command:
    service-policy output(and input) <policyname>
    But the 3560 only seems to handle service-policy input.
    If I try to configure output, it says the following:
    SW(config-if)#service-policy output 4mbit-out
    police command is not supported for this interface
    Configuration failed!
    Warning: Assigning a policy map to the output side of an interface not
    supported
    Any workarounds or new ways to accomplish bandwidth control on a 3560?
    regards,
    Rajib

    The 3560 & 3750 (& 2960) don't support egress policy-maps. They do, however, support queueing, so it is possible to achieve similar results by applying an ingress policer to your user ports to classify (& police?) the traffic; at the egress port you can then queue the traffic based on the DSCP or CoS value that it was classified with (same as 3550).
    It is also possible to restrict the bandwidth in use at an egress port with the interface command 'srr-queue bandwidth limit <10-90>', where 10-90 represents a percentage of the link's bandwidth. For example, if you want to restrict a 100Mbps port to 10Mbps you would use the command 'srr-queue bandwidth limit 10'.
    HTH
    Andy

  • Cisco cat 3560 service-policy output problem

    I have just used the 3560 to replace 3550 switches, but the Cat 3560 does not support the command "service-policy output", which was supported by the 3550.
    We have already used this command on the 3550 to control the network traffic.
    Does somebody know if there is a schedule to implement this command?
    Thank you very much.

    "service-policy output" is not supported in 3560/3750 due to ASIC limitation. See if "srr-queue bandwidth limit" command will work for you
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225sed/scg/swqos.htm#wp1253412

  • Service-policy output voice-only

    Hi, when I enter "service-policy output voice-only" in int BVI1 on a Cisco 878 (G.SHDSL), it throws an error saying, "Class Based Weighted Fair Queueing not supported"
    Can I put this line in int ATM0?

    Hi,
    It should be done as follows:
    Remove BVI and "bridge irb". Configure an ATM subinterface point-to-point with the IP address, "atm route-bridging" and PVC. Under PVC apply the service policy.
    please rate post if it helps!

  • Service-policy output statement interface vs interface .500 point-to-point

    We are running AutoQoS but have recently migrated our WAN service that puts our IP connectivity to a sub-interface (interface serial0/1:0.500 point-to-point and a frame-relay interface-DLCI). In our prior WAN configuration we bound the IP address directly to the interface s0/1:0.
    After the migration, the auto qos statement service-policy output AutQoS is still on the interface serial 0/1:0 . Should this service-policy statement be moved down to the serial 0/1:0.500 point-to-point in order to be effective? We have been experiencing QoS problems but I understand it could be many different places, but I wanted to start here.
    Thanks
    ryan

    As a rule those are applied in a frame relay policy map.
    Create the LLC policy
    Create the Frame Relay Policy map (and refer to the LLC policy map in the Frame Relay Config)
    Apply the Frame Relay Policy Map to the subinterface (to the DLCI).

  • CBWFQ: Question about the output of "show policy-map interface" command

    Hi everyone,
    I have a question about the output of "show policy-map interface" command.
    The following is the output of this command and lower side of the output shows
    (total queued/total drops/no-buffer drops) 0/342/0
    If the packets drop occur due to the situation of no enough buffer,
    "no-buffer drops" counted up. But "no-buffer drops" has not been counted up.
    The "no-buffer drops" is 0 (zero) but "total drops" are counted as 342.
    I guess there are other factors except "no-buffer drops" to add "total drops".
    But I can not find any information about "other factors".
    So I would like to know the "other factors" added to "total drops".
    reserch-3725#sh policy-map interface fastethernet0/1
    FastEthernet0/1
    Service-policy output: shaping
    Class-map: kdpc (match-all)
    146956873 packets, 115209221595 bytes
    5 minute offered rate 156000 bps, drop rate 0 bps
    Match: access-group name YOKOHAMA_to_CHINO
    Traffic Shaping
    Target/Average Byte Sustain Excess Interval Increment
    Rate Limit bits/int bits/int (ms) (bytes)
    9360000/9360000 58500 234000 234000 25 29250
    Adapt Queue Packets Bytes Packets Bytes Shaping
    Active Depth Delayed Delayed Active
    - 0 146956724 3539850811 2960247 3851843541 no
    Class-map: class-default (match-any)
    552458414 packets, 249687580329 bytes
    5 minute offered rate 242000 bps, drop rate 0 bps
    Match: any
    Traffic Shaping
    Target/Average Byte Sustain Excess Interval Increment
    Rate Limit bits/int bits/int (ms) (bytes)
    3072000/3072000 19200 76800 76800 25 9600
    Adapt Queue Packets Bytes Packets Bytes Shaping
    Active Depth Delayed Delayed Active
    - 0 552453209 573909865 30358216 2926188156 no
    Service-policy : policy1
    Class-map: dlsw (match-all)
    979578 packets, 264843255 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: access-group name acl-dlsw
    Queueing
    Output Queue: Conversation 137
    Bandwidth 128 (kbps) Max Threshold 64 (packets)
    (pkts matched/bytes matched) 20922/17371500
    (depth/total drops/no-buffer drops) 0/0/0
    Class-map: telnet (match-all)
    29938 packets, 1806058 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: access-group name acl-telnet
    Queueing
    Output Queue: Conversation 138
    Bandwidth 64 (kbps) Max Threshold 64 (packets)
    (pkts matched/bytes matched) 639/38900
    (depth/total drops/no-buffer drops) 0/0/0
    Class-map: class-default (match-any)
    551448911 packets, 249420939729 bytes
    5 minute offered rate 242000 bps, drop rate 0 bps
    Match: any
    Queueing
    Flow Based Fair Queueing
    Maximum Number of Hashed Queues 128
    (total queued/total drops/no-buffer drops) 0/342/0
    Your information would be appreciated.

    Detailed information regarding show policy-map interface:
    http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a008010dd6a.shtml
    http://www.cisco.com/en/US/tech/tk543/tk760/technologies_tech_note09186a0080108e2d.shtml
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_r/qos_s2g.htm#wp1146884

  • Service policy counters not working..

    I have a service policy on a 6509 interface so I can see what the packets per second of a video stream coming out of a DVR (digital video recorder) is. This DVR has 16 security cameras attached and I'm concerned that when someone views all 16 cameras the video stream is going to be huge.
    So I create a service policy to match an access list for all IP from the DVR. But no counters increment unless I add in some other match statement. I added in a match protocol telnet and the service policy counters started to work. I removed the match on telnet and the counters stopped. Telnet has nothing to do with the DVR. Here is the config of the class map, policy map and show commands: (By the way video is streaming through this interface continually during this exercise)
    MATCHING ACCESS LIST ONLY:
    class-map match-any DVR
    match access-group 130
    policy-map DVR-test
    class DVR
    ROC-6509-DU-A#sh access-list 130
    Extended IP access list 130
    10 permit ip host 164.72.2.125 any
    ROC-6509-DU-A#sh policy-map int
    GigabitEthernet2/5
    Service-policy output: DVR-test
    Class-map: DVR (match-any)
    0 packets, 0 bytes
    30 second offered rate 0 bps
    Match: access-group 130
    0 packets, 0 bytes
    30 second rate 0 bps
    Class-map: class-default (match-any)
    0 packets, 0 bytes
    30 second offered rate 0 bps, drop rate 0 bps
    Match: any
    ADDING IN TELNET:
    class-map match-any DVR
    match access-group 130
    match protocol telnet
    policy-map DVR-test
    class DVR
    ROC-6509-DU-A#sh policy-map int
    GigabitEthernet2/5
    Service-policy output: DVR-test
    Class-map: DVR (match-any)
    524025 packets, 70724866 bytes
    30 second offered rate 3991000 bps
    Match: access-group 130
    523896 packets, 70689220 bytes
    30 second rate 3991000 bps
    Match: protocol telnet
    129 packets, 35646 bytes
    30 second rate 0 bps
    Class-map: class-default (match-any)
    18696 packets, 11180265 bytes
    30 second offered rate 129000 bps, drop rate 0 bps
    Match: any
    If I remove the 'match protocol telnet' and clear the counters, no longer do the counters for the access-list 130 increment - put back in match telnet and they start to increment.
    This is a Sup720 with IOS 12.2(18)SXE3
    Is this a bug or do I not have my class map or policy map correct?

    The hardware ASICs do not support collecting the individual policer information.
    Try:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/1216ea1/3550scg/swqos.htm#xtocid1990743

  • Error while applying the Service Policy

    Hi,
    I am getting the below error while applying the service policy to the Interface.
    I have set the mpls exp 4 as well as want to limit the bandwidth to 1Mbps
    PE#sh policy-map setexp-GBoIP
      Policy Map setexp-GBoIP
        Class GBoIP-traffic
          set mpls experimental imposition 4
         police cir 1024000 bc 32000
           conform-action transmit
           exceed-action drop
    PE(config-if)#int vlan 2007
    PE(config-if)#service-policy input setexp-GBoIP
    QoS-ERROR: Addition/Modification made to policymap setexp-GBoIP and class GBoIP-traffic is not valid, command is rejected
    As well, I have created a new class-map with priority and bandwidth and applied it in the output direction; I got the below error while applying the service policy in
    PE(config-if)#service-policy out TEST
    bandwidth command is not supported in output direction for this interface
    PE(config-if)#service-policy output TEST
    priority command is not supported in output direction for this interface
    Any idea why so ?
    Thanks in Advance.
    Regards,
    Nilesh


  • Service Policy won't attach to interface - NO error

    Hi,
    Am doing some simple CE VoIP QoS for a IPSEC/GRE Customer. I try to ATTACH the policy to the tunnel outbound and the command is accepted without any error but nothing appears in the config.
    Here's the base config:
    class-map match-all IPSEC-VPN
    match access-group name IKE_ACL
    class-map match-all ROUTING
    match ip dscp cs6
    class-map match-all NETWORK-MANAGEMENT
    match ip dscp cs2
    class-map match-any VOICE-SIGNAL
    match protocol rtp
    match ip precedence 3
    match ip dscp cs3
    match ip dscp af31
    match ip dscp af32
    class-map match-any VOICE-BEARER
    match ip precedence 5
    match ip dscp ef
    match ip dscp cs5
    policy-map SHAPE-ADSL-UPLINK
    class class-default
    bandwidth remaining percent 50
    random-detect
    random-detect ecn
    policy-map VoIP-QoS
    class VOICE-BEARER
    priority percent 34
    class VOICE-SIGNAL
    bandwidth percent 5
    class ROUTING
    bandwidth percent 2
    class NETWORK-MANAGEMENT
    bandwidth percent 2
    class IPSEC-VPN
    bandwidth percent 2
    class class-default
    (config)# int t203
    (config-if)#service-policy output SHAPE-ADSL-UPLINK
    NOTHING appears in the config and sh policy-map int t100 shows an unapplied policy.
    Using:
    c836-k9o3s8y6-mz.123-8.T5
    Another bug?
    Thx

    Policy should read (nested):
    policy-map SHAPE-ADSL-UPLINK
    class class-default
    bandwidth remaining percent 50
    random-detect
    random-detect ecn
    service-policy VoIP-QoS

  • ADSL QOS service policy

    My ISP has said they will set up their side to give 50% policed real time traffic and 30% for our application traffic burstable then 5% anything else burstable.  The QOS below is my attempt to do this but I was advised that to apply it to the Dialer 1 interface I had to create a second policy-map (ADSLOut) which had the class-default and the child policy (QOSADSL) within that.
    When I did this I can't apply it to the Dialer 1 interface, but if I use the child policy then it will allow me to apply that. Will this work the same way?
    class-map match-all RealTime
     match ip dscp ef
    class-map match-all General
     match any
    class-map match-any Application
     match ip dscp cs3
     match ip dscp af41
    policy-map QOSADSL
     class RealTime
      bandwidth percent 50
     class Application
      priority percent 30
     class General
      priority percent 5
     class class-default
      shape peak percent 85
    policy-map ADSLOut
     class class-default
       service-policy QOSADSL
    interface Dialer1
    <Snipped>
     bandwidth 1240
     ip nbar protocol-discovery
     ip flow ingress
     ip flow egress
     load-interval 30
     tx-ring-limit 3
     tx-queue-limit 3
     service-policy output QOSADSL
    or
    service-policy output ADSLOut

    Hi @scotlandvisit,
    My first opinion is a recommendation: in the policy-map, when you're configuring LLQ use the priority command for delay-sensitive traffic (Voice) and the bandwidth command for the rest. This is because the priority command is used to identify a class as a "strict priority class" which in my opinion should be the voice traffic and the bandwidth command is used to allocate bandwidth to nonpriority classes.
    The interface is not letting you apply the service-policy because you have to configure shaping inside the class-default of the parent policy-map. This shape is going to be the value in bps that you want to assign to the traffic classes that you've configured. For example, let's say that you want to allocate 1Mbps for all the classes.
    policy-map QOSADSL
     class RealTime
      priority percent 50
     class Application
      bandwidth percent 30
     class General
      bandwidth percent 5
     class class-default
      shape peak percent 85
    policy-map ADSLOut
     class class-default
      shape average 1000000
      service-policy QOSADSL
    interface Dialer1
     service-policy output ADSLOut
    Try this configuration and let me know.
    HTH.
    Rgrds,
    Martin, IT Specialist

  • Cannot configure service-policy on SIP-400

    I have a Cisco 7606 with a SIP-400 in slot 1, and I try to apply service-policy output on the interface pos1/1/0. After entering the command, the system
    generates the error "queue-limit is invalid command w/o other queueing feature".
    Why can't I apply the service-policy?


  • Can't apply service-policy to atm int?

    Attempted to apply service-policy output MPLS-EGRESS to ATM Int:
    class-map match-any GOLD
    match mpls experimental topmost 5
    match ip precedence 5
    class-map match-any BRONZE
    match mpls experimental topmost 3
    match ip precedence 3
    class-map match-any SILVER
    match mpls experimental topmost 4
    match ip precedence 4
    policy-map MPLS-EGRESS
    class GOLD
    priority percent 5
    set mpls experimental topmost 5
    class SILVER
    bandwidth percent 10
    random-detect
    set mpls experimental topmost 4
    class BRONZE
    bandwidth percent 20
    random-detect
    set mpls experimental topmost 3
    class class-default
    set mpls experimental topmost 0
    fair-queue
    random-detect
    interface ATM4/0.102 point-to-point
    description TRUNK LINK TO PE_B
    bandwidth 16000
    ip address xxx.xxx.xxx.xxx 255.255.255.252
    no ip redirects
    no ip proxy-arp
    ip ospf message-digest-key xxx
    no snmp trap link-status
    mpls ip
    pvc PE_B 10/102
    tx-ring-limit 3
    oam-pvc manage
    encapsulation aal5snap
    service-policy output MPLS-EGRESS
    And it *appears* to apply without error, but logs show:
    Jul 28 09:34:32.550 aest: %SCHED-3-SEMLOCKED: Virtual Exec attempted to lock a semaphore, already locked by itself -Traceback= 0x61317864 0x62658A88 0x620F0A4C 0x60DD3668 0x60DD5648 0x6135ABD8 0x61379744 0x62644508 0x626444EC
    Jul 28 09:34:33.870 aest: I/f ATM4/0.102 VC 10/102 class GOLD requested bandwidth 0 (kbps), available only 0 (kbps)
    And ATM4/0.102 does not include the service-policy output MPLS-EGRESS when I do a show run nor when I do a sho policy-map interface?

    Resolved my own issue - I needed:
    vbr-nrt 32000 16000
    under the atm sub int...

  • Service-policy on Vlan interface failed

    Hi, All!
    This is my configuration:
    class-map match-any voip_control_trust-CMAP
    match ip dscp cs3
    match ip dscp af31
    class-map match-any voip_rtp_trust-CMAP
    match ip dscp ef
    class-map match-any internetwork-cntrl-CMAP
    match ip dscp cs6
    policy-map output_qos-PMAP
    class voip_rtp_trust-CMAP
      priority 56
    class voip_control_trust-CMAP
      bandwidth percent 2
    class internetwork-cntrl-CMAP
      bandwidth percent 5
    class class-default
      fair-queue
      random-detect
    cisco(config)#int Vlan 2
    cisco(config-if)#service-policy output output_qos-PMAP
    Configuration failed!
    It was tested on 877, 871, 871W, 877W with ios c870-advipservicesk9-mz.124-15.T5.bin, c870-advipservicesk9-mz.124-15.T8.bin, c870-advipservicesk9-mz.124-15.T10.bin, c870-advipservicesk9-mz.124-15.T11.bin, c870-advipservicesk9-mz.124-24.T2.bin
    Strange error. Does anybody know what's the problem?

    OK, I tried to make a workaround solution:
    policy-map OUTPUT_QOS_PMAP
    class VOIP_RTP_TRUST_CMAP
        priority 56
    class VOIP_CTRL_TRUST_CMAP
        bandwidth percent 2
    class INETWORK-CTRL-CMAP
        bandwidth percent 5
    class class-default
        fair-queue
         random-detect
      service-policy OUTPUT_QOS_PMAP
    service-policy output OUTPUT_QOS_PMAP
    interface Vlan2
    description *** WAN SVI ***
    bandwidth 256
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip virtual-reassembly
    bridge-group 1
    end
    interface BVI1
    description *** WAN BVI ***
    bandwidth 256
    ip address 10.96.0.57 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip virtual-reassembly
    service-policy output OUTPUT_QOS_PMAP
    end
    sh policy-map interface
    BVI1
      Service-policy output: OUTPUT_QOS_PMAP
        queue stats for all priority classes:
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
        Class-map: VOIP_RTP_TRUST_CMAP (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp ef (46)
            0 packets, 0 bytes
            5 minute rate 0 bps
          Priority: 56 kbps, burst bytes 1500, b/w exceed drops: 0
        Class-map: VOIP_CTRL_TRUST_CMAP (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp cs3 (24)
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: ip dscp af31 (26)
            0 packets, 0 bytes
            5 minute rate 0 bps
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
          bandwidth 2% (5 kbps)
        Class-map: INETWORK-CTRL-CMAP (match-any)
          6 packets, 896 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp cs6 (48)
            6 packets, 896 bytes
            5 minute rate 0 bps
          Match: access-group name IKE
            0 packets, 0 bytes
            5 minute rate 0 bps
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 5/0/0
          (pkts output/bytes output) 6/1120
          bandwidth 5% (12 kbps)
        Class-map: class-default (match-any)
          11 packets, 660 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops/flowdrops) 10/0/0/0
          (pkts output/bytes output) 11/660
          Fair-queue: per-flow queue limit 16
            Exp-weight-constant: 9 (1/512)
            Mean queue depth: 0 packets
            class     Transmitted       Random drop      Tail/Flow drop Minimum Maximum Mark
                      pkts/bytes    pkts/bytes       pkts/bytes    thresh  thresh  prob
            0              11/660             0/0              0/0                 20            40  1/10
            1               0/0               0/0              0/0                 22            40  1/10
            2               0/0               0/0              0/0                 24            40  1/10
            3               0/0               0/0              0/0                 26            40  1/10
            4               0/0               0/0              0/0                 28            40  1/10
            5               0/0               0/0              0/0                 30            40  1/10
            6               0/0               0/0              0/0                 32            40  1/10
            7               0/0               0/0              0/0                 34            40  1/10
    BUT! As long as the service-policy is on the interface, nothing works.
    sh int bvi1
    BVI1 is up, line protocol is up
      Hardware is BVI, address is 0025.454a.940d (bia 0024.c495.6780)
      Description: *** WAN BVI ***
      Internet address is 10.96.0.57/24
      MTU 1500 bytes, BW 256 Kbit/sec, DLY 5000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 74
      Queueing strategy: Class-based queueing
      Output queue: 33/1000/0 (size/max total/drops)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         114 packets output, 11034 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    ping 10.96.0.1 source bvi1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.96.0.1, timeout is 2 seconds:
    Packet sent with a source address of 10.96.0.57
    Success rate is 0 percent (0/5)

  • Command "service-policy input policy-name permit-any" will not work

    Hi all,
    I have an SG500 with the latest firmware, but this command will not work.
    service-policy input QoS_01 permit-any
    I get this error message:
    % Wrong number of parameters or invalid range, size or characters entered
    Without the option "permit-any or deny-any" the command is successful.
    What is the reason?
    It is important to specify these options directly. Otherwise access to the switch is lost.
    Regards
    Stefan

    Hi Tom,
    I have an ACL / ACE and created a QoS "policy table" and put the "policy class map" (with class mappings) in it.
    And now I want to bind this QoS policy to an Ethernet port.
    The CLI tutorial example says:
    Use the service-policy Interface Configuration (Ethernet, Port-channel) mode command to bind a policy map to a port/port-channel. Use the no form of this command to detach a policy map from an interface.
    This command is only available in QoS advanced mode.
    Syntax
    service-policy input policy-map-name default-action [permit-any | deny-any]
    no service-policy input
    Example:
    switchxxxxxx(config-if)# service-policy input policy1 permit-any
    Cisco support opened a ticket for me.
    -Stefan

  • Fundamental ACL & Service Policy related questions

    Hi All,
    Apologies in advance for seemingly stupid questions but I was forced to ask them as I have ALWAYS had great difficulty in using debug on Cisco platforms. Nothing ever shows up when I set up debug despite configuring "logging console" and setting the level to 7 etc. I have no clue why that is and if it's because all debugging messages go to the debug log instead of being printed on the console, or what it is...I just don't get it. When I'm saying logging console...please print it on the console! Anyway, that rant aside...
    I have a VERY simple topology like so
                                                                                        A few servers in this VLAN
    ISP <---> 3560G (Physical Routed Port) <--> SVI (VLAN)
                                                                                        ASA5520 <--> Internal VLAN
    With regards to ACLs and their direction, when an ACL is applied to a physical port (or in cases where QoS is enabled and a service-policy) is applied to either a routed physical port on the 3560, saying that the policy is applied in the "in" direction (or 'input' in case of service-policy) does that mean 'inbound' in either direction? As in IF that routed port is my direct connection to the ISP, and I set up "ip access-group myacl in" (or service-policy input myPolicymap) ...will that be applicable if the traffic enters that port from the ISP side OR from the internal network side, or "IN" for it is always JUST the ISP side because it's assuming that all traffic generated from inside the network going out to the Internet is implicitly allowed UNLESS an ACL somewhere in the network restricts that?
    Then, in case of an SVI...I believe just like the physical routed port, I can ONLY implement an "Inbound" ACL on this as well. So when I implement either a Hierarchical policy-map or just an access-group "in", then what is "IN" ...traffic entering this VLAN from the internal network and those public servers going out to the Internet AND Traffic entering this VLAN from the ISP/Internet via the physical routed Port OR is it JUST the latter, or is it just the former?
    Now Lastly, when I have the physical ports to which the ASA and each of those physical servers are connected to sitting on the public VLAN, if I apply port-based ACLs or service-policies to them, then again, what direction is the "IN" ACL applied? Both? i.e. traffic coming into it from the public servers and the Internal network through the ASA, and the Internet OR just the traffic coming into it from the Internet, but the traffic going out from the servers to the Internet is not subjected to this ACL or service-policy
    Again, very sorry for a dumb question but I'm seeing bizarre things in my network so was just wondering before I decide on what kind of security I want to plan/design
    Thanks in advance

    The mystical difference between debug output going to the console versus showing up in syslog is "logging debug-trace".  On goes to syslog, "no logging debug-trace" goes to console.  I've been bit by this one myself.
    ACLs on physical ports have directionality like the cable plug: "in" is from the cable entering into the switch or firewall, "out" is leaving the device to run along the cable to somewhere else.  On Catalyst switches port ACLs are inbound (receiving packets) only.  Obviously, on directly connected devices, one device's out is the other device's in.
    ACLs on SVIs depend on whether you are running a base image or services image; services images can do IPv4 and IPv6 in both directions.  However, port ACLs trump routed ACLs; if both exist, the port ACL is the only one applied.  I think if a directly connected port has no port ACL, no ACL is applied at all; routed ACLs on SVIs only apply to transitions between VLANs inside the switch, not to traffic entering physical ports.
    -- Jim Leinweber, WI State Lab of Hygiene
