Policy map/ class map/ service policy for IOS xr
Hi,
I need to create a policy map and class map/service policy to limit the amount of bandwidth that can be used on one interface both in and out.
I need the cap for the bandwidth to traverse this circuit to ne 10 Meg.
the IOS xr version we are using is 4.3.4
I was hoping someone could help me out by giving me a configuration example I could follow.
Thank you.
for instance like this:
policy-map police-in
class class-default
police rate 10 mpbs <optionally set burst>
policy-map shape-out-parent
class class-default
shape 10 mpbs <optional burst config>
service-policy shape-out-child
policy-map shape-out-child
class class-default
queue-limit 10 packets
int g 0/0/0/0
service-policy police-in in
service-policy shape-out-parent out
also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
and the support forum article of "asr9000 quality of service architecture"
xander
Similar Messages
-
Map-class frame-relay , policy map
Does a service-policy output have to be applied to an interface for qos to work?
here is the config but there is nothing applied to the serial interface..
Thanks for your help
policy-map 256/128KVoice
class 256/128KVoice
priority 112
class class-default
fair-queue
map-class frame-relay 256/128KVoice
frame-relay cir 128000
frame-relay bc 1280
frame-relay be 600
frame-relay mincir 128000
no frame-relay adaptive-shaping
frame-relay fair-queue
frame-relay fragment 150
frame-relay ip rtp priority 16384 16380 210
interface Serial0/0
bandwidth 1544
ip address xxx.xxx.xxx.xxx 255.255.255.255
ip route-cache flow
no fair-queue
service-module t1 timeslots 1-24Hello,
Will QOS will work in this way where class is put on WAN interface where it should be service policy.
router#sh run interface Se0/0/0.1
Building configuration...
Current configuration : 239 bytes
interface Serial0/0/0.1 point-to-point
bandwidth 2048
ip address XXXX
ip nat outside
frame-relay interface-dlci 555
class COS-OUT-S0/0/0.1
end
COS-OUT-S0/0/0.1 is defined as policy map with class of voice and video.
When checking on WAN int #sh policy-map interface Se0/0/0.1 , can see output of service policy input/output with policy map recpective classes and packets match entries.Is QOS working with this configuration?
Appreciate any input on this.
Regards,
Brajesh. -
ACE: Policy-Map, Class-Map, Parameter-Maps, Service-Policy
Hi,
I'm new to the ACE module/appliance. I'm looking for a beginners level tutorial or a clear/concise explanation of how all these fit together, when there used, etc. Or a URL where it's explained in a simple fashion.
Thanks in advance for the feedback.HI Manjit,
Kindly find below the required url which contains all the configuration guides withh well defined concepts regarding all what you are looking for:
http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html
http://www.unix.com.ua/univercd/cc/td/doc/product/webscale/ace_4700/ace_171/index.htm
Thanks and regards,
Sachin Garg
Senior Specialist Security
HCL Comnet Ltd.
Email: [email protected] -
Adobe AIR Alarm Services ANE for IOS and Android
I want to make an Adobe AIR app for android and ios platforms and i should use alarm services of these platforms (ios & android) for several scheduled times in a day when app is not running.
Could you suggest free or commercial ANE for this operation?
thanks.Well nothing prevent you from mixing flascc with native extension.
Also, I think that you can also use domain memory in AS3 with the Bytearray class (not sure about that).
Flascc vs normal as3 is mostly a question of language (portability) Do you want to write as3 or c++?
Native extension give you speed and native platform access(platform specific feature).
So, you should think about it this way:
AS3, run in flash and air. Is sandboxed. Can use domain memory, but it's a bit harder to leverage than flascc.
Flascc, run in flash and air. Is sandboxed, Can use domain memory. Give you the potential of leveraging the hundreds of opensources lib already out there.
Native extension, run ONLY in air. Is not sandboxed. Native memory management. Also let you leverage the c++ lib.
The best (in my opinion) is to write native code for mobile and desktop (no air or flascc involve) and use flascc for the flash/web platform. It's harder, because you have write portable native code (lots of abstraction), but you mostly have the same problem with native extension. -
Assign variant class to service material for preconfigured service package
Hi,
Could somebody help with the steps on how to create a service material with variant. The requirement is to create a preconfigured service package.
I'm trying to create a service material and assign a variant class to it. Based on some examples in IDES, i see that in MRP 3 view there is a plant-specific configuration view which holds the variant check box and configurable material reference.
I'm unable to get that view while creating the material.
Regards
RasheedHi Vishal,
From the PS perspective only one document type is allowed to be used for purchase requisitions. Therefore you can only maintain one in TA OPTT.
However, the SAP note no. 114213 gives an explanation of about how the document type is determined and shows where a modification to change this could be implemented.
Hope it helps.
Regards,
Rachel -
Class-Map and Policy-Map Configuration in CM Confusion
Hi,
I'm implementing a green field WAAS deployment for a customer. We currently have a Proof-of-Concept up and running.
I've got some questions regarding custom class-map and policy-map configuration in the CM. I'd like to nail-down the custom class-map and policy-map configuration (and understanding) in the PoC before cutting over the PoC branches to the production WAAS environment.
Assuming a typical WAAS Deployment using WCCP for off-path interception, branch to DC.
==> 61 in LAN (BRANCH ROUTER) <== 62 in WAN (WAN CLOUD) ==> 61 in WAN (DC ROUTER) <== 62 in LAN
We are using two distinct device groups, BRANCH and DATA CENTER.
If the customer has traffic that we need to classify in order to provide TFO only optimisation, should the single class-map include the traffic in both directions? Ie., (assume the SERVER is 10.1.1.1 TCP Port 443). Should the class-map be configured as:
Class-Map
Line 1: DST IP 10.1.1.1 DST Port 443
Line 2: SRC IP 10.1.1.1 SRC Port 443
Or in this case is only the DST line required? And in which Device Group should the custom policy be applied? Or should it be applied to both Device Groups? If it should be applied to both Device Groups, then would it make more sense to have the policy-map in the Branch DG configured to match the DST traffic, and on the Data Center DG have a different class-map match the SRC traffic?
My confusion is how to classify the traffic (SRC or DST or Both - Separate classes for each or different lines within the same class-map), and where to apply the appropriate policy (both Device Groups, just Branch, just DC) and why...
I tried to apply a custom policy and the impact in the PoC was that the TCP Summary report stopped reporting the individual traffic classes showed 'other traffic' only. Can anyone explain why this may have occurred?
I hope this makes sense.for instance like this:
policy-map police-in
class class-default
police rate 10 mpbs <optionally set burst>
policy-map shape-out-parent
class class-default
shape 10 mpbs <optional burst config>
service-policy shape-out-child
policy-map shape-out-child
class class-default
queue-limit 10 packets
int g 0/0/0/0
service-policy police-in in
service-policy shape-out-parent out
also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
and the support forum article of "asr9000 quality of service architecture"
xander -
Using class of service to manage password policy
We implemented password policy on our old DS across the board, which entailed finding all of the special administrative accounts used by software and setting an expiration date at the end of the epoch. I was wondering if a smarter way to do this is to create a class of service template for normal and special accounts and tie those into our user accounts. Has anyone done this?
Thanks.Sun DS 5.2 supposedly has support for the latest LDAP password policy internet draft which allows you to explicitly setup password policy on a subtree or user basis. It uses roles and class of service under the covers. I would use that instead of rolling your own.
-
Default class map is dropping all Packets
Hello I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part. Any help is greatly appreciated!!!!
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
Guest VLAN has access to 2 IP's in Data for printing.
Cisco871#sh run
Building configuration...
Current configuration : 8005 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
hostname Cisco871
boot-start-marker
boot-end-marker
logging buffered 4096
no logging console
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock summer-time PST recurring
crypto pki trustpoint TP-self-signed-4004039535
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4004039535
revocation-check none
rsakeypair TP-self-signed-4004039535
crypto pki certificate chain TP-self-signed-4004039535
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
3543BD68 A4B2692D 05CBF6DC C93C8142
quit
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.5
ip dhcp excluded-address 172.16.15.1 172.16.15.5
ip dhcp excluded-address 172.16.15.14
ip dhcp excluded-address 172.16.17.1 172.16.17.5
ip dhcp excluded-address 192.168.19.1 192.168.19.5
ip dhcp pool MyNetNative
import all
network 10.0.0.0 255.255.255.248
default-router 10.0.0.1
domain-name MyNetNet.org
dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
lease 0 2
ip dhcp pool MyNetData
import all
network 172.16.15.0 255.255.255.240
dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
default-router 172.16.15.1
domain-name MyDomain.org
ip dhcp pool MyNetVoice
import all
network 172.16.17.0 255.255.255.240
dns-server 172.16.15.14
default-router 172.16.17.1
domain-name MyDomain.org
ip dhcp pool MyNetGuest
import all
network 192.168.19.0 255.255.255.240
default-router 192.168.19.1
domain-name MyNetGuest.org
dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
ip domain name MyDomain.org
ip name-server 172.16.15.14
ip name-server 4.2.2.4
ip inspect log drop-pkt
multilink bundle-name authenticated
parameter-map type inspect TCP_PARAM
parameter-map type inspect global
username MyAdmin privilege 15 secret 5 MyPassword
archive
log config
hidekeys
class-map type inspect match-all MyNetGuest-access-list
match access-group 110
class-map type inspect match-any Base-protocols
match protocol http
match protocol https
match protocol ftp
match protocol ssh
match protocol dns
match protocol ntp
match protocol ica
match protocol pptp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all MyNetGuest-Class
match class-map MyNetGuest-access-list
match class-map Base-protocols
class-map type inspect match-all MyNetNet-access-list
match access-group 100
class-map type inspect match-any Voice-protocols
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any Extended-protocols
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imaps
match protocol smtp
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
class type inspect MyNetGuest-access-list
inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
class type inspect MyNetGuest-Class
inspect
class class-default
policy-map type inspect MyNetNet-zone
class class-default
pass
zone security MyNetNet-zone
zone security MyNetGuest-zone
zone security MyNetWAN-zone
zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
interface FastEthernet0
description Cisco-2849-Switch
switchport mode trunk
speed 100
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
description SBS-Server
switchport access vlan 10
spanning-tree portfast
interface FastEthernet4
description WAN
no ip address
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security MyNetWAN-zone
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
interface Vlan1
description MyNetNative
ip address 10.0.0.1 255.255.255.248
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
ip tcp adjust-mss 1452
interface Vlan10
description MyNetData
ip address 172.16.15.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan20
description MyNetVoice
ip address 172.16.17.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan69
description MyNetGuest
ip address 192.168.19.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetGuest-zone
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
access-list 100 remark MyNetnet
access-list 100 permit ip 10.0.0.0 0.0.0.7 any
access-list 100 permit ip 172.16.15.0 0.0.0.31 any
access-list 100 permit ip 172.16.17.0 0.0.0.15 any
access-list 110 remark MyNetGuest
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
access-list 110 deny ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
access-list 110 deny ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
access-list 110 deny ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
access-list 110 permit ip 192.168.19.0 0.0.0.15 any
control-plane
banner login ^CC
You know if you should be here or not.
if not please leave
NOW
^C
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
scheduler max-task-time 5000
ntp server 172.16.15.14
webvpn cef
end
Cisco871#sh zone security
zone self
Description: System defined zone
zone MyNetNet-zone
Member Interfaces:
Vlan1
Vlan10
Vlan20
zone MyNetGuest-zone
Member Interfaces:
Vlan69
zone MyNetWAN-zone
Member Interfaces:
FastEthernet4
Cisco871#sh zone-pair security
Zone-pair name MyNetNet->MyNetGuest
Source-Zone MyNetNet-zone Destination-Zone MyNetGuest-zone
service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
Zone-pair name MyNetNet->MyNetWAN
Source-Zone MyNetNet-zone Destination-Zone MyNetWAN-zone
service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetWAN
Source-Zone MyNetGuest-zone Destination-Zone MyNetWAN-zone
service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetNet
Source-Zone MyNetGuest-zone Destination-Zone MyNetNet-zone
service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
Cisco871#sh int faste4
FastEthernet4 is up, line protocol is up
Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
Description: WAN
Internet address is 10.38.177.98/25
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:34:50, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 2000 bits/sec, 3 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
593096 packets input, 73090812 bytes
Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
9940 packets output, 1016025 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Zone-pair: MyNetNet->MyNetWAN
Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
Class-map: MyNetNet-Class (match-all)
Match: class-map match-all MyNetNet-access-list
Match: access-group 100
Match: class-map match-any Voice-protocols
Match: protocol h323
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol skinny
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol sip
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any Extended-protocols
Match: protocol pop3
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pop3s
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imap
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imaps
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any Base-protocols
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ntp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ica
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pptp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
5196 packets, 256211 bytes
Cisco871#sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 1745 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 1785 message lines logged
Log Buffer (4096 bytes):
001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to policy match failure
001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to policy match failure
001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to policy match failureHello Charlie,
I would recomend you to investigate a little bit more about how the ZBFW features works
Now I am going to help you on this one at least, then I will give you a few links you could use to study
We are going to study traffic from MyNetNet-zone to the MyNetWan-zone
First the zone-pair
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
so lets go policy-map
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
Finally to the class map
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
That keyword MATCH-ALL is the one causing the issues!!
Why?
Because you are telling the ZBFW to inspect traffic only if matches all of those class-maps so a packet will need to math the base protocols and the extended protocol and as you know that is not possible ( Just one protocol )
So here are the links
http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
https://supportforums.cisco.com/thread/2138873
http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
You have some work to do
Please remember to rate all the helpful posts
Julio
CCSP -
Trying to understand the class-default for marking
I have the concept of Identify traffic with ACLs
Classify traffic for marking with class-maps
Mark traffic with policy-maps
the policy-map will always have a default-class for unaccounted traffic in the policy-maps
what I don't quite understand is that the there is not a class-map class-default
when servicing the "policy" the class-maps are referenced with "class A" "class B" "class class-default"
when looking for the matches on class class-default there is no reference class-map to go to....
I figured I have to accept this logic means if traffic was not specifically matched by the collection of class-maps in the config the IOS can assume the traffic would have been/is class-default.
i had put a config together to classify certain traffic as CS0, like SNMP... i wanted to force traffic there as well as having all unaccounted traffic being classified CS0.
but from what i read if i don't have snmp matched in any class-map in the config then this traffic would find itself in
policy-map XXX
class class-default
set ip precedence 0
even though class-default does not exist as class-map class-defaultHi,
You want to mark some traffic as CS0? and then count that traffic? but you won't know which traffic had CS0 imposed or was natively IPP 0 like all data traffic not specifically marked.
the class class-default exists just do a show class-map and you'll see it, it is the IOS which creates it.
Doing a show policy-map interface will show you which class-map was matched. -
High current conns in service policy.
Hi,
We have the following policy on a firewall to limit the maximum number of connections:
policy-map global_policy
class HTTP
set connection conn-max 2250 embryonic-conn-max 100 per-client-max 20 per-client-embryonic-max 5
set connection timeout half-closed 0:05:00 idle 0:05:00
If we look in the logs we see that connections are being dropped because of this:
Feb 05 2014 12:33:12: %ASA-3-201011: Connection limit exceeded 2250/2250 for input packet from x.x.x.x/63257 to x.x.x.x/80 on interface outside
Feb 05 2014 12:33:12: %ASA-3-201011: Connection limit exceeded 2250/2250 for input packet from x.x.x.x/53429 to x.x.x.x/80 on interface outside
Feb 05 2014 12:33:12: %ASA-3-201011: Connection limit exceeded 2250/2250 for input packet fromx.x.x.x/48613 to x.x.x.x/80 on interface outside
And these show true if we look at the service policy
XXXX# show service-policy global
Global policy:
Service-policy: global_policy
Class-map: HTTP
Set connection policy: conn-max 2250 embryonic-conn-max 100 per-client-max 20 per-client-embryonic-max 5
current embryonic conns 2, current conns 2250, drop 15870337
Set connection timeout policy:
half-closed 0:05:00 idle 0:05:00
DCD: disabled, retry-interval 0:00:15, max-retries 5
DCD: client-probe 0, server-probe 0, conn-expiration 0
However the connections on the firewall and servers aren’t high
xxxxx# show conn count
529 in use, 2485 most used
Can anyone explain why this is, not sure if it is bug or is normal expected behavour. Is this "current conns" figure meant to corresond to the firewall conns, or is taking from something else? I guess they only way to remove this is to remove and re-add the policy, just wanted to get peoples thoughts on it or see if I was missing something.
This is on an ASA5510 running Software Version 8.2(5)41
Thankshi all ,
im really exhausted about this issue
i googled alot , i have been googling about 1 week with no benefit !!!!!
i changed ios many times but no luck !!!!
i followed the navigatro tool of cisco , it say that cisco 7200 npeg2 dont support the feaute called
QoS: Per-Session Shaping and Queuing
i followed here
http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/sbsbpssq.html
they say it supported for ios that supported with 7200
i found an old discsuuion on internet for guys about cisco 7200 for shap
i dont know
not sure
does cisco 7200 support shaping and bw gurantee for vpdn session on LNS router ?????????
i need an expert for that
plz help
regards -
Service-policy on Vlan interface failed
Hi, All!
This is my configuration:
class-map match-any voip_control_trust-CMAP
match ip dscp cs3
match ip dscp af31
class-map match-any voip_rtp_trust-CMAP
match ip dscp ef
class-map match-any internetwork-cntrl-CMAP
match ip dscp cs6
policy-map output_qos-PMAP
class voip_rtp_trust-CMAP
priority 56
class voip_control_trust-CMAP
bandwidth percent 2
class internetwork-cntrl-CMAP
bandwidth percent 5
class class-default
fair-queue
random-detect
cisco(config)#int Vlan 2
cisco(config-if)#service-policy output output_qos-PMAP
Configuration failed!
It was tested on 877, 871, 871W, 877W with ios c870-advipservicesk9-mz.124-15.T5.bin, c870-advipservicesk9-mz.124-15.T8.bin, c870-advipservicesk9-mz.124-15.T10.bin, c870-advipservicesk9-mz.124-15.T11.bin, c870-advipservicesk9-mz.124-24.T2.bin
Strange error. Does anybody know what's the problem?Ok, i tried to make workaround solution:
policy-map OUTPUT_QOS_PMAP
class VOIP_RTP_TRUST_CMAP
priority 56
class VOIP_CTRL_TRUST_CMAP
bandwidth percent 2
class INETWORK-CTRL-CMAP
bandwidth percent 5
class class-default
fair-queue
random-detect
service-policy OUTPUT_QOS_PMAP
service-policy output OUTPUT_QOS_PMAP
interface Vlan2
description *** WAN SVI ***
bandwidth 256
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
bridge-group 1
end
interface BVI1
description *** WAN BVI ***
bandwidth 256
ip address 10.96.0.57 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
service-policy output OUTPUT_QOS_PMAP
end
sh policy-map interface
BVI1
Service-policy output: OUTPUT_QOS_PMAP
queue stats for all priority classes:
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: VOIP_RTP_TRUST_CMAP (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
0 packets, 0 bytes
5 minute rate 0 bps
Priority: 56 kbps, burst bytes 1500, b/w exceed drops: 0
Class-map: VOIP_CTRL_TRUST_CMAP (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs3 (24)
0 packets, 0 bytes
5 minute rate 0 bps
Match: ip dscp af31 (26)
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 2% (5 kbps)
Class-map: INETWORK-CTRL-CMAP (match-any)
6 packets, 896 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs6 (48)
6 packets, 896 bytes
5 minute rate 0 bps
Match: access-group name IKE
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 5/0/0
(pkts output/bytes output) 6/1120
bandwidth 5% (12 kbps)
Class-map: class-default (match-any)
11 packets, 660 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 10/0/0/0
(pkts output/bytes output) 11/660
Fair-queue: per-flow queue limit 16
Exp-weight-constant: 9 (1/512)
Mean queue depth: 0 packets
class Transmitted Random drop Tail/Flow drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
0 11/660 0/0 0/0 20 40 1/10
1 0/0 0/0 0/0 22 40 1/10
2 0/0 0/0 0/0 24 40 1/10
3 0/0 0/0 0/0 26 40 1/10
4 0/0 0/0 0/0 28 40 1/10
5 0/0 0/0 0/0 30 40 1/10
6 0/0 0/0 0/0 32 40 1/10
7 0/0 0/0 0/0 34 40 1/10
BUT! Until service-policy is on interface works nothing.
sh int bvi1
BVI1 is up, line protocol is up
Hardware is BVI, address is 0025.454a.940d (bia 0024.c495.6780)
Description: *** WAN BVI ***
Internet address is 10.96.0.57/24
MTU 1500 bytes, BW 256 Kbit/sec, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 74
Queueing strategy: Class-based queueing
Output queue: 33/1000/0 (size/max total/drops)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
114 packets output, 11034 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
ping 10.96.0.1 source bvi1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.96.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.96.0.57
Success rate is 0 percent (0/5) -
Why doesn't "show service-policy url-summary" work?
Does any one know -- At Cisco Live this year -- this command was shown as an Option to see the number of
hits on L7 class maps urls.
It's not an option for me: Running A3 (2.5)
Thanks,
From A2 documentation (maybe this command was dropped from A3 -- but that would be unfortunate)
To display the statistics for all policy maps or a specific policy map that is currently in service, use the show service-policy command. This command also allows you to display statistics for a specific class map in a policy or the hit counts for match HTTP URL statements in a Layer 7 HTTP policy map. If you do not enter an option with this command, the ACE displays all enabled policy statistics.
show service-policy [policy_name [class-map class_name]] [detail | summary | url-summary] [|] [>]
Syntax Description
policy_name
(Optional) Identifier of an existing policy map that is currently in service (applied to an interface) as an unquoted text string with a maximum of 64 alphanumeric characters. If you do not enter the name of an existing policy map, the ACE displays information and statistics for all policy maps.
class-map class_name
(Optional) Displays the statistics for the specified class map associated with the policy.
detail
(Optional) Displays a more detailed listing of policy map or class map statistics and status information.
summary
(Optional) Displays a summary of policy map or class map statistics and status information.
url-summary
(Optional) Displays the number of times that a connection is established based on a match HTTP URL statement for a class map in a Layer 7 HTTP policy map.
The URL hit counter is per match statement per load-balancing Layer 7 policy. If you are using the same combination of Layer 7 policy and class maps with URL match statements in different VIPs, the count is combined. If the ACE configuration exceeds 64K URL and load-balancing policy combinations, this counter displays NA.Hi Dan,
The url-summary has only been added to the ACE module code at this time. The A2 code train is only for the module, while the A3 train is only for the appliance. The good news is that later this year, we will have a new software coming out (A4) that will be the exact same image that can be loaded on either the module or the appliance, hence all functionality will be the same for both (except the acceleration and optimization that only the appliance will support.
Hope this helps,
Sean -
According to Cisco dumentation (http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mpc.html)
, the ASA is equipped with two default class-maps
class-map inspection_default
match default-inspection-traffic
and
class-map class-default
match any
The first makes perfect sense, but what is the class-default used for? Cisco says
"This class map appears at the end of all Layer 3/4 policy maps and essentially tells the adaptive security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own
match any class map. In fact, some features are only available for class-default."
But I see stuff like this:
policy-map MyPolicy
class class-default
inspect tfp MyFTPpolicy
Obviously it is being used here to act on traffic! So I am confused.
I also noticed that when you upgrade from 8.2 to 8.4, all default class-maps are removed from the configuration: you have to re-create everything (strange)Hello Collin,
This is Mike. I dont think it is well documented. Basically it is just a class map (that does not appear on the configuration unless an action is specified) that will match all traffic passing through the ASA firewall. Some features like NSEL (Netflow) and Traffic shaping are only allowed to use this kind of class maps because they dont support any other match command.
The one that you currently have (and God I hope its not applied) will look for tftp traffic on every IP packet passing across the ASA.
This specific type of policy you have there can only be applied on the interface (as it is not a layer 7 inspection policy) you can check if it is applied or not by running the show "run service-policy command"
Mike -
My ISP has said they will set up their side to give 50% policed real time traffic and 30% for our application traffic burstable then 5% anything else burstable. The QOS below is my attempt to do this but I was advised that to apply it to the Dialer 1 interface I hade to create a second policy-map (ADSLOut) which had the class-default and the child policy (QOSADSL) within that.
When I did this I can't apply it to the Dialer 1 interface but if I use the child policy then it will allow me to apply that, will this work the same way.
class-map match-all RealTime
match ip dscp ef
class-map match-all General
match any
class-map match-any Application
match ip dscp cs3
match ip dscp af41
policy-map QOSADSL
class RealTime
bandwidth percent 50
class Application
priority percent 30
class General
priority percent 5
class class-default
shape peak percent 85
policy-map ADSLOut
class class-default
service-policy QOSADSL
interface Dialer1
<Snipped>
bandwidth 1240
ip nbar protocol-discovery
ip flow ingress
ip flow egress
load-interval 30
tx-ring-limit 3
tx-queue-limit 3
service-policy output QOSADSL
or
service-policy output ADSLOutHi @scotlandvisit,
My first opinion is a recomendation: in the policy-map, when you're configuring LLQ use the priority command for delay-sensitive traffic (Voice) and the bandwidth command for the rest. This is because the priority command is used to indentify a class as a "strict priority class" which in my opinion should be the voice traffic and the bandwidth command is used to allocate bandwidth to nonpriority classes.
The interface is not letting you apply the service-policy because you have to configure shaping inside the class-default of the parent policy-map. This shape is going to be the value in bps that you want to assing to the traffic classes that you've configured. For example, let's say that you want to allocate 1Mbps for all the classes.
policy-map QOSADSL
class RealTime
priority percent 50
class Application
bandwidth percent 30
class General
bandwidth percent 5
class class-default
shape peak percent 85
policy-map ADSLOut
class class-default
shape average 1000000
service-policy QOSADSL
interface Dialer1
service-policy output ADSLOut
Try this configuration and let me know.
HTH.
Rgrds,
Martin, IT Specialist -
Configuring a 3560. Fa0/1 is connected to LES cct, I need to apply a class-map to allocate bandwidth to Voip, Citrix and printing. I create class map and then try to apply the Service-policy output command but it comes back Output not supported. How do I apply the service policy to the port
will attaching the service-policy input to the port prioritse the traffic down the private cct. Also do I have to apply any qos rules to the other ports.
For example: Port fa0/1 is connected to 10mbps cct.
I attach service-policy to the port
'Service-policy output qos'
(full class-map is:
Class-map match-all class 1
match access-group 101
Class-map match-all class 2
match access-group 102
Class-map match-all class 3
match access-group 103
policy-map Qos
Class Class 1
police 100000 8000 exceed.... drop
Class Class 2
Police 512000 8000 exceed.... drop
Class Class 3
Police 6750000 8000 exceed ..... drop
Access-list 101 permit tcp any any dscp 46
Access-list 102 permit tcp any any dscp 31
Access-list 103 permit tcp any any eq 1494
I have configured (Global) mls qos
Do I have to configure fa0/3 which is configured for two vlans (voice and data)
Regards
Ron
Maybe you are looking for
-
Need toughts on approach. Client moving to Maconomy/Business Objects
Post Author: klokhammer CA Forum: General Feedback Hi.On of our important clients are most likely to migrate between economy systems within the next 9 months. Case as follows: We have developed a budgeting/forecast and reporting system for a certain
-
How to block sales order and Delivery order based on payment terms ?
Hi experts , I have an sceneria to block the sales order and delivery based on payment terms ? For eg ) Customer payment terms is Z001 which is 5 % discount within 30 days , No discount within 60 days. My requirement here i
-
Set a default layout for all users via DIAPI
Hello everyone, I am attempting to set a default report for all users/business partners using the DI-API. I can accomplish this in the B1 application via Tools> Layout Designer...>Set as Default If there are entries in the RDFL table for this layout
-
Hi Gurus, How handling unit number selection happens in delivery document? Does system determines this number automatically? If so from which table? Thank you ANil
-
Brush and eraser cursors turn to arrow on Wacom tablet
Hello, anyone and everyone, drawing with PHotoshop CS5 on the Wacom 22HD, my brush and erasor cursors will suddenly switch to the ordinary 'arrow' or 'pointer' cursor the instant the stylus touches the surface of the tablet. Any ideas as to what's go