Traffic Policies in NAC

Hello friends,
For host remediation, should we allow access to a particular destination, or is it accessible by default?
OR
Are traffic policies applied after a host passes posture assessment and remediation, to limit network access?
Thanks

Hello Faisal,
Thanks for the response,
My setup is in-band virtual mode.
From your mail, what I understand is that if the host wants to succeed in posture assessment, it has to be permitted access to the particular destination.
For example: if the host is not updated with the full AV, it has to be permitted access to the AV server for the updates in the temporary role,
and the access-list will be like: permit tcp any host 10.10.10.10 (AV Server) eq (port)
Correct me if I am wrong?
2) After the host succeeds in posture assessment, can we also limit the host to a particular destination?
Where is the option where we can specify such an access-list?
Thanks

Similar Messages

  • Traffic policing question on Cisco ASR 1001

    Hi Experts,
    I have a request to setup aggregated traffic policing on a Cisco ASR 1001 router for multiple networks within a router.
    Let's say I have a router with several subinterfaces:
    interface GigabitEthernet0/2
     description WAN
     ip address x.x.x.x x.x.x.x
    interface GigabitEthernet0/1.70
     description Lan_1
     encapsulation dot1Q 70
     ip address 192.168.55.1 255.255.255.0
    interface GigabitEthernet0/1.80
     description LAN_2
     encapsulation dot1Q 80
     ip address 192.168.56.1 255.255.255.0
    interface GigabitEthernet0/1.90
     description Servers
     encapsulation dot1Q 90
     ip address 172.16.10.1 255.255.255.0
    I have a WAN link of 100Mbit/s and I need to police traffic, so that I have 30Mbit/s for servers (GigabitEthernet0/1.90) and the remaining 70Mbit I want to share between interfaces Lan_1 and LAN_2. The idea is that I need 70Mbit/s equally shared between the two interfaces, so that I have fair policing on both interfaces. What is the best way to achieve this?
    Many Thanks

    Hello
    The configuration below is a possible option. It provides policing inbound on the client interfaces and LLQ priority queuing on the WAN interface for the servers, and the shaping values for LAN1 and LAN2 traffic are set to 35MB each.
    Notice nothing is defined for the default class; however, I am of the understanding this is given 1% by default in HQoS implementations.
    Maybe others on here could review to verify any problems with this post and share their thoughts?
    ip access-list extended SRVS_acl
     permit ip 172.16.10.0 0.0.0.255 any
    ip access-list extended LAN1_acl
     permit ip 192.168.55.0 0.0.0.255 any
    ip access-list extended LAN2_acl
     permit ip 192.168.56.0 0.0.0.255 any
    class-map match-all SRVS_CM
     match access-group name SRVS_acl
    class-map match-all LAN_1_CM
     match access-group name  LAN1_acl
    class-map match-all LAN_2_CM
     match access-group name LAN2_acl
    policy-map SRVS_PM
     class SRVS_CM
        police 30720000 conform-action transmit exceed-action drop
    policy-map LAN_2_PM
     class LAN_2_CM
        police 35840000 conform-action transmit 
    policy-map LAN_1_PM
     class LAN_1_CM
        police 35840000 conform-action transmit 
    interface GigabitEthernet0/1.70
     service-policy input LAN_1_PM
    interface GigabitEthernet0/1.90
     service-policy input SRVS_PM
    interface GigabitEthernet0/1.80
     service-policy input LAN_2_PM
    policy-map WAN_CHILD
     class SRVS_CM
      priority 30720
     class LAN_1_CM
      shape average 35840000
     class LAN_2_CM
      shape average 35840000
     class class-default
      fair-queue
    policy-map WAN_PARENT
     class class-default
      shape average 102400000
      service-policy WAN_CHILD
    interface GigabitEthernet0/2
     bandwidth 102400
     service-policy output WAN_PARENT
    res
    Paul

  • ISG: Service with traffic policing counts dropped packets.

    Hello,
    Our company has a Cisco 7304 NPEG100 router ("show version" output is at the bottom of this message). We are planning to start ISG services on this router, but there is a bug, CSCei4190. When I set traffic policing in a service, accounting in this service counts packets that have been dropped by traffic policing.
    Here is example of my definition of service in RADIUS:
    User-Name = 'Internet-Service'
    Cisco-AVPair += "ip:traffic-class=in access-group 2000 priority 10"
    Cisco-AVPair += "ip:traffic-class=out access-group 2001 priority 10"
    Cisco-AVPair += "ip:traffic-class=in default drop"
    Cisco-AVPair += "ip:traffic-class=out default drop"
    Cisco-AVPair += "prepaid-config=TRAFFIC_PREPAID"
    Cisco-AVPair += "accounting-list=ISG_ACCT"
    Cisco-Service-Info += "QU;256000;D;512000"
    Acct-Interim-Interval += '60'
    When I remove Cisco-Service-Info += "QU;256000;D;512000" from the service definition, all traffic is counted correctly.
    I could not find in the Bug Details which version of IOS I should use on my 7304 router in which this bug is fixed.
    Cisco IOS Software, 7300 Software (C7300-A3JK91S-M), Version 12.2(31)SB17,  RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Fri 30-Oct-09 12:35 by vpernank
    ROM: System Bootstrap, Version 12.2(22r)S, RELEASE SOFTWARE (fc1)
    BOOTLDR: 7300 Software (C7300-BOOT-M), Version 12.2(20)S6, RELEASE SOFTWARE (fc4)
    7304 uptime is 17 hours, 24 minutes
    Uptime for this control processor is 17 hours, 24 minutes
    System returned to ROM by reload at 06:22:24 TSK Wed Feb 23 2005
    System restarted at 18:46:54 TSK Mon Mar 22 2010
    System image file is "disk0:c7300-a3jk91s-mz.122-31.SB17.bin"
    cisco 7300 (NPEG100) processor (revision B) with 983040K/65536K bytes of  memory.
    SB-1 CPU at 800Mhz, Implementation 0x401, Rev 0.2, 512KB L2 Cache
    4 slot midplane, Version 67.49
    Last reset from software reset or reload
    4 FastEthernet interfaces
    3 Gigabit Ethernet interfaces
    1021K bytes of non-volatile configuration memory.
    62592K bytes of ATA compact flash in bootdisk (Sector size 512 bytes).
    125952K bytes of ATA compact flash in disk0 (Sector size 512 bytes).
    Configuration register is 0x2102

    I am getting other logs sent to the syslog server, yes, just not the firewall-related "dropped packet" logs.  Here's an example of one that does make it through:
    5790: *Apr 30 15:05:27.039 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-647534746 1500 bytes is out-of-order; expectedseq:3647406270. Reason: TCP reassembly queue overflow - session 192.168.1.179:3895 to 54.240.160.142:80 on zone-pair inside-to-Transitclass WB-Browsing
    I am not allowing all the traffic across the box.  The "self-to-inside" zone-pair just allows the *firewall itself* to initiate any traffic to the inside zone.  That's temporary until I get all the management traffic to and from the firewall defined, then I will lock it down further.
    And I added the "ip inspect log drop-pkt" and it did not appear to make any difference.
    Any other suggestions?
    -Mat

  • 2950 Traffic Policing

    Hi,
    I'm trying to configure traffic policing on a Catalyst 2950. The config is pretty straight-forward, or so I thought. I need to set up several policy-maps, each one policing traffic at different levels (5meg, 10meg, 20meg, etc.). My problem is, anything above 1Meg just doesn't seem to work as expected. Here's my config for a 10Meg policer:
    class-map match-all ALL-TRAFFIC
    match access-group 1
    policy-map 10mbs
    class ALL-TRAFFIC
    police 10000000 65536 exceed-action drop
    access-list 1 permit any
    Here's the interface config:
    interface FastEthernet0/24
    switchport access vlan 53
    load-interval 30
    service-policy input 10mbs
    spanning-tree portfast
    spanning-tree bpdufilter enable
    spanning-tree link-type point-to-point
    What happens is, when uploading files from the server attached to this port (ingress to the switch), my throughput is nowhere near 10Mb/s. I only end up getting about 2Mb/s consistently, with a large 600MB ISO file transfer.
    I've configured policers before in routers and other types of switches and I would at least get around 7 to 8Mb/s, if not immediately, after some time, due to TCP's native congestion avoidance. I may be missing something blatantly obvious, though, as I've been wrestling with this the past few hours.

    Although the page is about the 3550, I think most of the information is relevant to the 2950 as well (although the 2950 doesn't support the granularity of the 3550).
    http://www.cisco.com/en/US/partner/products/hw/switches/ps646/products_tech_note09186a00800feff5.shtml
    Have you tried using non connection-oriented traffic (UDP) to see what rates you achieve? I suspect TCP is probably suffering due to the policer dropping the packets.
    HTH
    Andy

  • Traffic Policing on Service Provider Edge router.

    Hi,
    I'm confused about traffic policing on the service provider edge router. Suppose I have taken Internet bandwidth from my ISP and they say that they will give me 100 Mbps bandwidth burstable up to 1Gbps. What does that mean? What is burstable here?
    I would appreciate it if anyone from a service provider organization could give the output of their edge router's running config. I just have to understand how they police our traffic. Here I'm talking about Internet leased lines.

    This is probably something you will have to get your service provider to answer. Different service providers use the term burst in a different context. Some SPs are "nice" and will set up no policer or shaper and will purely monitor the link for fair use, allowing you to exceed what you have purchased as long as you don't abuse the privilege. Other service providers may set up a dual-rate policer with a CIR and a PIR to achieve the same. A third scenario is as explained above, where the SP will set up a policer for 100Mb/s and then calculate the burst value at 1/8 of a second (or less in some cases), which allows your traffic to burst to full line rate for that time slice.
    There are other scenarios but the point I’m trying to make is that service providers don’t all do this the same way which is why you should ask them what they mean and how long your traffic would be allowed to burst to line rate.
    PJ

  • Cisco ASA QoS traffic policing - how to count conform burst

    hi,
    I have a Cisco ASA 8.4(5). I will do the configuration for QoS traffic policing. The maximum output/input rate will be 850 Mbits/s.
    I am not sure if I also need to configure the conform burst? If yes, how can I calculate a suitable value for it? I must admit that I don't understand the difference between conform rate and conform burst.
    access-list acl_qos_policing_admin extended permit ip any any
    class-map class_qos_policing_admin
     match access-list acl_qos_policing_admin
    policy-map policy_qos_policing_admin
     class  class_qos_policing_admin
     police output 850000000 xxxxxxx
     police input 850000000 xxxxxxx
    service-policy policy_qos_policing_admin interface inside_ADM

    Hi, I have already done the configuration on the production firewall. The bandwidth test worked very well for 200Mbps or 300 Mbps. But I got slightly strange results for bigger rate limits such as 600Mbps or 850 Mbps. I could not see any dropped packets. I did the test via http://www.speedtest.net. Maybe because I need to set conform-burst? There is now only the default value (if you set a bigger conform-rate, you get a bigger conform-burst with the default value).
    Interface inside_EDU:
      Service-policy: policy_qos_policing_edu
        Class-map: class_qos_policing_edu
          Output police Interface inside_EDU:
            cir 200000000 bps, bc 6250000 bytes
          Input police Interface inside_EDU:
            cir 200000000 bps, bc 6250000 bytes
    Interface inside_EDU:
      Service-policy: policy_qos_policing_edu
        Class-map: class_qos_policing_edu
          Output police Interface inside_EDU:
            cir 600000000 bps, bc 18750000 bytes
          Input police Interface inside_EDU:
            cir 600000000 bps, bc 18750000 bytes
    Interface inside_ADM:
      Service-policy: policy_qos_policing_admin
        Class-map: class_qos_policing_admin
          Output police Interface inside_ADM:
            cir 300000000 bps, bc 9375000 bytes
          Input police Interface inside_ADM:
            cir 300000000 bps, bc 9375000 bytes
    Interface inside_ADM:
      Service-policy: policy_qos_policing_admin
        Class-map: class_qos_policing_admin
          Output police Interface inside_ADM:
            cir 850000000 bps, bc 26562500 bytes
          Input police Interface inside_ADM:
            cir 850000000 bps, bc 26562500 bytes

  • Traffic Control in NAC

    Hi all,
    Is it possible to control traffic after a user is authenticated by NAC? For example, a user can only access the server segment, not other segments. From what I understand, after a user is authenticated by NAC, that user is put into the trusted segment, and the server segment is also in the trusted segment, so I think it is not possible. Maybe others have another opinion?
    Thanks.

    Hi Brian,
    You can keep controlling traffic with NAC if you have a Clean Access Server (CAS) deployed inline for example:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_trfpol.html
    Regards,
    Fede
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Application Traffic Policies

    Hi,
    Thanks for your previous helpful responses.
    I will be doing a POC at a customer site. I have the following applications listed that I will be optimizing:
    Oracle
    MS windows (CIFS)
    MS Exchange
    EFAX- oracle
    RTGS- Real Traffic Gross settlements
    T24
    internet thru proxy server.
    Banknet - Intranet Service.
    DNS.
    Mcafee antivirus updates service.
    I guess one way to capture the traffic types is to run a sniffer on the network. How do I know exactly how each application works, so as to know what kind of ATP to create for some of these applications and what kind of optimization to apply, since not all of them have an ATP defined in the default Cisco ATPs?
    Thanks

    Obiora,
    There are several apps you list that are in the default application policies (CIFS, Oracle, proxy server, etc.). I would recommend that you create a policy for Exchange via destination IP with full optimization, as long as it's not encrypted by the Outlook clients.
    For the other apps, you are correct, you may have to run a sniffer to look at them, as they may be custom apps. After you have found out what ports and/or IP addresses they use, you can create custom policies if they don't fit into the default set.
    Hope that helps,
    Dan

  • Calling DSCP or IP Precedence on traffic Policing

    Hi Guys,
    I have a good question, and I can say it's a challenging question. We have policy-maps on some interfaces, but these interfaces are dedicated to customers who use them just for voice and video. I have put some detail below for better understanding.
    router#sh policy-map QOS:POLICE:100M:pm-q
      Policy Map QOS:POLICE:100M:pm-q
        Class class-default
         police cir 100000000 bc 3125000
           conform-action transmit
           exceed-action drop
         service-policy QOS:RATE:30-x:pm-q
    router#sh policy-map QOS:RATE:30-x:pm-q
      Policy Map QOS:RATE:30-x:pm-q
        Class QOS:REALTIME:cm-q
          set qos-group 5
         police cir percent 30
           conform-action transmit
           exceed-action drop
        Class QOS:INTERACTIVE:cm-q
          set qos-group 3
        Class QOS:CONTROL:cm-q
          set qos-group 6
         police cir percent 10
           conform-action transmit
           exceed-action drop
        Class QOS:BUSINESSDATA:cm-q
          set qos-group 1
        Class class-default
          set qos-group 0
    We put this in place because we expected a guarantee of 30% of that bandwidth. It means we expected a guaranteed 30mbps, but now people are saying this type of configuration is not working because calling DSCP on policing is not working.
    now we have to change it to below
    router#Policy Map QOS:POLV2:GWS:100M:pm-q
        Class QOS:INT:MPLS:cm-q
         police cir 120000000 bc 21000000 be 42000000
           conform-action transmit
           exceed-action drop
           violate-action drop
    now question is this change right ?
    Thanks
    Majid

    Sarah
    1) L2 switches can trust the dscp marking as well. The 2960 is a layer 2 only switch and the default is untrusted but if you then enter
    "mls qos trust" you have a choice of 'cos|dscp|ip-precedence'. The default if no choice is entered is DSCP.
    2) If "mls qos trust dscp" is entered then the switch will use the DSCP marking found in the packet. This will then be used as the internal DSCP marking that all switches use. Unless you have a DSCP-DSCP mutation map the value used will be the value received in the packet.
    Jon
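    A token-bucket policer model, added here as an illustration and not taken from any of the posts, that makes the numbers in the ASA conform-burst thread and in the "police cir ... bc ... be" policy-map above concrete: every cir/bc pair in the quoted ASA show output satisfies bc = cir/32 bytes (250 ms of CIR, a relationship read off this page's output rather than from documentation), a bucket that size lets a 1 Gbit/s test run over an 850 Mbit/s policer for about 1.4 s before the first drop, and the single-rate three-colour variant shows how bc and be feed the exceed and violate actions. All packet streams are constructed test data; the function names are this example's own.

```python
# Token-bucket policer model for the police commands quoted on this page.
# Example code, not from the posts; all traffic below is synthetic.
from typing import List, Tuple

Packet = Tuple[float, int]  # (arrival time in seconds, size in bytes)


def asa_default_bc(cir_bps: int) -> int:
    """Conform-burst the ASA chose when none was configured: every pair in the
    quoted 'show service-policy' output is bc = cir/32 bytes, i.e. 250 ms of
    CIR (cir/8 bytes per second * 0.25 s). Observed on this page, not a spec."""
    return cir_bps // 32


def burst_seconds(cir_bps: int, bc_bytes: int) -> float:
    """Bc expressed as time: how many seconds of CIR the bucket holds."""
    return bc_bytes * 8 / cir_bps


def seconds_until_exceed(cir_bps: int, bc_bytes: int, offered_bps: int) -> float:
    """Starting from a full bucket, how long traffic offered above CIR runs
    before the policer first marks exceed: the bucket drains at (offered - CIR)."""
    if offered_bps <= cir_bps:
        return float("inf")
    return bc_bytes * 8 / (offered_bps - cir_bps)


def constant_stream(rate_bps: int, duration_s: float, pkt_bytes: int = 1250) -> List[Packet]:
    """Constructed test traffic: back-to-back packets at a fixed rate."""
    interval = pkt_bytes * 8 / rate_bps
    count = round(duration_s / interval)
    return [(i * interval, pkt_bytes) for i in range(count)]


def police_single_rate(packets: List[Packet], cir_bps: int, bc_bytes: int) -> Tuple[int, int]:
    """Single-rate two-colour policer ('police <cir> bc <bc>' with only conform
    and exceed actions; the ASA 'police' command is the same model).
    Returns (conform_bytes, exceed_bytes)."""
    tokens = float(bc_bytes)  # bucket starts full
    last_t = packets[0][0] if packets else 0.0
    conform = exceed = 0
    for t, size in packets:
        tokens = min(float(bc_bytes), tokens + (t - last_t) * cir_bps / 8)
        last_t = t
        if size <= tokens:
            tokens -= size
            conform += size
        else:
            exceed += size
    return conform, exceed


def police_srtcm(packets: List[Packet], cir_bps: int, bc_bytes: int,
                 be_bytes: int) -> Tuple[int, int, int]:
    """Single-rate three-colour policer (RFC 2697), the model behind
    'police cir X bc Y be Z' with conform/exceed/violate actions: CIR tokens fill
    the conform bucket, and only its overflow spills into the excess bucket.
    Returns (conform_bytes, exceed_bytes, violate_bytes)."""
    tc, te = float(bc_bytes), float(be_bytes)
    last_t = packets[0][0] if packets else 0.0
    conform = exceed = violate = 0
    for t, size in packets:
        tc += (t - last_t) * cir_bps / 8
        last_t = t
        if tc > bc_bytes:
            te = min(float(be_bytes), te + (tc - bc_bytes))
            tc = float(bc_bytes)
        if size <= tc:
            tc -= size
            conform += size
        elif size <= te:
            te -= size
            exceed += size
        else:
            violate += size
    return conform, exceed, violate


if __name__ == "__main__":
    # ASA thread: the defaults the box picked, and how long a 1 Gbit/s test runs
    # before any drop appears (~0.1 s at 300 Mbit/s, ~1.4 s at 850 Mbit/s).
    for cir in (200_000_000, 300_000_000, 600_000_000, 850_000_000):
        bc = asa_default_bc(cir)
        print(f"cir {cir} bps, bc {bc} bytes = {burst_seconds(cir, bc):.3f} s of CIR, "
              f"first exceed after {seconds_until_exceed(cir, bc, 1_000_000_000):.3f} s at 1 Gbit/s")
    # 2950 thread: 'police 10000000 65536' is a bucket of only ~52 ms.
    print(f"2950 bucket: {burst_seconds(10_000_000, 65536):.4f} s")
    # policy-map thread: 'police cir 120000000 bc 21000000 be 42000000' under 1 Gbit/s for 1 s.
    stream = constant_stream(1_000_000_000, 1.0)
    print("conform/exceed/violate bytes:", police_srtcm(stream, 120_000_000, 21_000_000, 42_000_000))
```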

  • NAC in Inband L2 Virtual mode

    Dear Experts,
    I am planning to implement NAC in-band virtual mode, as I have HP and Cisco switches in my network. I have read the installation guide and the Cisco Press book for NAC, and now I want confirmation from you experts of the step-by-step procedure to set up NAC.
    I thought to post because many of you have implemented NAC several times, so you know the general steps to start. I am going to do antivirus update and Windows update for the host posture assessment.
    NAC in Inband L2 Virtual mode
    About my thinking for Implementation is :
    create authentication vlan on access switches,(no SVI for authentication vlan)
    Do authentication mapping and actual user vlan mapping in NAC,
    create a rule such as windows update and antivirus update and then requirement is to access the antivirus server and windows update server,
    Allow an access-list for all the user VLANs to reach these antivirus and Windows update servers, BUT these IPs will be the actual VLAN IP subnet, because we will not have any authentication subnet in DHCP? Correct me if I am wrong.
    Shift the users from actual vlan to authentication vlan,
    Configure managed subnet for the reply of DHCP request
    Enable L3 and setup static routes
    Manually go to each and every PC to open a browser so that it will be redirected to install the NAC agent. Is there any other way to install the NAC agent on 1000 Windows machines? My system administrators are not very smart, so please, is there any solution without the help of the system administrator? It would be highly appreciated.
    The points I have written above are what I think NAC is. If I am missing any other points, please advise me or give proper guidance.

    Hi,
    1. This is correct. Auth VLANs shouldn't have SVIs anywhere on the network
    2. Okay
    3. Okay. For posture assessment, look at chalktalk 5 from this link: http://bit.ly/chalktalks
    4. For a L2 VGW setup (assuming In-Band), you will only have one set of IP addresses to work with, and those would be the Access VLAN IP addresses. You don't get a different IP address in your Auth VLAN. You can limit the resources you want your clients to have access to by tweaking the Traffic Policies
    5. You would map the users, and you do that by defining the VLAN mappings
    6. For L2 deployments, you will need managed subnets for all the IP subnets that you work with.
    7. You don't need static routes for L2 deployments
    8. If your clients are using any managed software system, like GPOs using AD, or SMS, or Altiris, you can push out the agent to them using those mechanisms.
    HTH,
    Faisal

  • NAC Out-of-Band Deployment for wireless networks

    I am evaluating the NAC appliance for my wired and wireless users. I have read that the only way to deploy NAC for wireless is in-band mode, but it looks like the following link says that it is possible to deploy NAC for wireless networks in in-band or out-of-band mode:
    "NAC Appliance can be deployed for WLANs as an in-band deployment for full-time endpoint scanning or out-of-band within a central site for periodic scanning to confirm posture compliance. The NAC Appliance server performs authentication, posture assessment, and remediation. The server securely controls authenticated and unauthenticated user traffic by managing traffic policies based on protocol/port or subnet, providing bandwidth policy management based on shared, or per-user bandwidth, or using time-based sessions and heartbeat controls. (Figure 1)"
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6521/prod_brochure0900aecd80355b2f_ps6128_Products_Brochure.html
    Does anyone know if it is possible to use NAC out-of-band deployment for wireless networks? If you can point me to some documentation it will be appreciated.
    Regards

    Thanks Robert.
    In my case I am planning to deploy a central NAC appliance at the main office to control some branch offices and local wired users at the main office. The NAC appliance will operate in out-of-band mode. But for wireless users at the main office I will need an additional NAC appliance operating in in-band mode, is this correct?
    Regards

  • NAC In-band Real IP Gateway process

    Hi all,
    I've been doing a lot of research and I still can't find good answers to some of my questions. All the big questions are answered for out-of-band configuration but I find that it's assumed that understanding in-band is taken for granted lol...I guess I'm slow =P
    How does In-band Real-IP Gateway work?
    What is the point of the /30 subnets?
    Are there access/auth VLAN pairs in in-band configurations?
    How does quarantining work?
    I read that the NAC Server can only send traffic out the untrusted port in one VLAN and that you aren't allowed to trunk that port. Does this mean that there's no support for multiple untrusted VLANs mapped to a single NAC Server?
    Can you do role-mapping with in-band configurations?
    Any help with any or all of these questions would be GREATLY appreciated!
    Thanks much =]
    ~ Xavier.

    Hi Xavier,
    let me try to answer your questions
    1.How does In-band Real-IP Gateway work?
    The CAS works in routed mode, so you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Since the CAS doesn't support routing protocols, all the routing has to be configured through static routes
    2. What is the point of the /30 subnets?
    The idea is to have small subnets for your clients so that with this IP config the clients in the authentication VLAN need to go through the CAS even to talk to other clients in the same L2 subnet.
    Check here for some explanation:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cas/s_dhcp.html#wp1057889
    3. Are there access/auth VLAN pairs in in-band configurations?
    If you ask if there's VLAN mapping, then the answer is NO, as the aim of the VLAN mapping is to *bridge* traffic between the trusted and untrusted mapped VLANs, but in Real-IP the CAS does L3 routing of the traffic.
    4. How does quarantining work?
    When a client is quarantined, this works in the same way as in OOB, as in this phase the client is still inline to the CAS.
    So the concept is that the CAS assigns the user to the temporary or quarantine role and it applies a traffic policy that you configured for the temporary or quarantine role.
    5. I read that the NAC Server can only send traffic out the untrusted port in one VLAN and that you aren't allowed to trunk that port. Does this mean that there's no support for multiple untrusted VLANs mapped to a single NAC Server?
    The "single" VLAN restriction for Real-IP CAS applies only to the *trusted* side. The CAS can be the default gateway for multiple VLANs/IP Subnets on the *untrusted* side.
    You configure additional VLAN/IP addresses on the untrusted side using the "managed subnet" configuration.
    This is also mentioned here:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cas/s_deploy.html#wp1050938
    The Clean Access Server can manage one or more subnets, with its untrusted interface acting as a gateway for the managed subnets. For details on setting up managed subnets, see Configuring Managed Subnets or Static Routes, page 5-26.
    6. Can you do role-mapping with in-band configurations?
    Yes, you can do it! However, you cannot assign VLANs as you do in OOB but you can assign different access level based on the IP traffic policies and bandwidth restrictions you assign to the specific role.
    Check for instance here for more details:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_users.html#wp1040231
    In a nutshell, irrespective of the use of InBand vs. OutOfBand:
    - the clients are InBand to the CAS during the CAS discovery, authentication, posture assessment and remediation phases.
    The main difference occurs when the user is authorized to have access to the network; you perform role assignment both in IB and OOB, but:
    - in IB the client traffic keeps on flowing inline to the CAS, so you can apply different access policies (ACL) and bandwidth control policies depending on the role (but you cannot assign VLAN);
    - in OOB the client traffic bypasses the CAS once it's authorized: in this case you can apply different VLANs but (since the CAS is no longer along the path) you can't apply ACLs and/or traffic shaping policies in this case.
    I hope this answers your questions.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • Integrating Cisco ACS and Cisco NAC Manager - Downloadable ACL

    Hi There
    I have Cisco NAC set up in my environment. It is all working fine. The users get themselves authenticated via the Cisco NAC Manager. The Cisco NAC Manager talks to the Cisco ACS for the user database portion. This is all working fine. I would like to enable Downloadable ACL. I have tried using the CISCO-AV-PAIR method and creating a downloadable ACL entry in Shared Components, but nothing works. Either I'm doing it wrongly, or this setup of mine doesn't support downloadable ACL? Please kindly advise.
    Regards,
    Ram

    Hi,
    That is not possible.
    You cannot push ACLs into the NAC manager.
    If you are doing Radius authentication from NAC manager, what you can do is to create Roles on the NAC manager, and on those roles you define traffic policies.
    Using Radius attributes you can then map users to Roles.
    Please take a look into this:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Traffic Shaping and Prioritization in ASA

    Hi Everyone,
    I read that traffic prioritization is always applied in the outbound direction, when traffic is trying to leave the ASA.
    Also, I read that traffic shaping can be applied to all outgoing traffic on an interface.
    I need to know if traffic shaping and prioritization mean the same thing in the ASA?
    Is their direction always outbound?
    Regards
    Mahesh

    Hello Mahesh,
    Not sure I get it but let me see if I can help,
    Priority traffic: basically allows you to split the interface into 2 different queues, one for low-latency traffic and the other for best-effort traffic. The one in the priority queue will always get served first.
    Traffic shaping: it's the buffering QoS technique that allows you to configure a limit on the bandwidth that you will provide to a certain traffic class; when you reach that limit, the traffic that goes over the limit will be placed into a software queue, where it will be held. That's the difference between traffic shaping and policing: with traffic policing you drop the offending traffic, with shaping you hold it (so this is not good for low-latency traffic).
    Now regarding the direction: traffic shaping can only be done in the outbound direction, as queuing is an outbound process.
    For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
    Cheers,
    Julio Carvajal Segura

  • Cisco Guest NAC access reports

    We have just deployed the Cisco Wireless Guest NAC sponsor server. We are running version 2.0.2. I have created different sponsor user groups and one of the groups allows full access to reporting and audit logs. All of the reports seem to be working properly except for the "Access Reports." There are user accounts that have been created and users have successfully logged in; however, the report always shows "No data" no matter what date range I choose. I have attached a screenshot.
    Additional information:
    Our DMZ controller is a Radius client to the NAC. This Cisco controller is running version 6.0.196. I have checked the firewall for any denied traffic from the NAC server to the DMZ controller and the communication is open. We allow port 1812 between the controller and NAC.

    FlexConnect with Split tunneling may work. 
    Read about this feature & see how that can be used in your branch setup. Here is the Ciscolive presentation slides the above came from.
    BRKEWN-2016: Architecting Network for Branch Offices with Cisco Unified Wireless 
    HTH
    Rasika
    **** Pls rate all useful responses ****


    How can I invoke a method of an OLE-object with IN OUT parameter? Trying obj := CREATE_OLEOBJ(localobject VARCHAR2, TRUE); INIT_OLEARGS (n+1); ADD_OLEARG (newvar_1 NUMBER/VARCHAR2, vtype VT_TYPE := VT_R8/VT_BSTR); ADD_OLEARG (newvar_n NUMBER/VARCHAR2