4506- 12.2.25SG Sup2+ 'sho policy-map int' output
-IOS command 'sho policy-map int fa 3/x' doesnot show value for only one interface rather it shows cumulative value for all interfaces. Could be a bug in IOS ?
IOS: cat4500-ipbasek9-mz.122-25.SG.bin
#sho policy-map int fa3/6
FastEthernet3/6
Service-policy input: untrusted_model
Class-map: voice_trafic (match-all)
16626976 packets
Match: access-group name voice_trafic
QoS Set
ip dscp ef
Class-map: voice_signaling (match-all)
75954 packets
Match: access-group name voice_signaling
QoS Set
ip dscp ef
Class-map: class-default (match-any)
174134940 packets
Match: any
QoS Set
ip dscp default
#sho policy-map int fa3/5
FastEthernet3/5
Service-policy input: untrusted_model
Class-map: voice_trafic (match-all)
16636254 packets
Match: access-group name voice_trafic
QoS Set
ip dscp ef
Class-map: voice_signaling (match-all)
75954 packets
Match: access-group name voice_signaling
QoS Set
ip dscp ef
Class-map: class-default (match-any)
174161775 packets
Match: any
QoS Set
ip dscp default
#sho policy-map int fa3/5
FastEthernet3/5
Service-policy input: untrusted_model
Class-map: voice_trafic (match-all)
16639246 packets
Match: access-group name voice_trafic
QoS Set
ip dscp ef
Class-map: voice_signaling (match-all)
75954 packets
Match: access-group name voice_signaling
QoS Set
ip dscp ef
Class-map: class-default (match-any)
174167019 packets
Match: any
QoS Set
ip dscp default
#sho policy-map int fa3/5
FastEthernet3/5
Service-policy input: untrusted_model
Class-map: voice_trafic (match-all)
16641517 packets
Match: access-group name voice_trafic
QoS Set
ip dscp ef
Class-map: voice_signaling (match-all)
75954 packets
Match: access-group name voice_signaling
QoS Set
ip dscp ef
Class-map: class-default (match-any)
174175910 packets
Match: any
QoS Set
ip dscp default
The show policy-map interface command displays the packet statistics for classes on the specified interface or the specified PVC only if a service policy has been attached to the interface or the PVC.
check out the following link for the command reference :
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf12.html#wp1146884
Similar Messages
-
Policy-map going into suspended mode over a GRE
Hi
I have a GRE tunnel over another GRE tunnel. When I apply a nested policy on the Child GRE the policy map does not attach, what is the cause. The sho policy-map int Tux/x showed that it is suspended I am not making a breakthrough here. The hard ware platform is ASR 1001
Thanks
DonDownload RecBoot. You can kick it out of recovery mode with that. You may have an underlying issue though causing that. A restore may be in order.
Check out the new remodeled MacOSG website! 24-hour Apple-related news & support.
MacOSG: An Apple User Group iTunes: MacOSG Podcast Follow us on Twitter: MacOSG -
I have configured policy-maps and class-maps on 3550 and 3560 switches.
The following is excerpt....
class-map match-any voip_class
match access-group 100
policy-map voip_policy
class voip_class
trust dscp
interface GigabitEthernet0/12
service-policy input voip_policy
priority-queue out
access-list 100 permit udp any any
I have the access-list 'open' for testing purposes.
However when I run the command 'sh policy-map int gi0/12' I get no counters increasing.
Should I?
Also if I run the 'sh access-list 100' command, should I get increasing counters?
Thanks for any help
Nik MihelioudakisSh policy map is not supported on this platform
http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdy50035
Use "show mls qos interface gig0/12 statistics" instead. -
Sh policy-map LLQ counters showing strange results.
I've config'd LLQ for video conferencing across a dual-T1 multilink connection. When I have a video conf. session going, the Class-map counters for 'packets', 'match' and 'pkts matched' under queueing being exactly the same. This is supposed to show either that all packets are being processed switched - which they aren't, or that there is congestion on the link, but there isn't. There is nothing else going across the link except my telnet session I use to get the counters. I would have expected all counters, except Class-default, to be zero under the queueing area, and then when I flood the link with large file transfers, the other class queueing counters to begin incrementing - but all counters are equal even without congestion. This doesn't help me prove that my QOS LLQ is working properly. What gives?
Here is the config and some outputs:
policy-map WAN-multilink
class Voice
priority 90
class Video
bandwidth 460
class Call-Control
bandwidth 27
class class-default
fair-queue
random-detect
policy-map QOS_classes
class Voice
priority 90
class Video
bandwidth 460
class Call-Control
bandwidth 27
class class-default
fair-queue
interface Multilink1
ppp multilink
ppp multilink fragment delay 20
ppp multilink interleave
ppp multilink group 1
max-reserved-bandwidth 95
service-policy output WAN-multilink
interface Serial0/2/0
bandwidth 1536
encapsulation ppp
no fair-queue
service-module t1 timeslots 1-24
ppp multilink
ppp multilink group 1
max-reserved-bandwidth 95
interface Serial0/3/0
bandwidth 1536
encapsulation ppp
no fair-queue
service-module t1 timeslots 1-24
ppp multilink
ppp multilink group 1
max-reserved-bandwidth 95
MDF-VoIP-RT2811#sh int stats
Multilink1
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 2175 179609 2436 237735
Route cache 7519 3809321 7416 2108198
Total 9694 3988930 9852 2345933
MDF-VoIP-RT2811#sh policy-map int mu 1
Multilink1
Service-policy output: WAN-multilink
Class-map: Voice (match-any)
2037 packets, 411126 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
2037 packets, 411126 bytes
5 minute rate 0 bps
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 90 (kbps) Burst 2250 (Bytes)
(pkts matched/bytes matched) 2037/411126
(total drops/bytes drops) 0/0
Class-map: Video (match-any)
1919 packets, 1087702 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp af41 (34)
1919 packets, 1087702 bytes
5 minute rate 0 bps
Match: ip precedence 4
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
Output Queue: Conversation 265
Bandwidth 460 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 1919/1087702
(depth/total drops/no-buffer drops) 0/0/0
Class-map: Call-Control (match-any)
430 packets, 31418 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs3 (24)
430 packets, 31418 bytes
5 minute rate 0 bps
Match: ip precedence 3
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
Output Queue: Conversation 266
Bandwidth 27 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 430/31418
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
4669 packets, 612771 bytes
5 minute offered rate 3000 bps, drop rate 0 bps
Match: any
Queueing
Flow Based Fair Queueing
Maximum Number of Hashed Queues 256
(total queued/total drops/no-buffer drops) 0/0/0
exponential weight: 9In accordance with the above, you would need to apply the policy to the subinterface.
As my collegue clearly depicts, you should be able to combine the two pvc's into one, that would also be the scenario where the policy comes in action. When you are sending voice over a dedicated pvc there is little need to prioritize the flow. This equals the configuration where you have a dedicated leased line for voice.
regards,
Leo -
Hi experts,
below is the output of show policy-map.
PE3-AMS-EU# show policy-map int serial 3/0/10:0 o
Serial3/0/10:0
Service-policy output: rao-pe-out
Class-map: pe-management-output (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: access-group 107
0 packets, 0 bytes
30 second rate 0 bps
Queueing
queue limit 144 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 8 kbps
Exp-weight-constant: 7 (1/128)
Mean queue depth: 0 packets
class Transmitted Random drop Tail drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
default 0/0 0/0 0/0 65535 65535 1/10
6 0/0 0/0 0/0 45 72 1/10
Class-map: pe-class1-output (match-any)
131960 packets, 8445440 bytes
30 second offered rate 249000 bps, drop rate 33000 bps
Match: ip precedence 4
131960 packets, 8445440 bytes
30 second rate 249000 bps
Police:
216000 bps, 2000 limit, 2000 extended limit
conformed 113909 packets, 7290176 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
violated 17856 packets, 1142784 bytes; action: drop
Class-map: pe-class2-output (match-any)
158740 packets, 64127887 bytes
30 second offered rate 1897000 bps, drop rate 157000 bps
Match: ip precedence 6
158740 packets, 64127887 bytes
30 second rate 1897000 bps
Match: ip precedence 2
0 packets, 0 bytes
30 second rate 0 bps
Queueing
queue limit 144 packets
(queue depth/total drops/no-buffer drops) 70/13397/0
(pkts output/bytes output) 149343/60928439
bandwidth 1586 kbps
Exp-weight-constant: 7 (1/128)
Mean queue depth: 69 packets
class Transmitted Random drop Tail drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
default 10/575 0/0 0/0 65535 65535 1/10
6 149333/60927864 13191/5381928 206/84048 45 72 1/10
2 0/0 0/0 0/0 14 36 1/5
Class-map: class-default (match-any)
1352 packets, 546208 bytes
30 second offered rate 16000 bps, drop rate 45000 bps
Match: any
1352 packets, 546208 bytes
30 second rate 16000 bps
Queueing
queue limit 144 packets
(queue depth/total drops/no-buffer drops) 140/16394/0
(pkts output/bytes output) 101943/6932124
bandwidth 176 kbps
Exp-weight-constant: 7 (1/128)
Mean queue depth: 185 packets
class Transmitted Random drop Tail drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
default 101943/6932124 0/0 15008/1020544 65535 65535 1/10
5 0/0 0/0 1386/565488 14 36 1/5
6 0/0 0/0 0/0 45 72 1/10
0 0/0 0/0 0/0 14 36 1/5
The min and max thresold value in the output are 65535 for default class.what is the significance of these values and what are those meant for.Why the values are 65535 ..Explanation for the threshold value 65535:
For example if you consider Class-map: class-default (match-any), WRED is configured only for IP Precedence 5, 6and 0, then rest of the IP Precedence values will come under the default, with no WRED configured. So under the default, tail drop is used for dropping the packets, instead of WRED.If there is no user-configured default profile, the default action is to tail drop. The value of 65535 displayed for max and min thresholds when there is no default configured is expected behavior; it just means we are going to tail drop.
I got the above solution from Developer.
Thanks,
satish -
ME3400E parent child policy map
I've pasted the output of the show policy-map that is applied to an interface that connected to an access layer switch - I want one customer to have 15MB and the other customers to share the remaining bandwidth of the 200MB of internet bandwidth we currently have.
Does it look like it is working? It has only been applied for an hour or 2 - I dont' understand why under the Class-map: cust1 is shows 0 packets, and under the service policy class-Map is shows 0 packets and 0 bytes, but it shows that packets are conforming under the police section . . .
ME.3400#sh policy-map int g0/11
GigabitEthernet0/11
Service-policy input: IP_Parent
Class-map: cust1 (match-any)
0 packets
Match: vlan 301
Service-policy : cust1
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police cir 15000000 bc 468750
conform-action transmit
exceed-action drop
conform: 3354685 (packets) 596174238 (bytes)
exceed: 0 (packets) 0 (bytes)
conform: 1945694 bps, exceed: 0 bps
Class-map: Shared_IP (match-any)
0 packets
Match: vlan 300
Service-policy : Shared_IP
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police cir 80000000 bc 1000000
conform-action transmit
exceed-action drop
conform: 878911 (packets) 145461269 (bytes)
exceed: 0 (packets) 0 (bytes)
conform: 409508 bps, exceed: 0 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: anyHere is the output after letting it run for 6 days. Does anyone have an opinion about if it is working correctly?
I'm still confused by the places where it says 0 packets, or 0 packets, 0 bytes.
ME.3400#sh policy-map int g0/11
GigabitEthernet0/11
Service-policy input: IP_Parent
Class-map: cust1 (match-any)
0 packets
Match: vlan 301
Service-policy : cust1
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police cir 15000000 bc 468750
conform-action transmit
exceed-action drop
conform: 911003596 (packets) 153048040973 (bytes)
exceed: 445 (packets) 439435 (bytes)
conform: 2501473 bps, exceed: 0 bps
Class-map: Shared_IP (match-any)
0 packets
Match: vlan 300
Service-policy : Shared_IP
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police cir 180000000 bc 1000000
conform-action transmit
exceed-action drop
conform: 262737871 (packets) 42238049347 (bytes)
exceed: 0 (packets) 0 (bytes)
conform: 1005000 bps, exceed: 0 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any -
Is there a policy map difference from 8.0 to 9.0?
We have been testing blocking a few select websites (no web filtering yet) with some of our smaller location ASA's. Following the document at:
https://supportforums.cisco.com/docs/DOC-1268
I have been successful at sites which run ASA's with version 8.0 of the IOS on them, but not with 9.0. With 9.0 (2) it appears that when you institute the policy map to make it take effect, it blocks all web traffic, not just the ones specified.
So, I guess I'm asking, is there that large of a difference between 8.0 and 9.0 that would cause this to no longer work properly?You went to the same page I did 7 hours ago. Use the "FILES TYPE EDIT" solution and follow almost all of the instructions...Edit FIREFOX URL, HYPERTEXT TRANSFER PROTOCOL and HYPERTEXT TRANSFER PROTOCOL WITH PRIVACY....It isn't necessary to take the step of "unchecking the "DDE BOX", just follow the instructions to delete the characters in the "DDE Message Box" and the problem is fixed. If you uncheck the "DDE BOX", as instructed, it may come back to bite you.
Thank you for helping,
Sel Warren -
Hi i have configured following Policy MAp to restrict 12.203 to use 5mb bandwidth.
Issue is that i dont recieve any hits when i apply this on outside interface like that
service-policy PM-RATELIMIT interface outside
But when i add permit ip any any in ACL then i receive hits.
Else This map work fine in inside interface but i want to apply it on outside .
Conf are as follows
access-list vlan10_rate_limit extended permit ip host 192.168.12.203 any
class-map CM-RATELIMIT
match access-list vlan10_rate_limit
policy-map PM-RATELIMIT
class CM-RATELIMIT
police input 5000000the ACL that you have configured is sourcing from the internal host to any on the outside. So you would need to apply that on the inside interface.
If you would like to limit the return traffic towards that host, then you would need to configure ACL with source any and destination the NATed ip address of that internal host. -
Policy map/ class map/ service policy for IOS xr
Hi,
I need to create a policy map and class map/service policy to limit the amount of bandwidth that can be used on one interface both in and out.
I need the cap for the bandwidth to traverse this circuit to ne 10 Meg.
the IOS xr version we are using is 4.3.4
I was hoping someone could help me out by giving me a configuration example I could follow.
Thank you.for instance like this:
policy-map police-in
class class-default
police rate 10 mpbs <optionally set burst>
policy-map shape-out-parent
class class-default
shape 10 mpbs <optional burst config>
service-policy shape-out-child
policy-map shape-out-child
class class-default
queue-limit 10 packets
int g 0/0/0/0
service-policy police-in in
service-policy shape-out-parent out
also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
and the support forum article of "asr9000 quality of service architecture"
xander -
Class-Map and Policy-Map Configuration in CM Confusion
Hi,
I'm implementing a green field WAAS deployment for a customer. We currently have a Proof-of-Concept up and running.
I've got some questions regarding custom class-map and policy-map configuration in the CM. I'd like to nail-down the custom class-map and policy-map configuration (and understanding) in the PoC before cutting over the PoC branches to the production WAAS environment.
Assuming a typical WAAS Deployment using WCCP for off-path interception, branch to DC.
==> 61 in LAN (BRANCH ROUTER) <== 62 in WAN (WAN CLOUD) ==> 61 in WAN (DC ROUTER) <== 62 in LAN
We are using two distinct device groups, BRANCH and DATA CENTER.
If the customer has traffic that we need to classify in order to provide TFO only optimisation, should the single class-map include the traffic in both directions? Ie., (assume the SERVER is 10.1.1.1 TCP Port 443). Should the class-map be configured as:
Class-Map
Line 1: DST IP 10.1.1.1 DST Port 443
Line 2: SRC IP 10.1.1.1 SRC Port 443
Or in this case is only the DST line required? And in which Device Group should the custom policy be applied? Or should it be applied to both Device Groups? If it should be applied to both Device Groups, then would it make more sense to have the policy-map in the Branch DG configured to match the DST traffic, and on the Data Center DG have a different class-map match the SRC traffic?
My confusion is how to classify the traffic (SRC or DST or Both - Separate classes for each or different lines within the same class-map), and where to apply the appropriate policy (both Device Groups, just Branch, just DC) and why...
I tried to apply a custom policy and the impact in the PoC was that the TCP Summary report stopped reporting the individual traffic classes showed 'other traffic' only. Can anyone explain why this may have occurred?
I hope this makes sense.for instance like this:
policy-map police-in
class class-default
police rate 10 mpbs <optionally set burst>
policy-map shape-out-parent
class class-default
shape 10 mpbs <optional burst config>
service-policy shape-out-child
policy-map shape-out-child
class class-default
queue-limit 10 packets
int g 0/0/0/0
service-policy police-in in
service-policy shape-out-parent out
also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
and the support forum article of "asr9000 quality of service architecture"
xander -
1 policy-map for more than 1 physical interface
Hi,
the situation I want to achieve is, that 2 physical interfaces (here 2 TP GigbitEthernet Ports of a 3750) are limited together from one 'service-policy'/'policy-map'.
In the example below I have 2 Ports on one switch and the traffic coming in on both ports in total (traffic port #1 + traffic port #2) should be limited to the 'policy-map 5MBits'.
Right now I have configured a 3750 with:
class-map match-all EveryMAC
match access-group name everythingL2
policy-map 5MBits
class EveryMAC
police 5000000 32768 exceed-action drop
policy-map TEST
class EveryMAC
set dscp default
mac access-list extended everythingL2
permit any any
interface GigabitEthernet1/0/1
description port #1
switchport access vlan 123
switchport mode access
speed 10
duplex auto
interface GigabitEthernet1/0/2
description port #2
switchport access vlan 123
switchport mode access
speed 10
duplex auto
interface Vlan123
service-policy input TEST
And at the 'other side' a 2950 works with the following config:
class-map match-all EveryMAC
match access-group name everythingL2
policy-map 5MBits
class EveryMAC
police 5000000 32768 exceed-action drop
mac access-list extended everythingL2
permit any any
interface FastEthernet0/1
description port #A
switchport access vlan 123
switchport mode access
speed 10
duplex auto
As far as I can see this seems to work. But it would be nice if someone can confirm this or provide an other suggestion.
thanks in advance
MarkOnly thing i can think of is instead of using a MAC ACL , u cud jus use the default class
Policy Map Test
class class-default
police 56000 8000 exceed-action drop
Class Map match-any class-default (id 0)
Match any
You would be saving a MAC-ACL ;-). -
Radius accounting for QoS pppoe policy-map
Hi folks
I have a radius pushing an AVPAIR ip:sub-qos-policy-out to a virtual template for clients connected to a BRAS through PPPOE.
The AVPAIR is correctly applied to each and every pppoe session but the following link http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbbbrs1c.html is indicating that I should be able to push back to the RADIUS some traffic info per class-map/policy map. This would allow some Quota stuff and getting some info about traffic used per customer
From what I have been able to configure, i'm not getting any of this stats back to the RADIUS
the debug radius accounting :
*Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E):Orig. component type = PPPoE
*Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E): Acct-session-id pre-pended with Nas Port = 0/0/3/0
*Mar 12 05:29:00.419: RADIUS(0000000E): Config NAS IP: 0.0.0.0
*Mar 12 05:29:00.419: RADIUS(0000000E): sending
*Mar 12 05:29:00.419: RADIUS/ENCODE: Best Local IP-Address 192.168.38.133 for Radius-Server 192.168.38.131
*Mar 12 05:29:00.419: RADIUS(0000000E): Send Accounting-Request to 192.168.38.131:1813 id 1646/55, len 299
*Mar 12 05:29:00.419: RADIUS: authenticator ED 94 CF EE BD 73 30 7E - 93 07 A4 C3 50 A6 03 DE
*Mar 12 05:29:00.419: RADIUS: Acct-Session-Id [44] 18 "0/0/3/0_00000005"
*Mar 12 05:29:00.419: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Mar 12 05:29:00.419: RADIUS: Framed-IP-Address [8] 6 10.10.10.2
*Mar 12 05:29:00.419: RADIUS: User-Name [1] 9 "olivier"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 35
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 29
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 23 "nas-tx-speed=10000000"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 29
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 23 "nas-rx-speed=10000000"
*Mar 12 05:29:00.419: RADIUS: Acct-Session-Time [46] 6 2582
*Mar 12 05:29:00.419: RADIUS: Acct-Input-Octets [42] 6 7232
*Mar 12 05:29:00.419: RADIUS: Acct-Output-Octets [43] 6 7232
*Mar 12 05:29:00.419: RADIUS: Acct-Input-Packets [47] 6 517
*Mar 12 05:29:00.419: RADIUS: Acct-Output-Packets [48] 6 517
*Mar 12 05:29:00.419: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Mar 12 05:29:00.419: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
*Mar 12 05:29:00.419: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 15
*Mar 12 05:29:00.419: RADIUS: cisco-nas-port [2] 9 "0/0/3/0"
*Mar 12 05:29:00.419: RADIUS: NAS-Port [5] 6 50331648
*Mar 12 05:29:00.419: RADIUS: NAS-Port-Id [87] 9 "0/0/3/0"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 41
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 35 "client-mac-address=aabb.cc00.6430"
*Mar 12 05:29:00.419: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 12 05:29:00.419: RADIUS: NAS-IP-Address [4] 6 192.168.38.133
*Mar 12 05:29:00.419: RADIUS: Ascend-Session-Svr-K[151] 10
*Mar 12 05:29:00.419: RADIUS: 37 39 38 32 45 41 38 30 [ 7982EA80]
*Mar 12 05:29:00.419: RADIUS: Acct-Delay-Time [41] 6 0
*Mar 12 05:29:00.419: RADIUS(0000000E): Started 5 sec timeout
*Mar 12 05:29:00.419: RADIUS: Received from id 1646/55 192.168.38.131:1813, Accounting-response, len 20
*Mar 12 05:29:00.419: RADIUS: authenticator A7 0E 79 40 C5 B5 CF DC - 09 46 27 48 52 BE 01 7D
What I get in the freeradius log :
Tue Mar 11 22:30:04 2014
Acct-Session-Id = "0/0/3/0_00000005"
Framed-Protocol = PPP
Framed-IP-Address = 10.10.10.2
User-Name = "olivier"
Cisco-AVPair = "connect-progress=LAN Ses Up"
Cisco-AVPair = "nas-tx-speed=10000000"
Cisco-AVPair = "nas-rx-speed=10000000"
Acct-Session-Time = 2646
Acct-Input-Octets = 7428
Acct-Output-Octets = 7428
Acct-Input-Packets = 531
Acct-Output-Packets = 531
Acct-Authentic = RADIUS
Acct-Status-Type = Interim-Update
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/0"
NAS-Port = 50331648
NAS-Port-Id = "0/0/3/0"
Cisco-AVPair = "client-mac-address=aabb.cc00.6430"
Service-Type = Framed-User
NAS-IP-Address = 192.168.38.133
X-Ascend-Session-Svr-Key = "7982EA80"
Acct-Delay-Time = 0
Acct-Unique-Session-Id = "523eac6ae326a778"
Timestamp = 1394602204
Request-Authenticator = Verified
user config in the users file on the freeradius server :
olivier Cleartext-Password := "olivier"
Service-Type = Framed-User,
Cisco-AVPair += "ip:addr-pool=pppoepool",
Cisco-AVpair += "ip:sub-qos-policy-out=TEST"
I see that the policy map name is pulled correctly from the radius server and applied to the session :
#sh policy-map session uid 14
SSS session identifier 14 -
Service-policy output: TEST
Class-map: TEST (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police:
cir 8000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Any input very welcomeCisco sever is working fine. When you do use non-standard or non-RFC requests from your NAS to the AAA server for instance, you have to configure your server accordingly to instruct it how to handle this kind of requests.
This is typically done with something called "dictionary", which should be included in your radius server. The server typically decodes all RFC 2865 VSAs (or should), but when a new NAS model is introduced into the network, you can modify it to add any VSAs not appearing in the dictionary, which is your case.
As an example, imagine you want to change the attribute cisco-vsa-port-string to tagged-string, your dictionary will look somethign similar than:
And finally you will have to modify with a text editor, or XML editor and change type="tagged-string" supposing your device comply with RFC 2868. Probably
the AAA server will have to restarted for taking this
changes into account.
Also,since this does apply to all devices for this vendor, you've got other option more, which is define your own dictionary for a specific vendor, or even if you wish for a specific NAS or group or NASes.
In NavisRadius you could associate a dictionary to a
device adding a client-class:
# Client-IP Client-Secret Client-Class
10.0.0.1 secret taos-old
And then specifying the dictionary later in client_properties for this device:
# This file contains information about client classes # and is used to set per-client specific information.
# TAOS Devices in OLD mode with RFC conflicts
taos-old
Client-Dictionary=max_dictionary
# Other devices now, etc.
Hope it helps -
Hi, all:
I'm trying to configure TrendMicro IOS content filtering. I have this working on a separate box, running 15.1.
On this particular testbed, I have a 2900 running:
System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T1.bin"
And the following licensing:
Technology Package License Information for Module:'c2900'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
uc uck9 Permanent uck9
data datak9 Permanent datak9
Configuration register is 0x2102
CUBE_GOLD_MEX#show ip trm subscription status
Package Name: Security & Productivity (Trial)
Status: Active
Status Update Time: 18:02:51 CST Mon Jul 23 2012
Expiration-Date: Mon Aug 20 02:00:00 2012
Last Req Status: Processed response successfully
Last Req Sent Time: 18:02:51 CST Mon Jul 23 2012
CUBE_GOLD_MEX#
Also, I have the following config lines on it:
ip host trps.trendmicro.com 216.104.8.100
ip name-server 4.2.2.2
ip cef
multilink bundle-name authenticated
parameter-map type urlfpolicy trend tm-pmap
allow-mode on
[snip]
parameter-map type trend-global trend-glob-map
class-map type inspect match-all http-imap
match protocol http
class-map type urlfilter trend match-any drop-category
match url category Abortion
match url category Activist-Groups
match url category Adult-Mature-Content
match url reputation ADWARE
match url reputation DIALER
match url reputation DISEASE-VECTOR
match url reputation HACKING
match url reputation PASSWORD-CRACKING-APPLICATIONS
match url reputation PHISHING
match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
match url reputation SPYWARE
match url reputation VIRUS-ACCOMPLICE
policy-map type inspect urlfilter trend-policy
class type urlfilter trend drop-category
I have not been able to get to the good part of configuring the ZBF.
I've looked over several configuration examples and can't figure out what I'm doing wrong, since I'm not able to see the command 'parameter-map' under the 'policy-map urlfiltering'
XXXXXX(config)#policy-map type inspect urlfilter trend-policy
XXXXXX(config-pmap)#?
Policy-map configuration commands:
class policy criteria
description Policy-Map description
exit Exit from policy-map configuration mode
no Negate or set default values of a command
XXXXXX(config-pmap)#
I thought it might be an issue with version 15.2.3, but according to configuration guides, commands are the same.
Can anyone provide some assistance?
TIA.
c.Hi Carlos,
I am having the same problem. I have seen a few diffenent configuration examples and they all show adding the "parameter type urlfpolicy trend parm-map-name" command but it doesn't exist, at least in 15.2(3)T1 and I see it listed in the the IOS documentation for 15.2. Maybe they forgot it :-)
I guess I will open a TAC case as I do not want to downgrade...
I will keep you posted if I find the answer.
Regards,
Troy -
Hi,
I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
I have 3 web servers behind a router.
Public interface: 3 public ip adresses
Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
I would to know the best way to redirect http traffic to the right server.
My idea is to map a public address to a private address, via NAT, but I'm not sure for the configuration. I could also redirect via Policy-map and filter by url content.
So if you have some advise for this case, it would be really appreciated.
Thank you.
Chris.Hello Christophe,
As I understand you want 1st that ;
if somebody go to A.local.com from internet then he will redirect to 192.168.1.10 in your internal network.
That means, you need static mapping between your public @ip address and your local ip address.
for this example, your local interface is Fa0/0.1 and I dont your public interface because it is not mention in your diagram. I will suppose S0/0 for public interface.
that is the config for the Web Server1. You can do the same with the remaining servers:
interface fa0/0.1
ip nat inside
interface serial0/0
ip nat outside
ip nat inside source static 192.168.1.10 172.1.2.3
static mapping from local to public.
I suppose you have done the dns mapping in your network and the ISP have done the same in his network.
ip route 171.1.2.3 interface serial0/0
or
ip route 0.0.0.0 0.0.0.0 interface serial0/0.
After these step for each web server, you will get the mapping.
Now you can restrict access to this ip only to http or https protocol on your isp and after on your local network
like
ip access-list extended ACL_WebServer1
permit ip any 192.168.1.10 eq www
deny ip any 192.168.1.10
exit
interface fa0/0.1
ip acess-group ACL_WebServer1 in
no shut
exit
That is the first step.
Second step : you want to filter traffic by url, that means layer 5 to 7 filtering.
I am not sure that it is possible using cisco router with (ZBF + Regex).
Check the first step and let us know !
Please rate and mark as correct if it is the case.
Regards, -
Hallo,
I have a question about the policy mapping in ACS 5.4.
When a request matches in "Access Selection Rule" the request goes to an "Access Service".
In "Access Service" there are three kinds of policy rules:
- Identity:
If condition match then result "Identity Source"
- Group Mapping
If condition match then result "Identity Group"
- Authorization
If condition match the result "Auth Profil"
Q1:
For example:
The User "Test" is registered in Internal User with a local password. But now I will authenticate the user "Test" from a RSA Token server. How can I configure this rule in "identity policy"? Wich condition matches to choose the identity source. I will set the internal user with an attribute enumeration field like "Password". The administrator should have an option to choose "locale databse password" or "token passcode".
Q2:
What does it mean: "Group mapping"?
Thx for your answer!
StefanHi Stefan,
The User "Test" is registered in Internal User with a local password. But now I will authenticate the user "Test" from a RSA Token server. How can I configure this rule in "identity policy"? Wich condition matches to choose the identity source. I will set the internal user with an attribute enumeration field like "Password". The administrator should have an option to choose "locale databse password" or "token passcode".
In the identity, if you click on select, you can select the type of Database, you can choose RSA (you will first need to create the connection under Users and Identity Stores-->External Identity Stores-->RSA secure ID)
Another, way is you continue to use the internal users DB, but you go to that user internally and select the password type to be RSA
(you will first need to create the connection under Users and Identity Stores-->External Identity Stores-->RSA secure ID)
Group mapping is a feature to assign a local identity group as a result by choose conditions.
EG:
If (Active directory x) Then (Internal group x)
The IF is the condition and Then is Result.
https://supportforums.cisco.com/docs/DOC-34890
Hope this Helps.
Ed
Maybe you are looking for
-
Question on creation of t-code for SAP query
Hello, I posted a thread in here back on 06/20/2007 asking for help on creating a t-code for a SAP query. one of the responses that I recieved was <i>"Sure, all you need to do is get the report name which is generated by the query. You can find this
-
How to match edges of objects precisely?
Hi all Okay, I have two objects, A and B, both with very irregular, jagged, edges. They should be contiguous and I want the edges to match exactly point for point, so when the border of A goes out, the border of B goes in. A is to the left of B, and
-
FBZP APP configuration - Urgent
Hi sap guru's, I had encountered with the following problem. Our client has 3 a/c's with a bank SBI at same branch(mumbai) and he issues cheques from all 3 a/c's. Here how the configuration should be done for check payment method for APP. can any o
-
Pls note that I did not make those purchese of £18.99
Pls note that I did not purches the item of £18.99 on the invoice u sent me
-
I have 13 sequences that I need to batch export. When I send the sequences to Media Encoder for a batch export, the videos are all out of sync and I lose a lot of frames. When I export individually from PP, the export is fine. Is anyone else having o