4506- 12.2.25SG Sup2+ 'sho policy-map int' output

The IOS command 'sho policy-map int fa 3/x' does not show the value for only one interface; rather, it shows a cumulative value for all interfaces. Could this be a bug in IOS?
IOS: cat4500-ipbasek9-mz.122-25.SG.bin
#sho policy-map int fa3/6
FastEthernet3/6
Service-policy input: untrusted_model
Class-map: voice_trafic (match-all)
16626976 packets
Match: access-group name voice_trafic
QoS Set
ip dscp ef
Class-map: voice_signaling (match-all)
75954 packets
Match: access-group name voice_signaling
QoS Set
ip dscp ef
Class-map: class-default (match-any)
174134940 packets
Match: any
QoS Set
ip dscp default
#sho policy-map int fa3/5
FastEthernet3/5
Service-policy input: untrusted_model
Class-map: voice_trafic (match-all)
16636254 packets
Match: access-group name voice_trafic
QoS Set
ip dscp ef
Class-map: voice_signaling (match-all)
75954 packets
Match: access-group name voice_signaling
QoS Set
ip dscp ef
Class-map: class-default (match-any)
174161775 packets
Match: any
QoS Set
ip dscp default
#sho policy-map int fa3/5
FastEthernet3/5
Service-policy input: untrusted_model
Class-map: voice_trafic (match-all)
16639246 packets
Match: access-group name voice_trafic
QoS Set
ip dscp ef
Class-map: voice_signaling (match-all)
75954 packets
Match: access-group name voice_signaling
QoS Set
ip dscp ef
Class-map: class-default (match-any)
174167019 packets
Match: any
QoS Set
ip dscp default
#sho policy-map int fa3/5
FastEthernet3/5
Service-policy input: untrusted_model
Class-map: voice_trafic (match-all)
16641517 packets
Match: access-group name voice_trafic
QoS Set
ip dscp ef
Class-map: voice_signaling (match-all)
75954 packets
Match: access-group name voice_signaling
QoS Set
ip dscp ef
Class-map: class-default (match-any)
174175910 packets
Match: any
QoS Set
ip dscp default

The show policy-map interface command displays the packet statistics for classes on the specified interface or the specified PVC only if a service policy has been attached to the interface or the PVC.
Check out the following link for the command reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf12.html#wp1146884
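
A quick way to test the "cumulative counters" suspicion from the captures themselves, as an added example (not code from the poster or from Cisco): parse consecutive `show policy-map interface` captures and flag pairs of different interfaces whose class counters continue one rising series. The function names and the 1% tolerance are assumptions, and the check is a heuristic rather than proof of a defect.

```python
import re

# Two consecutive captures copied from the post above (fa3/6, then fa3/5),
# abridged to the interface, class and counter lines.
FROM_POST = """\
FastEthernet3/6
Service-policy input: untrusted_model
Class-map: voice_trafic (match-all)
16626976 packets
Class-map: voice_signaling (match-all)
75954 packets
Class-map: class-default (match-any)
174134940 packets
FastEthernet3/5
Service-policy input: untrusted_model
Class-map: voice_trafic (match-all)
16636254 packets
Class-map: voice_signaling (match-all)
75954 packets
Class-map: class-default (match-any)
174161775 packets
"""

# Constructed counter-example: what independent per-port counters could look like.
CONSTRUCTED = """\
FastEthernet3/6
Class-map: voice_trafic (match-all)
16626976 packets
Class-map: class-default (match-any)
174134940 packets
FastEthernet3/5
Class-map: voice_trafic (match-all)
1204 packets
Class-map: class-default (match-any)
88310 packets
"""

IFACE = re.compile(r"^[A-Za-z]+Ethernet\d+(/\d+)+$")
CLASS = re.compile(r"^Class-map:\s+(\S+)")
PKTS = re.compile(r"^(\d+) packets")


def parse_snapshots(text):
    """Split pasted CLI output into one {interface, classes} dict per capture."""
    snaps, cur, cls = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if IFACE.match(line):
            cur, cls = {"interface": line, "classes": {}}, None
            snaps.append(cur)
        elif cur is None:
            continue
        elif m := CLASS.match(line):
            cls = m.group(1)
        elif cls and (m := PKTS.match(line)):
            cur["classes"][cls] = int(m.group(1))
            cls = None
    return snaps


def counters_look_shared(a, b, tolerance=0.01):
    """True if two captures of different ports read like one counter set.

    Every common class must be non-decreasing from a to b and differ by less
    than `tolerance` (fraction of the earlier value); all-zero sets are ignored.
    """
    if a["interface"] == b["interface"]:
        return False
    common = a["classes"].keys() & b["classes"].keys()
    if not common or not any(a["classes"][c] for c in common):
        return False
    for name in common:
        x, y = a["classes"][name], b["classes"][name]
        if y < x or (y - x) > tolerance * max(x, 1):
            return False
    return True


def suspicious_pairs(text):
    """Consecutive captures of different interfaces that look shared."""
    snaps = parse_snapshots(text)
    return [(a["interface"], b["interface"])
            for a, b in zip(snaps, snaps[1:]) if counters_look_shared(a, b)]


if __name__ == "__main__":
    print(suspicious_pairs(FROM_POST))
    print(suspicious_pairs(CONSTRUCTED))
```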

Similar Messages

  • Policy-map going into suspended mode over a GRE

    Hi
    I have a GRE tunnel over another GRE tunnel. When I apply a nested policy on the Child GRE the policy map does not attach; what is the cause? The sho policy-map int Tux/x showed that it is suspended. I am not making a breakthrough here. The hardware platform is ASR 1001.
    Thanks
    Don

    Download RecBoot. You can kick it out of recovery mode with that. You may have an underlying issue though causing that. A restore may be in order.

  • POLICY-MAP counters

    I have configured policy-maps and class-maps on 3550 and 3560 switches.
    The following is excerpt....
    class-map match-any voip_class
    match access-group 100
    policy-map voip_policy
    class voip_class
    trust dscp
    interface GigabitEthernet0/12
    service-policy input voip_policy
    priority-queue out
    access-list 100 permit udp any any
    I have the access-list 'open' for testing purposes.
    However when I run the command 'sh policy-map int gi0/12' I get no counters increasing.
    Should I?
    Also if I run the 'sh access-list 100' command, should I get increasing counters?
    Thanks for any help
    Nik Mihelioudakis

    Sh policy map is not supported on this platform
    http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdy50035
    Use "show mls qos interface gig0/12 statistics" instead.

  • Sh policy-map LLQ counters showing strange results.

    I've config'd LLQ for video conferencing across a dual-T1 multilink connection. When I have a video conf. session going, the Class-map counters for 'packets', 'match' and 'pkts matched' under queueing are exactly the same. This is supposed to show either that all packets are being process switched - which they aren't, or that there is congestion on the link, but there isn't. There is nothing else going across the link except my telnet session I use to get the counters. I would have expected all counters, except Class-default, to be zero under the queueing area, and then when I flood the link with large file transfers, the other class queueing counters to begin incrementing - but all counters are equal even without congestion. This doesn't help me prove that my QOS LLQ is working properly. What gives?
    Here is the config and some outputs:
    policy-map WAN-multilink
    class Voice
    priority 90
    class Video
    bandwidth 460
    class Call-Control
    bandwidth 27
    class class-default
    fair-queue
    random-detect
    policy-map QOS_classes
    class Voice
    priority 90
    class Video
    bandwidth 460
    class Call-Control
    bandwidth 27
    class class-default
    fair-queue
    interface Multilink1
    ppp multilink
    ppp multilink fragment delay 20
    ppp multilink interleave
    ppp multilink group 1
    max-reserved-bandwidth 95
    service-policy output WAN-multilink
    interface Serial0/2/0
    bandwidth 1536
    encapsulation ppp
    no fair-queue
    service-module t1 timeslots 1-24
    ppp multilink
    ppp multilink group 1
    max-reserved-bandwidth 95
    interface Serial0/3/0
    bandwidth 1536
    encapsulation ppp
    no fair-queue
    service-module t1 timeslots 1-24
    ppp multilink
    ppp multilink group 1
    max-reserved-bandwidth 95
    MDF-VoIP-RT2811#sh int stats
    Multilink1
    Switching path Pkts In Chars In Pkts Out Chars Out
    Processor 2175 179609 2436 237735
    Route cache 7519 3809321 7416 2108198
    Total 9694 3988930 9852 2345933
    MDF-VoIP-RT2811#sh policy-map int mu 1
    Multilink1
    Service-policy output: WAN-multilink
    Class-map: Voice (match-any)
    2037 packets, 411126 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: ip dscp ef (46)
    2037 packets, 411126 bytes
    5 minute rate 0 bps
    Queueing
    Strict Priority
    Output Queue: Conversation 264
    Bandwidth 90 (kbps) Burst 2250 (Bytes)
    (pkts matched/bytes matched) 2037/411126
    (total drops/bytes drops) 0/0
    Class-map: Video (match-any)
    1919 packets, 1087702 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: ip dscp af41 (34)
    1919 packets, 1087702 bytes
    5 minute rate 0 bps
    Match: ip precedence 4
    0 packets, 0 bytes
    5 minute rate 0 bps
    Queueing
    Output Queue: Conversation 265
    Bandwidth 460 (kbps) Max Threshold 64 (packets)
    (pkts matched/bytes matched) 1919/1087702
    (depth/total drops/no-buffer drops) 0/0/0
    Class-map: Call-Control (match-any)
    430 packets, 31418 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: ip dscp cs3 (24)
    430 packets, 31418 bytes
    5 minute rate 0 bps
    Match: ip precedence 3
    0 packets, 0 bytes
    5 minute rate 0 bps
    Queueing
    Output Queue: Conversation 266
    Bandwidth 27 (kbps) Max Threshold 64 (packets)
    (pkts matched/bytes matched) 430/31418
    (depth/total drops/no-buffer drops) 0/0/0
    Class-map: class-default (match-any)
    4669 packets, 612771 bytes
    5 minute offered rate 3000 bps, drop rate 0 bps
    Match: any
    Queueing
    Flow Based Fair Queueing
    Maximum Number of Hashed Queues 256
    (total queued/total drops/no-buffer drops) 0/0/0
    exponential weight: 9

    In accordance with the above, you would need to apply the policy to the subinterface.
    As my colleague clearly depicts, you should be able to combine the two PVCs into one; that would also be the scenario where the policy comes into action. When you are sending voice over a dedicated PVC there is little need to prioritize the flow. This equals the configuration where you have a dedicated leased line for voice.
    regards,
    Leo

  • Output of show policy-map

    Hi experts,
    below is the output of show policy-map.
    PE3-AMS-EU# show policy-map int serial 3/0/10:0 o
    Serial3/0/10:0
    Service-policy output: rao-pe-out
    Class-map: pe-management-output (match-any)
    0 packets, 0 bytes
    30 second offered rate 0 bps, drop rate 0 bps
    Match: access-group 107
    0 packets, 0 bytes
    30 second rate 0 bps
    Queueing
    queue limit 144 packets
    (queue depth/total drops/no-buffer drops) 0/0/0
    (pkts output/bytes output) 0/0
    bandwidth 8 kbps
    Exp-weight-constant: 7 (1/128)
    Mean queue depth: 0 packets
    class Transmitted Random drop Tail drop Minimum Maximum Mark
    pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
    default 0/0 0/0 0/0 65535 65535 1/10
    6 0/0 0/0 0/0 45 72 1/10
    Class-map: pe-class1-output (match-any)
    131960 packets, 8445440 bytes
    30 second offered rate 249000 bps, drop rate 33000 bps
    Match: ip precedence 4
    131960 packets, 8445440 bytes
    30 second rate 249000 bps
    Police:
    216000 bps, 2000 limit, 2000 extended limit
    conformed 113909 packets, 7290176 bytes; action: transmit
    exceeded 0 packets, 0 bytes; action: drop
    violated 17856 packets, 1142784 bytes; action: drop
    Class-map: pe-class2-output (match-any)
    158740 packets, 64127887 bytes
    30 second offered rate 1897000 bps, drop rate 157000 bps
    Match: ip precedence 6
    158740 packets, 64127887 bytes
    30 second rate 1897000 bps
    Match: ip precedence 2
    0 packets, 0 bytes
    30 second rate 0 bps
    Queueing
    queue limit 144 packets
    (queue depth/total drops/no-buffer drops) 70/13397/0
    (pkts output/bytes output) 149343/60928439
    bandwidth 1586 kbps
    Exp-weight-constant: 7 (1/128)
    Mean queue depth: 69 packets
    class Transmitted Random drop Tail drop Minimum Maximum Mark
    pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
    default 10/575 0/0 0/0 65535 65535 1/10
    6 149333/60927864 13191/5381928 206/84048 45 72 1/10
    2 0/0 0/0 0/0 14 36 1/5
    Class-map: class-default (match-any)
    1352 packets, 546208 bytes
    30 second offered rate 16000 bps, drop rate 45000 bps
    Match: any
    1352 packets, 546208 bytes
    30 second rate 16000 bps
    Queueing
    queue limit 144 packets
    (queue depth/total drops/no-buffer drops) 140/16394/0
    (pkts output/bytes output) 101943/6932124
    bandwidth 176 kbps
    Exp-weight-constant: 7 (1/128)
    Mean queue depth: 185 packets
    class Transmitted Random drop Tail drop Minimum Maximum Mark
    pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
    default 101943/6932124 0/0 15008/1020544 65535 65535 1/10
    5 0/0 0/0 1386/565488 14 36 1/5
    6 0/0 0/0 0/0 45 72 1/10
    0 0/0 0/0 0/0 14 36 1/5
    The min and max threshold values in the output are 65535 for the default class. What is the significance of these values and what are they meant for? Why are the values 65535?

    Explanation for the threshold value 65535:
    For example, if you consider Class-map: class-default (match-any), WRED is configured only for IP Precedence 5, 6 and 0, so the rest of the IP Precedence values will come under the default, with no WRED configured. So under the default, tail drop is used for dropping the packets, instead of WRED. If there is no user-configured default profile, the default action is to tail drop. The value of 65535 displayed for max and min thresholds when there is no default configured is expected behavior; it just means we are going to tail drop.
    I got the above solution from Developer.
    Thanks,
    satish

  • ME3400E parent child policy map

    I've pasted the output of the show policy-map that is applied to an interface that connected to an access layer switch - I want one customer to have 15MB and the other customers to share the remaining bandwidth of the 200MB of internet bandwidth we currently have.
    Does it look like it is working?  It has only been applied for an hour or 2 - I don't understand why under the Class-map: cust1 it shows 0 packets, and under the service policy class-map it shows 0 packets and 0 bytes, but it shows that packets are conforming under the police section . . .
    ME.3400#sh policy-map int g0/11
    GigabitEthernet0/11
      Service-policy input: IP_Parent
        Class-map: cust1 (match-any)
          0 packets
          Match: vlan  301
          Service-policy : cust1
            Class-map: class-default (match-any)
              0 packets, 0 bytes
              5 minute offered rate 0 bps, drop rate 0 bps
              Match: any
          police cir 15000000 bc 468750
             conform-action transmit
             exceed-action drop
          conform: 3354685 (packets) 596174238 (bytes)
          exceed: 0 (packets) 0 (bytes)
          conform: 1945694 bps, exceed: 0 bps
        Class-map: Shared_IP (match-any)
          0 packets
          Match: vlan  300
          Service-policy : Shared_IP
            Class-map: class-default (match-any)
              0 packets, 0 bytes
              5 minute offered rate 0 bps, drop rate 0 bps
              Match: any
          police cir 80000000 bc 1000000
             conform-action transmit
             exceed-action drop
          conform: 878911 (packets) 145461269 (bytes)
          exceed: 0 (packets) 0 (bytes)
          conform: 409508 bps, exceed: 0 bps
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Here is the output after letting it run for 6 days.  Does anyone have an opinion about if it is working correctly?
    I'm still confused by the places where it says 0 packets, or 0 packets, 0 bytes.
    ME.3400#sh policy-map int g0/11
    GigabitEthernet0/11
      Service-policy input: IP_Parent
        Class-map: cust1 (match-any)
          0 packets
          Match: vlan  301
          Service-policy : cust1
            Class-map: class-default (match-any)
              0 packets, 0 bytes
              5 minute offered rate 0 bps, drop rate 0 bps
              Match: any
          police cir 15000000 bc 468750
             conform-action transmit
             exceed-action drop
          conform: 911003596 (packets) 153048040973 (bytes)
          exceed: 445 (packets) 439435 (bytes)
          conform: 2501473 bps, exceed: 0 bps
        Class-map: Shared_IP (match-any)
          0 packets
          Match: vlan  300
          Service-policy : Shared_IP
            Class-map: class-default (match-any)
              0 packets, 0 bytes
              5 minute offered rate 0 bps, drop rate 0 bps
              Match: any
          police cir 180000000 bc 1000000
             conform-action transmit
             exceed-action drop
          conform: 262737871 (packets) 42238049347 (bytes)
          exceed: 0 (packets) 0 (bytes)
          conform: 1005000 bps, exceed: 0 bps
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
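
For judging a capture like the one above, the policer counters are the lines that carry data. The following added example (not code from the thread or from Cisco) parses the second capture, attaches each `police` block to its parent class, and reports burst size as time at CIR, the exceed ratio, and whether the class counter reads zero while the policer has counted packets. The function and key names are assumptions made for this sketch.

```python
import re

# Second capture from the post above (after 6 days), indentation preserved.
CAPTURE = """\
GigabitEthernet0/11
  Service-policy input: IP_Parent
    Class-map: cust1 (match-any)
      0 packets
      Match: vlan  301
      Service-policy : cust1
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
      police cir 15000000 bc 468750
         conform-action transmit
         exceed-action drop
      conform: 911003596 (packets) 153048040973 (bytes)
      exceed: 445 (packets) 439435 (bytes)
      conform: 2501473 bps, exceed: 0 bps
    Class-map: Shared_IP (match-any)
      0 packets
      Match: vlan  300
      Service-policy : Shared_IP
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
      police cir 180000000 bc 1000000
         conform-action transmit
         exceed-action drop
      conform: 262737871 (packets) 42238049347 (bytes)
      exceed: 0 (packets) 0 (bytes)
      conform: 1005000 bps, exceed: 0 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

CLASS = re.compile(r"^(\s*)Class-map:\s+(\S+)")
PKTS = re.compile(r"^\s*(\d+) packets")
POLICE = re.compile(r"police cir (\d+) bc (\d+)")
COUNT = re.compile(r"^\s*(conform|exceed): (\d+) \(packets\) (\d+) \(bytes\)")


def parse_policers(text):
    """Return one dict per top-level class of the parent policy."""
    lines = text.splitlines()
    depths = [len(m.group(1)) for m in map(CLASS.match, lines) if m]
    if not depths:
        return []
    top = min(depths)  # least-indented Class-map lines belong to the parent
    classes, cur, at_top = [], None, False
    for line in lines:
        m = CLASS.match(line)
        if m:
            at_top = len(m.group(1)) == top
            if at_top:
                cur = {"name": m.group(2), "class_packets": None}
                classes.append(cur)
            continue
        if cur is None:
            continue
        if at_top and cur["class_packets"] is None and (m := PKTS.match(line)):
            cur["class_packets"] = int(m.group(1))
        elif m := POLICE.search(line):
            cur["cir_bps"], cur["bc_bytes"] = int(m.group(1)), int(m.group(2))
        elif m := COUNT.match(line):
            cur[m.group(1) + "_packets"] = int(m.group(2))
            cur[m.group(1) + "_bytes"] = int(m.group(3))
    return classes


def summarize(cls):
    """Policer figures for one class, or None if the class has no policer."""
    if "cir_bps" not in cls:
        return None
    conform = cls.get("conform_packets", 0)
    exceed = cls.get("exceed_packets", 0)
    total = conform + exceed
    return {
        "burst_ms": cls["bc_bytes"] * 8 * 1000 / cls["cir_bps"],
        "exceed_ratio": exceed / total if total else 0.0,
        "class_counter_lags_policer": cls["class_packets"] == 0 and total > 0,
    }


if __name__ == "__main__":
    for c in parse_policers(CAPTURE):
        print(c["name"], summarize(c))
```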

  • Is there a policy map difference from 8.0 to 9.0?

    We have been testing blocking a few select websites (no web filtering yet) with some of our smaller location ASA's.  Following the document at:
    https://supportforums.cisco.com/docs/DOC-1268
    I have been successful at sites which run ASA's with version 8.0 of the IOS on them, but not with 9.0.  With 9.0 (2) it appears that when you institute the policy map to make it take effect, it blocks all web traffic, not just the ones specified. 
    So, I guess I'm asking, is there that large of a difference between 8.0 and 9.0 that would cause this to no longer work properly?

    You went to the same page I did 7 hours ago. Use the "FILES TYPE EDIT" solution and follow almost all of the instructions...Edit FIREFOX URL, HYPERTEXT TRANSFER PROTOCOL and HYPERTEXT TRANSFER PROTOCOL WITH PRIVACY....It isn't necessary to take the step of "unchecking the "DDE BOX", just follow the instructions to delete the characters in the "DDE Message Box" and the problem is fixed. If you uncheck the "DDE BOX", as instructed, it may come back to bite you.
    Thank you for helping,
    Sel Warren

  • Policy MAP Issue on ASA

    Hi, I have configured the following policy map to restrict 12.203 to use 5mb bandwidth.
    The issue is that I don't receive any hits when I apply this on the outside interface like this:
    service-policy PM-RATELIMIT interface outside
    But when I add permit ip any any in the ACL then I receive hits.
    Otherwise this map works fine on the inside interface, but I want to apply it on the outside.
    The config is as follows:
    access-list vlan10_rate_limit extended permit ip host 192.168.12.203 any
    class-map CM-RATELIMIT
    match access-list vlan10_rate_limit
    policy-map PM-RATELIMIT
    class CM-RATELIMIT
      police input 5000000

    The ACL that you have configured is sourcing from the internal host to any on the outside. So you would need to apply that on the inside interface.
    If you would like to limit the return traffic towards that host, then you would need to configure ACL with source any and destination the NATed ip address of that internal host.

  • Policy map/ class map/ service policy for IOS xr

    Hi,
    I need to create a policy map and class map/service policy to limit the amount of bandwidth that can be used on one interface both in and out.
    I need the cap for the bandwidth to traverse this circuit to be 10 Meg.
    The IOS XR version we are using is 4.3.4.
    I was hoping someone could help me out by giving me a configuration example I could follow.
    Thank you.

    For instance, like this:
    policy-map police-in
    class class-default
    police rate 10 mbps <optionally set burst>
    policy-map shape-out-parent
    class class-default
    shape average 10 mbps <optional burst config>
    service-policy shape-out-child
    policy-map shape-out-child
    class class-default
    queue-limit 10 packets
    int g 0/0/0/0
    service-policy input police-in
    service-policy output shape-out-parent
    Also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
    and the support forum article "asr9000 quality of service architecture".
    xander

  • Class-Map and Policy-Map Configuration in CM Confusion

    Hi,
    I'm implementing a green field WAAS deployment for a customer. We currently have a Proof-of-Concept up and running.
    I've got some questions regarding custom class-map and policy-map configuration in the CM. I'd like to nail-down the custom class-map and policy-map configuration (and understanding) in the PoC before cutting over the PoC branches to the production WAAS environment.
    Assuming a typical WAAS Deployment using WCCP for off-path interception, branch to DC.
     ==> 61 in LAN (BRANCH ROUTER) <== 62 in WAN        (WAN CLOUD)        ==> 61 in WAN (DC ROUTER) <== 62 in LAN
    We are using two distinct device groups, BRANCH and DATA CENTER.
    If the customer has traffic that we need to classify in order to provide TFO only optimisation, should the single class-map include the traffic in both directions? Ie., (assume the SERVER is 10.1.1.1 TCP Port 443). Should the class-map be configured as:
    Class-Map
    Line 1: DST IP 10.1.1.1 DST Port 443
    Line 2: SRC IP 10.1.1.1 SRC Port 443
    Or in this case is only the DST line required? And in which Device Group should the custom policy be applied? Or should it be applied to both Device Groups? If it should be applied to both Device Groups, then would it make more sense to have the policy-map in the Branch DG configured to match the DST traffic, and on the Data Center DG have a different class-map match the SRC traffic?
    My confusion is how to classify the traffic (SRC or DST or Both - Separate classes for each or different lines within the same class-map), and where to apply the appropriate policy (both Device Groups, just Branch, just DC) and why...
    I tried to apply a custom policy and the impact in the PoC was that the TCP Summary report stopped reporting the individual traffic classes and showed 'other traffic' only. Can anyone explain why this may have occurred?
    I hope this makes sense.


  • 1 policy-map for more than 1 physical interface

    Hi,
    The situation I want to achieve is that 2 physical interfaces (here 2 TP GigabitEthernet ports of a 3750) are limited together by one 'service-policy'/'policy-map'.
    In the example below I have 2 Ports on one switch and the traffic coming in on both ports in total (traffic port #1 + traffic port #2) should be limited to the 'policy-map 5MBits'.
    Right now I have configured a 3750 with:
    class-map match-all EveryMAC
    match access-group name everythingL2
    policy-map 5MBits
    class EveryMAC
    police 5000000 32768 exceed-action drop
    policy-map TEST
    class EveryMAC
    set dscp default
    mac access-list extended everythingL2
    permit any any
    interface GigabitEthernet1/0/1
    description port #1
    switchport access vlan 123
    switchport mode access
    speed 10
    duplex auto
    interface GigabitEthernet1/0/2
    description port #2
    switchport access vlan 123
    switchport mode access
    speed 10
    duplex auto
    interface Vlan123
    service-policy input TEST
    And at the 'other side' a 2950 works with the following config:
    class-map match-all EveryMAC
    match access-group name everythingL2
    policy-map 5MBits
    class EveryMAC
    police 5000000 32768 exceed-action drop
    mac access-list extended everythingL2
    permit any any
    interface FastEthernet0/1
    description port #A
    switchport access vlan 123
    switchport mode access
    speed 10
    duplex auto
    As far as I can see this seems to work. But it would be nice if someone could confirm this or provide another suggestion.
    thanks in advance
    Mark

    The only thing I can think of is, instead of using a MAC ACL, you could just use the default class
    Policy Map Test
    class class-default
    police 56000 8000 exceed-action drop
    Class Map match-any class-default (id 0)
    Match any
    You would be saving a MAC-ACL ;-).

  • Radius accounting for QoS pppoe policy-map

    Hi folks
    I have a radius pushing an AVPAIR ip:sub-qos-policy-out to a virtual template for clients connected to a BRAS through PPPOE.
    The AVPAIR is correctly applied to each and every pppoe session but the following link  http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbbbrs1c.html  is indicating that I should be able to push back to the RADIUS some traffic info per class-map/policy map. This would allow some Quota stuff and getting some info about traffic used per customer
    From what I have been able to configure, I'm not getting any of these stats back to the RADIUS.
    the debug radius accounting :
    *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E):Orig. component type = PPPoE
    *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E): Acct-session-id pre-pended with Nas Port = 0/0/3/0
    *Mar 12 05:29:00.419: RADIUS(0000000E): Config NAS IP: 0.0.0.0
    *Mar 12 05:29:00.419: RADIUS(0000000E): sending
    *Mar 12 05:29:00.419: RADIUS/ENCODE: Best Local IP-Address 192.168.38.133 for Radius-Server 192.168.38.131
    *Mar 12 05:29:00.419: RADIUS(0000000E): Send Accounting-Request to 192.168.38.131:1813 id 1646/55, len 299
    *Mar 12 05:29:00.419: RADIUS:  authenticator ED 94 CF EE BD 73 30 7E - 93 07 A4 C3 50 A6 03 DE
    *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Id     [44]  18  "0/0/3/0_00000005"
    *Mar 12 05:29:00.419: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    *Mar 12 05:29:00.419: RADIUS:  Framed-IP-Address   [8]   6   10.10.10.2
    *Mar 12 05:29:00.419: RADIUS:  User-Name           [1]   9   "olivier"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  35
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-tx-speed=10000000"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-rx-speed=10000000"
    *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Time   [46]  6   2582
    *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Octets   [42]  6   7232
    *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Octets  [43]  6   7232
    *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Packets  [47]  6   517
    *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Packets [48]  6   517
    *Mar 12 05:29:00.419: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    *Mar 12 05:29:00.419: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  15
    *Mar 12 05:29:00.419: RADIUS:   cisco-nas-port     [2]   9   "0/0/3/0"
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port            [5]   6   50331648
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Id         [87]  9   "0/0/3/0"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  41
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=aabb.cc00.6430"
    *Mar 12 05:29:00.419: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar 12 05:29:00.419: RADIUS:  NAS-IP-Address      [4]   6   192.168.38.133
    *Mar 12 05:29:00.419: RADIUS:  Ascend-Session-Svr-K[151] 10
    *Mar 12 05:29:00.419: RADIUS:   37 39 38 32 45 41 38 30          [ 7982EA80]
    *Mar 12 05:29:00.419: RADIUS:  Acct-Delay-Time     [41]  6   0
    *Mar 12 05:29:00.419: RADIUS(0000000E): Started 5 sec timeout
    *Mar 12 05:29:00.419: RADIUS: Received from id 1646/55 192.168.38.131:1813, Accounting-response, len 20
    *Mar 12 05:29:00.419: RADIUS:  authenticator A7 0E 79 40 C5 B5 CF DC - 09 46 27 48 52 BE 01 7D
    What I get in the freeradius log :
    Tue Mar 11 22:30:04 2014
            Acct-Session-Id = "0/0/3/0_00000005"
            Framed-Protocol = PPP
            Framed-IP-Address = 10.10.10.2
            User-Name = "olivier"
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Cisco-AVPair = "nas-tx-speed=10000000"
            Cisco-AVPair = "nas-rx-speed=10000000"
            Acct-Session-Time = 2646
            Acct-Input-Octets = 7428
            Acct-Output-Octets = 7428
            Acct-Input-Packets = 531
            Acct-Output-Packets = 531
            Acct-Authentic = RADIUS
            Acct-Status-Type = Interim-Update
            NAS-Port-Type = Virtual
            Cisco-NAS-Port = "0/0/3/0"
            NAS-Port = 50331648
            NAS-Port-Id = "0/0/3/0"
            Cisco-AVPair = "client-mac-address=aabb.cc00.6430"
            Service-Type = Framed-User
            NAS-IP-Address = 192.168.38.133
            X-Ascend-Session-Svr-Key = "7982EA80"
            Acct-Delay-Time = 0
            Acct-Unique-Session-Id = "523eac6ae326a778"
            Timestamp = 1394602204
            Request-Authenticator = Verified
    user config in the users file on the freeradius server :
    olivier Cleartext-Password := "olivier"
            Service-Type = Framed-User,
            Cisco-AVPair += "ip:addr-pool=pppoepool",
            Cisco-AVpair += "ip:sub-qos-policy-out=TEST"
    I see that the policy map name is pulled correctly from the radius server and applied to the session :
    #sh policy-map session uid 14
     SSS session identifier 14 -
      Service-policy output: TEST
        Class-map: TEST (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          police:
              cir 8000 bps, bc 1500 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            conformed 0 bps, exceed 0 bps
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
    Any input very welcome

    Cisco server is working fine. When you use non-standard or non-RFC requests from your NAS to the AAA server, for instance, you have to configure your server accordingly to instruct it how to handle these kinds of requests.
    This is typically done with something called a "dictionary", which should be included in your radius server. The server typically decodes all RFC 2865 VSAs (or should), but when a new NAS model is introduced into the network, you can modify it to add any VSAs not appearing in the dictionary, which is your case.
    As an example, imagine you want to change the attribute cisco-vsa-port-string to tagged-string; your dictionary will look something similar to:
    And finally you will have to modify it with a text editor or XML editor and change type="tagged-string", supposing your device complies with RFC 2868. Probably the AAA server will have to be restarted to take these changes into account.
    Also, since this does apply to all devices for this vendor, you've got one more option, which is to define your own dictionary for a specific vendor, or even, if you wish, for a specific NAS or group of NASes.
    In NavisRadius you could associate a dictionary with a device by adding a client-class:
    # Client-IP Client-Secret Client-Class
    10.0.0.1 secret taos-old
    And then specifying the dictionary later in client_properties for this device:
    # This file contains information about client classes
    # and is used to set per-client specific information.
    # TAOS Devices in OLD mode with RFC conflicts
    taos-old
    Client-Dictionary=max_dictionary
    # Other devices now, etc.
    Hope it helps

  • [Trend Micro Ios content filtering] parameter-type command under policy map not available

    Hi, all:
    I'm trying to configure TrendMicro IOS content filtering. I have this working on a separate box, running 15.1.
    On this particular testbed, I have a 2900 running:
    System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T1.bin"
    And the following licensing:
    Technology Package License Information for Module:'c2900'
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot 
    ipbase        ipbasek9      Permanent      ipbasek9
    security      securityk9    Permanent      securityk9
    uc            uck9          Permanent      uck9
    data          datak9        Permanent      datak9
    Configuration register is 0x2102
    CUBE_GOLD_MEX#show ip trm subscription status
           Package Name:  Security & Productivity (Trial)
                 Status:  Active
    Status Update Time:  18:02:51 CST Mon Jul 23 2012
        Expiration-Date:  Mon Aug 20 02:00:00 2012
        Last Req Status:  Processed response successfully
    Last Req Sent Time:  18:02:51 CST Mon Jul 23 2012
    CUBE_GOLD_MEX#
    Also, I have the following config lines on it:
    ip host trps.trendmicro.com 216.104.8.100
    ip name-server 4.2.2.2
    ip cef
    multilink bundle-name authenticated
    parameter-map type urlfpolicy trend tm-pmap
    allow-mode on
    [snip]
    parameter-map type trend-global trend-glob-map
    class-map type inspect match-all http-imap
    match protocol http
    class-map type urlfilter trend match-any drop-category
    match url category Abortion
    match url category Activist-Groups
    match url category Adult-Mature-Content
    match url reputation ADWARE
    match url reputation DIALER
    match url reputation DISEASE-VECTOR
    match url reputation HACKING
    match url reputation PASSWORD-CRACKING-APPLICATIONS
    match url reputation PHISHING
    match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
    match url reputation SPYWARE
    match url reputation VIRUS-ACCOMPLICE
    policy-map type inspect urlfilter trend-policy
    class type urlfilter trend drop-category
    I have not been able to get to the good part of configuring the ZBF.
    I've looked over several configuration examples and can't figure out what I'm doing wrong, since I'm not able to see the command 'parameter-map' under the 'policy-map urlfiltering'
    XXXXXX(config)#policy-map type inspect urlfilter trend-policy
    XXXXXX(config-pmap)#?
    Policy-map configuration commands:
      class        policy criteria
      description  Policy-Map description
      exit         Exit from policy-map configuration mode
      no           Negate or set default values of a command
    XXXXXX(config-pmap)#
    I thought it might be an issue with version 15.2.3, but according to configuration guides, commands are the same.
    Can anyone provide some assistance?
    TIA.
    c.

    Hi Carlos,
    I am having the same problem.  I have seen a few different configuration examples and they all show adding the "parameter type urlfpolicy trend parm-map-name" command but it doesn't exist, at least in 15.2(3)T1 and I see it listed in the IOS documentation for 15.2.  Maybe they forgot it :-)
    I guess I will open a TAC case as I do not want to downgrade...
    I will keep you posted if I find the answer.
    Regards,
    Troy

  • Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

    Hi,
    I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
    I have 3 web servers behind a router.
    Public interface: 3 public IP addresses
    Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
    I would like to know the best way to redirect http traffic to the right server.
    My idea is to map a public address to a private address, via NAT, but I'm not sure about the configuration.  I could also redirect via Policy-map and filter by url content.
    So if you have some advice for this case, it would be really appreciated.
    Thank you.
    Chris.

    Hello Christophe,
    As I understand it, you first want the following:
    if somebody goes to A.local.com from the internet, he will be redirected to 192.168.1.10 in your internal network.
    That means you need a static mapping between your public IP address and your local IP address.
    For this example, your local interface is Fa0/0.1, and I don't know your public interface because it is not mentioned in your diagram. I will assume S0/0 for the public interface.
    This is the config for Web Server1. You can do the same with the remaining servers:
    interface fa0/0.1 
    ip nat inside
    interface serial0/0
     ip nat outside
    ip nat inside source static 192.168.1.10 172.1.2.3 
    static mapping from local to public. 
    I suppose you have done the DNS mapping in your network and the ISP has done the same in its network.
    ip route 172.1.2.3 255.255.255.255 serial0/0
    or
    ip route 0.0.0.0 0.0.0.0 serial0/0
    After these steps for each web server, you will get the mapping.
    Now you can restrict access to this IP to only the http or https protocol, on your ISP side and then on your local network,
    like
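    ip access-list extended ACL_WebServer1
     ! "eq" needs a tcp (or udp) entry, and a single address needs the "host" keyword
     permit tcp any host 192.168.1.10 eq www
     deny ip any host 192.168.1.10
    exit
    interface fa0/0.1
     ! applied outbound: traffic to the server leaves the router on this sub-interface
     ip access-group ACL_WebServer1 out
    no shut
    exit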
    That is the first step. 
    Second step : you want to filter traffic by url, that means layer 5 to 7 filtering. 
    I am not sure that it is possible using cisco router with (ZBF + Regex).
    Check the first step and let us know ! 
    Please rate and mark as correct if it is the case. 
    Regards,
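
    An added example, not part of the original reply and not taken from Cisco documentation: a narrower variant of the static NAT above that translates only TCP 80 and 443 and filters on the public interface. The ACL name ACL_WEB_IN and the angle-bracket placeholders are assumptions; Serial0/0 is the public interface the reply assumed.

    ```cisco
    ! Constructed example. 192.168.1.10, 172.1.2.3, Fa0/0.1 and Serial0/0 come from
    ! the reply above; ACL_WEB_IN and the <...> placeholders are assumptions.
    interface FastEthernet0/0.1
     ip nat inside
    ! (the other two server sub-interfaces also need "ip nat inside")
    !
    interface Serial0/0
     ip nat outside
     ip access-group ACL_WEB_IN in
    !
    ! Port-specific static NAT: only these two TCP ports are reachable from outside,
    ! instead of every port on the server as with a plain one-to-one static entry.
    ip nat inside source static tcp 192.168.1.10 80 172.1.2.3 80
    ip nat inside source static tcp 192.168.1.10 443 172.1.2.3 443
    ! Repeat per server with its own address pair:
    ! ip nat inside source static tcp <server2-private-ip> 80 <server2-public-ip> 80
    !
    ! The inbound ACL on the outside interface is evaluated before the
    ! outside-to-inside translation, so it matches the public address.
    ip access-list extended ACL_WEB_IN
     permit tcp any host 172.1.2.3 eq www
     permit tcp any host 172.1.2.3 eq 443
     deny   ip any any log
    ```

    Because this ACL is stateless and ends in an explicit deny, replies to sessions that the servers or the router open outbound are also dropped unless they are permitted separately.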

  • Cisco ACS Policy Mapping

    Hello,
    I have a question about the policy mapping in ACS 5.4.
    When a request matches in "Access Selection Rule" the request goes to an "Access Service".
    In "Access Service" there are three kinds of policy rules:
    - Identity:
    If condition match then result "Identity Source"
    - Group Mapping
    If condition match then result "Identity Group"
    - Authorization
    If condition match then result "Auth Profil"
    Q1:
    For example:
    The User "Test" is registered in Internal User with a local password. But now I will authenticate the user "Test" from a RSA Token server. How can I configure this rule in "identity policy"? Which condition matches to choose the identity source. I will set the internal user with an attribute enumeration field like "Password". The administrator should have an option to choose "locale database password" or "token passcode".
    Q2:
    What does it mean: "Group mapping"?
    Thx for your answer!
    Stefan

    Hi Stefan,
    The User "Test" is registered in Internal User with a local password. But now I will authenticate the user "Test" from a RSA Token server. How can I configure this rule in "identity policy"? Which condition matches to choose the identity source. I will set the internal user with an attribute enumeration field like "Password". The administrator should have an option to choose "locale database password" or "token passcode".
    In the identity, if you click on select, you can select the type of Database, you can choose RSA (you will first need to create the connection under Users and Identity Stores-->External Identity Stores-->RSA secure ID)
    Another way is that you continue to use the internal users DB, but you go to that user internally and select the password type to be RSA
    (you will first need to create the connection under Users and Identity Stores-->External Identity Stores-->RSA secure ID)
    Group mapping is a feature to assign a local identity group as a result by choosing conditions.
    EG:
    If (Active directory x) Then (Internal group x)
    The IF is the condition and Then is Result.
    https://supportforums.cisco.com/docs/DOC-34890
    Hope this Helps.
    Ed
