ADSL QOS service policy
My ISP has said they will set up their side to give 50% policed real time traffic and 30% for our application traffic burstable then 5% anything else burstable. The QOS below is my attempt to do this but I was advised that to apply it to the Dialer 1 interface I had to create a second policy-map (ADSLOut) which had the class-default and the child policy (QOSADSL) within that.
When I did this I can't apply it to the Dialer 1 interface, but if I use the child policy then it will allow me to apply that. Will this work the same way?
class-map match-all RealTime
match ip dscp ef
class-map match-all General
match any
class-map match-any Application
match ip dscp cs3
match ip dscp af41
policy-map QOSADSL
class RealTime
bandwidth percent 50
class Application
priority percent 30
class General
priority percent 5
class class-default
shape peak percent 85
policy-map ADSLOut
class class-default
service-policy QOSADSL
interface Dialer1
<Snipped>
bandwidth 1240
ip nbar protocol-discovery
ip flow ingress
ip flow egress
load-interval 30
tx-ring-limit 3
tx-queue-limit 3
service-policy output QOSADSL
or
service-policy output ADSLOut
Hi @scotlandvisit,
My first opinion is a recommendation: in the policy-map, when you're configuring LLQ use the priority command for delay-sensitive traffic (Voice) and the bandwidth command for the rest. This is because the priority command is used to identify a class as a "strict priority class" which in my opinion should be the voice traffic and the bandwidth command is used to allocate bandwidth to nonpriority classes.
The interface is not letting you apply the service-policy because you have to configure shaping inside the class-default of the parent policy-map. This shape is going to be the value in bps that you want to assign to the traffic classes that you've configured. For example, let's say that you want to allocate 1Mbps for all the classes.
policy-map QOSADSL
class RealTime
priority percent 50
class Application
bandwidth percent 30
class General
bandwidth percent 5
class class-default
shape peak percent 85
policy-map ADSLOut
class class-default
shape average 1000000
service-policy QOSADSL
interface Dialer1
service-policy output ADSLOut
Try this configuration and let me know.
HTH.
Rgrds,
Martin, IT Specialist
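The two points in the reply (the parent's class-default needs a shaper before a nested policy will attach to the Dialer, and priority belongs on the delay-sensitive class only) can be checked mechanically before pasting a policy onto a production box. The following linter is an added example, not code from this thread or from Cisco: it parses a pasted MQC fragment, ignoring indentation, and applies those two rules plus the percent budget IOS enforces. The rule set and the function names are this example's own assumptions; the two sample configs are the poster's original and the corrected version from the reply.

```python
"""Lint a Cisco MQC (policy-map) fragment for the hierarchical-QoS mistakes
raised in this thread. Added example: the checks encode the advice in the
reply (shaper in the parent's class-default, 'priority' only for the
delay-sensitive class) plus the percent budget IOS enforces; the rule set is
an assumption of this example, not Cisco's own validation logic."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ClassEntry:
    name: str
    priority_pct: int = 0
    bandwidth_pct: int = 0
    shape: Optional[str] = None   # e.g. "average 1000000"
    child: Optional[str] = None   # nested policy-map name


@dataclass
class PolicyMap:
    name: str
    classes: List[ClassEntry] = field(default_factory=list)


TOP_LEVEL = ("policy-map", "class-map", "interface")


def parse_policy_maps(text: str) -> Dict[str, PolicyMap]:
    """Build {name: PolicyMap}; indentation is ignored because pasted
    forum configs rarely keep it."""
    pmaps: Dict[str, PolicyMap] = {}
    pm: Optional[PolicyMap] = None
    cls: Optional[ClassEntry] = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] in TOP_LEVEL:
            # Leaving a policy-map resets context, so the interface's
            # 'service-policy output ...' is not mistaken for a nested child.
            pm = cls = None
            if tok[0] == "policy-map" and len(tok) > 1:
                pm = PolicyMap(tok[1])
                pmaps[tok[1]] = pm
        elif tok[0] == "class" and pm is not None and len(tok) > 1:
            cls = ClassEntry(tok[1])
            pm.classes.append(cls)
        elif cls is None:
            continue
        elif tok[0] in ("priority", "bandwidth") and len(tok) >= 3 and tok[1] == "percent":
            setattr(cls, tok[0] + "_pct", int(tok[2]))
        elif tok[0] == "shape":
            cls.shape = " ".join(tok[1:])
        elif tok[0] == "service-policy":
            cls.child = tok[-1]
    return pmaps


def lint(pmaps: Dict[str, PolicyMap]) -> List[str]:
    findings: List[str] = []
    for pm in pmaps.values():
        total = sum(c.priority_pct + c.bandwidth_pct for c in pm.classes)
        if total > 100:
            findings.append(f"ERROR {pm.name}: priority+bandwidth percent sums to {total} (> 100)")
        elif total > 75:
            findings.append(f"WARN {pm.name}: {total}% reserved; classic IOS caps this at "
                            "max-reserved-bandwidth (default 75%)")
        pri = [c.name for c in pm.classes if c.priority_pct]
        if len(pri) > 1:
            findings.append(f"WARN {pm.name}: LLQ 'priority' on {pri}; keep it for the "
                            "delay-sensitive class and use 'bandwidth' for the rest")
        for c in pm.classes:
            if c.child is None:
                continue
            if c.child not in pmaps:
                findings.append(f"ERROR {pm.name}/{c.name}: child policy '{c.child}' is not defined")
            if c.name == "class-default" and c.shape is None:
                findings.append(f"ERROR {pm.name}: class-default nests '{c.child}' but has no "
                                "'shape'; the parent will not attach to the interface")
    return findings


def errors(pmaps: Dict[str, PolicyMap]) -> List[str]:
    return [f for f in lint(pmaps) if f.startswith("ERROR")]


# The poster's original fragment and the corrected one from the reply.
ORIGINAL = """
class-map match-all RealTime
 match ip dscp ef
policy-map QOSADSL
 class RealTime
  bandwidth percent 50
 class Application
  priority percent 30
 class General
  priority percent 5
 class class-default
  shape peak percent 85
policy-map ADSLOut
 class class-default
  service-policy QOSADSL
interface Dialer1
 service-policy output QOSADSL
"""

FIXED = """
policy-map QOSADSL
 class RealTime
  priority percent 50
 class Application
  bandwidth percent 30
 class General
  bandwidth percent 5
 class class-default
  shape peak percent 85
policy-map ADSLOut
 class class-default
  shape average 1000000
  service-policy QOSADSL
interface Dialer1
 service-policy output ADSLOut
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label)
        for f in lint(parse_policy_maps(cfg)) or ["  clean"]:
            print(" ", f)
```

Run it on the original fragment and the missing shaper in ADSLOut shows up as an error, while the 85% reservation is only a warning: it is fine on HQF images but will be refused on older IOS unless max-reserved-bandwidth is raised.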
Similar Messages
-
Assign QoS Service Policy via RADIUS to Catalyst 45k/37k?
hi,
is there a way to assign a QoS service policy via Radius to a Catalyst 4500/3750 Switchport?
in detail, we would like to assign this policy
policy-map SET_EF
class class-default
set dscp ef
to an interface. All traffic should be marked with a defined DSCP value.
This works fine when doing it statically with
interface FastEthernet2/1
service-policy input SET_EF
but we would need to assign such a policy via Radius during the 802.1x Authentication. different users should get different policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for
that in the Authorization Profile Common Tasks Configuration. in detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.
we found also two other attributes "sub-qos-policy-in" and "ip:sub-qos-policy-in" for that. CCO says that "ip:sub-qos-policy-in" works with Catalyst 65k (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1926523)
unfortunately this seems to not work on Catalyst 45k and 37k.
In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
it is interesting that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayed - so for my understanding the switch should understand these attributes (?)
4503-E#sh aaa attributes
AAA ATTRIBUTE LIST:
Type=1 Name=disc-cause-ext Format=Enum
Type=2 Name=Acct-Status-Type Format=Enum
<snip>
Type=345 Name=sub-policy-In Format=String
Type=346 Name=sub-qos-policy-in Format=String
Type=347 Name=sub-policy-Out Format=String
Type=348 Name=sub-qos-policy-out Format=String
any input is welcome :-))
best regards
Additionally to this discussion, i've just opened a service request with TAC.
unfortunately the engineer told me that by now per-User QoS is definitely not supported on these two platforms but it's listed on the roadmap and will be possibly available mid 2012...... -
DMVPN per tunnel QOS. show policy-map multipoint not working
Hi All,
I have a DMVPN hub which is a 1841 with image c1841-advsecurityk9-mz.151-4.M1.bin .
I have been using DMVPN and its awesome but now trying to get the QOS sorted out and having issues.
I have configured the interface like so.
interface Tunnel1
ip address 10.255.255.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication xxx
ip nhrp map multicast dynamic
ip nhrp map group ADSL1 service-policy output ADSL1
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon
ip ospf 1 area 0
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
tunnel path-mtu-discovery
tunnel protection ipsec profile VPN
end
policy-map ADSL1
class class-default
shape average 1000000
service-policy Classes
policy-map Classes
class Silver
bandwidth percent 25
fair-queue
class Gold
bandwidth percent 50
fair-queue
class Scavanger
bandwidth percent 5
class class-default
fair-queue
The output of show dmvpn detail shows it has applied the QOS rule.
NG-SR-WE-RT-2#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel1 is up/up, Addr. is 10.255.255.1, VRF ""
Tunnel Src./Dest. addr: 10.32.0.100/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "VPN"
Interface State Control: Disabled
Type:Hub, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
1 x.x.x.x 10.255.255.2 UP 1d18h D 10.255.255.2/32
NHRP group: ADSL1
Output QoS service-policy applied: ADSL1
but my router cannot run show policy-map multipoint... it doesn't come up with a tab but i can write it in by hand. Even when i write it in by hand it outputs blank.
I cut the ADSL1 shape down to 512k and it didn't take effect so i don't think the qos is working at all.
Is my feature set too low?
Cheers,
Simon
Ray,
There could be multiple reasons for it not to function, the config on hub seems just fine, we'd need to inspect the spokes and check (most likely) in debugs if correct group is being sent from spoke.
Also coexistence of other service-policy etc etc.
The feature is quite simple (some level of simplification), spoke says he is in group X when registering, hub assigns this NHRP mapping a service-policy.
M. -
Service Policy won't attach to interface - NO error
Hi,
Am doing some simple CE VoIP QoS for a IPSEC/GRE Customer. I try to ATTACH the policy to the tunnel outbound and the command is accepted without any error but nothing appears in the config.
Here's the base config:
class-map match-all IPSEC-VPN
match access-group name IKE_ACL
class-map match-all ROUTING
match ip dscp cs6
class-map match-all NETWORK-MANAGEMENT
match ip dscp cs2
class-map match-any VOICE-SIGNAL
match protocol rtp
match ip precedence 3
match ip dscp cs3
match ip dscp af31
match ip dscp af32
class-map match-any VOICE-BEARER
match ip precedence 5
match ip dscp ef
match ip dscp cs5
policy-map SHAPE-ADSL-UPLINK
class class-default
bandwidth remaining percent 50
random-detect
random-detect ecn
policy-map VoIP-QoS
class VOICE-BEARER
priority percent 34
class VOICE-SIGNAL
bandwidth percent 5
class ROUTING
bandwidth percent 2
class NETWORK-MANAGEMENT
bandwidth percent 2
class IPSEC-VPN
bandwidth percent 2
class class-default
(config)# int t203
(config-if)#service-policy output SHAPE-ADSL-UPLINK
NOTHING appears in the config and sh policy-map int t100 shows an unapplied policy.
Using:
c836-k9o3s8y6-mz.123-8.T5
Another bug?
Thx
Policy should read (nested):
policy-map SHAPE-ADSL-UPLINK
class class-default
bandwidth remaining percent 50
random-detect
random-detect ecn
service-policy VoIP-QoS -
Error while applying the Service Policy
Hi,
I am getting the below error while applying the service policy to the Interface.
I have set the mpls exp 4 as well as want to limit the bandwidth to 1Mbps
PE#sh policy-map setexp-GBoIP
Policy Map setexp-GBoIP
Class GBoIP-traffic
set mpls experimental imposition 4
police cir 1024000 bc 32000
conform-action transmit
exceed-action drop
PE(config-if)#int vlan 2007
PE(config-if)#service-policy input setexp-GBoIP
QoS-ERROR: Addition/Modification made to policymap setexp-GBoIP and class GBoIP-traffic is not valid, command is rejected
As well as I have created new class-map with priority and Bandwidth and applied in output direction, I got the below error while applying the Service policy in
PE(config-if)#service-policy out TEST
bandwidth command is not supported in output direction for this interface
PE(config-if)#service-policy output TEST
priority command is not supported in output direction for this interface
Any idea why so ?
Thanks in Advance.
Regards,
Nilesh
Check the current value of IGW_AWARDS_S sequence and make sure the MINVALUE in the patch (i.e. 10000) is not greater than the current one.
OERR: ORA 4007 MINVALUE cannot be made to exceed the current value (Doc ID 19824.1)
You may also log a SR.
Thanks,
Hussein -
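The police command above (cir 1024000 bc 32000, conform transmit, exceed drop) and the shape commands in the first thread are the two ways of holding traffic to a rate, and they fail differently under a burst: a policer discards, a shaper queues. The simulation below is an added example, not code from this thread or from IOS; it models the single-rate token bucket a policer uses, runs a constructed burst of 40 full-size packets through it, and runs the same burst through an ideal shaper at the same rate so the drop count and the added delay can be compared. Function names and the trace are this example's own.

```python
"""Single-rate token-bucket policer versus shaper, showing what
'police cir 1024000 bc 32000 conform-action transmit exceed-action drop'
does to a burst compared with 'shape average' at the same rate.
Added example: the packet trace is constructed, and the model is the textbook
single-rate policer, not code taken from IOS."""
from typing import List, Tuple

Packet = Tuple[float, int]   # (arrival time in seconds, size in bytes)


def police(packets: List[Packet], cir_bps: int, bc_bytes: int) -> List[str]:
    """Return 'conform' or 'exceed' per packet. The bucket holds at most bc
    bytes, refills at CIR and starts full; an exceeding packet is dropped
    and does not consume tokens."""
    tokens = float(bc_bytes)
    last = packets[0][0] if packets else 0.0
    verdicts: List[str] = []
    for t, size in packets:
        tokens = min(float(bc_bytes), tokens + (t - last) * cir_bps / 8.0)
        last = t
        if size <= tokens:
            tokens -= size
            verdicts.append("conform")
        else:
            verdicts.append("exceed")
    return verdicts


def shape(packets: List[Packet], rate_bps: int) -> List[float]:
    """Return departure times under an ideal shaper: excess is queued and
    serialised at rate_bps, so nothing drops (queue-limit permitting) but
    delay accumulates across the burst."""
    next_free = 0.0
    departures: List[float] = []
    for t, size in packets:
        start = max(t, next_free)
        next_free = start + size * 8.0 / rate_bps
        departures.append(next_free)
    return departures


def burst(count: int, size: int, gap_s: float) -> List[Packet]:
    """Constructed trace: 'count' packets of 'size' bytes, one every gap_s."""
    return [(i * gap_s, size) for i in range(count)]


def police_summary(packets: List[Packet], cir_bps: int, bc_bytes: int) -> Tuple[int, int]:
    """(conforming, exceeding) packet counts for the trace."""
    v = police(packets, cir_bps, bc_bytes)
    return v.count("conform"), v.count("exceed")


def shape_max_delay(packets: List[Packet], rate_bps: int) -> float:
    """Worst-case queueing delay a packet sees under the shaper, in seconds."""
    return max(d - t for (t, _), d in zip(packets, shape(packets, rate_bps)))


if __name__ == "__main__":
    # 40 x 1500 B arriving 1 ms apart is a 12 Mbit/s burst into a ~1 Mbit/s contract.
    trace = burst(40, 1500, 0.001)
    ok, dropped = police_summary(trace, 1024000, 32000)
    print(f"policer: {ok} conform, {dropped} exceed (dropped)")
    print(f"shaper : 0 dropped, worst delay {shape_max_delay(trace, 1024000):.3f} s")
```

With the thread's numbers the burst size allows 32000 bytes through immediately and the refill of 128 bytes per millisecond admits one more full packet part way through, so the policer drops 16 of the 40 packets; the shaper at 1024000 bit/s drops none but the last packet leaves almost 0.43 s after it arrived. That is the trade-off behind the reply's advice to use bandwidth/shape for burstable application traffic and reserve strict policing for traffic that cannot tolerate queueing.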
Policy map/ class map/ service policy for IOS xr
Hi,
I need to create a policy map and class map/service policy to limit the amount of bandwidth that can be used on one interface both in and out.
I need the cap for the bandwidth to traverse this circuit to be 10 Meg.
the IOS xr version we are using is 4.3.4
I was hoping someone could help me out by giving me a configuration example I could follow.
Thank you.
for instance like this:
policy-map police-in
class class-default
police rate 10 mbps <optionally set burst>
policy-map shape-out-parent
class class-default
shape average 10 mbps <optional burst config>
service-policy shape-out-child
policy-map shape-out-child
class class-default
queue-limit 10 packets
int g 0/0/0/0
service-policy police-in in
service-policy shape-out-parent out
also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
and the support forum article of "asr9000 quality of service architecture"
xander -
Radius accounting for QoS pppoe policy-map
Hi folks
I have a radius pushing an AVPAIR ip:sub-qos-policy-out to a virtual template for clients connected to a BRAS through PPPOE.
The AVPAIR is correctly applied to each and every pppoe session but the following link http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbbbrs1c.html is indicating that I should be able to push back to the RADIUS some traffic info per class-map/policy map. This would allow some Quota stuff and getting some info about traffic used per customer
From what I have been able to configure, i'm not getting any of this stats back to the RADIUS
the debug radius accounting :
*Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E):Orig. component type = PPPoE
*Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E): Acct-session-id pre-pended with Nas Port = 0/0/3/0
*Mar 12 05:29:00.419: RADIUS(0000000E): Config NAS IP: 0.0.0.0
*Mar 12 05:29:00.419: RADIUS(0000000E): sending
*Mar 12 05:29:00.419: RADIUS/ENCODE: Best Local IP-Address 192.168.38.133 for Radius-Server 192.168.38.131
*Mar 12 05:29:00.419: RADIUS(0000000E): Send Accounting-Request to 192.168.38.131:1813 id 1646/55, len 299
*Mar 12 05:29:00.419: RADIUS: authenticator ED 94 CF EE BD 73 30 7E - 93 07 A4 C3 50 A6 03 DE
*Mar 12 05:29:00.419: RADIUS: Acct-Session-Id [44] 18 "0/0/3/0_00000005"
*Mar 12 05:29:00.419: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Mar 12 05:29:00.419: RADIUS: Framed-IP-Address [8] 6 10.10.10.2
*Mar 12 05:29:00.419: RADIUS: User-Name [1] 9 "olivier"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 35
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 29
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 23 "nas-tx-speed=10000000"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 29
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 23 "nas-rx-speed=10000000"
*Mar 12 05:29:00.419: RADIUS: Acct-Session-Time [46] 6 2582
*Mar 12 05:29:00.419: RADIUS: Acct-Input-Octets [42] 6 7232
*Mar 12 05:29:00.419: RADIUS: Acct-Output-Octets [43] 6 7232
*Mar 12 05:29:00.419: RADIUS: Acct-Input-Packets [47] 6 517
*Mar 12 05:29:00.419: RADIUS: Acct-Output-Packets [48] 6 517
*Mar 12 05:29:00.419: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Mar 12 05:29:00.419: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
*Mar 12 05:29:00.419: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 15
*Mar 12 05:29:00.419: RADIUS: cisco-nas-port [2] 9 "0/0/3/0"
*Mar 12 05:29:00.419: RADIUS: NAS-Port [5] 6 50331648
*Mar 12 05:29:00.419: RADIUS: NAS-Port-Id [87] 9 "0/0/3/0"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 41
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 35 "client-mac-address=aabb.cc00.6430"
*Mar 12 05:29:00.419: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 12 05:29:00.419: RADIUS: NAS-IP-Address [4] 6 192.168.38.133
*Mar 12 05:29:00.419: RADIUS: Ascend-Session-Svr-K[151] 10
*Mar 12 05:29:00.419: RADIUS: 37 39 38 32 45 41 38 30 [ 7982EA80]
*Mar 12 05:29:00.419: RADIUS: Acct-Delay-Time [41] 6 0
*Mar 12 05:29:00.419: RADIUS(0000000E): Started 5 sec timeout
*Mar 12 05:29:00.419: RADIUS: Received from id 1646/55 192.168.38.131:1813, Accounting-response, len 20
*Mar 12 05:29:00.419: RADIUS: authenticator A7 0E 79 40 C5 B5 CF DC - 09 46 27 48 52 BE 01 7D
What I get in the freeradius log :
Tue Mar 11 22:30:04 2014
Acct-Session-Id = "0/0/3/0_00000005"
Framed-Protocol = PPP
Framed-IP-Address = 10.10.10.2
User-Name = "olivier"
Cisco-AVPair = "connect-progress=LAN Ses Up"
Cisco-AVPair = "nas-tx-speed=10000000"
Cisco-AVPair = "nas-rx-speed=10000000"
Acct-Session-Time = 2646
Acct-Input-Octets = 7428
Acct-Output-Octets = 7428
Acct-Input-Packets = 531
Acct-Output-Packets = 531
Acct-Authentic = RADIUS
Acct-Status-Type = Interim-Update
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/0"
NAS-Port = 50331648
NAS-Port-Id = "0/0/3/0"
Cisco-AVPair = "client-mac-address=aabb.cc00.6430"
Service-Type = Framed-User
NAS-IP-Address = 192.168.38.133
X-Ascend-Session-Svr-Key = "7982EA80"
Acct-Delay-Time = 0
Acct-Unique-Session-Id = "523eac6ae326a778"
Timestamp = 1394602204
Request-Authenticator = Verified
user config in the users file on the freeradius server :
olivier Cleartext-Password := "olivier"
Service-Type = Framed-User,
Cisco-AVPair += "ip:addr-pool=pppoepool",
Cisco-AVpair += "ip:sub-qos-policy-out=TEST"
I see that the policy map name is pulled correctly from the radius server and applied to the session :
#sh policy-map session uid 14
SSS session identifier 14 -
Service-policy output: TEST
Class-map: TEST (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police:
cir 8000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Any input very welcome
Cisco server is working fine. When you do use non-standard or non-RFC requests from your NAS to the AAA server for instance, you have to configure your server accordingly to instruct it how to handle this kind of requests.
This is typically done with something called "dictionary", which should be included in your radius server. The server typically decodes all RFC 2865 VSAs (or should), but when a new NAS model is introduced into the network, you can modify it to add any VSAs not appearing in the dictionary, which is your case.
As an example, imagine you want to change the attribute cisco-vsa-port-string to tagged-string, your dictionary will look something similar to:
And finally you will have to modify with a text editor, or XML editor and change type="tagged-string" supposing your device complies with RFC 2868. Probably the AAA server will have to be restarted for taking these changes into account.
Also, since this does apply to all devices for this vendor, you've got one more option, which is to define your own dictionary for a specific vendor, or even if you wish for a specific NAS or group of NASes.
In NavisRadius you could associate a dictionary to a
device adding a client-class:
# Client-IP Client-Secret Client-Class
10.0.0.1 secret taos-old
And then specifying the dictionary later in client_properties for this device:
# This file contains information about client classes # and is used to set per-client specific information.
# TAOS Devices in OLD mode with RFC conflicts
taos-old
Client-Dictionary=max_dictionary
# Other devices now, etc.
Hope it helps -
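The two dumps in the question (the debug radius output and the freeradius log entry) are two interim updates of the same session, 0/0/3/0_00000005, sixty-four seconds apart, and the only AV-pairs in them are session-level ones (connect-progress, nas-tx-speed, nas-rx-speed, client-mac-address); there are no per-class counters. The code below is an added example, not from the post or from Cisco: it parses freeradius detail-style records, lists the AV-pairs that actually arrived, and computes the per-session usage delta between updates, which is the building block for the quota the poster wants even without per-class accounting. Both records are constructed from the values quoted in the post; the function names are this example's own.

```python
"""Parse freeradius detail-style accounting records for one PPPoE session and
compute usage between interim updates. Added example: the two records are
constructed from the values quoted in the post (the 'debug radius' dump and
the freeradius log are two Interim-Updates of session 0/0/3/0_00000005);
function names are this example's own."""
from typing import Dict, List, Union

Value = Union[str, List[str]]


def parse_detail_record(text: str) -> Dict[str, Value]:
    """One record: a timestamp line followed by 'Attr = value' lines.
    Attributes that repeat (Cisco-AVPair) are collected into a list."""
    rec: Dict[str, Value] = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if " = " not in line:
            rec.setdefault("_header", line)   # the 'Tue Mar 11 ...' line
            continue
        key, _, val = line.partition(" = ")
        val = val.strip().strip('"')
        if key in rec:
            prev = rec[key]
            rec[key] = (prev if isinstance(prev, list) else [prev]) + [val]
        else:
            rec[key] = val
    return rec


def avpairs(rec: Dict[str, Value]) -> Dict[str, str]:
    """Split 'name=value' Cisco AV-pairs; shows which VSAs the NAS really sent."""
    vals = rec.get("Cisco-AVPair", [])
    vals = vals if isinstance(vals, list) else [vals]
    return dict(v.split("=", 1) for v in vals if "=" in v)


def octets(rec: Dict[str, Value], direction: str) -> int:
    """Acct-*-Octets is a 32-bit counter; RFC 2869 Acct-*-Gigawords, when the
    NAS sends it, carries the high-order bits of long-lived sessions."""
    hi = int(rec.get(f"Acct-{direction}-Gigawords", 0))
    return (hi << 32) + int(rec[f"Acct-{direction}-Octets"])


def usage_delta(older: Dict[str, Value], newer: Dict[str, Value]) -> Dict[str, int]:
    """Deltas between two updates of one session. Refuses to mix sessions,
    since that would charge one customer for another customer's traffic."""
    if older["Acct-Session-Id"] != newer["Acct-Session-Id"]:
        raise ValueError("records belong to different sessions")
    d = {k: int(newer[k]) - int(older[k])
         for k in ("Acct-Input-Packets", "Acct-Output-Packets", "Acct-Session-Time")}
    d["Acct-Input-Octets"] = octets(newer, "Input") - octets(older, "Input")
    d["Acct-Output-Octets"] = octets(newer, "Output") - octets(older, "Output")
    return d


def over_quota(rec: Dict[str, Value], quota_bytes: int) -> bool:
    """Session total so far (both directions) against a per-customer quota."""
    return octets(rec, "Input") + octets(rec, "Output") > quota_bytes


# Constructed from the values in the post's two dumps.
REC_A = """
Tue Mar 11 22:29:00 2014
\tAcct-Session-Id = "0/0/3/0_00000005"
\tUser-Name = "olivier"
\tCisco-AVPair = "connect-progress=LAN Ses Up"
\tCisco-AVPair = "nas-tx-speed=10000000"
\tCisco-AVPair = "nas-rx-speed=10000000"
\tAcct-Session-Time = 2582
\tAcct-Input-Octets = 7232
\tAcct-Output-Octets = 7232
\tAcct-Input-Packets = 517
\tAcct-Output-Packets = 517
\tAcct-Status-Type = Interim-Update
\tCisco-AVPair = "client-mac-address=aabb.cc00.6430"
"""

REC_B = """
Tue Mar 11 22:30:04 2014
\tAcct-Session-Id = "0/0/3/0_00000005"
\tUser-Name = "olivier"
\tCisco-AVPair = "connect-progress=LAN Ses Up"
\tCisco-AVPair = "nas-tx-speed=10000000"
\tCisco-AVPair = "nas-rx-speed=10000000"
\tAcct-Session-Time = 2646
\tAcct-Input-Octets = 7428
\tAcct-Output-Octets = 7428
\tAcct-Input-Packets = 531
\tAcct-Output-Packets = 531
\tAcct-Status-Type = Interim-Update
\tCisco-AVPair = "client-mac-address=aabb.cc00.6430"
"""

if __name__ == "__main__":
    a, b = parse_detail_record(REC_A), parse_detail_record(REC_B)
    print("AV-pairs seen:", sorted(avpairs(b)))
    print("delta:", usage_delta(a, b))
    print("over 10 MB quota:", over_quota(b, 10 * 1024 * 1024))
```

The printed AV-pair list makes the poster's observation concrete: only session-level pairs are present, so whatever the feature guide promises for per-class statistics, the accounting records on this BRAS carry nothing a per-class quota could be built on.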
Fundamental ACL & Service Policy related questions
Hi All,
apologies in advance for seemingly stupid questions but I was forced to ask them as I have ALWAYS had great difficulty in using debug on Cisco platforms. Nothing ever shows up when I set up debug despite configuring "logging console" and setting the level to 7 etc. I have no clue why that is and if it's because all debugging messages go to the debug log instead of being printed on the console, or what it is...I just don't get it. When I'm saying logging console...please print it on the console! Anyway, that rant aside...
I have a VERY simple topology like so
A few servers in this VLAN
ISP <---> 3560G (Physical Routed Port) <--> SVI (VLAN)
ASA5520 <--> Internal VLAN
With regards to ACLs and their direction, when an ACL is applied to a physical port (or in cases where QoS is enabled and a service-policy) is applied to either a routed physical port on the 3560, saying that the policy is applied in the "in" direction (or 'input' in case of service-policy) does that mean 'inbound' in either direction? As in IF that routed port is my direct connection to the ISP, and I set up "ip access-group myacl in" (or service-policy input myPolicymap) ...will that be applicable if the traffic enters that port from the ISP side OR from the internal network side, or "IN" for it is always JUST the ISP side because it's assuming that all traffic generated from inside the network going out to the Internet is implicitly allowed UNLESS an ACL somewhere in the network restricts that?
then, in case of an SVI...I believe just like the physical routed port, I can ONLY implement an "Inbound" ACL on this as well. So when I implement either a Hierarchical policy-map or just an access-group "in", then what is "IN" ...traffic entering this VLAN from the internal network and those public servers going out to the Internet AND Traffic entering this VLAN from the ISP/Internet via the physical routed Port OR is it JUST the latter, or is it just the former?
Now Lastly, when I have the physical ports to which the ASA and each of those physical servers are connected to sitting on the public VLAN, if I apply port-based ACLs or service-policies to them, then again, what direction is the "IN" ACL applied? Both? i.e. traffic coming into it from the public servers and the Internal network through the ASA, and the Internet OR just the traffic coming into it from the Internet, but the traffic going out from the servers to the Internet is not subjected to this ACL or service-policy
Again, very sorry for a dumb question but I'm seeing bizarre things in my network so was just wondering before I decide on what kind of security I want to plan/design
Thanks in advance
The mystical difference between debug output going to the console versus showing up in syslog is "logging debug-trace". On goes to syslog, "no logging debug-trace" goes to console. I've been bit by this one myself.
ACLs on physical ports have directionality like the cable plug: "in" is from the cable entering into the switch or firewall, "out" is leaving the device to run along the cable to somewhere else. On Catalyst switches port ACLs are inbound (receiving packets) only. Obviously, on directly connected devices, one device's out is the other device's in.
ACLs on SVI's depend on whether you are running a base image or services image; services images can do IPv4 and IPv6 in both directions. However, port ACL's trump routed ACL's; if both exist, the port ACL is the only one applied. I think if a directly connected port has no port ACL, no ACL is applied at all; routed ACL's on SVI's only apply to transitions between VLANs inside the switch, not to traffic entering physical ports.
-- Jim Leinweber, WI State Lab of Hygiene -
Command "service-policy input policy-name permit-any" will not work
Hi all,
have a SG500 with latest Firmware, but this command will not work.
service-policy input QoS_01 permit-any
i get this error message:
% Wrong number of parameters or invalid range, size or characters entered
without the option "permit-any or deny-any" the command is successfully.
What is the reason?
It is important, directly to specify this options. Otherwise to lose the access to the switch.
Regards
Stefan
Hi Tom,
i have a ACL / ACE and create a QoS "policy table" put the "policy class map" (with class mappings) in it.
And now i will bind this QoS policy to a Ethernet port.
cli tutorial example say:
Use the service-policy Interface Configuration (Ethernet, Port-channel) mode command to bind a policy map to a port/port-channel. Use the no form of this command to detach a policy map from an interface.
This command is only available in QoS advanced mode.
Syntax
service-policy input policy-map-name default-action [permit-any | deny-any]
no service-policy input
Example:
switchxxxxxx(config-if)# service-policy input policy1 permit-any
Cisco support opened a ticket for me.
-Stefan -
Service-Policy Or Bandwidth Rate Limit for IP
Hi Netpros,
Is this possible to configure the Service Policy(for Bandwidth) or Bandwidth Rate Limit for Single IP. For eg: If we want to configure the Service Policy(for Bandwidth) or Bandwidth Rate Limit of 2Mb for only IP " 10.10.10.3" on network i.e the Host or device which is configured with this IP can access upto 2Mb only.
Actual Network :- We need this to configure this for wireless customers, Actually we have created one Vlan 2 (IP:- 10.10.10.1/29 @ our end router) , 10.10.10.2 on Basestation wireless device (Vlan 2 allowed on this wireless device) and this wireless device is working as point to multipoint wireless. i.e 2 or more than 2 wireless customers or last mile will connect to this basestation wireless. Wireless customer-1 is 10.10.10.3 (2Mb bandwidth) and Wireless Customer-2 10.10.10.4 (512Kb).
Hence we require to limit the bandwidth for these 2 wireless customers having different bandwidth. how to achieve & control bandwidth @ our end router for them. please suggest.
Thanks
This topic is probably better suited in another Infrastructure forum, but I suppose it depends on which features are supported by your Cisco hardware and software. This doc discusses a variety of options:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpolsh.html
For example, with the older CAR (committed access rate) approach:
interface FastEthernet5/0
rate-limit input access-group 101 20000000 [normal burst size] [excess burst size] conform-action transmit exceed-action drop
rate-limit input access-group 102 5120000 [normal burst size] [excess burst size] conform-action transmit exceed-action drop
access-list 101 permit ip 10.10.10.3 0.0.0.0
access-list 102 permit ip 10.10.10.4 0.0.0.0
You can observe CAR in action with "show interfaces fa5/0 rate-limit" for example. -
High current conns in service policy.
Hi,
We have the following policy on a firewall to limit the maximum number of connections:
policy-map global_policy
class HTTP
set connection conn-max 2250 embryonic-conn-max 100 per-client-max 20 per-client-embryonic-max 5
set connection timeout half-closed 0:05:00 idle 0:05:00
If we look in the logs we see that connections are being dropped because of this:
Feb 05 2014 12:33:12: %ASA-3-201011: Connection limit exceeded 2250/2250 for input packet from x.x.x.x/63257 to x.x.x.x/80 on interface outside
Feb 05 2014 12:33:12: %ASA-3-201011: Connection limit exceeded 2250/2250 for input packet from x.x.x.x/53429 to x.x.x.x/80 on interface outside
Feb 05 2014 12:33:12: %ASA-3-201011: Connection limit exceeded 2250/2250 for input packet fromx.x.x.x/48613 to x.x.x.x/80 on interface outside
And these show true if we look at the service policy
XXXX# show service-policy global
Global policy:
Service-policy: global_policy
Class-map: HTTP
Set connection policy: conn-max 2250 embryonic-conn-max 100 per-client-max 20 per-client-embryonic-max 5
current embryonic conns 2, current conns 2250, drop 15870337
Set connection timeout policy:
half-closed 0:05:00 idle 0:05:00
DCD: disabled, retry-interval 0:00:15, max-retries 5
DCD: client-probe 0, server-probe 0, conn-expiration 0
However the connections on the firewall and servers aren’t high
xxxxx# show conn count
529 in use, 2485 most used
Can anyone explain why this is, not sure if it is a bug or is normal expected behaviour. Is this "current conns" figure meant to correspond to the firewall conns, or is it taking from something else? I guess the only way to remove this is to remove and re-add the policy, just wanted to get people's thoughts on it or see if I was missing something.
This is on an ASA5510 running Software Version 8.2(5)41
Thanks
hi all,
im really exhausted about this issue
i googled a lot, i have been googling about 1 week with no benefit !!!!!
i changed ios many times but no luck !!!!
i followed the navigator tool of cisco, it says that cisco 7200 npeg2 doesn't support the feature called
QoS: Per-Session Shaping and Queuing
i followed here
http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/sbsbpssq.html
they say it supported for ios that supported with 7200
i found an old discussion on internet for guys about cisco 7200 for shaping
i dont know
not sure
does cisco 7200 support shaping and bw guarantee for vpdn session on LNS router ?????????
i need an expert for that
plz help
regards -
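The ASA connection-limit thread above is worth a small bit of tooling: the %ASA-3-201011 messages tell you which destination is being refused and on which interface, and comparing the class counter in show service-policy with show conn count is exactly how the poster spotted that the counter was pinned at 2250 while the box held 529 connections. The code below is an added example, not from the thread or from Cisco: it extracts the 201011 events (including the one where the log runs "from" into the address, as in the post), ranks the refused targets, and flags the stale-counter condition from the two show outputs. The syslog lines are constructed with documentation addresses and follow the format quoted in the post; the show outputs reuse the post's own numbers.

```python
"""Pull %ASA-3-201011 connection-limit events out of syslog and check the
'show service-policy' class counter against 'show conn count', the mismatch
this thread reports. Added example; the log lines are constructed with
documentation addresses and mirror the format quoted in the post, including
the line where 'from' runs into the address."""
import re
from collections import Counter
from typing import Dict, List, Tuple

CONN_LIMIT_RE = re.compile(
    r"%ASA-3-201011: Connection limit exceeded (?P<cur>\d+)/(?P<max>\d+) "
    r"for input packet from\s*(?P<src>[\w.:]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\w.:]+)/(?P<dport>\d+) on interface (?P<ifc>\S+)")

# Constructed sample; the third line reproduces the 'fromx.x.x.x' spacing bug.
SAMPLE_SYSLOG = """\
Feb 05 2014 12:33:12: %ASA-3-201011: Connection limit exceeded 2250/2250 for input packet from 198.51.100.7/63257 to 192.0.2.10/80 on interface outside
Feb 05 2014 12:33:12: %ASA-3-201011: Connection limit exceeded 2250/2250 for input packet from 198.51.100.9/53429 to 192.0.2.10/80 on interface outside
Feb 05 2014 12:33:12: %ASA-3-201011: Connection limit exceeded 2250/2250 for input packet from198.51.100.9/48613 to 192.0.2.11/80 on interface outside
Feb 05 2014 12:33:13: %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/63258 (198.51.100.7/63258) to dmz:192.0.2.10/80 (192.0.2.10/80)
""".splitlines()

# The counters quoted in the post.
SAMPLE_SERVICE_POLICY = """
Class-map: HTTP
 Set connection policy: conn-max 2250 embryonic-conn-max 100 per-client-max 20 per-client-embryonic-max 5
 current embryonic conns 2, current conns 2250, drop 15870337
"""
SAMPLE_CONN_COUNT = "529 in use, 2485 most used"


def parse_conn_limit_events(lines: List[str]) -> List[Dict]:
    """One dict per 201011 message; other syslog lines are ignored."""
    events = []
    for line in lines:
        m = CONN_LIMIT_RE.search(line)
        if m:
            events.append({"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                           "ifc": m["ifc"], "current": int(m["cur"]), "limit": int(m["max"])})
    return events


def top_targets(events: List[Dict], n: int = 3) -> List[Tuple[Tuple[str, int, str], int]]:
    """Most-refused (destination, port, interface) tuples, busiest first."""
    return Counter((e["dst"], e["dport"], e["ifc"]) for e in events).most_common(n)


CONN_MAX_RE = re.compile(r"conn-max (\d+)")
CLASS_COUNTER_RE = re.compile(r"current embryonic conns (\d+), current conns (\d+), drop (\d+)")
CONN_COUNT_RE = re.compile(r"(\d+) in use, (\d+) most used")


def counter_sanity(service_policy_text: str, conn_count_text: str) -> Dict:
    """'stale_counter' is True when the class reports its conn-max as reached
    while the firewall as a whole holds fewer connections than that limit,
    the symptom the poster planned to clear by re-applying the policy."""
    limit = int(CONN_MAX_RE.search(service_policy_text).group(1))
    _emb, current, drops = map(int, CLASS_COUNTER_RE.search(service_policy_text).groups())
    in_use, most_used = map(int, CONN_COUNT_RE.search(conn_count_text).groups())
    return {"limit": limit, "class_current": current, "drops": drops,
            "firewall_in_use": in_use, "firewall_most_used": most_used,
            "stale_counter": current >= limit and in_use < limit}


if __name__ == "__main__":
    events = parse_conn_limit_events(SAMPLE_SYSLOG)
    print(f"{len(events)} connection-limit events")
    for target, count in top_targets(events):
        print("  refused:", target, count)
    print(counter_sanity(SAMPLE_SERVICE_POLICY, SAMPLE_CONN_COUNT))
```

The stale-counter check is deliberately conservative: it only fires when the class claims to be at its limit while the whole firewall is below that limit, so a genuine flood against the HTTP class (where show conn count would also be high) is not misreported as a counter fault.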
C3750-48ts Service-Policy Output Like Command
Hello,
I'm having an issue trying to find a way to make a QOS or limiting of network traffic on a cisco 3750 that we have at a client site.
What the end goal is to make the network traffic 10x5mbs on some ports and 5x1mbs on others.
From how I normally do traffic shaping on routers is Class-map, policy-map and service-policy. However as I found out with this project I can't run the Service-policy Output command on the 3750 model. The other way that I know how to limit bandwidth on these switches is to use the srr-queue bandwidth limit % command. However, this isn't going to work for the clients that have 30x5mbs connection through us.
Here is what I have programmed:
mls qos
vlan 100
class-map match-any IN
match access-group 100
class-map match-any OUT
match ip dscp default
policy-map 5M_IN
class IN
police 5000000 256000 exceed-action drop
policy-map 1M_IN
class IN
police 1000000 256000 exceed-action drop
policy-map 30M_OUT
class OUT
police 30000000 512000 exceed-action drop
policy-map 5M_OUT
class OUT
police 5000000 256000 exceed-action drop
interface FastEthernet1/0/36
description TEST
switchport access vlan 100
service-policy input 1M_IN
(This is where I would like to run the service-policy output 5M_OUT)
If you have any idea on how to limit traffic per port please let me know so that this may help others.
Thank you,
Michael
The 3560 & 3750 (& 2960) don't support egress policy-maps. They do however support queueing so it is possible to achieve similar results by applying an ingress policer to your user ports to classify (& police?) the traffic, at the egress port you can then queue the traffic based on its DSCP or CoS value that it was classified with (same as 3550).
It is also possible to restrict the bandwidth in use at an egress port with the interface command 'srr-queue bandwidth limit <10-90>' where 10-90 represents a percentage of the link's bandwidth. For example if you want to restrict a 100Mbps port to 10Mbps you would use the command 'srr-queue bandwidth limit 10'
HTH
Andy -
Prevalence between service policy and rate limit
Hi,
I have a question, on the wan interface on my router I have configured two QoS configuration: one is based on rate-limit pointing to a an specified traffic but also I have a configuration with a service policy that include the same traffic with a restriction of bandwidth . I do not know what policy has prevalence if the service policy or the rate limit.
Regards.
Hi Rajan,
Thanks for the reply.
I'm a bit confused with your answer....
We have SRM 5 implemented at our place and I see that service carts created in the system using the link "ORDER" when converted to PO's in Sourcing create Purchase orders with HIERARCHY structure i.e. 1 header and 1 item (with the actual service line) but when they are replicated to ECC, we have done an enhancement to create LIMIT PO's for service orders.
Hence I wanted to know when do we need to create SERVICE HIERARCHY based PO's in SRM and when we need to create LIMIT PO's directly in SRM?
Also I understand that in SRM, for limit PO's, when the PO item is deleted in PROCESS PO transactions, the items are not returned back to sourcing. We don't want this to happen for all types of PO's (both material and Service). We want that when a PO item is deleted, the item should return back to sourcing.
But other than above functionality, what are the advantages of creating SERVICE based HIERARCHY PO's v/s LIMIT PO's in SRM?
Please advise.
Any inputs from Experts on this forum will be appreciated.
Thanks in advance. -
I'm trying to get some input on the direction policy maps should be applied, inbound vs outbound. If I have a central site that is hosting resources that include web related apps, Citrix, and SQL, and want users at a remote end of a point 2 point connection or VPN tunnel to have QoS guarantees such as bandwidth reservation and cbwfq, should the policy be applied in the outbound direction of the serial interface on the remote router that makes the point 2 point connection, and the inbound direction of the central site router's serial interface that is the other end of that point 2 point?
Or, from the remote site, should it be the outbound direction on the serial interface that classifies traffic such as http to certain urls, citrix, and sql servers, but on the central router's serial interface that marking would be using acls, having the source being the http, citrix, and sql servers and the remote clients being the destination?
What's the recommended method of implementing something like this in terms of the direction of the policy maps?
Thank you
Bill
If the policy map is being used for classification marking (e.g. DSCP marking), the usual recommendation is mark as close to the source as possible, usually "IN" on an ingress edge interface.
If the policy map is being used for congestion management, and since congestion usually is found on an egress interface, such policies are applied there.
So, from end-to-end, you might have an inbound policy on the local LAN device's edge interface, and an outbound policy on the local WAN device's WAN interface. Same on the remote side's devices for return traffic.
Since congestion is usually of primary concern on the WAN device, the inbound classification could be done inbound on that device's LAN interface, or even as part of the outbound policy.
Sample IOS policies (NB: syntax is incorrect):
wan router
class map VoIP
match protocol Voice
class map mission-critical match-any
match protocol citrix
match protocol sql
match protocol http
class map real-time
match dscp ef
class map gold
match dscp af31
policy map classify
class VoIP
set dscp ef
class mission-critical
set dscp af31
class class-default
set dscp best-effort
policy CBWFQ
class real-time
priority 50 percent
class gold
bandwidth remaining 80 percent
interface ethernet
service policy classify in
interface serial
service policy CBWFQ out -
Service-policy output statement interface vs interface .500 point-to-point
We are running AutoQoS but have recently migrated our WAN service that puts our IP connectivity to a sub-interface (interface serial0/1:0.500 point-to-point and a frame-relay interface-DLCI). In our prior WAN configuration we bound the IP address directly to the interface s0/1:0.
After the migration, the auto qos statement service-policy output AutQoS is still on the interface serial 0/1:0 . Should this service-policy statement be moved down to the serial 0/1:0.500 point-to-point in order to be effective? We have been experiencing QoS problems but I understand it could be many different places, but I wanted to start here.
Thanks
ryan
As a rule those are applied in a frame relay policy map.
Create the LLQ policy
Create the Frame Relay Policy map (and refer to the LLQ policy map in the Frame Relay Config)
Apply the Frame Relay Policy Map to the subinterface (to the DLCI).