Application Traffic Policies

Hi,
Thanks for your previous helpful responses.
I will be doing a POC at a customer site. I have the following applications listed that I will be optimizing:
Oracle
MS windows (CIFS)
MS Exchange
EFAX- oracle
RTGS- Real Traffic Gross settlements
T24
Internet through proxy server.
Banknet - Intranet Service.
DNS.
McAfee antivirus updates service.
I guess one way to capture the traffic types is to run a sniffer on the network, but how do I know exactly how each application works, so as to know what kind of ATP to create for some of the applications mentioned and what kind of optimization to apply, since not all of them have an ATP defined in the default Cisco ATP?
Thanks

Obiora,
There are several apps you list that are in the default application policies (CIFS, Oracle, proxy server, etc.). I would recommend that you create a policy for Exchange via destination IP with full optimization, as long as it's not encrypted by the Outlook clients.
For the other apps, you are correct, you may have to run a sniffer to look at them as they may be custom apps. After you have found out what ports and/or IP addresses they will use, you can create custom policies if they don't fit into the default set.
Hope that helps,
Dan

Similar Messages

  • Blocking p2p application traffic and tunneling

    I need help.
    We have two ASAs with AIP cards and have configured Active/Active, but users are using p2p and tunneling software. How can we block p2p and tunneling traffic?
    Please, anyone reply to me.
    Regards

    If you are using Firewall software 12.4(9)T and above, it has integrated policies to block or rate limit p2p application traffic using dynamically updateable application definitions for newer p2p applications. KaZaA, Gnutella, BitTorrent, and eDonkey are currently supported.
    You may also see this: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00801e419a.shtml

  • Traffic policing question on Cisco ASR 1001

    Hi Experts,
    I have a request to setup aggregated traffic policing on a Cisco ASR 1001 router for multiple networks within a router.
    Let's say I have a router with several subinterfaces:
    interface GigabitEthernet0/2
     description WAN
     ip address x.x.x.x x.x.x.x
    interface GigabitEthernet0/1.70
     description Lan_1
     encapsulation dot1Q 70
     ip address 192.168.55.1 255.255.255.0
    interface GigabitEthernet0/1.80
     description LAN_2
     encapsulation dot1Q 80
     ip address 192.168.56.1 255.255.255.0
    interface GigabitEthernet0/1.90
     description Servers
     encapsulation dot1Q 90
     ip address 172.16.10.1 255.255.255.0
    I have a WAN link of 100Mbit/s and I need to police traffic so that I have 30Mbit/s for servers (GigabitEthernet0/1.90), and the remaining 70Mbit I want to share between interfaces Lan_1 and LAN_2. The idea is that I need 70Mbit/s equally shared between the two interfaces, so that I have fair policing on both interfaces. What is the best way to achieve this?
    Many Thanks

    Hello
    The below configuration is a possible option. It provides policing inbound from the client interfaces and LLQ priority queuing on the WAN interface for the servers, and the shaping values for LAN1 & 2 traffic are set to 35MB each.
    Notice nothing is defined for the default class; however, I am of the understanding that this is given 1% by default in HQoS implementations.
    Maybe others on here could review to verify any problems with this post and share their thoughts?
    ip access-list extended SRVS_acl
     permit ip 172.16.10.0 0.0.0.255 any
    ip access-list extended LAN1_acl
     permit ip 192.168.55.0 0.0.0.255 any
    ip access-list extended LAN2_acl
     permit ip 192.168.56.0 0.0.0.255 any
    class-map match-all SRVS_CM
     match access-group name SRVS_acl
    class-map match-all LAN_1_CM
     match access-group name LAN1_acl
    class-map match-all LAN_2_CM
     match access-group name LAN2_acl
    policy-map SRVS_PM
     class SRVS_CM
      police 30720000 conform-action transmit exceed-action drop
    policy-map LAN_2_PM
     class LAN_2_CM
      police 35840000 conform-action transmit
    policy-map LAN_1_PM
     class LAN_1_CM
      police 35840000 conform-action transmit
    interface GigabitEthernet0/1.70
     service-policy input LAN_1_PM
    interface GigabitEthernet0/1.90
     service-policy input SRVS_PM
    interface GigabitEthernet0/1.80
     service-policy input LAN_2_PM
    policy-map WAN_CHILD
     class SRVS_CM
      priority 30720
     class LAN_1_CM
      shape average 35840000
     class LAN_2_CM
      shape average 35840000
     class class-default
      fair-queue
    policy-map WAN_PARENT
     class class-default
      shape average 102400000
      service-policy WAN_CHILD
    interface GigabitEthernet0/2
     bandwidth 102400
     service-policy output WAN_PARENT
    res
    Paul

  • Traffic Policies IN NAC

    Hello friends,
    For host remediation, should we allow access to a particular destination, or is it accessible by default?
    OR
    Are traffic policies applied after a host passes posture assessment and remediation, to limit network access?
    Thanks

    Hello Faisal,
    Thanks for the response.
    My setup is in-band virtual mode.
    From your mail, what I understand is that if the host wants to succeed in posture assessment, it has to be permitted to reach the particular destination.
    For example: if the host is not updated with the full AV, then it has to be permitted access to the AV server for the updates in the temporary role,
    and the access-list will be like: permit tcp any host 10.10.10.10 (AV Server) eq (port)
    Correct me if I am wrong?
    2) After the host succeeds in host posture assessment, can we also limit the host to a particular destination?
    Where is the option where we can specify such an access-list?
    Thanks

  • ISG: Service with traffic policing counts dropped packets.

    Hello,
    Our company has a Cisco 7304 NPEG100 router ("show version" at the bottom of this message). We are planning to start ISG services on this router, but there is a bug, CSCei4190. When I set traffic policing in a service, accounting in this service counts packets that have been dropped by traffic policing.
    Here is example of my definition of service in RADIUS:
    User-Name = 'Internet-Service'
    Cisco-AVPair += "ip:traffic-class=in access-group 2000 priority 10"
    Cisco-AVPair += "ip:traffic-class=out access-group 2001 priority 10"
    Cisco-AVPair += "ip:traffic-class=in default drop"
    Cisco-AVPair += "ip:traffic-class=out default drop"
    Cisco-AVPair += "prepaid-config=TRAFFIC_PREPAID"
    Cisco-AVPair += "accounting-list=ISG_ACCT"
    Cisco-Service-Info += "QU;256000;D;512000"
    Acct-Interim-Interval += '60'
    When I remove Cisco-Service-Info += "QU;256000;D;512000" from the service definition, all traffic is counted correctly.
    I did not find in the Bug Details which version of IOS I should use in my 7304 router where this bug is fixed.
    Cisco IOS Software, 7300 Software (C7300-A3JK91S-M), Version 12.2(31)SB17,  RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Fri 30-Oct-09 12:35 by vpernank
    ROM: System Bootstrap, Version 12.2(22r)S, RELEASE SOFTWARE (fc1)
    BOOTLDR: 7300 Software (C7300-BOOT-M), Version 12.2(20)S6, RELEASE SOFTWARE (fc4)
    7304 uptime is 17 hours, 24 minutes
    Uptime for this control processor is 17 hours, 24 minutes
    System returned to ROM by reload at 06:22:24 TSK Wed Feb 23 2005
    System restarted at 18:46:54 TSK Mon Mar 22 2010
    System image file is "disk0:c7300-a3jk91s-mz.122-31.SB17.bin"
    cisco 7300 (NPEG100) processor (revision B) with 983040K/65536K bytes of  memory.
    SB-1 CPU at 800Mhz, Implementation 0x401, Rev 0.2, 512KB L2 Cache
    4 slot midplane, Version 67.49
    Last reset from software reset or reload
    4 FastEthernet interfaces
    3 Gigabit Ethernet interfaces
    1021K bytes of non-volatile configuration memory.
    62592K bytes of ATA compact flash in bootdisk (Sector size 512 bytes).
    125952K bytes of ATA compact flash in disk0 (Sector size 512 bytes).
    Configuration register is 0x2102

    I am getting other logs sent to the syslog server, yes, just not the firewall-related "dropped packet" logs.  Here's an example of one that does make it through:
    5790: *Apr 30 15:05:27.039 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-647534746 1500 bytes is out-of-order; expectedseq:3647406270. Reason: TCP reassembly queue overflow - session 192.168.1.179:3895 to 54.240.160.142:80 on zone-pair inside-to-Transitclass WB-Browsing
    I am not allowing all the traffic across the box.  The "self-to-inside" zone-pair just allows the *firewall itself* to initiate any traffic to the inside zone.  That's temporary until I get all the management traffic to and from the firewall defined, then I will lock it down further.
    And I added the "ip inspect log drop-pkt" and it did not appear to make any difference.
    Any other suggestions?
    -Mat

  • 2950 Traffic Policing

    Hi,
    I'm trying to configure traffic policing on a Catalyst 2950. The config is pretty straight-forward, or so I thought. I need to set up several policy-maps, each one policing traffic at different levels (5meg, 10meg, 20meg, etc.). My problem is, anything above 1Meg just doesn't seem to work as expected. Here's my config for a 10Meg policer:
    class-map match-all ALL-TRAFFIC
    match access-group 1
    policy-map 10mbs
    class ALL-TRAFFIC
    police 10000000 65536 exceed-action drop
    access-list 1 permit any
    Here's the interface config:
    interface FastEthernet0/24
    switchport access vlan 53
    load-interval 30
    service-policy input 10mbs
    spanning-tree portfast
    spanning-tree bpdufilter enable
    spanning-tree link-type point-to-point
    What happens is, when uploading files from the server attached to this port (ingress to the switch), my throughput is nowhere near 10Mb/s. I only end up getting about 2Mb/s consistently, with a large 600MB ISO file transfer.
    I've configured policers before in routers and other types of switches and I would at least get around 7 to 8Mb/s, if not immediately, after some time, due to TCP's native congestion avoidance. I may be missing something blatantly obvious, though, as I've been wrestling with this the past few hours.

    Although the page is about the 3550, I think most of the information is relevant to the 2950 as well (although the 2950 doesn't support the granularity of the 3550).
    http://www.cisco.com/en/US/partner/products/hw/switches/ps646/products_tech_note09186a00800feff5.shtml
    Have you tried using non connection-oriented traffic (UDP) to see what rates you achieve? I suspect TCP is probably suffering due to the policer dropping the packets.
    HTH
    Andy

  • Traffic Policing on Service Provider Edge router.

    Hi,
    I'm confused about traffic policing on a service provider edge router. Suppose I have taken Internet bandwidth from my ISP and they say that they will give me 100 Mbps bandwidth, burstable up to 1Gbps. What does that mean? What is burstable here?
    I would appreciate it if anyone from a service provider organization could give an output of their edge router's running config. I just have to understand how they police our traffic. Here I'm talking about Internet leased lines.

    This is probably something you will have to get your service provider to answer. Different service providers use the term burst in a different context. Some SPs are "nice" and will set up no policer or shaper and will purely monitor the link for fair use, allowing you to exceed what you have purchased as long as you don't abuse the privilege. Other service providers may set up a dual rate policer with a CIR and a PIR to achieve the same. A third scenario is as explained above, where the SP will set up a policer for 100Mb/s and then calculate the burst value at 1/8 of a second (or less in some cases), which allows your traffic to burst to full line rate for that time slice.
    There are other scenarios, but the point I'm trying to make is that service providers don't all do this the same way, which is why you should ask them what they mean and how long your traffic would be allowed to burst to line rate.
    PJ

  • Cisco ASA QoS traffic policing - how to count conform burst

    hi,
    I have a Cisco ASA 8.4(5). I will be configuring QoS traffic policing. The maximum output/input rate will be 850 Mbit/s.
    I am not sure if I also need to configure the conform burst. If yes, can I calculate a suitable value for it? I must admit that I don't understand the difference between conform rate and conform burst.
    access-list acl_qos_policing_admin extended permit ip any any
    class-map class_qos_policing_admin
     match access-list acl_qos_policing_admin
    policy-map policy_qos_policing_admin
     class  class_qos_policing_admin
     police output 850000000 xxxxxxx
     police input 850000000 xxxxxxx
    service-policy policy_qos_policing_admin interface inside_ADM

    Hi, I have already done the configuration on the production firewall. The bandwidth test worked very well for 200 Mbps or 300 Mbps, but I got slightly strange results for bigger rate limits such as 600 Mbps or 850 Mbps: I could not see any dropped packets. I did the test via http://www.speedtest.net. Maybe because I need to set conform-burst? There is now only the default value (if you set a bigger conform-rate then you get a bigger conform-burst with the default value).
    Interface inside_EDU:
      Service-policy: policy_qos_policing_edu
        Class-map: class_qos_policing_edu
          Output police Interface inside_EDU:
            cir 200000000 bps, bc 6250000 bytes
          Input police Interface inside_EDU:
            cir 200000000 bps, bc 6250000 bytes
    Interface inside_EDU:
      Service-policy: policy_qos_policing_edu
        Class-map: class_qos_policing_edu
          Output police Interface inside_EDU:
            cir 600000000 bps, bc 18750000 bytes
          Input police Interface inside_EDU:
            cir 600000000 bps, bc 18750000 bytes
    Interface inside_ADM:
      Service-policy: policy_qos_policing_admin
        Class-map: class_qos_policing_admin
          Output police Interface inside_ADM:
            cir 300000000 bps, bc 9375000 bytes
          Input police Interface inside_ADM:
            cir 300000000 bps, bc 9375000 bytes
    Interface inside_ADM:
      Service-policy: policy_qos_policing_admin
        Class-map: class_qos_policing_admin
          Output police Interface inside_ADM:
            cir 850000000 bps, bc 26562500 bytes
          Input police Interface inside_ADM:
            cir 850000000 bps, bc 26562500 bytes
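    The conform-rate versus conform-burst question in this thread, the 2950 thread above (a 10 Mb/s policer with bc 65536 and a server bursting at 100 Mb/s) and the 1/8-second burst window PJ describes all come down to the same token bucket. The Python simulation below is an added example, not code from any of the posts: Policer, police_burst and the other names are my own, the traffic traces are constructed, and the CIR and bc figures are the ones quoted above.

```python
# Added example (not from any post in this thread): a single-rate token-bucket
# policer of the kind configured with IOS "police <cir> <bc>" and ASA
# "police output <cir> <bc>". Traffic traces are constructed; CIR and bc
# figures come from the posts above.


def asa_default_bc(cir_bps):
    """ASA default conform-burst is 1/32 of the CIR, expressed in bytes
    (matches the quoted 'cir 200000000 bps, bc 6250000 bytes' output)."""
    return cir_bps // 32


def bc_for_window(cir_bps, seconds):
    """Burst in bytes that lets traffic run at line rate for 'seconds' before
    the rate applies, e.g. the 1/8-second window described by the provider."""
    return int(cir_bps * seconds / 8)


def seconds_until_drops(cir_bps, bc_bytes, offered_bps):
    """How long a steady stream above CIR runs before the bucket is empty and
    exceed-action drop starts; None if the stream never exceeds CIR."""
    excess_bytes_per_s = (offered_bps - cir_bps) / 8
    return bc_bytes / excess_bytes_per_s if excess_bytes_per_s > 0 else None


class Policer:
    """Single-rate, two-colour policer: conform-action transmit, exceed-action drop."""

    def __init__(self, cir_bps, bc_bytes):
        self.cir, self.bc = cir_bps, bc_bytes
        self.tokens = float(bc_bytes)      # bucket starts full
        self.last_ns = 0
        self.conformed = self.dropped = 0  # packet counters

    def offer(self, t_ns, size):
        # Tokens accrue at CIR/8 bytes per second and are capped at bc.
        refill = (t_ns - self.last_ns) * self.cir / 8e9
        self.tokens = min(self.bc, self.tokens + refill)
        self.last_ns = t_ns
        if size <= self.tokens:
            self.tokens -= size            # conform: transmit, spend tokens
            self.conformed += 1
            return True
        self.dropped += 1                  # exceed: drop, tokens untouched
        return False


def police_burst(cir_bps, bc_bytes, line_rate_bps, n_packets, pkt=1500):
    """One back-to-back burst of n packets at line rate (what a file upload
    looks like to the policer); returns (conformed, dropped) packet counts."""
    p = Policer(cir_bps, bc_bytes)
    gap_ns = round(pkt * 8 * 1e9 / line_rate_bps)
    for i in range(n_packets):
        p.offer(i * gap_ns, pkt)
    return p.conformed, p.dropped


def police_stream(cir_bps, bc_bytes, offered_bps, seconds, pkt=1500):
    """A constant stream at offered_bps for 'seconds' (the UDP test Andy
    suggests); returns (conformed, dropped) packet counts."""
    n_packets = int(seconds * offered_bps / 8 / pkt)
    return police_burst(cir_bps, bc_bytes, offered_bps, n_packets, pkt)


if __name__ == "__main__":
    # 2950 post: 10 Mb/s policer, bc 65536, server sending at 100 Mb/s. Only the
    # first 48 packets of a burst ride on the bucket; after that one packet in
    # ten conforms, so a TCP sender sees loss almost immediately.
    print(police_burst(10_000_000, 65536, 100_000_000, 100))    # (53, 47)
    print(police_stream(10_000_000, 65536, 100_000_000, 1.0))   # (876, 7457)
    # ASA post: 850 Mb/s with the default burst, offered 900 Mb/s steadily.
    bc = asa_default_bc(850_000_000)
    print(bc, seconds_until_drops(850_000_000, bc, 900_000_000))  # 26562500 4.25
    print(bc_for_window(100_000_000, 0.125))                       # 1562500
```

    The conform rate sets the long-run ceiling (tokens refill at CIR), while the conform burst only sets how much can go through back-to-back before that ceiling bites; a stream just above CIR with a large default bc can run for seconds before a single drop, which is one reason a short speed test shows none.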

  • Cisco Configuration Professional - Monitor - Traffic Status - Application traffic view

    Installed the latest version of CCP. Noticed that it uses Internet Explorer as the default browser.
    Current issue: Monitor - Traffic Status - Application traffic view shows a window that is too large for my current screen.
    I've tried several options to make it more viewable, but no luck.
    Screenshot explaining the issue: notice the difficulty of viewing the graphs.
    Any advice will be appreciated.
    Philip

    I've managed to fix it by changing the zoom on Internet Explorer.

  • WCCP breaks Application Traffic

    Hello Friends,
    I have set up a test WAAS setup. The remote site connects to the main site through a site-to-site VPN connection. A Cisco 1841 router is doing WCCP redirection at the remote end without any access lists, so all the traffic is being intercepted. I have set it up as explained in the WAAS quick config guide. File services are working fine, but email, http and Citrix traffic is being blocked somewhere in the network. This means WAFS is working but application acceleration is not working at all. When I disable WCCP, everything works.
    What am I doing wrong here?
    thanks
    Ankit

    Ankit,
    Per Cisco, the minimum recommended versions (IOS routing platforms) for WCCP with WAAS are:
    M Train: 12.4(10)
    T Train: 12.4(9)T1
    You might want to try upgrading your IOS to 12.4(10) or the T train if possible. I would start there.
    Found this caveat on 12.4 code:
    CSCuk61396
    Symptoms: WCCP service redirection may not work. In particular, packets that are rejected by a third-party vendor appliance device and are returned to the router for normal forwarding may be discarded.
    Conditions: This symptom is observed on a Cisco router when NAT or Cisco IOS Firewall features are enabled on the same interfaces that have WCCP enabled.
    Workaround: There is no workaround.
    HTH
    Mike

  • [BUG?] Application Control Policies

    I have had the problem that I first wanted to lock down everything and then open security step by step.
    But this was not the best idea.
    The problem within the Application Control is the "Search & Find" option, or the Filter.
    1. The window is damn small and it's not possible to resize.
    2. There are so many settings and options to set, and there is no way to export or import. It would be damn cool to set the options within Excel or something like that.
    3. The worst thing is the search or filter option.
    I will give an example:
    When you try to find iPhone, then you will get no return. Or give it a try with flash. No way.
    You need to search for the exact application name.
    Can someone change this to a better filter option, because it is more than annoying to browse through each and every setting to find something.

    Hello Jahnke,
    Thank you for the suggestions. While the product is working as designed currently, we will convey your suggestions to the Development team. If those changes are within the scope of the product, it may be implemented in one of the future firmware releases. If you have any further questions, please feel free to reach out to Cisco SBSC and one of our Engineers will be happy to work with you.
    Thanks,
    Nagaraja

  • Application Control Policies - Is that it?

    Restrictions based on executable name only seem very restrictive; maybe I came in with the wrong mindset. I was looking at this as being an SRP-like replacement, but there is the inability to do path-based rules or to default deny all but allowed programs. Being executable-name only, without a default deny, would mean a simple executable rename defeats the policy.
    Can someone enlighten me, have I just totally missed the point?

    Originally Posted by bbeachem
    Application "white listing", which is what you're really requesting is on our roadmap for a future product version.
    Is there a current time frame on the whitelist feature? Also do you know if path based rules will be included as part of that feature?

  • Calling DSCP or IP Precedence on traffic Policing

    Hi Guys,
    I have a good question, and I can say it's a challenging question. We have a policy-map on some interfaces, but these interfaces are dedicated to some customers who are using them just for voice and video. I put some detail below for better understanding.
    router#sh policy-map QOS:POLICE:100M:pm-q
      Policy Map QOS:POLICE:100M:pm-q
        Class class-default
         police cir 100000000 bc 3125000
           conform-action transmit
           exceed-action drop
         service-policy QOS:RATE:30-x:pm-q
    router#sh policy-map QOS:RATE:30-x:pm-q
      Policy Map QOS:RATE:30-x:pm-q
        Class QOS:REALTIME:cm-q
          set qos-group 5
         police cir percent 30
           conform-action transmit
           exceed-action drop
        Class QOS:INTERACTIVE:cm-q
          set qos-group 3
        Class QOS:CONTROL:cm-q
          set qos-group 6
         police cir percent 10
           conform-action transmit
           exceed-action drop
        Class QOS:BUSINESSDATA:cm-q
          set qos-group 1
        Class class-default
          set qos-group 0
    We put this because we expected a guarantee of 30% of that bandwidth. It means we expected a guarantee of 30mbps, but now people are saying this type of configuration is not working because calling dscp on policing is not working.
    Now we have to change it to the below:
    router#Policy Map QOS:POLV2:GWS:100M:pm-q
        Class QOS:INT:MPLS:cm-q
         police cir 120000000 bc 21000000 be 42000000
           conform-action transmit
           exceed-action drop
           violate-action drop
    Now the question is: is this change right?
    Thanks
    Majid

    Sarah
    1) L2 switches can trust the dscp marking as well. The 2960 is a layer 2 only switch and the default is untrusted but if you then enter
    "mls qos trusted" you have a choice of 'cos|dscp|ip-precedence'. The default if no choice is entered is DSCP.
    2) If "mls qos trust dscp" is entered then the switch will use the DSCP marking found in the packet. This will then be used as the internal DSCP marking that all switches use. Unless you have a DSCP-DSCP mutation map the value used will be the value received in the packet.
    Jon

  • Application Inspection of an ASA

    Does the default inspection policy (without edit) provide Application Inspection, or Stateful Inspection only?
    I believe this is the default inspection policy (MPF) on an ASA 5505:
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    thx

    This is stateful inspection by default, except for the dns.
    For application inspection policies (layer 7 inspection) you have to define separate layer 7 policies for each protocol and define them in the stateful inspection policy map.
    Sent from Cisco Technical Support Android App

  • Is it possible to allocate bandwidth to an application in an L2L tunnel?

    Hi,
    In an L2L tunnel, we wanted to allocate bandwidth for all users in Site A when accessing applications (web-based and thick) on a server in Site B. The response times for both applications are not acceptable.
    The same VPN link between the two sites is also used by other applications, i.e. DC replication, etc., and the Internet link used for the VPN is also used for SMTP and Lotus Notes.
    In Site A, the tunnel is terminated outside of the PIX 7.2(2), and in Site B it is terminated outside of an ASA 5510 7.2(2). The routers in front of these firewalls have PBR such that the PAT'ed address from the firewall is routed to the ADSL instead of the serial interface.
    If we'll upgrade the Internet line, I have to make sure that it will resolve the issue.
    Thanks in advance.
    Regards,
    Archie

    Hi,
    Thanks.
    - The first challenge is where to apply QoS, i.e. do traffic policing/allocate bandwidth for IPSec use. My guess is on the router, but I'm not 100% sure.
    - If on the router, what's the command?
    - Once the first challenge is done, can I do traffic policing on applications inside the VPN, which are terminated on the PIX and ASA?
    Regards,
    Archie
