Cisco WS-C3750X-24 policy-map problem
In our organization we have a cisco ws.c3750X-24 switch. we are using policy maps to restrict bandwidth in 3750x but if we edit or add new policys other policys are not working.
can you please share config?
Similar Messages
-
Cisco cat 3560 service-policy output problem
I have just use the 3560 to replace 3550 switchs, but the cat3560 does not support the command "service-policy output" which was supported by 3550,
we have already use this command in 3550 to control the network traffic.
so there somebody knows if there an schedule to implement this command?
Thank you very much."service-policy output" is not supported in 3560/3750 due to ASIC limitation. See if "srr-queue bandwidth limit" command will work for you
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225sed/scg/swqos.htm#wp1253412 -
Hallo,
I have a question about the policy mapping in ACS 5.4.
When a request matches in "Access Selection Rule" the request goes to an "Access Service".
In "Access Service" there are three kinds of policy rules:
- Identity:
If condition match then result "Identity Source"
- Group Mapping
If condition match then result "Identity Group"
- Authorization
If condition match the result "Auth Profil"
Q1:
For example:
The User "Test" is registered in Internal User with a local password. But now I will authenticate the user "Test" from a RSA Token server. How can I configure this rule in "identity policy"? Wich condition matches to choose the identity source. I will set the internal user with an attribute enumeration field like "Password". The administrator should have an option to choose "locale databse password" or "token passcode".
Q2:
What does it mean: "Group mapping"?
Thx for your answer!
StefanHi Stefan,
The User "Test" is registered in Internal User with a local password. But now I will authenticate the user "Test" from a RSA Token server. How can I configure this rule in "identity policy"? Wich condition matches to choose the identity source. I will set the internal user with an attribute enumeration field like "Password". The administrator should have an option to choose "locale databse password" or "token passcode".
In the identity, if you click on select, you can select the type of Database, you can choose RSA (you will first need to create the connection under Users and Identity Stores-->External Identity Stores-->RSA secure ID)
Another, way is you continue to use the internal users DB, but you go to that user internally and select the password type to be RSA
(you will first need to create the connection under Users and Identity Stores-->External Identity Stores-->RSA secure ID)
Group mapping is a feature to assign a local identity group as a result by choose conditions.
EG:
If (Active directory x) Then (Internal group x)
The IF is the condition and Then is Result.
https://supportforums.cisco.com/docs/DOC-34890
Hope this Helps.
Ed -
Is there a policy map difference from 8.0 to 9.0?
We have been testing blocking a few select websites (no web filtering yet) with some of our smaller location ASA's. Following the document at:
https://supportforums.cisco.com/docs/DOC-1268
I have been successful at sites which run ASA's with version 8.0 of the IOS on them, but not with 9.0. With 9.0 (2) it appears that when you institute the policy map to make it take effect, it blocks all web traffic, not just the ones specified.
So, I guess I'm asking, is there that large of a difference between 8.0 and 9.0 that would cause this to no longer work properly?You went to the same page I did 7 hours ago. Use the "FILES TYPE EDIT" solution and follow almost all of the instructions...Edit FIREFOX URL, HYPERTEXT TRANSFER PROTOCOL and HYPERTEXT TRANSFER PROTOCOL WITH PRIVACY....It isn't necessary to take the step of "unchecking the "DDE BOX", just follow the instructions to delete the characters in the "DDE Message Box" and the problem is fixed. If you uncheck the "DDE BOX", as instructed, it may come back to bite you.
Thank you for helping,
Sel Warren -
ACS DB Replcation Fails Through Cisco Firewalls w/Skinny Policy Inspect
We run Cisco ACS v3.3 (Windows) on two servers over our WAN, and replcate the internal databases for redundancy. The problem is that replications fail between the ACS servers and it is because of the default port the ACS servers use to replicate over...TCP 2000.
Between the two servers are Cisco ASA firewalls running 7.2.2(19). We run Cisco MGCP VoIP phones between the sites as well, which utilize TCP 2000 for call control.
When the policy-inspect skinny command is enabled on the firewalls, the ACS server replcation breaks, because the firewall sees that the TCP 2000 packets for the DB replication are not VoIP call control packets.
Is there a way to reconfigure the ACS servers so they use a different port other than TCP 2000? (Registry hack, ini file edit, something???)
Frankly, it is rather lame of Cisco to implement an already defined port for their DB replication that defined in IETF as a well know port for the skinny protocol. Even worse is that this problem continues to exist into v4.0 as I understand it.
An no...we should not have to disable the inspect-policy for skinny on the ASA's. :-)
Any help to qwell my frustration on this topic would be appreciated.
Thanks,
-ScottScott,
If disabling the inspection of the skinny protocol is not feasible, the following
configuration sample may be incorporated into the firewall configuration so that replication traffic is not affected by the skinny fixup:
In this example, the ACS servers are at IP addresses 10.1.2.3 and 10.4.5.6.
#Define what traffic you want inspected:
access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6
access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3
access-list skinny_acl extended permit tcp any any eq 2000
#Create a class map to match the acl
class-map skinny_map
match access-list skinny_acl
#Under the global policy, take the skinny inspection out of the
#class inspection_default, and add it under our new class
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class skinny_map
inspect skinny
service-policy global_policy global
###Will be inspected for skinny###
FWSM(config-pmap-c)# show service-policy flow tcp host 172.16.1.2 host 172.16.5.6 eq 2000
Global policy:
Service-policy: global_policy
Class-map: skinny_map
Match: access-list skinny_acl
Access rule: permit tcp any any eq 2000
Action:
Input flow: inspect skinny
FWSM(config-pmap-c)#
###Will not be inspected for skinny###
FWSM(config-pmap-c)# show service-policy flow tcp host 10.1.2.3 host 10.4.5.6 eq 2000
Global policy:
Service-policy: global_policy
FWSM(config-pmap-c)#
Regards,
~JG
Please rate if helps ! -
Policy-map input on an interface VLAN
Hi there,
I have a problem with a policy-map on an interface VLAN on my Cisco 6509-E.
The switch has the IOS Version 12.2(33)SXI10, RELEASE SOFTWARE (fc2).
I have configured this policy-map:
policy-map PM-10Mbit
class class-default
police cir 10000000 bc 1875000 be 3750000 conform-action transmit exceed-action drop violate-action drop
I bind this map on a physical interface
interface GigabitEthernet2/2
description <removed>
ip vrf forwarding <removed>
ip address <removed>
ip access-group <removed> out
service-policy input PM-10Mbit
service-policy output PM-10Mbit
and get this result:
show policy-map interface
GigabitEthernet2/2
Service-policy input: PM-10Mbit
class-map: class-default (match-any)
Match: any
police :
10000000 bps 1875000 limit 1875000 extended limit
Earl in slot 5 :
6428065284 bytes
5 minute offered rate 14696 bps
aggregate-forwarded 6294160565 bytes action: transmit
exceeded 133904719 bytes action: drop
aggregate-forward 584 bps exceed 0 bps
Service-policy output: PM-10Mbit
class-map: class-default (match-any)
Match: any
police :
10000000 bps 1875000 limit 1875000 extended limit
Earl in slot 4 :
10335145381 bytes
5 minute offered rate 21536 bps
aggregate-forwarded 10142894661 bytes action: transmit
exceeded 192250720 bytes action: drop
aggregate-forward 128 bps exceed 0 bps
Earl in slot 5 :
263335780 bytes
5 minute offered rate 176 bps
aggregate-forwarded 263335780 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 448 bps exceed 0 bps
But when I bind it on an interface VLAN i see no incoming traffic:
show policy-map interface
Vlan1012
Service-policy input: PM-100Mbit
class-map: class-default (match-any)
Match: any
police :
100000000 bps 18750000 limit 18750000 extended limit
Earl in slot 4 :
0 bytes
30 second offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Earl in slot 5 :
0 bytes
30 second offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Service-policy output: PM-100Mbit
class-map: class-default (match-any)
Match: any
police :
100000000 bps 18750000 limit 18750000 extended limit
Earl in slot 4 :
1005376843668 bytes
30 second offered rate 33016448 bps
aggregate-forwarded 1005362388151 bytes action: transmit
exceeded 14455517 bytes action: drop
aggregate-forward 30943792 bps exceed 0 bps
Earl in slot 5 :
1828318775 bytes
30 second offered rate 1296 bps
aggregate-forwarded 1828318775 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 1272 bps exceed 0 bps
Is this a bug or am I doing something wrong here?Hello
As I understand it , this is command is required in mls qos because on a SVI ( L3 vlan interface) runs in a vlan-based mode which differs from normal L3 routed interfaces which run in interface mode.
As per cisco ="In VLAN-based mode, the policy map that is attached to the Layer 2 interface is ignored, and QoS is driven by the policy map that is attached to the corresponding VLAN interface."
Lastly regards
Try matching on all traffic incoming on the trunk interface on that switch for it to successfully police incoming traffic:
class-map V102
match input-interface x/x
Policy-map POLICE
class V102
Police xxxx xxxx
res
Paul -
C3750X - Power supply OIDs problems
Hello,
We are trying to monitor two stacks of CISCO WS-c3750X running IOS 12.2.(58)SE.
We can get the state of the power supplies, but after a power cycle or reboot of the switches the identifier of ONE of the Power supplies ALWAYS change. The OIDs for the rest of the PS do not vary. The problem happens in the two stacks.
Any idea or work around?
Kind regards
MarkHi,
I'm trying to determine if the issue addressed in this post is a match with the following symptom:
As you can see from the output below - the switch 2 power supplies appear to be healthy:
SWITCH#show env power switch 1
SW PID Serial# Status Sys Pwr PoE Pwr Watts
1A C3KX-PWR-350WAC AZS161707F3 OK Good Good 350/0
1B C3KX-PWR-715WAC LIT16180RRU OK Good Good 715/0
SWITCH#show env power switch 2
SW PID Serial# Status Sys Pwr PoE Pwr Watts
2A C3KX-PWR-715WAC LIT16180RRY OK Good Good 715/0
2B C3KX-PWR-350WAC AZS161707FZ OK Good Good 350/0
Yet, the snmpwalk output shows a Sw2 PS2 power supply fault:
snmpwalk -v1 X.X.X.X -c READONLY .1.3.6.1.4.1.9.9.13.1.5.1
SNMPv2-SMI::enterprises.9.9.13.1.5.1.2.1035 = STRING: "Sw1, PS1 Normal, RPS NotExist"
SNMPv2-SMI::enterprises.9.9.13.1.5.1.2.1036 = STRING: "Sw1, PS2 Normal, RPS NotExist"
SNMPv2-SMI::enterprises.9.9.13.1.5.1.2.2034 = STRING: "Sw2, PS1 Normal, RPS NotExist"
SNMPv2-SMI::enterprises.9.9.13.1.5.1.2.2035 = STRING: "Sw2, PS2 Faulty, RPS NotExist"
Do my symptoms match with the issue addressed in this post ?
TIA,
Amir -
Radius accounting for QoS pppoe policy-map
Hi folks
I have a radius pushing an AVPAIR ip:sub-qos-policy-out to a virtual template for clients connected to a BRAS through PPPOE.
The AVPAIR is correctly applied to each and every pppoe session but the following link http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbbbrs1c.html is indicating that I should be able to push back to the RADIUS some traffic info per class-map/policy map. This would allow some Quota stuff and getting some info about traffic used per customer
From what I have been able to configure, i'm not getting any of this stats back to the RADIUS
the debug radius accounting :
*Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E):Orig. component type = PPPoE
*Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E): Acct-session-id pre-pended with Nas Port = 0/0/3/0
*Mar 12 05:29:00.419: RADIUS(0000000E): Config NAS IP: 0.0.0.0
*Mar 12 05:29:00.419: RADIUS(0000000E): sending
*Mar 12 05:29:00.419: RADIUS/ENCODE: Best Local IP-Address 192.168.38.133 for Radius-Server 192.168.38.131
*Mar 12 05:29:00.419: RADIUS(0000000E): Send Accounting-Request to 192.168.38.131:1813 id 1646/55, len 299
*Mar 12 05:29:00.419: RADIUS: authenticator ED 94 CF EE BD 73 30 7E - 93 07 A4 C3 50 A6 03 DE
*Mar 12 05:29:00.419: RADIUS: Acct-Session-Id [44] 18 "0/0/3/0_00000005"
*Mar 12 05:29:00.419: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Mar 12 05:29:00.419: RADIUS: Framed-IP-Address [8] 6 10.10.10.2
*Mar 12 05:29:00.419: RADIUS: User-Name [1] 9 "olivier"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 35
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 29
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 23 "nas-tx-speed=10000000"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 29
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 23 "nas-rx-speed=10000000"
*Mar 12 05:29:00.419: RADIUS: Acct-Session-Time [46] 6 2582
*Mar 12 05:29:00.419: RADIUS: Acct-Input-Octets [42] 6 7232
*Mar 12 05:29:00.419: RADIUS: Acct-Output-Octets [43] 6 7232
*Mar 12 05:29:00.419: RADIUS: Acct-Input-Packets [47] 6 517
*Mar 12 05:29:00.419: RADIUS: Acct-Output-Packets [48] 6 517
*Mar 12 05:29:00.419: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Mar 12 05:29:00.419: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
*Mar 12 05:29:00.419: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 15
*Mar 12 05:29:00.419: RADIUS: cisco-nas-port [2] 9 "0/0/3/0"
*Mar 12 05:29:00.419: RADIUS: NAS-Port [5] 6 50331648
*Mar 12 05:29:00.419: RADIUS: NAS-Port-Id [87] 9 "0/0/3/0"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 41
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 35 "client-mac-address=aabb.cc00.6430"
*Mar 12 05:29:00.419: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 12 05:29:00.419: RADIUS: NAS-IP-Address [4] 6 192.168.38.133
*Mar 12 05:29:00.419: RADIUS: Ascend-Session-Svr-K[151] 10
*Mar 12 05:29:00.419: RADIUS: 37 39 38 32 45 41 38 30 [ 7982EA80]
*Mar 12 05:29:00.419: RADIUS: Acct-Delay-Time [41] 6 0
*Mar 12 05:29:00.419: RADIUS(0000000E): Started 5 sec timeout
*Mar 12 05:29:00.419: RADIUS: Received from id 1646/55 192.168.38.131:1813, Accounting-response, len 20
*Mar 12 05:29:00.419: RADIUS: authenticator A7 0E 79 40 C5 B5 CF DC - 09 46 27 48 52 BE 01 7D
What I get in the freeradius log :
Tue Mar 11 22:30:04 2014
Acct-Session-Id = "0/0/3/0_00000005"
Framed-Protocol = PPP
Framed-IP-Address = 10.10.10.2
User-Name = "olivier"
Cisco-AVPair = "connect-progress=LAN Ses Up"
Cisco-AVPair = "nas-tx-speed=10000000"
Cisco-AVPair = "nas-rx-speed=10000000"
Acct-Session-Time = 2646
Acct-Input-Octets = 7428
Acct-Output-Octets = 7428
Acct-Input-Packets = 531
Acct-Output-Packets = 531
Acct-Authentic = RADIUS
Acct-Status-Type = Interim-Update
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/0"
NAS-Port = 50331648
NAS-Port-Id = "0/0/3/0"
Cisco-AVPair = "client-mac-address=aabb.cc00.6430"
Service-Type = Framed-User
NAS-IP-Address = 192.168.38.133
X-Ascend-Session-Svr-Key = "7982EA80"
Acct-Delay-Time = 0
Acct-Unique-Session-Id = "523eac6ae326a778"
Timestamp = 1394602204
Request-Authenticator = Verified
user config in the users file on the freeradius server :
olivier Cleartext-Password := "olivier"
Service-Type = Framed-User,
Cisco-AVPair += "ip:addr-pool=pppoepool",
Cisco-AVpair += "ip:sub-qos-policy-out=TEST"
I see that the policy map name is pulled correctly from the radius server and applied to the session :
#sh policy-map session uid 14
SSS session identifier 14 -
Service-policy output: TEST
Class-map: TEST (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police:
cir 8000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Any input very welcomeCisco sever is working fine. When you do use non-standard or non-RFC requests from your NAS to the AAA server for instance, you have to configure your server accordingly to instruct it how to handle this kind of requests.
This is typically done with something called "dictionary", which should be included in your radius server. The server typically decodes all RFC 2865 VSAs (or should), but when a new NAS model is introduced into the network, you can modify it to add any VSAs not appearing in the dictionary, which is your case.
As an example, imagine you want to change the attribute cisco-vsa-port-string to tagged-string, your dictionary will look somethign similar than:
And finally you will have to modify with a text editor, or XML editor and change type="tagged-string" supposing your device comply with RFC 2868. Probably
the AAA server will have to restarted for taking this
changes into account.
Also,since this does apply to all devices for this vendor, you've got other option more, which is define your own dictionary for a specific vendor, or even if you wish for a specific NAS or group or NASes.
In NavisRadius you could associate a dictionary to a
device adding a client-class:
# Client-IP Client-Secret Client-Class
10.0.0.1 secret taos-old
And then specifying the dictionary later in client_properties for this device:
# This file contains information about client classes # and is used to set per-client specific information.
# TAOS Devices in OLD mode with RFC conflicts
taos-old
Client-Dictionary=max_dictionary
# Other devices now, etc.
Hope it helps -
Hi, all:
I'm trying to configure TrendMicro IOS content filtering. I have this working on a separate box, running 15.1.
On this particular testbed, I have a 2900 running:
System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T1.bin"
And the following licensing:
Technology Package License Information for Module:'c2900'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
uc uck9 Permanent uck9
data datak9 Permanent datak9
Configuration register is 0x2102
CUBE_GOLD_MEX#show ip trm subscription status
Package Name: Security & Productivity (Trial)
Status: Active
Status Update Time: 18:02:51 CST Mon Jul 23 2012
Expiration-Date: Mon Aug 20 02:00:00 2012
Last Req Status: Processed response successfully
Last Req Sent Time: 18:02:51 CST Mon Jul 23 2012
CUBE_GOLD_MEX#
Also, I have the following config lines on it:
ip host trps.trendmicro.com 216.104.8.100
ip name-server 4.2.2.2
ip cef
multilink bundle-name authenticated
parameter-map type urlfpolicy trend tm-pmap
allow-mode on
[snip]
parameter-map type trend-global trend-glob-map
class-map type inspect match-all http-imap
match protocol http
class-map type urlfilter trend match-any drop-category
match url category Abortion
match url category Activist-Groups
match url category Adult-Mature-Content
match url reputation ADWARE
match url reputation DIALER
match url reputation DISEASE-VECTOR
match url reputation HACKING
match url reputation PASSWORD-CRACKING-APPLICATIONS
match url reputation PHISHING
match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
match url reputation SPYWARE
match url reputation VIRUS-ACCOMPLICE
policy-map type inspect urlfilter trend-policy
class type urlfilter trend drop-category
I have not been able to get to the good part of configuring the ZBF.
I've looked over several configuration examples and can't figure out what I'm doing wrong, since I'm not able to see the command 'parameter-map' under the 'policy-map urlfiltering'
XXXXXX(config)#policy-map type inspect urlfilter trend-policy
XXXXXX(config-pmap)#?
Policy-map configuration commands:
class policy criteria
description Policy-Map description
exit Exit from policy-map configuration mode
no Negate or set default values of a command
XXXXXX(config-pmap)#
I thought it might be an issue with version 15.2.3, but according to configuration guides, commands are the same.
Can anyone provide some assistance?
TIA.
c.Hi Carlos,
I am having the same problem. I have seen a few diffenent configuration examples and they all show adding the "parameter type urlfpolicy trend parm-map-name" command but it doesn't exist, at least in 15.2(3)T1 and I see it listed in the the IOS documentation for 15.2. Maybe they forgot it :-)
I guess I will open a TAC case as I do not want to downgrade...
I will keep you posted if I find the answer.
Regards,
Troy -
Hi,
I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
I have 3 web servers behind a router.
Public interface: 3 public ip adresses
Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
I would to know the best way to redirect http traffic to the right server.
My idea is to map a public address to a private address, via NAT, but I'm not sure for the configuration. I could also redirect via Policy-map and filter by url content.
So if you have some advise for this case, it would be really appreciated.
Thank you.
Chris.Hello Christophe,
As I understand you want 1st that ;
if somebody go to A.local.com from internet then he will redirect to 192.168.1.10 in your internal network.
That means, you need static mapping between your public @ip address and your local ip address.
for this example, your local interface is Fa0/0.1 and I dont your public interface because it is not mention in your diagram. I will suppose S0/0 for public interface.
that is the config for the Web Server1. You can do the same with the remaining servers:
interface fa0/0.1
ip nat inside
interface serial0/0
ip nat outside
ip nat inside source static 192.168.1.10 172.1.2.3
static mapping from local to public.
I suppose you have done the dns mapping in your network and the ISP have done the same in his network.
ip route 171.1.2.3 interface serial0/0
or
ip route 0.0.0.0 0.0.0.0 interface serial0/0.
After these step for each web server, you will get the mapping.
Now you can restrict access to this ip only to http or https protocol on your isp and after on your local network
like
ip access-list extended ACL_WebServer1
permit ip any 192.168.1.10 eq www
deny ip any 192.168.1.10
exit
interface fa0/0.1
ip acess-group ACL_WebServer1 in
no shut
exit
That is the first step.
Second step : you want to filter traffic by url, that means layer 5 to 7 filtering.
I am not sure that it is possible using cisco router with (ZBF + Regex).
Check the first step and let us know !
Please rate and mark as correct if it is the case.
Regards, -
Policy-map based rate-limiting per vlan
Hi
I was thinking if someone could help me to come up with solution to a problem. Scenario as follow:
I have a trunk interface with multiple vlans on:
interface GigabitEthernet2/0/3
description TRUNK-to-*********
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 415,416,610,1191-1193,1195
switchport mode trunk
duplex full
storm-control broadcast level pps 1k
storm-control multicast level pps 3k
storm-control unicast level pps 250k
storm-control action trap
spanning-tree portfast trunk
spanning-tree bpdufilter enable
I'm trying to rate limit two of the vlans that are present on this trunk interface - vlan 415 and vlan 1192.
So I'm putting the class-map (to be later applied under the policy-map which is not significant here):
(config)#class-map match-any 120-mbps-class
(config-cmap)#match input-interface vlan 415
(config-cmap)#match input-interface vlan 1192
Now, when you show the class-map I created, I can see this:
sh class-map 120-mbps-class
Class Map match-any 120-mbps-class (id 1)
Match input-interface Vlan415
Match input-interface FastEthernet0
For some bizzare reason class-map is matching the Fa0. I have researched this, and this is most probably because you can only match 1 vlan instance under the class-map.
And here's my problem - I can't police whole interface as the other vlans should not be policed - how can I police those two vlans ?
Any thoughts ? All help appreciated as always.
Rob.Hi Daniel,
I have labed it and unfortuantely it does not work as expected. I have put 1x 3750 and 1x 2960 trunk between them, each box had an access port for laptop to create some traffic across. All vlan-based qos has been applied on 3750G.
3750G config
Interface g1/0/20
descriprion trunk
swicthport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 100,120
Interface g1/0/1
description access
switchport mode access
switchport access vlan 100
Interface vlan 100
ip address 192.168.100.254
service-policy input PARENT-POLICER
Interface vlan 120
ip address 10.10.10.1
Policy-map PARENT-POLICER
class PERMIT-ANY-CLASS
trust COS
service-policy CHILD-POLICER
class-map match-any PERMIT-ANY-CLASS
match access-group name POLICY-LIST
Extended IP access list POLICY-LIST
10 permit ip any any
Policy-map CHILD-POLICER
class INTERFACE-POLICE-CLASS
police 100000 8000 exceed-action drop
Class Map match-any INTERFACE-POLICE-CLASS
Match input-interface GigabitEthernet1/0/20
2960 config:
interface g0/20
switchport mode trunk
switchport trunk allowed vlan 100,120
interface g0/1
switchport mode access
switchport access vlan 100
interface vlan 100
ip address 192.168.100.253
interface vlan 120
ip address 10.10.10.2
So as you can see vlan 100 is the one it need to be rate limited (I have only rate limited to 100kbps just to see if it's working) and vlan 120 is only on the trunk ports to confirm if the traffic for this one is not affected.
Unfortunately when the policing is applied on 3750 vlan 100 (and policing is working fine) then I can see the packet loss while pinging between switches on vlan 120 suggesting that the policy is affecting the other vlan as well. When I take the policy out of the vlan 100 I cannot observe the packet loss on vlan 120 meaning is no longer affected.
Not sure if I have explained this clear enough so far, if not let me know.
Do you have any suggestions ?
Thanks! -
Dears HI
please i want to limit Input traffic to a port c3750 to 20Mbps , by Policy-Map
#policy-map A-PM
# class A-CM
#police 20000000 ?
<8000-1000000> Normal burst bytes
#police 20000000 3750000 ?
% Unrecognized command
As you know Normal Burst Bytes of 20Mbps is 3750000 , so why i cant issue this number ?
PLEASE HELP MEHi Rawa,
I dont't agree that the normal burst size would be 3750000.
Go through the following links to calculate the correct burst size:
https://supportforums.cisco.com/thread/151681and https://learningnetwork.cisco.com/thread/53215
Thanks
Ankur
"Please rate the post if found useful" -
I have configured policy-maps and class-maps on 3550 and 3560 switches.
The following is excerpt....
class-map match-any voip_class
match access-group 100
policy-map voip_policy
class voip_class
trust dscp
interface GigabitEthernet0/12
service-policy input voip_policy
priority-queue out
access-list 100 permit udp any any
I have the access-list 'open' for testing purposes.
However when I run the command 'sh policy-map int gi0/12' I get no counters increasing.
Should I?
Also if I run the 'sh access-list 100' command, should I get increasing counters?
Thanks for any help
Nik MihelioudakisSh policy map is not supported on this platform
http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdy50035
Use "show mls qos interface gig0/12 statistics" instead. -
Ok I am going insane here! I have a policy map on one of my 5k's but not the other and seem to create it either. They are in an active/active pair. Here is the policy, can someone help me understand what it is and maybe why I cant create it on my other device?
policy-map type control-plane copp-system-policy-customized
class copp-system-class-hsrp-vrrp
police cir 1024 kbps bc 256000 bytes
class copp-system-class-l3dest-miss
police cir 64 kbps bc 16000 bytesYes vPC pair. The issue is I enter the commands but they do not show in the running config on one of the two units...
N5K1
N5K2
show policy-map type control-plane
policy-map type control-plane copp-system-policy-customized
class copp-system-class-igmp
police cir 1024 kbps bc 65535 bytes
class copp-system-class-pim-hello
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bridging
police cir 20000 kbps bc 4800000 bytes
class copp-system-class-arp
police cir 1024 kbps bc 3600000 bytes
class copp-system-class-dhcp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-mgmt
police cir 12000 kbps bc 4800000 bytes
class copp-system-class-lacp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-lldp
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-udld
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-isis
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-msdp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-cdp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-fip
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bgp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-eigrp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-exception
police cir 64 kbps bc 4800000 bytes
class copp-system-class-glean
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-hsrp-vrrp
police cir 1024 kbps bc 256000 bytes
class copp-system-class-icmp-echo
police cir 64 kbps bc 3600000 bytes
class copp-system-class-ospf
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-pim-register
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-rip
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-l3dest-miss
police cir 64 kbps bc 16000 bytes
class copp-system-class-mcast-miss
police cir 256 kbps bc 3200000 bytes
class copp-system-class-excp-ip-frag
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-same-if
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-ttl
police cir 64 kbps bc 3200000 bytes
class copp-system-class-default
police cir 512 kbps bc 6400000 bytes
class copp-system-class-rpf-fail
police cir 512 kbps bc 3200000 bytes
class copp-system-class-mcast-last-hop
police cir 512 kbps bc 3200000 bytes
policy-map type control-plane copp-system-policy-default
class copp-system-class-igmp
police cir 1024 kbps bc 65535 bytes
class copp-system-class-pim-hello
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bridging
police cir 20000 kbps bc 4800000 bytes
class copp-system-class-arp
police cir 1024 kbps bc 3600000 bytes
class copp-system-class-dhcp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-mgmt
police cir 12000 kbps bc 4800000 bytes
class copp-system-class-lacp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-lldp
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-udld
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-isis
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-msdp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-cdp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-fip
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bgp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-eigrp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-exception
police cir 64 kbps bc 4800000 bytes
class copp-system-class-glean
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-hsrp-vrrp
police cir 1024 kbps bc 256000 bytes
class copp-system-class-icmp-echo
police cir 64 kbps bc 3600000 bytes
class copp-system-class-ospf
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-pim-register
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-rip
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-l3dest-miss
police cir 64 kbps bc 16000 bytes
class copp-system-class-mcast-miss
police cir 256 kbps bc 3200000 bytes
class copp-system-class-excp-ip-frag
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-same-if
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-ttl
police cir 64 kbps bc 3200000 bytes
class copp-system-class-default
police cir 512 kbps bc 6400000 bytes
class copp-system-class-rpf-fail
police cir 512 kbps bc 3200000 bytes
class copp-system-class-mcast-last-hop
police cir 512 kbps bc 3200000 bytes
policy-map type control-plane copp-system-policy-scaled-l2
class copp-system-class-igmp
police cir 4096 kbps bc 264000 bytes
class copp-system-class-pim-hello
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bridging
police cir 20000 kbps bc 4800000 bytes
class copp-system-class-arp
police cir 1024 kbps bc 3600000 bytes
class copp-system-class-dhcp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-mgmt
police cir 12000 kbps bc 4800000 bytes
class copp-system-class-lacp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-lldp
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-udld
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-isis
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-msdp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-cdp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-fip
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bgp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-eigrp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-exception
police cir 64 kbps bc 4800000 bytes
class copp-system-class-glean
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-hsrp-vrrp
police cir 1024 kbps bc 256000 bytes
class copp-system-class-icmp-echo
police cir 64 kbps bc 3600000 bytes
class copp-system-class-ospf
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-pim-register
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-rip
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-l3dest-miss
police cir 64 kbps bc 16000 bytes
class copp-system-class-mcast-miss
police cir 256 kbps bc 3200000 bytes
class copp-system-class-excp-ip-frag
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-same-if
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-ttl
police cir 64 kbps bc 3200000 bytes
class copp-system-class-default
police cir 512 kbps bc 6400000 bytes
class copp-system-class-rpf-fail
police cir 512 kbps bc 3200000 bytes
class copp-system-class-mcast-last-hop
police cir 512 kbps bc 3200000 bytes
policy-map type control-plane copp-system-policy-scaled-l3
class copp-system-class-igmp
police cir 4096 kbps bc 264000 bytes
class copp-system-class-pim-hello
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bridging
police cir 20000 kbps bc 4800000 bytes
class copp-system-class-arp
police cir 4000 kbps bc 3600000 bytes
class copp-system-class-dhcp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-mgmt
police cir 12000 kbps bc 4800000 bytes
class copp-system-class-lacp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-lldp
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-udld
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-isis
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-msdp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-cdp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-fip
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bgp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-eigrp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-exception
police cir 64 kbps bc 4800000 bytes
class copp-system-class-glean
police cir 4000 kbps bc 4800000 bytes
class copp-system-class-hsrp-vrrp
police cir 1024 kbps bc 256000 bytes
class copp-system-class-icmp-echo
police cir 4000 kbps bc 3600000 bytes
class copp-system-class-ospf
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-pim-register
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-rip
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-l3dest-miss
police cir 64 kbps bc 16000 bytes
class copp-system-class-mcast-miss
police cir 512 kbps bc 3200000 bytes
class copp-system-class-excp-ip-frag
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-same-if
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-ttl
police cir 64 kbps bc 3200000 bytes
class copp-system-class-default
police cir 512 kbps bc 6400000 bytes
class copp-system-class-rpf-fail
police cir 512 kbps bc 3200000 bytes
class copp-system-class-mcast-last-hop
police cir 512 kbps bc 3200000 bytes
NEXUS5K001# show policy-map interface control-plane
Control Plane
service-policy input: copp-system-policy-customized
class-map copp-system-class-igmp (match-any)
match protocol igmp
police cir 1024 kbps , bc 65535 bytes
conformed 834102 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-pim-hello (match-any)
match protocol pim
police cir 1024 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-bridging (match-any)
match protocol bridging
police cir 20000 kbps , bc 4800000 bytes
conformed 184965072 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-arp (match-any)
match protocol arp
match protocol nd
police cir 1024 kbps , bc 3600000 bytes
conformed 1711299342 bytes; action: transmit
violated 467458 bytes;
class-map copp-system-class-dhcp (match-any)
match protocol dhcp
police cir 1024 kbps , bc 4800000 bytes
conformed 96669859 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-mgmt (match-any)
match protocol mgmt
police cir 12000 kbps , bc 4800000 bytes
conformed 3420991988 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-lacp (match-any)
match protocol lacp
police cir 1024 kbps , bc 4800000 bytes
conformed 5003732 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-lldp (match-any)
match protocol lldp_dcx
police cir 2048 kbps , bc 4800000 bytes
conformed 8283269 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-udld (match-any)
match protocol udld
police cir 2048 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-isis (match-any)
match protocol isis_dce
police cir 1024 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-msdp (match-any)
match protocol msdp
police cir 9600 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-cdp (match-any)
match protocol cdp
police cir 1024 kbps , bc 4800000 bytes
conformed 5995146 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-fip (match-any)
match protocol fip
police cir 1024 kbps , bc 4800000 bytes
conformed 7396000 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-bgp (match-any)
match protocol bgp
police cir 9600 kbps , bc 4800000 bytes
conformed 52049287 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-eigrp (match-any)
match protocol eigrp
match protocol eigrp6
police cir 9600 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-exception (match-any)
match protocol exception
police cir 64 kbps , bc 4800000 bytes
conformed 16415315 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-glean (match-any)
match protocol glean
police cir 1024 kbps , bc 4800000 bytes
conformed 94203992002 bytes; action: transmit
violated 5920334550 bytes;
class-map copp-system-class-hsrp-vrrp (match-any)
match protocol hsrp_vrrp
match protocol hsrp6
police cir 1024 kbps , bc 256000 bytes
conformed 54227844 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-icmp-echo (match-any)
match protocol icmp_echo
police cir 64 kbps , bc 3600000 bytes
conformed 184940591 bytes; action: transmit
violated 46970 bytes;
class-map copp-system-class-ospf (match-any)
match protocol ospf
match protocol ospf3
police cir 9600 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-pim-register (match-any)
match protocol reg
police cir 9600 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-rip (match-any)
match protocol rip
police cir 9600 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-l3dest-miss (match-any)
match protocol unicast
police cir 64 kbps , bc 16000 bytes
conformed 4214 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-mcast-miss (match-any)
match protocol multicast
police cir 256 kbps , bc 3200000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-excp-ip-frag (match-any)
match protocol ip_frag
police cir 64 kbps , bc 3200000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-excp-same-if (match-any)
match protocol same-if
police cir 64 kbps , bc 3200000 bytes
conformed 17075590565 bytes; action: transmit
violated 370668351863 bytes;
class-map copp-system-class-excp-ttl (match-any)
match protocol ttl
police cir 64 kbps , bc 3200000 bytes
conformed 1243144216 bytes; action: transmit
violated 1611787 bytes;
class-map copp-system-class-default (match-any)
match protocol default
police cir 512 kbps , bc 6400000 bytes
conformed 157079876 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-rpf-fail (match-any)
police cir 512 kbps , bc 3200000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-mcast-last-hop (match-any)
police cir 512 kbps , bc 3200000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
NEXUS5K001# show running copp all
!Command: show running-config copp all
!Time: Wed Mar 31 13:35:40 2010
version 6.0(2)N1(2a)
control-plane
scale-factor 1.00 module 1
scale-factor 1.00 module 2
scale-factor 1.00 module 3
control-plane
service-policy input copp-system-policy-customized
NEXUS5K001#
Nexus 5000 Switch
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2013, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
NEXUS5K002# show policy-map type control-plane
policy-map type control-plane copp-system-policy-customized
class copp-system-class-igmp
police cir 1024 kbps bc 65535 bytes
class copp-system-class-pim-hello
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bridging
police cir 20000 kbps bc 4800000 bytes
class copp-system-class-arp
police cir 1024 kbps bc 3600000 bytes
class copp-system-class-dhcp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-mgmt
police cir 12000 kbps bc 4800000 bytes
class copp-system-class-lacp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-lldp
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-udld
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-isis
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-msdp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-cdp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-fip
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bgp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-eigrp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-exception
police cir 64 kbps bc 4800000 bytes
class copp-system-class-glean
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-hsrp-vrrp
police cir 1024 kbps bc 256000 bytes
class copp-system-class-icmp-echo
police cir 64 kbps bc 3600000 bytes
class copp-system-class-ospf
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-pim-register
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-rip
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-l3dest-miss
police cir 64 kbps bc 16000 bytes
class copp-system-class-mcast-miss
police cir 256 kbps bc 3200000 bytes
class copp-system-class-excp-ip-frag
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-same-if
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-ttl
police cir 64 kbps bc 3200000 bytes
class copp-system-class-default
police cir 512 kbps bc 6400000 bytes
class copp-system-class-rpf-fail
police cir 512 kbps bc 3200000 bytes
class copp-system-class-mcast-last-hop
police cir 512 kbps bc 3200000 bytes
policy-map type control-plane copp-system-policy-default
class copp-system-class-igmp
police cir 1024 kbps bc 65535 bytes
class copp-system-class-pim-hello
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bridging
police cir 20000 kbps bc 4800000 bytes
class copp-system-class-arp
police cir 1024 kbps bc 3600000 bytes
class copp-system-class-dhcp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-mgmt
police cir 12000 kbps bc 4800000 bytes
class copp-system-class-lacp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-lldp
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-udld
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-isis
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-msdp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-cdp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-fip
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bgp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-eigrp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-exception
police cir 64 kbps bc 4800000 bytes
class copp-system-class-glean
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-hsrp-vrrp
police cir 1024 kbps bc 256000 bytes
class copp-system-class-icmp-echo
police cir 64 kbps bc 3600000 bytes
class copp-system-class-ospf
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-pim-register
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-rip
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-l3dest-miss
police cir 64 kbps bc 16000 bytes
class copp-system-class-mcast-miss
police cir 256 kbps bc 3200000 bytes
class copp-system-class-excp-ip-frag
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-same-if
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-ttl
police cir 64 kbps bc 3200000 bytes
class copp-system-class-default
police cir 512 kbps bc 6400000 bytes
class copp-system-class-rpf-fail
police cir 512 kbps bc 3200000 bytes
class copp-system-class-mcast-last-hop
police cir 512 kbps bc 3200000 bytes
policy-map type control-plane copp-system-policy-scaled-l2
class copp-system-class-igmp
police cir 4096 kbps bc 264000 bytes
class copp-system-class-pim-hello
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bridging
police cir 20000 kbps bc 4800000 bytes
class copp-system-class-arp
police cir 1024 kbps bc 3600000 bytes
class copp-system-class-dhcp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-mgmt
police cir 12000 kbps bc 4800000 bytes
class copp-system-class-lacp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-lldp
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-udld
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-isis
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-msdp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-cdp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-fip
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bgp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-eigrp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-exception
police cir 64 kbps bc 4800000 bytes
class copp-system-class-glean
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-hsrp-vrrp
police cir 1024 kbps bc 256000 bytes
class copp-system-class-icmp-echo
police cir 64 kbps bc 3600000 bytes
class copp-system-class-ospf
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-pim-register
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-rip
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-l3dest-miss
police cir 64 kbps bc 16000 bytes
class copp-system-class-mcast-miss
police cir 256 kbps bc 3200000 bytes
class copp-system-class-excp-ip-frag
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-same-if
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-ttl
police cir 64 kbps bc 3200000 bytes
class copp-system-class-default
police cir 512 kbps bc 6400000 bytes
class copp-system-class-rpf-fail
police cir 512 kbps bc 3200000 bytes
class copp-system-class-mcast-last-hop
police cir 512 kbps bc 3200000 bytes
policy-map type control-plane copp-system-policy-scaled-l3
class copp-system-class-igmp
police cir 4096 kbps bc 264000 bytes
class copp-system-class-pim-hello
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bridging
police cir 20000 kbps bc 4800000 bytes
class copp-system-class-arp
police cir 4000 kbps bc 3600000 bytes
class copp-system-class-dhcp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-mgmt
police cir 12000 kbps bc 4800000 bytes
class copp-system-class-lacp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-lldp
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-udld
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-isis
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-msdp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-cdp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-fip
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bgp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-eigrp
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-exception
police cir 64 kbps bc 4800000 bytes
class copp-system-class-glean
police cir 4000 kbps bc 4800000 bytes
class copp-system-class-hsrp-vrrp
police cir 1024 kbps bc 256000 bytes
class copp-system-class-icmp-echo
police cir 4000 kbps bc 3600000 bytes
class copp-system-class-ospf
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-pim-register
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-rip
police cir 9600 kbps bc 4800000 bytes
class copp-system-class-l3dest-miss
police cir 64 kbps bc 16000 bytes
class copp-system-class-mcast-miss
police cir 512 kbps bc 3200000 bytes
class copp-system-class-excp-ip-frag
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-same-if
police cir 64 kbps bc 3200000 bytes
class copp-system-class-excp-ttl
police cir 64 kbps bc 3200000 bytes
class copp-system-class-default
police cir 512 kbps bc 6400000 bytes
class copp-system-class-rpf-fail
police cir 512 kbps bc 3200000 bytes
class copp-system-class-mcast-last-hop
police cir 512 kbps bc 3200000 bytes
NEXUS5K002# show policy-map interface control-plane
Control Plane
service-policy input: copp-system-policy-customized
class-map copp-system-class-igmp (match-any)
match protocol igmp
police cir 1024 kbps , bc 65535 bytes
conformed 1099702577173 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-pim-hello (match-any)
match protocol pim
police cir 1024 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-bridging (match-any)
match protocol bridging
police cir 20000 kbps , bc 4800000 bytes
conformed 1117682720167 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-arp (match-any)
match protocol arp
match protocol nd
police cir 1024 kbps , bc 3600000 bytes
conformed 7392073468 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-dhcp (match-any)
match protocol dhcp
police cir 1024 kbps , bc 4800000 bytes
conformed 1554060880 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-mgmt (match-any)
match protocol mgmt
police cir 12000 kbps , bc 4800000 bytes
conformed 3360293230 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-lacp (match-any)
match protocol lacp
police cir 1024 kbps , bc 4800000 bytes
conformed 1100653025235 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-lldp (match-any)
match protocol lldp_dcx
police cir 2048 kbps , bc 4800000 bytes
conformed 1101335075091 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-udld (match-any)
match protocol udld
police cir 2048 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-isis (match-any)
match protocol isis_dce
police cir 1024 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-msdp (match-any)
match protocol msdp
police cir 9600 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-cdp (match-any)
match protocol cdp
police cir 1024 kbps , bc 4800000 bytes
conformed 1100822976136 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-fip (match-any)
match protocol fip
police cir 1024 kbps , bc 4800000 bytes
conformed 1334982352 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-bgp (match-any)
match protocol bgp
police cir 9600 kbps , bc 4800000 bytes
conformed 55322608 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-eigrp (match-any)
match protocol eigrp
match protocol eigrp6
police cir 9600 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-exception (match-any)
match protocol exception
police cir 64 kbps , bc 4800000 bytes
conformed 7678996 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-glean (match-any)
match protocol glean
police cir 1024 kbps , bc 4800000 bytes
conformed 22710843199 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-hsrp-vrrp (match-any)
match protocol hsrp_vrrp
match protocol hsrp6
police cir 1024 kbps , bc 256000 bytes
conformed 12316200612 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-icmp-echo (match-any)
match protocol icmp_echo
police cir 64 kbps , bc 3600000 bytes
conformed 50470007 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-ospf (match-any)
match protocol ospf
match protocol ospf3
police cir 9600 kbps , bc 4800000 bytes
conformed 3366 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-pim-register (match-any)
match protocol reg
police cir 9600 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-rip (match-any)
match protocol rip
police cir 9600 kbps , bc 4800000 bytes
conformed 12510 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-l3dest-miss (match-any)
match protocol unicast
police cir 64 kbps , bc 16000 bytes
conformed 15136 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-mcast-miss (match-any)
match protocol multicast
police cir 256 kbps , bc 3200000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-excp-ip-frag (match-any)
match protocol ip_frag
police cir 64 kbps , bc 3200000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-excp-same-if (match-any)
match protocol same-if
police cir 64 kbps , bc 3200000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-excp-ttl (match-any)
match protocol ttl
police cir 64 kbps , bc 3200000 bytes
conformed 8531281 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-default (match-any)
match protocol default
police cir 512 kbps , bc 6400000 bytes
conformed 33212075608 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-rpf-fail (match-any)
police cir 512 kbps , bc 3200000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-mcast-last-hop (match-any)
police cir 512 kbps , bc 3200000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
NEXUS5K002# show running copp all
!Command: show running-config copp all
!Time: Wed Mar 31 13:38:37 2010
version 6.0(2)N1(2a)
control-plane
scale-factor 1.00 module 1
scale-factor 1.00 module 2
scale-factor 1.00 module 3
policy-map type control-plane copp-system-policy-customized
class copp-system-class-hsrp-vrrp
police cir 1024 kbps bc 256000 bytes
class copp-system-class-l3dest-miss
police cir 64 kbps bc 16000 bytes
control-plane
service-policy input copp-system-policy-customized
NEXUS5K002# -
Hi,
I am trying to bypass some ip network from policy-map rule.It`s not working.Any one please help me to resolve the problem.
class-map match-any http
match not access-group name http-allow
match protocol http host "www.yyyy.com"
match protocol http host "www.xxxx.net"
policy-map http
class http
police 8000 conform-action drop exceed-action drop
ip access-list extended http-allow
permit ip 192.168.100.2 0.0.0.1 any
permit ip any 192.168.100.2 0.0.0.1
permit ip any any
interface FastEthernet0/0 (WAN Interface)
service-policy input httpthe ACL that you have configured is sourcing from the internal host to any on the outside. So you would need to apply that on the inside interface.
If you would like to limit the return traffic towards that host, then you would need to configure ACL with source any and destination the NATed ip address of that internal host.
Maybe you are looking for
-
Barcode is not getting printed in Sapscript
Hi, I want to print the PO as barcode in my Script. I have converted the output to PDF format I have created a character format for this and given C128A as Barcode and used this character format to print the barcode. but the barcode is not geettting
-
Safari 5.1.2 Youtube HTML5-Video issues
Fullscreen-Button on Youtube doesn't work for HTML5 videos on Youtube in Safari. Also there are problems with the video performance. The process QTKitServer Safari Webcontent has 105% CPU, the whole MacBook is very slow in that moment. This is only a
-
IMac (late 2009) won't sleep automatically
Hi everyone, I hope anyone can help me out with this: My iMac doesn't go to sleep automatically after the time I set in the preferences menu. The only thing that happens is that the display switches off. I already tried several things: deleted the fi
-
Introducing Shine Pattern A brief history of Shine When we started to do a project we encountered an important problem. Developing a project with amateur developers is very dangerous. Because new developers don't care about some important things, and
-
About Knowledge Exchange Portal (portalstudio)
Hi I really do not understand why you guys decided to take out the Knowledge Exchange Portal. This place was THE PLACE to get in the move with Oracle Portal. Developers could share and find things. Definitely was not the best user friendly interface,