Class-default traffic drop in congension

Hi Guys,
Please consider the following example and share your thoughts:
In a MQC deployement, consider that there are following two classes defined:
Class1: EF marking with priority 20%
Class2: AF41 marking with bandwidth 40%
All remaining traffic except above said two classes will go to default class known as class-default.
In case of congestion, which traffic will drop in class-default.
As per my understanding class-default will match all traffic except EF, AF41, CS6 & CS7 (EF is defined in Class1, AF41 is defined in Class2, CS6 & CS7 will be considered as control traffic for 25% reserve bandwidth) and during congestion on all classes (including class-default) class-default will not carry the traffic marked with EF, AF41, CS6 & CS7 instead it will carry the low priority traffic (traffic from class selectors CS0, CS1, CS2, CS3 and CS4 (AF42 + AF43).
Please comment & correct if I am wrong. Do let me know if any other clarity is required on this scenerio.
Thanks.

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Actually LLQ can exceed its bandwidth allocation, if there's no interface congestion.
Class-default does not directly "consider" other class congestion.  Nor do other classes directly "consider" class-default congestion.
Excluding LLQ, what happens when there's congestion, each class is dequeued proportionally to its class (actually queue) weight relative to other classes except for class-default, pre-HQF, with FQ enabled.  The latter, has flow queues which get dequeued, also proportionally, relative to all the other queues.
Each queue, again excluding LLQ, will drop when the number of packets trying to be enqueued exceed the queue depth (in packets) allocated for that queue.
Specifically for your question, class-2, your AF41 marked traffic, will drop if it exceeds it allocated queue size.  By default, this would be tail drop.  If WRED is enabled, WRED will look at the "average" queue depth when tries to enqueue a new packet and determines, based on its settings, whether to drop that packet.
Does class-default, or other classes, have any affect?  Yes, as whatever share of interface bandwidth being otherwise used will not be available to class-2, and when it's not, class-2 may enqueue when it otherwise would not.

Similar Messages

  • N7000 : details of packets dropped by COPP policy (class-default) ?

    Hi,
    On one of our N7K, we have some packets dropped by the COPP policy in the class-default class-map. :
    Partial results of "show policy-map interface control-plane" not so long after clearing the counters :
    class-map class-default (match-any)
          set cos 0
          police cir 100 kbps , bc 250 ms
          module 1 :
            conformed 12210790 bytes; action: transmit
            violated 201870 bytes; action: drop
          module 2 :
            conformed 8399646 bytes; action: transmit
            violated 0 bytes; action: drop
          module 3 :
            conformed 34518233 bytes; action: transmit
            violated 6186895 bytes; action: drop
    What would be the best way to figure out what traffic is dropped by the policy ? Is there any logging possible ?
    Thanks,
    Laurent

    There is still no logging possible.
    What can be done is piping the class-default-traffic to some port and then analyze it with wireshark or some similar tool. But as far as I know, this still cannot be done by default - at least with NX-OS 4.2(4) we had to reprogram the module with assistance from TAC. I suggest you contact your support partner in this matter.

  • Default class map is dropping all Packets

    Hello I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time.  I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part. Any help is greatly appreciated!!!!
    The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
    Guest VLAN has access to 2 IP's in Data for printing.
    Cisco871#sh run
    Building configuration...
    Current configuration : 8005 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service sequence-numbers
    hostname Cisco871
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    no logging console
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    clock summer-time PST recurring
    crypto pki trustpoint TP-self-signed-4004039535
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4004039535
    revocation-check none
    rsakeypair TP-self-signed-4004039535
    crypto pki certificate chain TP-self-signed-4004039535
    certificate self-signed 01
      3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
      32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
      33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
      B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
      147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
      41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
      F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
      551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
      03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
      0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
      092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
      D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
      8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
      E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
      3543BD68 A4B2692D 05CBF6DC C93C8142
                quit
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.0.0.1 10.0.0.5
    ip dhcp excluded-address 172.16.15.1 172.16.15.5
    ip dhcp excluded-address 172.16.15.14
    ip dhcp excluded-address 172.16.17.1 172.16.17.5
    ip dhcp excluded-address 192.168.19.1 192.168.19.5
    ip dhcp pool MyNetNative
       import all
       network 10.0.0.0 255.255.255.248
       default-router 10.0.0.1
       domain-name MyNetNet.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       lease 0 2
    ip dhcp pool MyNetData
       import all
       network 172.16.15.0 255.255.255.240
       dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       default-router 172.16.15.1
       domain-name MyDomain.org
    ip dhcp pool MyNetVoice
       import all
       network 172.16.17.0 255.255.255.240
       dns-server 172.16.15.14
       default-router 172.16.17.1
       domain-name MyDomain.org
    ip dhcp pool MyNetGuest
       import all
       network 192.168.19.0 255.255.255.240
       default-router 192.168.19.1
       domain-name MyNetGuest.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
    ip domain name MyDomain.org
    ip name-server 172.16.15.14
    ip name-server 4.2.2.4
    ip inspect log drop-pkt
    multilink bundle-name authenticated
    parameter-map type inspect TCP_PARAM
    parameter-map type inspect global
    username MyAdmin privilege 15 secret 5 MyPassword
    archive
    log config
      hidekeys
    class-map type inspect match-all MyNetGuest-access-list
    match access-group 110
    class-map type inspect match-any Base-protocols
    match protocol http
    match protocol https
    match protocol ftp
    match protocol ssh
    match protocol dns
    match protocol ntp
    match protocol ica
    match protocol pptp
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all MyNetGuest-Class
    match class-map MyNetGuest-access-list
    match class-map Base-protocols
    class-map type inspect match-all MyNetNet-access-list
    match access-group 100
    class-map type inspect match-any Voice-protocols
    match protocol h323
    match protocol skinny
    match protocol sip
    class-map type inspect match-any Extended-protocols
    match protocol pop3
    match protocol pop3s
    match protocol imap
    match protocol imaps
    match protocol smtp
    class-map type inspect match-all MyNetNet-Class
    match class-map MyNetNet-access-list
    match class-map Voice-protocols
    match class-map Extended-protocols
    match class-map Base-protocols
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    class type inspect MyNetGuest-access-list
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetGuest-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone
    class class-default
      pass
    zone security MyNetNet-zone
    zone security MyNetGuest-zone
    zone security MyNetWAN-zone
    zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
    service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
    service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    interface FastEthernet0
    description Cisco-2849-Switch
    switchport mode trunk
    speed 100
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    description SBS-Server
    switchport access vlan 10
    spanning-tree portfast
    interface FastEthernet4
    description WAN
    no ip address
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    zone-member security MyNetWAN-zone
    ip tcp adjust-mss 1452
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    description MyNetNative
    ip address 10.0.0.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    ip tcp adjust-mss 1452
    interface Vlan10
    description MyNetData
    ip address 172.16.15.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan20
    description MyNetVoice
    ip address 172.16.17.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan69
    description MyNetGuest
    ip address 192.168.19.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetGuest-zone
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    access-list 100 remark MyNetnet
    access-list 100 permit ip 10.0.0.0 0.0.0.7 any
    access-list 100 permit ip 172.16.15.0 0.0.0.31 any
    access-list 100 permit ip 172.16.17.0 0.0.0.15 any
    access-list 110 remark MyNetGuest
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
    access-list 110 permit ip 192.168.19.0 0.0.0.15 any
    control-plane
    banner login ^CC
    You know if you should be here or not.
             if not please leave
    NOW
    ^C
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp server 172.16.15.14
    webvpn cef
    end
    Cisco871#sh zone security
    zone self
      Description: System defined zone
    zone MyNetNet-zone
      Member Interfaces:
        Vlan1
        Vlan10
        Vlan20
    zone MyNetGuest-zone
      Member Interfaces:
        Vlan69
    zone MyNetWAN-zone
      Member Interfaces:
        FastEthernet4
    Cisco871#sh zone-pair security
    Zone-pair name MyNetNet->MyNetGuest
        Source-Zone MyNetNet-zone  Destination-Zone MyNetGuest-zone
        service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
    Zone-pair name MyNetNet->MyNetWAN
        Source-Zone MyNetNet-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetWAN
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetNet
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetNet-zone
        service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
    Cisco871#sh int faste4
    FastEthernet4 is up, line protocol is up
      Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
      Description: WAN
      Internet address is 10.38.177.98/25
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:34:50, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 2000 bits/sec, 3 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         593096 packets input, 73090812 bytes
         Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog
         0 input packets with dribble condition detected
         9940 packets output, 1016025 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out
    Zone-pair: MyNetNet->MyNetWAN
      Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
        Class-map: MyNetNet-Class (match-all)
          Match: class-map match-all MyNetNet-access-list
            Match: access-group 100
          Match: class-map match-any Voice-protocols
            Match: protocol h323
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol skinny
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol sip
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Extended-protocols
            Match: protocol pop3
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pop3s
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imap
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imaps
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol smtp
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Base-protocols
            Match: protocol http
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol https
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ftp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ssh
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol dns
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ntp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ica
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pptp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol icmp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol tcp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol udp
              0 packets, 0 bytes
              30 second rate 0 bps
          Inspect
            Session creations since subsystem startup or last reset 0
            Current session counts (estab/half-open/terminating) [0:0:0]
            Maxever session counts (estab/half-open/terminating) [0:0:0]
            Last session created never
            Last statistic reset never
            Last session creation rate 0
            Maxever session creation rate 0
            Last half-open session total 0
        Class-map: class-default (match-any)
          Match: any
          Drop (default action)
            5196 packets, 256211 bytes
    Cisco871#sh log
    Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering disabled)
    No Active Message Discriminator.
    No Inactive Message Discriminator.
        Console logging: disabled
        Monitor logging: level debugging, 0 messages logged, xml disabled,
                         filtering disabled
        Buffer logging:  level debugging, 1745 messages logged, xml disabled,
                         filtering disabled
        Logging Exception size (4096 bytes)
        Count and timestamp logging messages: disabled
        Persistent logging: disabled
    No active filter modules.
    ESM: 0 messages dropped
        Trap logging: level informational, 1785 message lines logged
    Log Buffer (4096 bytes):
    001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to  policy match failure
    001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to  policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
    001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to  policy match failure
    001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to  policy match failure

    Hello Charlie,
    I would recomend you to investigate a little bit more about how the ZBFW features works
    Now I am going to help you on this one at least, then I will give you a few links you could use to study
    We are going to study traffic from MyNetNet-zone to the MyNetWan-zone
    First the zone-pair
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
    service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    so lets go policy-map
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    Finally to the class map
    class-map type inspect match-all MyNetNet-Class
    match class-map MyNetNet-access-list
    match class-map Voice-protocols
    match class-map Extended-protocols
    match class-map Base-protocols
    That keyword MATCH-ALL is the one causing the issues!!
    Why?
    Because you are telling the ZBFW to inspect traffic only if matches all of those class-maps so a packet will need to math the base protocols and the extended protocol and as you know that is not possible ( Just one protocol )
    So here are the links
    http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
    https://supportforums.cisco.com/thread/2138873
    http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
    You have some work to do
    Please remember to rate all the helpful posts
    Julio
    CCSP

  • Total drops for class-map class-default

    Hi,
    I have a gigabit ethernet interface on a 2951 configured with 4x sub interfaces providing connectivity to our four WAN sites. Each sub interface services a 100mb connection to another site.
    I have configured a QoS policy and attached to each sub interface with the primary function of limiting each sub interface to 100mbs. I am now seeing drops (total drops) on the class default and not sure why. I would not expect to see any drops on this interface as it never even reaches 15mb (15%) capacity.
    Any ideas?
            Class-map: class-default (match-any)
              175934881 packets, 95319007968 bytes
              5 minute offered rate 23000 bps, drop rate 0000 bps
              Match: any
              queue limit 64 packets
              (queue depth/total drops/no-buffer drops) 0/340/0
              (pkts output/bytes output) 314212026/180287074028
    policy-map PM-Branch-QoS
    class CM-OAM
      set dscp af11
    class CM-Network
      set dscp cs6
    class CM-VC
      bandwidth percent 5
    class CM-Citrix
      set dscp af21
    class CM-CAPWAP
      set dscp af22
    policy-map PM-WAN
    class class-default
      shape peak 100000000
       service-policy PM-Branch-QoS

    Disclaimer
    The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.
    Liability Disclaimer
    In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.
    Posting
    I would not expect to see any drops on this interface as it never even reaches 15mb (15%) capacity.
    Your expectations might be incorrect.  Often percentage of bandwidth capacity measurements are misunderstood.
    Let's assume your ingress is 100 Mbps.  Let's also assume your measuring over a five minute period.  Lastly, assume the ingress transmits at 100% for 1 minute and then stops for 4 minutes.  Bandwidth utilization across the 1 minute would be 100% and 0% for the other 4 minutes, but it would be 20% for the 5 minutes.
    But if the 100 Mbps was sent at 100% for each 12 seconds, and not sent for each 48 seconds, 5 minute utilization would still be 20% but unlike the prior 1 minute stats of 100% and 0%, each minute would now also be 20%.
    So these first two examples show how bandwidth utilization don't reveal what's happening within the measured time period.
    Since ingress was same bandwidth as egress, in the above, there would be no queuing.
    If ingress is gig, though, suppose gig ingress arrives for 6 seconds and stops for a remaining 4 minutes and 54 seconds.  This too would measure as 20% usage across 5 minutes, but since it will take 60 seconds to transmit the same traffic at 100 Mbps, packets will need to be queued.  If queuing buffers are insufficient to hold all the packets, some will be dropped.
    The above is a long way of saying, if your ingress rate exceeds your egress rate, there can be a need to queue packets, and if queuing is insufficient, packets will be dropped, this even if utilization is "low".  Most likely, you have occasional "bursts" if ingress bandwidth exceeds the egress bandwidth.
    From your actual stats, the drop rate percentage is so low, you might not need to concern yourself with the few drops you're seeing.  If it is a concern, you might be able to reduce the drop rate by increasing egress buffering, but doing so, also increases egress queuing delay.

  • QoS Class-Based Traffic Shaping (what is Be)

    Guys,
    two questions on the output below :
    1. What is the Be, is this an amount per interval that can go over Bc or is it the total amount of data that can be sent?
    ie, i interpret the command to read, Bc is the sustained rate per interval and Be is the sustained rate plus another amount, it I would use sommat like this
    shape average 128000 7936 8500
    this would show that I could send in total up to 8500 bits per interval
    or does it work like this ?
    shape average 128000 7936 564
    this would show that I could send in total up to 8500 bits per interval
    if it is the first one, you would not expect to be able to configure a Be of less than Bc?
    Also, how can you show what traffic is within the Bc and what is in the Be? ie, how much data is being sent out of contract?
    Many kind regards,
    Ken
    Metro2(config-pmap-c)#policy-map test1_cos
    Metro2(config-pmap)# class class-default
    Metro2(config-pmap-c)# shape average ?
    <8000-154400000> Target Bit Rate (bits per second), the value needs to be
    multiple of 8000
    percent % of interface bandwidth for Committed information rate
    Metro2(config-pmap-c)# shape average 128000 ?
    <256-154400000> bits per interval, sustained. Needs to be multiple of 128.
    Recommend not to configure it, the algorithm will find out
    the best value
    <cr>
    Metro2(config-pmap-c)# shape average 128000 7936 ?
    <0-154400000> bits per interval, excess. Needs to be multiple of 128. Bc
    will be used if you don't configure it.
    <cr>
    Metro2(config-pmap-c)# shape average 128000 7936 1000 ?
    <cr>
    Metro2(config-pmap-c)# shape average 128000 7936 1000
    Metro2(config-pmap-c)#^Z
    Metro2#
    Metro2#sh policy-map int fa 0/1 out
    FastEthernet0/1
    Service-policy output: test1_cos
    Class-map: class-default (match-any)
    5476 packets, 1934775 bytes
    30 second offered rate 0 bps, drop rate 0 bps
    Match: any
    Traffic Shaping
    Target/Average Byte Sustain Excess Interval Increment
    Rate Limit bits/int bits/int (ms) (bytes)
    128000/128000 1117 7936 1000 62 992
    Adapt Queue Packets Bytes Packets Bytes Shaping
    Active Depth Delayed Delayed Active
    - 0 5476 1934775 967 1448313 no
    Metro2#
    Metro2# conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Metro2(config)#policy-map test1_cos
    Metro2(config-pmap)# class class-default
    Metro2(config-pmap-c)# shape average 128000
    Metro2(config-pmap-c)#^Z
    Metro2#sh policy-map int fa 0/1 out
    FastEthernet0/1
    Service-policy output: test1_cos
    Class-map: class-default (match-any)
    5479 packets, 1934955 bytes
    30 second offered rate 0 bps, drop rate 0 bps
    Match: any
    Traffic Shaping
    Target/Average Byte Sustain Excess Interval Increment
    Rate Limit bits/int bits/int (ms) (bytes)
    128000/128000 1984 7936 7936 62 992
    Adapt Queue Packets Bytes Packets Bytes Shaping
    Active Depth Delayed Delayed Active
    - 0 5479 1934955 967 1448313 no
    Metro2#

    Guys,
    this is great stuff and I really apprciate it.
    The thing is this.
    One one URL it says the following :-
    For Class-based Shaping - How it Works
    When the Be size equals 0, the interface sends no more than the burst size every interval, achieving an average rate no higher than the mean rate. However, when the Be size is greater than 0, the interface can send as many as Bc + Be bits in a burst, if in a previous time period the maximum amount was not sent. Whenever less than the burst size is sent during an interval, the remaining number of bits, up to the Be size, can be used to send more than the burst size in a later interval.
    The other URL says :-
    DTS How It Works
    The Be size allows more than the Bc size to be sent during a time interval under certain conditions. Therefore, DTS provides two types of shape commands: average and peak. When shape average is configured, the interface sends no more than the Bc size for each interval, achieving an average rate no higher than the CIR. When the shape peak command is configured, the interface sends Bc plus Be bits in each interval.
    So which one is correct. I am really confused.
    As far as I am aware, I am running CB Shaping and not DTS, but when I go into the router configurations I get both options.
    average and peak ?
    Please see example :-
    Metro2(config)#policy-map test1_cos
    Metro2(config-pmap)#class class-default
    Metro2(config-pmap-c)#shap ?
    adaptive Enable Traffic Shaping adaptation to BECN
    average configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
    send out Bc only per interval
    fecn-adapt Enable Traffic Shaping reflection of FECN as BECN
    fr-voice-adapt Enable rate adjustment depending on voice presence
    max-buffers Set Maximum Buffer Limit
    peak configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
    send out Bc+Be per interval
    Many kind regards and thx for the help with this :)
    Ken

  • The class-default class map

    According to Cisco dumentation (http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mpc.html)
    , the ASA is equipped with two default class-maps
    class-map inspection_default
    match default-inspection-traffic
    and
    class-map class-default
    match any
    The first makes perfect sense, but what is the class-default used for? Cisco says
    "This class map appears at the end of all Layer 3/4 policy maps and essentially tells the adaptive security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own
    match any class map. In fact, some features are only available for class-default."
    But I see stuff like this:
    policy-map MyPolicy
    class class-default
      inspect tfp MyFTPpolicy
    Obviously it is being used here to act on traffic! So I am confused.
    I also noticed that when you upgrade from 8.2 to 8.4, all default class-maps are removed from the configuration: you have to re-create everything (strange)

    Hello Collin,
    This is Mike. I dont think it is well documented. Basically it is just a class map (that does not appear on the configuration unless an action is specified) that will match all traffic passing through the ASA firewall. Some features like NSEL (Netflow) and Traffic shaping are only allowed to use this kind of class maps because they dont support any other match command.
    The one that you currently have (and God I hope its not applied)  will look for tftp traffic on every IP packet passing across the ASA.
    This specific type of policy you have there can only be applied on the interface (as it is not a layer 7 inspection policy) you can check if it is applied or not by running the show "run service-policy command"
    Mike

  • Proper use of class-default

    I want to classifify my traffic into three different IP precedence levels. I want one class set to level 7, one to level 6 and all other to level 0. Can somebody please verify the config I came up with to do this? My biggest concern is that I am using the class-default correctly in order to mark packets that don't fall into the 7 or 6 level category.
    Thanks,
    Diego
    access-list 101 permit ip host 1.1.1.1 any
    access-list 102 permit ip host 2.2.2.2 any
    class-map match-all host1
    match access-group 101
    class-map match-all host2
    match access-group 102
    policy-map markpackets
    class host1
    set ip precedence 7
    class host2
    set ip precedence 6
    class class-default
    set ip precedence 0

    Your configuration seems to be fine but it does not do much beyond setting the IP precedence level. YOu could also refer to http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800c75cf.html#1005901.

  • Opening Build Specificat​ion - Error 7 occurred at Get LV Class Default Value.vi

    I recently ported my project to a new PC. Everything seems to run fine uncompiled, and I am able to build an executable without issue. However, my build specification shows up in the project explorer with question mark next to it. When I try to build again or edit the properties I get a popup with the information below:
    Error 7 occurred at Get LV Class Default Value.vi
    Possible reason(s):
    LabVIEW: File not found. The file might be in a different location or deleted. Use the command prompt or the file explorer to verify that the path is correct.
    =========================
    NI-488: Nonexistent GPIB interface.
    Complete call chain:
    Get LV Class Default Value.vi
    AB_UI_Initialize_Framework.vi
    AB_UI_FRAMEWORK.vi
    AB_Item_OnDoProperties.vi
    AB_Item_OnDoProperties.vi.ProxyCaller
    LabVIEW attempted to load the class at this path:
    <Empty Path>
    I've seen messages from people getting the same error when trying to run a compiled executable, but mine actually runs fine. I am just unable to open the build specification to rebuild or edit its properties.

    This application is for a Windows machine, and I am not using the Report Generation Toolkit. However, I shut down my computer last night and when I booted it up this morning my Build Specification now opens fine and I am able to edit it. My only thought as to why it occured in the first place is that I had added several files to user.lib and instr.lib and restarted LabVIEW, but it appears that it required my computer to be restarted as well.

  • Error 7 occurred at Get LV Class Default Value.vi only in my executable for Print Report - LV 2010 SP1

    I have a program written which uses the print report function. Everything works fine in the uncompiled code, my report prints just fine. I can compile my project all the way to a full installer. When I run the executable I get the error:
    Error 7 occurred at Get LV Class Default Value.vi
    With the following text:
    Possible reason(s):
    LabVIEW:  File not found. The file might have been moved or deleted, or the file path might be incorrectly formatted for the operating system. For example, use \ as path separators on Windows, : on Mac OS X, and / on Linux. Verify that the path is correct using the command prompt or file explorer.
    =========================
    NI-488:  Non-existent board.
    Complete call chain:
         Get LV Class Default Value.vi
         NI_report.lvclass:New Report.vi
         print report.vi
         EMS V3.0 streamline.vi
    LabVIEW attempted to load the class at this path:
    H:\InMotion\EMS\builds\EMS_01\Emissions Analyzer\EMS.exe\1abvi3w\vi.lib\Utility\NIReport.llb\Standard Report\NI_Standard Report.lvclass
    "EMS V3.0 streamline.vi" is my main vi, "print report.vi" is the subvi that creates and prints the report based on all the information sent to it. I get no warning when I compile this to an executable. I already tried repairing both LV SP1 and the report generator toolkit. No change after I compile to an exe.
    Any help would be appreciated. Thanks.
    Garrett Herning

    Ok, I tried that... and now I get an error when I try to compile to an executable... This is right at the end of the build and will not let me build an executable.
    Error:
    An error has occurred. Expand the Details section for more information.
    Details:
    Visit the Request Support page at ni.com/ask to learn more about resolving this problem. Use the following information as a reference:
    Error 7 occurred at Invoke Node in AB_Build.lvclass:Copy_Files.vi->AB_Application.lvclass:Copy_Files.vi->AB_EXE.lvclass:Copy_Files.vi->AB_Build.lvclass:Build.vi->AB_Application.lvclass:Build.vi->AB_EXE.lvclass:Build.vi->AB_Engine_Build.vi->AB_Build_Invoke.vi->AB_Build_Invoke.vi.ProxyCaller
    Possible reason(s):
    LabVIEW:  File not found. The file might have been moved or deleted, or the file path might be incorrectly formatted for the operating system. For example, use \ as path separators on Windows, : on Mac OS X, and / on Linux. Verify that the path is correct using the command prompt or file explorer.
    =========================
    NI-488:  Non-existent board.
    Method Name: Linker:Write Info To File

  • ACE SSL Sticky class-map generic vs class default differences.

    There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" where Giles Dufour outlined a configuration for an ACE performing sticky based on SSL Session ID.
    Can anyone explain the benefits and differences of using a specific class-map generic such as this:
    class-map type generic match-any SSL-v3-32
      2 match layer4-payload regex "\x16\x03\x00..\x01.*"
      3 match layer4-payload regex "\x16\x03\x01..\x01.*"
    Versus just matching class default?
    So if I have a configuration such as this:
    policy-map type loadbalance generic first-match SSL-v3-Sticky
    class SSL-v3-32
       sticky-serverfarm ssl-v3
    vs
    policy-map type loadbalance generic first-match SSL-v3-Sticky
    class class-default
       sticky-serverfarm ssl-v3
    What's the benefit or drawback?

    The SSL session id is only available in version 3.0.1 and 3.1.1
    So you can match this particular version and then attempt to do stickyness.
    You are guaranteed to find what you're looking for.
    If you match a class-default it means you apply stickyness to any version of ssl packet.
    So there is a risk to misinterpret the content of the packet and stick on something else than the session id.
    Gilles.

  • Programmatic save of LVOOP class default value

    Hi!
    I've been stuck on this littel issue for some time now, maybe I can't see the wood for trees, maybe my intention is utopic
    Here is what I want to do: retrieve class default value from an existing *.lvclass (no prob so far), modify it in some sort of configuration programme and then save back the default value to this (or another) *.lvclass file.
    The only intended editing is about changing the default value, not more, not less.
    I have tried some VI server magic but failed (LabVIEW crashed)
    Any suggestions?
    Cheers
    Oli
    Programming languages don't create bad code, programmers create bad code....
    Solved!
    Go to Solution.

    Well, I do understand this issues for controls, but I'm sill struggling to transfer this to the LVOOP issue.
    Here's what I used to understand about loading class default values:
    I'm able to load a class default value dynamically from disk as long as inheritance is set right (--> PlugIn Architecture).
    So lets say I have a parent class A which has two children B1 and B2. So using the Get LV class default value.vi I'm able to load classes dynamically and cast it to class A (To More Generic Class). This way I can also load Class_B1.lvclass and Class_B2.lvclass and use dynamic dispatch.
    Now, if B1 and B2 have basically the same class private data (let's say a Boolean) that only differs in default value (true/false) I have a similar case for loading as what I'd like to do for saving.
    Having said that: maybe my intention should be be better described as modifying an existing class default value and save it as a new class.
    I guess there is a reason why NI did not implement the saving part... just need to understand why
    Oli
    Programming languages don't create bad code, programmers create bad code....

  • Why can't I use Get LV Class Default Value in a dynamic VI?

    I am attempting to override a VI that uses "Get LV Class Default Value" and getting an error that I don't understand.  My parent class, "ANT Message Class", has two children - "ANT Command Class" and "ANT Response Class".  The children share a lot of data and functionality, including the factory pattern that the parent class' "Load Message Class" VI implements (see image).  I would like to override this VI with a Command version and a Response version, which would simply call the Message version with their respective classes overriding the dynamic input and output terminals.  However, I am getting the error "Front Panel Terminal 'ANT Message Class Out': Run-time type not propagated from dynamic input to dynamic output."
    Not sure how to get around this one.  Any ideas?
    Thanks,
    -Jamie 
    Solved!
    Go to Solution.
    Attachments:
    Get LV Class Default Value in dynamic VI.png ‏179 KB

    The To More Specific node is dealing with compile-type inference. In this case, you are loading a default instance from disk and then attempting to cast to the base Message class. However the type you are casting to is going to a dynamic output - this gives the compiler no assurances that the input class at run-time on the dynamic input will be the same as the output type; only that it will be a type at the top of the hierarchy. Dyanmic dispatch inputs/outputs must be the same type to guarantee some form of type safety.
    You need the Preserve node there so that you can guarantee the class at both dynamic dispatch terminals will be the same type.
    However this is probably not the best mechanism for a factory method. Factory methods should ideally be static; their job is to provide an instance of the right type (e.g loaded by path as per your example) and you don't need an instance of a class to do that. The only reason I can think of to over-ride said functionailty in a dynamic dispatch method is to provide some form of custom construction for the creation of the type. If all you are creating is an instance with nothing but the default private data then there is no reason to over-ride in the child classes.
    EDIT: Another post collision. nathand is on the money with this one.

  • All CX traffic dropped on data plane with error message 'Unable to create policy params (policy-params-failed)

    Problems with CX dropping all traffic - error message: Unable to create policy params (policy-params-failed) seen when issuing cli cmd show opdata framedrop on CX.
    Data hits ASA Service Policy and is redirected to CX, but no traffic is passed (user experience is timeout in browser).
    Problem started after SW upgrade - present running versions:
    ASA version: 9.1.5(21)
    CX version: 9.3.3.1 (13)
    Have tried to disable all policies and create a 'permit any any' policy, which at present is the only activve policy - still same problem.
    Any suggestions?

    If i am using 11G andrtp is 11g but on rtp side if they configure SSL, is it mandatory to do it from our side also?No it not mandatory to enable SSL at your end however you have to configure identity and trsut at your end.
    Any update on my regular question(The main forum question)?You mentioned that you are posting message from 10g to 11g and as per log you are sending it to URL - https://dev-nog.server:443/b2b/transportServlet
    So few things which I see as a problem are-
    1. You should use URL https://hostname:soa_server_ssl_port/b2b/httpReceiver instead of https://dev-nog.server:443/b2b/transportServlet
    2. SOA server SSL port should be enabled (SSL should be enabled on SOA server)
    3. You should configure wallet at 10g side to contain trust cert of 11g server
    Regards,
    Anuj

  • "By default, join" drop-down doesn't have "Preferred Networks" option

    I use my laptop on two different networks. I would like it to automatically join whichever one is available. The Mac Help has instructions titled "Choosing preferred AirPort networks" with three steps. Step 1 works fine; I can open network preferences and get to the drop-down labelled "By default, join". It says I should then select the option "Preferred networks" from the drop-down. The problem I have is, there is no such option. The drop-down has only one option, labelled "A specific network".
    It works identically on a regular user account and an adminstrator account. I have authenticated.
    Tiger 10.4.8, fully updated.

    Can't find the TIL again... might have it bookmarked at work though, but that's the problem... Sorry can't remember the fix right now at all.

  • Super class default constructor

    Hello,
    I want to clear some confusion. I am studying for the exam. In this particular book an example shows that
    Super class has 2 constructor
    public abc() and public abc(int n)
    Sub class has 2 constructor
    public xyz() and public xyz(int n)
    now when an instance is created for the subclass
    xyz t = new xyz(1)
    It will invoke the super class no argument constructor eventhough a default constructor exist in subclass?
    Regards,
    adil

    Here are the rules for constructors--"ctors" because I'm lazy. Also, because I'm lazy, "super(...)" and "this(...)" mean any super or this call, regardless of how many args it takes, including those that take no args.
    1) Every class has at least one ctor.
    1.1) If you do not define an explicit constructor for your class, the compiler provides a implicit constructor that takes no args and simply calls super().
    1.2) If you do define one or more explicit constructors, regardless of whether they take args, then the compiler no longer provides the implicit no-arg ctor. In this case, you must explicitly define a public MyClass() {...} if you want one.
    1.3) Constructors are not inherited.
    2) The first statement in the body of any ctor is either a call to a superclass ctor super(...) or a call to another ctor of this class this(...) 2.1) If you do not explicitly put a call to super(...) or this(...) as the first statement in a ctor that you define, then the compiler implicitly inserts a call to super's no-arg ctor super() as the first call. The implicitly called ctor is always super's no-arg ctor, regardless of whether the currently running ctor takes args.
    2.2) There is always exactly one call to either super(...) or this(...) in each constructor, and it is always the first call. You can't put in more than one, and if you put one in, the compiler's implicitly provided one is removed.

Maybe you are looking for

  • Can anyone help with Photoshop CC download error (49)?

    I'm not sure what to do with trying to get the update installed so that I can start the trial version.  I have turned off McAfee already.  Any suggestions?

  • HT5070 Being Liverpool Season 1 incomplete in one folder

    Hi, I purchased Season 1 of Being: Liverpool but apparently bought the wrong folder as the one that I bought has not been updated yet whereas the other folder on offer has all six episodes. How do I gain access to the missing two episodes that I paid

  • Questions for Audit management

    Can any body work in auditmanagement any body know kindly guide me  how to upload auditquestions

  • Huge Files Processed in XI

    Hi Experts, Scenario: File ---> XI - >JMS I have a requirement where XI will processed above 5MB files uing content conversion. Is there any performance issue in XI to proceesed huge files. Does XI support above 5MB files? If XI processed huge file t

  • Keychain Setting for .MAC Sync.

    Working with a particular machine where it will not allow me to check the box to allow .MAC syncing (it's greyed out) for login keychain. Tried resetting the keychain and first aid to no avail. Can't figure out why it's greyed out. There is another u