Class-default traffic drop in congension
Hi Guys,
Please consider the following example and share your thoughts:
In a MQC deployement, consider that there are following two classes defined:
Class1: EF marking with priority 20%
Class2: AF41 marking with bandwidth 40%
All remaining traffic except above said two classes will go to default class known as class-default.
In case of congestion, which traffic will drop in class-default.
As per my understanding class-default will match all traffic except EF, AF41, CS6 & CS7 (EF is defined in Class1, AF41 is defined in Class2, CS6 & CS7 will be considered as control traffic for 25% reserve bandwidth) and during congestion on all classes (including class-default) class-default will not carry the traffic marked with EF, AF41, CS6 & CS7 instead it will carry the low priority traffic (traffic from class selectors CS0, CS1, CS2, CS3 and CS4 (AF42 + AF43).
Please comment & correct if I am wrong. Do let me know if any other clarity is required on this scenerio.
Thanks.
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Actually LLQ can exceed its bandwidth allocation, if there's no interface congestion.
Class-default does not directly "consider" other class congestion. Nor do other classes directly "consider" class-default congestion.
Excluding LLQ, what happens when there's congestion, each class is dequeued proportionally to its class (actually queue) weight relative to other classes except for class-default, pre-HQF, with FQ enabled. The latter, has flow queues which get dequeued, also proportionally, relative to all the other queues.
Each queue, again excluding LLQ, will drop when the number of packets trying to be enqueued exceed the queue depth (in packets) allocated for that queue.
Specifically for your question, class-2, your AF41 marked traffic, will drop if it exceeds it allocated queue size. By default, this would be tail drop. If WRED is enabled, WRED will look at the "average" queue depth when tries to enqueue a new packet and determines, based on its settings, whether to drop that packet.
Does class-default, or other classes, have any affect? Yes, as whatever share of interface bandwidth being otherwise used will not be available to class-2, and when it's not, class-2 may enqueue when it otherwise would not.
Similar Messages
-
N7000 : details of packets dropped by COPP policy (class-default) ?
Hi,
On one of our N7K, we have some packets dropped by the COPP policy in the class-default class-map. :
Partial results of "show policy-map interface control-plane" not so long after clearing the counters :
class-map class-default (match-any)
set cos 0
police cir 100 kbps , bc 250 ms
module 1 :
conformed 12210790 bytes; action: transmit
violated 201870 bytes; action: drop
module 2 :
conformed 8399646 bytes; action: transmit
violated 0 bytes; action: drop
module 3 :
conformed 34518233 bytes; action: transmit
violated 6186895 bytes; action: drop
What would be the best way to figure out what traffic is dropped by the policy ? Is there any logging possible ?
Thanks,
LaurentThere is still no logging possible.
What can be done is piping the class-default-traffic to some port and then analyze it with wireshark or some similar tool. But as far as I know, this still cannot be done by default - at least with NX-OS 4.2(4) we had to reprogram the module with assistance from TAC. I suggest you contact your support partner in this matter. -
Default class map is dropping all Packets
Hello I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part. Any help is greatly appreciated!!!!
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
Guest VLAN has access to 2 IP's in Data for printing.
Cisco871#sh run
Building configuration...
Current configuration : 8005 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
hostname Cisco871
boot-start-marker
boot-end-marker
logging buffered 4096
no logging console
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock summer-time PST recurring
crypto pki trustpoint TP-self-signed-4004039535
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4004039535
revocation-check none
rsakeypair TP-self-signed-4004039535
crypto pki certificate chain TP-self-signed-4004039535
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
3543BD68 A4B2692D 05CBF6DC C93C8142
quit
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.5
ip dhcp excluded-address 172.16.15.1 172.16.15.5
ip dhcp excluded-address 172.16.15.14
ip dhcp excluded-address 172.16.17.1 172.16.17.5
ip dhcp excluded-address 192.168.19.1 192.168.19.5
ip dhcp pool MyNetNative
import all
network 10.0.0.0 255.255.255.248
default-router 10.0.0.1
domain-name MyNetNet.org
dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
lease 0 2
ip dhcp pool MyNetData
import all
network 172.16.15.0 255.255.255.240
dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
default-router 172.16.15.1
domain-name MyDomain.org
ip dhcp pool MyNetVoice
import all
network 172.16.17.0 255.255.255.240
dns-server 172.16.15.14
default-router 172.16.17.1
domain-name MyDomain.org
ip dhcp pool MyNetGuest
import all
network 192.168.19.0 255.255.255.240
default-router 192.168.19.1
domain-name MyNetGuest.org
dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
ip domain name MyDomain.org
ip name-server 172.16.15.14
ip name-server 4.2.2.4
ip inspect log drop-pkt
multilink bundle-name authenticated
parameter-map type inspect TCP_PARAM
parameter-map type inspect global
username MyAdmin privilege 15 secret 5 MyPassword
archive
log config
hidekeys
class-map type inspect match-all MyNetGuest-access-list
match access-group 110
class-map type inspect match-any Base-protocols
match protocol http
match protocol https
match protocol ftp
match protocol ssh
match protocol dns
match protocol ntp
match protocol ica
match protocol pptp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all MyNetGuest-Class
match class-map MyNetGuest-access-list
match class-map Base-protocols
class-map type inspect match-all MyNetNet-access-list
match access-group 100
class-map type inspect match-any Voice-protocols
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any Extended-protocols
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imaps
match protocol smtp
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
class type inspect MyNetGuest-access-list
inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
class type inspect MyNetGuest-Class
inspect
class class-default
policy-map type inspect MyNetNet-zone
class class-default
pass
zone security MyNetNet-zone
zone security MyNetGuest-zone
zone security MyNetWAN-zone
zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
interface FastEthernet0
description Cisco-2849-Switch
switchport mode trunk
speed 100
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
description SBS-Server
switchport access vlan 10
spanning-tree portfast
interface FastEthernet4
description WAN
no ip address
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security MyNetWAN-zone
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
interface Vlan1
description MyNetNative
ip address 10.0.0.1 255.255.255.248
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
ip tcp adjust-mss 1452
interface Vlan10
description MyNetData
ip address 172.16.15.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan20
description MyNetVoice
ip address 172.16.17.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan69
description MyNetGuest
ip address 192.168.19.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetGuest-zone
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
access-list 100 remark MyNetnet
access-list 100 permit ip 10.0.0.0 0.0.0.7 any
access-list 100 permit ip 172.16.15.0 0.0.0.31 any
access-list 100 permit ip 172.16.17.0 0.0.0.15 any
access-list 110 remark MyNetGuest
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
access-list 110 deny ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
access-list 110 deny ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
access-list 110 deny ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
access-list 110 permit ip 192.168.19.0 0.0.0.15 any
control-plane
banner login ^CC
You know if you should be here or not.
if not please leave
NOW
^C
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
scheduler max-task-time 5000
ntp server 172.16.15.14
webvpn cef
end
Cisco871#sh zone security
zone self
Description: System defined zone
zone MyNetNet-zone
Member Interfaces:
Vlan1
Vlan10
Vlan20
zone MyNetGuest-zone
Member Interfaces:
Vlan69
zone MyNetWAN-zone
Member Interfaces:
FastEthernet4
Cisco871#sh zone-pair security
Zone-pair name MyNetNet->MyNetGuest
Source-Zone MyNetNet-zone Destination-Zone MyNetGuest-zone
service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
Zone-pair name MyNetNet->MyNetWAN
Source-Zone MyNetNet-zone Destination-Zone MyNetWAN-zone
service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetWAN
Source-Zone MyNetGuest-zone Destination-Zone MyNetWAN-zone
service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetNet
Source-Zone MyNetGuest-zone Destination-Zone MyNetNet-zone
service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
Cisco871#sh int faste4
FastEthernet4 is up, line protocol is up
Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
Description: WAN
Internet address is 10.38.177.98/25
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:34:50, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 2000 bits/sec, 3 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
593096 packets input, 73090812 bytes
Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
9940 packets output, 1016025 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Zone-pair: MyNetNet->MyNetWAN
Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
Class-map: MyNetNet-Class (match-all)
Match: class-map match-all MyNetNet-access-list
Match: access-group 100
Match: class-map match-any Voice-protocols
Match: protocol h323
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol skinny
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol sip
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any Extended-protocols
Match: protocol pop3
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pop3s
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imap
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imaps
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any Base-protocols
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ntp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ica
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pptp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
5196 packets, 256211 bytes
Cisco871#sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 1745 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 1785 message lines logged
Log Buffer (4096 bytes):
001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to policy match failure
001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to policy match failure
001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to policy match failureHello Charlie,
I would recomend you to investigate a little bit more about how the ZBFW features works
Now I am going to help you on this one at least, then I will give you a few links you could use to study
We are going to study traffic from MyNetNet-zone to the MyNetWan-zone
First the zone-pair
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
so lets go policy-map
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
Finally to the class map
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
That keyword MATCH-ALL is the one causing the issues!!
Why?
Because you are telling the ZBFW to inspect traffic only if matches all of those class-maps so a packet will need to math the base protocols and the extended protocol and as you know that is not possible ( Just one protocol )
So here are the links
http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
https://supportforums.cisco.com/thread/2138873
http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
You have some work to do
Please remember to rate all the helpful posts
Julio
CCSP -
Total drops for class-map class-default
Hi,
I have a gigabit ethernet interface on a 2951 configured with 4x sub interfaces providing connectivity to our four WAN sites. Each sub interface services a 100mb connection to another site.
I have configured a QoS policy and attached to each sub interface with the primary function of limiting each sub interface to 100mbs. I am now seeing drops (total drops) on the class default and not sure why. I would not expect to see any drops on this interface as it never even reaches 15mb (15%) capacity.
Any ideas?
Class-map: class-default (match-any)
175934881 packets, 95319007968 bytes
5 minute offered rate 23000 bps, drop rate 0000 bps
Match: any
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/340/0
(pkts output/bytes output) 314212026/180287074028
policy-map PM-Branch-QoS
class CM-OAM
set dscp af11
class CM-Network
set dscp cs6
class CM-VC
bandwidth percent 5
class CM-Citrix
set dscp af21
class CM-CAPWAP
set dscp af22
policy-map PM-WAN
class class-default
shape peak 100000000
service-policy PM-Branch-QoSDisclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I would not expect to see any drops on this interface as it never even reaches 15mb (15%) capacity.
Your expectations might be incorrect. Often percentage of bandwidth capacity measurements are misunderstood.
Let's assume your ingress is 100 Mbps. Let's also assume your measuring over a five minute period. Lastly, assume the ingress transmits at 100% for 1 minute and then stops for 4 minutes. Bandwidth utilization across the 1 minute would be 100% and 0% for the other 4 minutes, but it would be 20% for the 5 minutes.
But if the 100 Mbps was sent at 100% for each 12 seconds, and not sent for each 48 seconds, 5 minute utilization would still be 20% but unlike the prior 1 minute stats of 100% and 0%, each minute would now also be 20%.
So these first two examples show how bandwidth utilization don't reveal what's happening within the measured time period.
Since ingress was same bandwidth as egress, in the above, there would be no queuing.
If ingress is gig, though, suppose gig ingress arrives for 6 seconds and stops for a remaining 4 minutes and 54 seconds. This too would measure as 20% usage across 5 minutes, but since it will take 60 seconds to transmit the same traffic at 100 Mbps, packets will need to be queued. If queuing buffers are insufficient to hold all the packets, some will be dropped.
The above is a long way of saying, if your ingress rate exceeds your egress rate, there can be a need to queue packets, and if queuing is insufficient, packets will be dropped, this even if utilization is "low". Most likely, you have occasional "bursts" if ingress bandwidth exceeds the egress bandwidth.
From your actual stats, the drop rate percentage is so low, you might not need to concern yourself with the few drops you're seeing. If it is a concern, you might be able to reduce the drop rate by increasing egress buffering, but doing so, also increases egress queuing delay. -
QoS Class-Based Traffic Shaping (what is Be)
Guys,
two questions on the output below :
1. What is the Be, is this an amount per interval that can go over Bc or is it the total amount of data that can be sent?
ie, i interpret the command to read, Bc is the sustained rate per interval and Be is the sustained rate plus another amount, it I would use sommat like this
shape average 128000 7936 8500
this would show that I could send in total up to 8500 bits per interval
or does it work like this ?
shape average 128000 7936 564
this would show that I could send in total up to 8500 bits per interval
if it is the first one, you would not expect to be able to configure a Be of less than Bc?
Also, how can you show what traffic is within the Bc and what is in the Be? ie, how much data is being sent out of contract?
Many kind regards,
Ken
Metro2(config-pmap-c)#policy-map test1_cos
Metro2(config-pmap)# class class-default
Metro2(config-pmap-c)# shape average ?
<8000-154400000> Target Bit Rate (bits per second), the value needs to be
multiple of 8000
percent % of interface bandwidth for Committed information rate
Metro2(config-pmap-c)# shape average 128000 ?
<256-154400000> bits per interval, sustained. Needs to be multiple of 128.
Recommend not to configure it, the algorithm will find out
the best value
<cr>
Metro2(config-pmap-c)# shape average 128000 7936 ?
<0-154400000> bits per interval, excess. Needs to be multiple of 128. Bc
will be used if you don't configure it.
<cr>
Metro2(config-pmap-c)# shape average 128000 7936 1000 ?
<cr>
Metro2(config-pmap-c)# shape average 128000 7936 1000
Metro2(config-pmap-c)#^Z
Metro2#
Metro2#sh policy-map int fa 0/1 out
FastEthernet0/1
Service-policy output: test1_cos
Class-map: class-default (match-any)
5476 packets, 1934775 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
128000/128000 1117 7936 1000 62 992
Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 0 5476 1934775 967 1448313 no
Metro2#
Metro2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Metro2(config)#policy-map test1_cos
Metro2(config-pmap)# class class-default
Metro2(config-pmap-c)# shape average 128000
Metro2(config-pmap-c)#^Z
Metro2#sh policy-map int fa 0/1 out
FastEthernet0/1
Service-policy output: test1_cos
Class-map: class-default (match-any)
5479 packets, 1934955 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
128000/128000 1984 7936 7936 62 992
Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 0 5479 1934955 967 1448313 no
Metro2#Guys,
this is great stuff and I really apprciate it.
The thing is this.
One one URL it says the following :-
For Class-based Shaping - How it Works
When the Be size equals 0, the interface sends no more than the burst size every interval, achieving an average rate no higher than the mean rate. However, when the Be size is greater than 0, the interface can send as many as Bc + Be bits in a burst, if in a previous time period the maximum amount was not sent. Whenever less than the burst size is sent during an interval, the remaining number of bits, up to the Be size, can be used to send more than the burst size in a later interval.
The other URL says :-
DTS How It Works
The Be size allows more than the Bc size to be sent during a time interval under certain conditions. Therefore, DTS provides two types of shape commands: average and peak. When shape average is configured, the interface sends no more than the Bc size for each interval, achieving an average rate no higher than the CIR. When the shape peak command is configured, the interface sends Bc plus Be bits in each interval.
So which one is correct. I am really confused.
As far as I am aware, I am running CB Shaping and not DTS, but when I go into the router configurations I get both options.
average and peak ?
Please see example :-
Metro2(config)#policy-map test1_cos
Metro2(config-pmap)#class class-default
Metro2(config-pmap-c)#shap ?
adaptive Enable Traffic Shaping adaptation to BECN
average configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
send out Bc only per interval
fecn-adapt Enable Traffic Shaping reflection of FECN as BECN
fr-voice-adapt Enable rate adjustment depending on voice presence
max-buffers Set Maximum Buffer Limit
peak configure token bucket: CIR (bps) [Bc (bits) [Be (bits)]],
send out Bc+Be per interval
Many kind regards and thx for the help with this :)
Ken -
According to Cisco dumentation (http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mpc.html)
, the ASA is equipped with two default class-maps
class-map inspection_default
match default-inspection-traffic
and
class-map class-default
match any
The first makes perfect sense, but what is the class-default used for? Cisco says
"This class map appears at the end of all Layer 3/4 policy maps and essentially tells the adaptive security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own
match any class map. In fact, some features are only available for class-default."
But I see stuff like this:
policy-map MyPolicy
class class-default
inspect tfp MyFTPpolicy
Obviously it is being used here to act on traffic! So I am confused.
I also noticed that when you upgrade from 8.2 to 8.4, all default class-maps are removed from the configuration: you have to re-create everything (strange)Hello Collin,
This is Mike. I dont think it is well documented. Basically it is just a class map (that does not appear on the configuration unless an action is specified) that will match all traffic passing through the ASA firewall. Some features like NSEL (Netflow) and Traffic shaping are only allowed to use this kind of class maps because they dont support any other match command.
The one that you currently have (and God I hope its not applied) will look for tftp traffic on every IP packet passing across the ASA.
This specific type of policy you have there can only be applied on the interface (as it is not a layer 7 inspection policy) you can check if it is applied or not by running the show "run service-policy command"
Mike -
I want to classifify my traffic into three different IP precedence levels. I want one class set to level 7, one to level 6 and all other to level 0. Can somebody please verify the config I came up with to do this? My biggest concern is that I am using the class-default correctly in order to mark packets that don't fall into the 7 or 6 level category.
Thanks,
Diego
access-list 101 permit ip host 1.1.1.1 any
access-list 102 permit ip host 2.2.2.2 any
class-map match-all host1
match access-group 101
class-map match-all host2
match access-group 102
policy-map markpackets
class host1
set ip precedence 7
class host2
set ip precedence 6
class class-default
set ip precedence 0Your configuration seems to be fine but it does not do much beyond setting the IP precedence level. YOu could also refer to http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800c75cf.html#1005901.
-
I recently ported my project to a new PC. Everything seems to run fine uncompiled, and I am able to build an executable without issue. However, my build specification shows up in the project explorer with question mark next to it. When I try to build again or edit the properties I get a popup with the information below:
Error 7 occurred at Get LV Class Default Value.vi
Possible reason(s):
LabVIEW: File not found. The file might be in a different location or deleted. Use the command prompt or the file explorer to verify that the path is correct.
=========================
NI-488: Nonexistent GPIB interface.
Complete call chain:
Get LV Class Default Value.vi
AB_UI_Initialize_Framework.vi
AB_UI_FRAMEWORK.vi
AB_Item_OnDoProperties.vi
AB_Item_OnDoProperties.vi.ProxyCaller
LabVIEW attempted to load the class at this path:
<Empty Path>
I've seen messages from people getting the same error when trying to run a compiled executable, but mine actually runs fine. I am just unable to open the build specification to rebuild or edit its properties.This application is for a Windows machine, and I am not using the Report Generation Toolkit. However, I shut down my computer last night and when I booted it up this morning my Build Specification now opens fine and I am able to edit it. My only thought as to why it occured in the first place is that I had added several files to user.lib and instr.lib and restarted LabVIEW, but it appears that it required my computer to be restarted as well.
-
I have a program written which uses the print report function. Everything works fine in the uncompiled code, my report prints just fine. I can compile my project all the way to a full installer. When I run the executable I get the error:
Error 7 occurred at Get LV Class Default Value.vi
With the following text:
Possible reason(s):
LabVIEW: File not found. The file might have been moved or deleted, or the file path might be incorrectly formatted for the operating system. For example, use \ as path separators on Windows, : on Mac OS X, and / on Linux. Verify that the path is correct using the command prompt or file explorer.
=========================
NI-488: Non-existent board.
Complete call chain:
Get LV Class Default Value.vi
NI_report.lvclass:New Report.vi
print report.vi
EMS V3.0 streamline.vi
LabVIEW attempted to load the class at this path:
H:\InMotion\EMS\builds\EMS_01\Emissions Analyzer\EMS.exe\1abvi3w\vi.lib\Utility\NIReport.llb\Standard Report\NI_Standard Report.lvclass
"EMS V3.0 streamline.vi" is my main vi, "print report.vi" is the subvi that creates and prints the report based on all the information sent to it. I get no warning when I compile this to an executable. I already tried repairing both LV SP1 and the report generator toolkit. No change after I compile to an exe.
Any help would be appreciated. Thanks.
Garrett HerningOk, I tried that... and now I get an error when I try to compile to an executable... This is right at the end of the build and will not let me build an executable.
Error:
An error has occurred. Expand the Details section for more information.
Details:
Visit the Request Support page at ni.com/ask to learn more about resolving this problem. Use the following information as a reference:
Error 7 occurred at Invoke Node in AB_Build.lvclass:Copy_Files.vi->AB_Application.lvclass:Copy_Files.vi->AB_EXE.lvclass:Copy_Files.vi->AB_Build.lvclass:Build.vi->AB_Application.lvclass:Build.vi->AB_EXE.lvclass:Build.vi->AB_Engine_Build.vi->AB_Build_Invoke.vi->AB_Build_Invoke.vi.ProxyCaller
Possible reason(s):
LabVIEW: File not found. The file might have been moved or deleted, or the file path might be incorrectly formatted for the operating system. For example, use \ as path separators on Windows, : on Mac OS X, and / on Linux. Verify that the path is correct using the command prompt or file explorer.
=========================
NI-488: Non-existent board.
Method Name: Linker:Write Info To File -
ACE SSL Sticky class-map generic vs class default differences.
There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" where Giles Dufour outlined a configuration for an ACE performing sticky based on SSL Session ID.
Can anyone explain the benefits and differences of using a specific class-map generic such as this:
class-map type generic match-any SSL-v3-32
2 match layer4-payload regex "\x16\x03\x00..\x01.*"
3 match layer4-payload regex "\x16\x03\x01..\x01.*"
Versus just matching class default?
So if I have a configuration such as this:
policy-map type loadbalance generic first-match SSL-v3-Sticky
class SSL-v3-32
sticky-serverfarm ssl-v3
vs
policy-map type loadbalance generic first-match SSL-v3-Sticky
class class-default
sticky-serverfarm ssl-v3
What's the benefit or drawback?The SSL session id is only available in version 3.0.1 and 3.1.1
So you can match this particular version and then attempt to do stickyness.
You are guaranteed to find what you're looking for.
If you match a class-default it means you apply stickyness to any version of ssl packet.
So there is a risk to misinterpret the content of the packet and stick on something else than the session id.
Gilles. -
Programmatic save of LVOOP class default value
Hi!
I've been stuck on this littel issue for some time now, maybe I can't see the wood for trees, maybe my intention is utopic
Here is what I want to do: retrieve class default value from an existing *.lvclass (no prob so far), modify it in some sort of configuration programme and then save back the default value to this (or another) *.lvclass file.
The only intended editing is about changing the default value, not more, not less.
I have tried some VI server magic but failed (LabVIEW crashed)
Any suggestions?
Cheers
Oli
Programming languages don't create bad code, programmers create bad code....
Solved!
Go to Solution.Well, I do understand this issues for controls, but I'm sill struggling to transfer this to the LVOOP issue.
Here's what I used to understand about loading class default values:
I'm able to load a class default value dynamically from disk as long as inheritance is set right (--> PlugIn Architecture).
So lets say I have a parent class A which has two children B1 and B2. So using the Get LV class default value.vi I'm able to load classes dynamically and cast it to class A (To More Generic Class). This way I can also load Class_B1.lvclass and Class_B2.lvclass and use dynamic dispatch.
Now, if B1 and B2 have basically the same class private data (let's say a Boolean) that only differs in default value (true/false) I have a similar case for loading as what I'd like to do for saving.
Having said that: maybe my intention should be be better described as modifying an existing class default value and save it as a new class.
I guess there is a reason why NI did not implement the saving part... just need to understand why
Oli
Programming languages don't create bad code, programmers create bad code.... -
Why can't I use Get LV Class Default Value in a dynamic VI?
I am attempting to override a VI that uses "Get LV Class Default Value" and getting an error that I don't understand. My parent class, "ANT Message Class", has two children - "ANT Command Class" and "ANT Response Class". The children share a lot of data and functionality, including the factory pattern that the parent class' "Load Message Class" VI implements (see image). I would like to override this VI with a Command version and a Response version, which would simply call the Message version with their respective classes overriding the dynamic input and output terminals. However, I am getting the error "Front Panel Terminal 'ANT Message Class Out': Run-time type not propagated from dynamic input to dynamic output."
Not sure how to get around this one. Any ideas?
Thanks,
-Jamie
Solved!
Go to Solution.
Attachments:
Get LV Class Default Value in dynamic VI.png 179 KBThe To More Specific node is dealing with compile-type inference. In this case, you are loading a default instance from disk and then attempting to cast to the base Message class. However the type you are casting to is going to a dynamic output - this gives the compiler no assurances that the input class at run-time on the dynamic input will be the same as the output type; only that it will be a type at the top of the hierarchy. Dyanmic dispatch inputs/outputs must be the same type to guarantee some form of type safety.
You need the Preserve node there so that you can guarantee the class at both dynamic dispatch terminals will be the same type.
However this is probably not the best mechanism for a factory method. Factory methods should ideally be static; their job is to provide an instance of the right type (e.g loaded by path as per your example) and you don't need an instance of a class to do that. The only reason I can think of to over-ride said functionailty in a dynamic dispatch method is to provide some form of custom construction for the creation of the type. If all you are creating is an instance with nothing but the default private data then there is no reason to over-ride in the child classes.
EDIT: Another post collision. nathand is on the money with this one. -
Problems with CX dropping all traffic - error message: Unable to create policy params (policy-params-failed) seen when issuing cli cmd show opdata framedrop on CX.
Data hits ASA Service Policy and is redirected to CX, but no traffic is passed (user experience is timeout in browser).
Problem started after SW upgrade - present running versions:
ASA version: 9.1.5(21)
CX version: 9.3.3.1 (13)
Have tried to disable all policies and create a 'permit any any' policy, which at present is the only activve policy - still same problem.
Any suggestions?If i am using 11G andrtp is 11g but on rtp side if they configure SSL, is it mandatory to do it from our side also?No it not mandatory to enable SSL at your end however you have to configure identity and trsut at your end.
Any update on my regular question(The main forum question)?You mentioned that you are posting message from 10g to 11g and as per log you are sending it to URL - https://dev-nog.server:443/b2b/transportServlet
So few things which I see as a problem are-
1. You should use URL https://hostname:soa_server_ssl_port/b2b/httpReceiver instead of https://dev-nog.server:443/b2b/transportServlet
2. SOA server SSL port should be enabled (SSL should be enabled on SOA server)
3. You should configure wallet at 10g side to contain trust cert of 11g server
Regards,
Anuj -
"By default, join" drop-down doesn't have "Preferred Networks" option
I use my laptop on two different networks. I would like it to automatically join whichever one is available. The Mac Help has instructions titled "Choosing preferred AirPort networks" with three steps. Step 1 works fine; I can open network preferences and get to the drop-down labelled "By default, join". It says I should then select the option "Preferred networks" from the drop-down. The problem I have is, there is no such option. The drop-down has only one option, labelled "A specific network".
It works identically on a regular user account and an adminstrator account. I have authenticated.
Tiger 10.4.8, fully updated.Can't find the TIL again... might have it bookmarked at work though, but that's the problem... Sorry can't remember the fix right now at all.
-
Super class default constructor
Hello,
I want to clear some confusion. I am studying for the exam. In this particular book an example shows that
Super class has 2 constructor
public abc() and public abc(int n)
Sub class has 2 constructor
public xyz() and public xyz(int n)
now when an instance is created for the subclass
xyz t = new xyz(1)
It will invoke the super class no argument constructor eventhough a default constructor exist in subclass?
Regards,
adilHere are the rules for constructors--"ctors" because I'm lazy. Also, because I'm lazy, "super(...)" and "this(...)" mean any super or this call, regardless of how many args it takes, including those that take no args.
1) Every class has at least one ctor.
1.1) If you do not define an explicit constructor for your class, the compiler provides a implicit constructor that takes no args and simply calls super().
1.2) If you do define one or more explicit constructors, regardless of whether they take args, then the compiler no longer provides the implicit no-arg ctor. In this case, you must explicitly define a public MyClass() {...} if you want one.
1.3) Constructors are not inherited.
2) The first statement in the body of any ctor is either a call to a superclass ctor super(...) or a call to another ctor of this class this(...) 2.1) If you do not explicitly put a call to super(...) or this(...) as the first statement in a ctor that you define, then the compiler implicitly inserts a call to super's no-arg ctor super() as the first call. The implicitly called ctor is always super's no-arg ctor, regardless of whether the currently running ctor takes args.
2.2) There is always exactly one call to either super(...) or this(...) in each constructor, and it is always the first call. You can't put in more than one, and if you put one in, the compiler's implicitly provided one is removed.
Maybe you are looking for
-
Can anyone help with Photoshop CC download error (49)?
I'm not sure what to do with trying to get the update installed so that I can start the trial version. I have turned off McAfee already. Any suggestions?
-
HT5070 Being Liverpool Season 1 incomplete in one folder
Hi, I purchased Season 1 of Being: Liverpool but apparently bought the wrong folder as the one that I bought has not been updated yet whereas the other folder on offer has all six episodes. How do I gain access to the missing two episodes that I paid
-
Questions for Audit management
Can any body work in auditmanagement any body know kindly guide me how to upload auditquestions
-
Hi Experts, Scenario: File ---> XI - >JMS I have a requirement where XI will processed above 5MB files uing content conversion. Is there any performance issue in XI to proceesed huge files. Does XI support above 5MB files? If XI processed huge file t
-
Keychain Setting for .MAC Sync.
Working with a particular machine where it will not allow me to check the box to allow .MAC syncing (it's greyed out) for login keychain. Tried resetting the keychain and first aid to no avail. Can't figure out why it's greyed out. There is another u