Cyrillic characters in Layer-7 Class Maps statements ?
Hi,
For a specific implementation, I need the ACE to parse URIs with cyrillic characters in a Layer-7 class-map. Does the ACE-4710 support it?
If yes, how do I enter them in an L7 class-map statement like: match http url /Искусство.*
Thank you for any hints
Yves
Hi Yves,
I cannot find anything regarding this and I don't see a way to put that in there. I tried pasting it in my ACE and it didn't take it. I would suggest opening a TAC case for official confirmation.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
Similar Messages
-
Layer 7 class-map with different match types
Hello,
I am fighting with a problem on an ACE-4710 version A3(2.4) configuration. I just want to configure a layer 7 class-map that matches if one of two conditions is true. The problem is that these conditions are not of the same type and the ACE refuses the second match statement. However, in the configuration guide, it is clearly defined that it should be possible:
Here is what the configuration guide says:
host1/Admin(config)# class-map type http loadbalance match-any CLASS3
host1/Admin(config-cmap-http-lb)# 100 match http url .*.gif
host1/Admin(config-cmap-http-lb)# 200 match http header Host header-value XYZ
host1/Admin(config-cmap-http-lb)# exit
If I test exactly the same configuration in a context of my ACE, I receive an error message :
CH01AC03/P-104-A(config)# class-map type http loadbalance match-any CLASS3
CH01AC03/P-104-A(config-cmap-http-lb)# 100 match http url .*.gif
CH01AC03/P-104-A(config-cmap-http-lb)# 200 match http header Host header-value XYZ
Error: Match-any classmap can not have different type of match
If I use nested class-maps, I receive the same error message !
Is it a known problem, or is there a solution for it?
Thank you for any help
Yves
Hello Yves,
The command error is correct. I'll take a look at the docs and see about getting them corrected, if necessary.
Basically, for a match-all, you would have to use different types. For example, there will only be one Host header, so you would only specify it once using regex or a fixed string. As you found out, the match-any requires that they all be of the same type. See my example below:
class-map type http loadbalance match-all HEADER-AND-URL
  100 match http url /login.*
  200 match http header Host header-value "XYZ"
class-map type http loadbalance match-any URLS
  100 match http url .*\.gif
  200 match http url .*\.jpg
class-map type http loadbalance match-any HEADER
  200 match http header Host header-value "CISCO"
policy-map type loadbalance first-match SLB_LOGIC
  class HEADER-AND-URL
    serverfarm LOGIN-FARM
  class URLS
    serverfarm IMAGES-FARM
  class HEADER
    serverfarm CISCO-FARM
  class class-default
    serverfarm WWW-FARM
So let's say you want to match requests for URLs ending in .jpg or for requests with Host header XYZ, and if it matches either one, then send to the same serverfarm.
class-map type http loadbalance match-any URL-JPG
  2 match http url .*\.jpg
class-map type http loadbalance match-any HOST-XYZ
  2 match http header Host header-value "XYZ"
policy-map type loadbalance first-match SLB_LOGIC
  class URL-JPG
    serverfarm SERVER-FARM
  class HOST-XYZ
    serverfarm SERVER-FARM
If you wanted to send these requests to the farm only if they matched BOTH matches, then you could do it as follows:
class-map type http loadbalance match-all HEADER-AND-URL
  100 match http url /login.*
  200 match http header Host header-value "XYZ"
policy-map type loadbalance first-match SLB_LOGIC
  class HEADER-AND-URL
    serverfarm LOGIN-FARM
Hope this helps,
Sean -
Layer-7 Class-maps: 'not' match-any
Hello All,
I'm wondering if the following logic is possible on the ACEs.
First Match is:
class-map type http loadbalance match-any CM7-MatchSrcIP
10 match source-address 192.168.0.0 255.255.0.0
20 match source-address 172.16.0.0 255.255.0.0
class-map type http loadbalance match-any CM7-URLs
10 match http url /testing.*
class-map type http loadbalance match-all CM7-WWW
10 match class-map CM7-MatchSrcIP
20 match class-map CM7-URLs
If the above URL and IP sources are matched, I want to send to a specific SF. (easy enough)
If the URL matches /testing.* but the source IP address doesn't match any of the above subnets, I want to redirect to a 'restricted' page. (ummm)
If the URL is something else (e.g. /temporary.*) with any IP source address, I want it to be load-balanced by a different SF (say like in a class-default)
Thx in adv
David
Hi David,
Sure you can try this on the ACE, you already created most of the configuration so now just need to apply the maps under the first-match policy.
According to your description, this is how this policy should look:
policy-map type loadbalance first-match SLB_LOGIC
  class CM7-WWW
    serverfarm Testing
  class CM7-URLs
    serverfarm Restricted
  class class-default
    serverfarm Any
- ACE checks for testing plus IP address matching.
- If the user belongs to any other subnet then SF Restricted is used.
- If none of the above statements is matched then the default class map and SF is used.
Cheers!
Pablo -
Cyrillic characters issue in ABAP mapping
Hello Experts,
I am using an ABAP mapping program to convert IDOC XML to a flat file. Further, I am using the File adapter to write this file to an FTP server.
My problem is:
When Idoc contains CYRILLIC characters in payload, then these characters appear as "#" after the mapping has executed.
If I check in SXMB_MONI in XI, the inbound payload displays data correctly. In "Request Message mapping" node, if I check the output of ABAP mapping program, then cyrillic characters are replaced with "#". The same "#" is then written to File.
Do you have any idea how I can deal with this problem?
NOTE: I tried passing encoding type = UTF-8 to the function SCMS_STRING_TO_XSTRING, which is used in the mapping program to set the encoding type, but it did not work.
@PI Expert: I tried to debug the ABAP mapping using the SXI_MAPPING_TEST transaction, however when I paste my payload in the editor, the cyrillic characters appear as junk characters. Due to this, in the output, these junk characters appear as "#".
@Sarvesh: I too initially thought that this could be a problem with AL11, that it is not displaying the data correctly. However when I checked the "Request Message Mapping" node in SXMB_MONI, it showed "#" characters. Also the .csv file generated contains "#" only.
Thanks for your time and response. -
Cyrillic Characters not shown in pdf file when xsl is parsed part 2:
I am using Fop to create a pdf file from an XSL file, an XML file and a ApplicationResources.properties file.
The XML file is populated by a Java class, where the information is taken from a Russian database. This XML file is then used to populate the XSL file.
The ApplicationResources.properties file, is in windows 1251 format, as we converted it using NativeToAscii converter.
I downloaded a cyrillic ttf file, and created a metrics file, according to the Fop website. And I had Russian appearing on my PDF from the database (not ApplicationResources.properties file though). However, the information which we were retrieving from the database would not display on the jsp pages which are part of the same application.
To fix this, we changed our database driver from a ODBC-JDBC driver, to an oracle thin type 4 driver.
Since this happened, my cyrillic characters no longer appear on my PDF file.
I know that the information from the database comes back in windows 1251 format, so I tried to put the
<?xml version="1.0" encoding="windows-1251"?>
and
<?xml version="1.0" encoding="Cp1251"?>
but when I do this, I get the following error in my log file:
L2|14:14:58:433|ExecuteThread-9|PDFService.generatePDF: class com.petrotechnics.skyobma.service.SkyobmaServiceException Exception :javax.xml.transform.TransformerConfigurationException: javax.xml.transform.TransformerException: org.xml.sax.SAXParseException: The encoding "Cp1251" is not supported.
or the windows-1251 is not supported.
I do not know what to do at all, I am really struggling and was wondering if anyone had any idea about where I can go from here, or even if someone can just tell me I am fighting a losing battle I would be happy.
Yours Truly Hopefully,
Gillian Daniel
Either you configure FOP to use a SAX parser that supports Cp1251 or you encode your XML data to UTF-8.
We flawlessly generate Greek PDF documents out of data selected from Oracle 8.1 by using UTF-8. -
According to Cisco documentation (http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mpc.html), the ASA is equipped with two default class-maps
class-map inspection_default
match default-inspection-traffic
and
class-map class-default
match any
The first makes perfect sense, but what is the class-default used for? Cisco says
"This class map appears at the end of all Layer 3/4 policy maps and essentially tells the adaptive security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own
match any class map. In fact, some features are only available for class-default."
But I see stuff like this:
policy-map MyPolicy
class class-default
inspect tfp MyFTPpolicy
Obviously it is being used here to act on traffic! So I am confused.
I also noticed that when you upgrade from 8.2 to 8.4, all default class-maps are removed from the configuration: you have to re-create everything (strange)
Hello Collin,
This is Mike. I don't think it is well documented. Basically it is just a class map (that does not appear in the configuration unless an action is specified) that will match all traffic passing through the ASA firewall. Some features like NSEL (Netflow) and traffic shaping are only allowed to use this kind of class map because they don't support any other match command.
The one that you currently have (and God I hope it's not applied) will look for tftp traffic on every IP packet passing across the ASA.
This specific type of policy you have there can only be applied on the interface (as it is not a layer 7 inspection policy); you can check if it is applied or not by running the "show run service-policy" command.
Mike -
Hello Gilles,
One question about something I was not able to find in the documentation.
Let's say I have one class-map which includes 2 ports (in this case https and 5061).
Can I associate this class-map to just 1 generic serverfarm and probe for both ports, or do I have to specify 2 serverfarms/rservers/probes?
So, by not specifying the ports on the rserver, if a request is received on port 443 (or 5061), is it sent to the same respective port on the rserver?
Is the same valid for the generic probe? Is the ACE module able to probe both ports based on the class-map?
Thanks and have a great day!!
Giulio.
probe tcp PROBE_GENERIC_TCP
description This probe works for all TCP services by inheriting the VIP port.
interval 15
faildetect 2
passdetect interval 15
passdetect count 2
open 2
rserver host SERVER1_ACCESS
ip address <1AC>
inservice
rserver host SERVER2_ACCESS
ip address <2AC>
inservice
serverfarm host ACCESS-SFARM
probe PROBE_GENERIC_TCP
rserver SERVER1_ACCESS
inservice
rserver SERVER2_ACCESS
inservice
class-map match-any OCS_L4ACCESS
2 match virtual-address x.x.x.176 tcp eq https
2 match virtual-address x.x.x.176 tcp eq 5061
policy-map type loadbalance first-match OCS_L4ACCESS
class class-default
sticky-serverfarm ACCESS_STICKY
policy-map multi-match POLICY
class OCS_L4ACCESS
loadbalance vip inservice
loadbalance policy OCS_L4ACCESS
loadbalance vip icmp-reply active
connection advanced-options OCS_VIPTIMEOUT
nat dynamic XXX vlan 503
Even if you use the 4710 appliance or expect the inheritance in the module software, it's worth considering if this is really what you want. If you keep multiple ports in the L3/L4 class-map you can't handle the services independently. You will have a common serverfarm for both https and 5061. If https service stops on one rserver, the ACE will place that rserver (and not that service) in out-of-operation state and it won't receive any 5061 traffic either. (You have the fail-on-all probe option but I wouldn't say it's a better choice. In that case, https traffic would be sent to the rserver even if https port is closed as long as there is at least one working service on it.) That's why I prefer a separate class-map and separate serverfarm for each service. (They can contain the same rservers, no need to duplicate.) BUT if the software supports probe port inheritance, you can benefit from it even in this scenario: serverfarm-443 and serverfarm-5061 can both use your PROBE_GENERIC_TCP.
-
Help with Class-map configuration - ZBFW
Hello,
I need some clarification regarding the class-map configuration in a ZBFW. I need to allow https, http, ftp & rdp traffic from the Internet to a few of the servers inside our LAN. So I put the below configuration in place to accomplish the task (the example shows the class-map for only the https protocol):
a.)
class-map type inspect match-all HTTPS-ACCESS
match protocol https
match access-group name HTTPS-SERVER-ACCESS
ip access-list extended HTTPS-SERVER-ACCESS
permit tcp any host 172.17.0.55 eq 443
permit tcp any host 172.17.0.56 eq 443
permit tcp any host 172.17.0.36 eq 443
permit tcp any host 172.17.0.45 eq 443
permit tcp any host 172.17.0.60 eq 443
Where 55,56,36,45,60 are the servers inside the LAN (12 more servers are there) that need to be accessed via https,http,ftp & rdp from Internet.
Is it a correct approach? Or do I need to change my configuration so that I match the ACL with my class-map like below:
b.)
ip access-list extended OUTSIDE-TO-INSIDE-ACL
permit tcp any host 172.17.0.55 eq 443
permit tcp any host 172.17.0.55 eq www
permit tcp any host 172.17.0.55 eq 21
permit tcp any host 172.17.0.55 eq 3389
permit tcp any host 172.17.0.56 eq 443
permit tcp any host 172.17.0.56 eq www
permit tcp any host 172.17.0.56 eq 21
permit tcp any host 172.17.0.56 eq 3389
permit tcp any host 172.17.0.36 eq 443
permit tcp any host 172.17.0.36 eq www
permit tcp any host 172.17.0.36 eq 21
permit tcp any host 172.17.0.36 eq 3389
permit tcp any host 172.17.0.45 eq 443
permit tcp any host 172.17.0.45 eq www
permit tcp any host 172.17.0.45 eq 21
permit tcp any host 172.17.0.45 eq 3389
class-map type inspect match-all OUT-IN-CLASS
match access-group name OUTSIDE-TO-INSIDE-ACL
Which one is the correct approach when we consider the performance of the firewall ? Please help me.
Regards,
Yadhu
Hey
I do not agree with Varun, I think the first approach is the best one.
Why? Because when you issue the "match protocol ..." you are using NBAR which is an application inspection software, which means that https or whatever protocol is inspected at layer 7, not layer 3 and 4 as the second approach does (IP and port-number).
Let's say you use the second approach and an attacker uses some malicious protocol that runs over port 443 or whatever (a port that you opened). That attack would be successful because all you say is: you are going to IP address 172.17.0.56 over port 443, so go ahead.
But if you are using NBAR, this would not work because NBAR will look at layer 7, inside the protocol itself and look if this really is HTTPS (or whatever protocol).
That's my two cents. Hope it helped! -
ZBF Class-map and different way of doing them
Hi People, just thought I would ask a question on how to set up a ZBF. (question at the end of the example configs)
I have been playing with this for a while now and would like to get advice on what way is the recommended way of doing multiple matches.
OK, we all know the basic:
class-map type inspect match-any ZBF_CM_ICMP
match protocol icmp
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
class type inspect ZBF_CM_ICMP
inspect
and then the ZP doesn't need to be shown; this is a simple map using NBAR, fair enough.
Then we could do multiple matches:
class-map type inspect match-any ZBF_CM_STD_DMZ_PORTS
match protocol icmp
match protocol http
match protocol dns
match protocol https
policy-map type inspect ZBF_PM_DMZ->EXTERNAL
class type inspect ZBF_CM_STD_DMZ_PORTS
inspect
OK, still easy to understand, but now comes the bit that is a little more complex: non-NBAR matches.
ip access-list extended AL_RDP_PORT
permit tcp any any eq 3389
class-map type inspect match-all ZBF_CM_RDP
match access-group name AL_RDP_PORT
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
class type inspect ZBF_CM_RDP
inspect
This config is now using an access list because NBAR doesn't have the protocol in it; then map the AL to the CM, then the CM to the PM. The next example is what I set up to get more non-NBAR ports and only for 1 host.
ip access-list extended AL_HOST_IP_IN
permit ip any host 11.11.11.11
ip access-list extended AL_ISATAP
permit 41 any any
ip access-list extended AL_TEREDO
permit udp any any eq 3544
class-map type inspect match-ANY ZBF_CM_DirectAccess_Protocols
description Nested Class Map
match access-group name AL_ISATAP
match access-group name AL_TEREDO
match protocol https
class-map type inspect match-ALL ZBF_CM_APP_IN
match access-group name AL_HOST_IP_IN
match access-group name ZBF_CM_DirectAccess_Protocols
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
class type inspect ZBF_CM_APP_IN
inspect (or pass with rule for other direction)
This is what I set up and it works (not for this example but the rule flow). I then was having issues with DMVPN and ZBF (turned out to be an IOS bug annoying me), but I used Cisco CP to set up the ZBF automatically for the DMVPN and its ZBF rules were the same procedure as below.
ip access-list extended AL_HOST_IP_IN
permit ip any host 11.11.11.11
ip access-list extended AL_ISATAP
permit 41 any any
ip access-list extended AL_TEREDO
permit udp any any eq 3544
class-map type inspect match-ANY CM_ISATAP
match access-group name AL_ISATAP
class-map type inspect match-ANY CM_TEREDO
match access-group name AL_TEREDO
class-map type inspect match-ANY ZBF_CM_DirectAccess_Protocols
description Nested Class Map
match class-map CM_ISATAP
match class-map CM_TEREDO
match protocol https
class-map type inspect match-ALL ZBF_CM_APP_IN
match access-group name AL_HOST_IP_IN
match access-group name ZBF_CM_DirectAccess_Protocols
policy-map type inspect ZBF_PM_EXTERNAL->DMZ
class type inspect ZBF_CM_APP_IN
inspect
So what Cisco CP did was make yet another level of nesting: rather than the match-all class map having the match access-list command, it made a CM with the access list, and then the main class map had only other match class-map commands in it.
QUESTION:
Why did Cisco CP do the extra nesting?
Both ways worked, but I would like to know why Cisco CP did the same thing with the other layer of CM. Did it do this for best practice, or does this make changes later easier? I can't understand what the advantage is to doing it this way... but if there is a valid reason then great, I'm just trying to understand.
thanks
regards
A very sore headed
Dave
When people say "use as few classes as possible", it's usually related not to optimizing heap usage, but jar size.
But it's true that some smart use of OOP can save a lot of memory during runtime (and even jar size in some cases). Using an interface in my GUI library helps make the architecture a lot simpler and more compact, to the point that even if all the GUI widgets are being used (so the "just loading the code you need at the moment" argument is moot) memory use is still smaller because I need a lot less hacks to glue everything together.
It still is worth noting that often memory fragmentation is the true cause of running-out-of-memory-errors, and in this case loading many small classes will achieve exactly the opposite.
shmoove -
Hi
I'm a little unsure of how using ACLs works within a class map.
I want to allow access to a web server 1.1.1.1 and deny all other traffic coming from the outside zone to the inside zone, so I have created an ACL with a
permit http to 1.1.1.1 and a deny ip any any statement and applied it to the class map.
When I apply this to the policy map I can either inspect, drop or pass the traffic.
What I don't understand is how this works with the ACL permit or deny statements or the implicit deny functionality of the ACL.
For example, if I apply the pass action to this class-map/ACL, how does it handle the deny ip any any statement in the ACL?
If I am passing the traffic in the policy, does it still deny any deny statements in the ACL?
Also, what about multiple class maps in a policy map? Wouldn't a deny statement in the first ACL stop further processing in the policy map?
Hope this makes sense..
thanks for any help
When using ACLs in a class map, a permit entry causes the ACL condition to match and a deny entry does not. So, for your ACL "permit tcp any host 1.1.1.1 eq www", any HTTP traffic to 1.1.1.1 on 80/tcp will be matched by the class map and the implicit "deny ip any any" will not be matched. There is no action implied by the ACL when used this way, only a match or no match.
ip access-list extended ACL_HTTP
permit tcp any host 1.1.1.1 eq www
class-map type inspect match-any CM_HTTP
match access-group name ACL_HTTP
In order to actually deny the traffic, you have to specify a drop in the policy map.
policy-map PM_HTTP
class CM_HTTP
inspect
class class-default
drop
To illustrate the point a bit further, let's say you were going to allow HTTP and HTTPS with two ACLs and did it like this:
ip access-list extended ACL_HTTP
permit tcp any host 1.1.1.1 eq www
ip access-list extended ACL_HTTPS
permit tcp any host 1.1.1.1 eq 443
class-map type inspect match-any CM_HTTP
match access-group name ACL_HTTP
match access-group name ACL_HTTPS
policy-map PM_HTTP
class CM_HTTP
inspect
class class-default
drop
In the above case, HTTP traffic to 1.1.1.1 is a hit on ACL_HTTP's permit statement, is matched by the class map and is inspected by the policy map. HTTPS traffic to 1.1.1.1 is a hit on ACL_HTTPS's permit statement, is likewise matched by the class map and is inspected by the policy map. The implicit deny statements (and any other deny statements you may add) only ensure that the packet doesn't match that element of the class map and doesn't prevent it from being matched against another. -
In the following class-map:
"class-map match-any voice
match access-group 190"
If the ACL 190 has more than one line with "permit" statements.
In order for the policy-map using the above class-map to find a match and use the rules applied for the above class-map, does the traffic need to meet all the criteria in the ACL or does it work like a regular ACL, where it "walks" down and it stops execution at the first permit/deny "hit"?
Regards,
Christos
The explicit "match-any" will do just that. So, a nested ACL can be configured for multiple criteria.
The alternative is a "match-all" where all nested options in your ACL MUST be met. Hope this helps.
T -
Six magic cyrillic characters?
Hello!
Sorry if such a topic has already been submitted.
Could someone please clarify and/or propose a solution for the following problem?
There are six cyrillic characters which are converted from Unicode into UTF-8 incorrectly: 3 uppercase letters (\u0410 \u0401 \u041D) and 3 lowercase letters (\u0441 \u044D \u044F).
It seems that the problem appears on every Java platform. I tried IBM1.4.0, IBM1.3.1, SUN1.3.1_04, SUN1.3.1_08, SUN1.4.2 and SUN1.5.0_02 on WIN2000PRO - the result is the same.
Here is the test (see comments also):
//--------------------------------------------------------- src begin...
public class IsABug {
    protected static void dumpString(String str) {
        System.out.println("--- Dump string. Length: " + str.length() + " ---");
        byte[] b = str.getBytes();   // platform default charset, no charset given
        for (int i = 0; i < b.length; i++) {
            System.out.println(i + " = " + b[i]);
        }
    }

    public static void main(String[] args) throws Exception {
        // OK. Each character is translated into a sequence of different UTF-8 codes
        String okstr = "\u0412\u0421\u0415 \u041E\u041A";
        String ok = new String(okstr.getBytes("UTF-8"));
        dumpString(ok);
        /* OUTPUT:
           --- Dump string. Length: 11 ---
           0 = -48
           1 = -110
           2 = -48
           3 = -95
           4 = -48
           5 = -107
           6 = 32
           7 = -48
           8 = -98
           9 = -48
           10 = -102
        */

        /* ERROR1. The next string consists of different characters, but
         * after conversion into UTF-8 the result is the sequence of the
         * identical byte pairs: (-48,63), (-48,63), (-48,63).
         */
        String errstr1 = "\u0410\u0401\u041D";
        String er1 = new String(errstr1.getBytes("UTF-8"));
        dumpString(er1);
        /* OUTPUT:
           --- Dump string. Length: 6 ---
           0 = -48
           1 = 63
           2 = -48
           3 = 63
           4 = -48
           5 = 63
        */

        /* ERROR2. The next string consists of different characters, but
         * after conversion into UTF-8 the result is the sequence of the
         * identical byte pairs: (-47,63) (-47,63) (-47,63).
         */
        String errstr2 = "\u0441\u044D\u044F";
        String er2 = new String(errstr2.getBytes("UTF-8"));
        dumpString(er2);
        /* OUTPUT:
           --- Dump string. Length: 6 ---
           0 = -47
           1 = 63
           2 = -47
           3 = 63
           4 = -47
           5 = 63
        */
    }
}
//----------------------------------------------------- src end
Is it a bug?
Yes, it's a bug. In your program. You are not testing UTF-8 conversion at all.
String errstr1 = "\u0410\u0401\u041D";
String er1 = new String(errstr1.getBytes("UTF-8"));
This takes that String of 3 characters and converts it to bytes, using the UTF-8 encoding. You now have an array of bytes that is encoded in UTF-8. Next you convert those bytes to a String, assuming that they were encoded according to your system's default encoding. Since you don't get the original string back, that just means that your system's default encoding is not UTF-8. Try this instead:
String errstr1 = "\u0410\u0401\u041D";
String er1 = new String(errstr1.getBytes("UTF-8"), "UTF-8"); -
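The following is an added illustration in Python (not the poster's Java and not part of the thread) that reproduces all three byte dumps above and shows why only those six letters break. It assumes the JVM default charset was windows-1252; that is an inference from the dump, not something the thread states, and it holds because the second UTF-8 byte of each failing letter (0x90, 0x81, 0x9D, 0x8D, 0x8F) has no character assigned in cp1252.

```python
"""Reproduce the poster's dumps: encode as UTF-8, decode with the platform
default charset, then encode with it again. Added example, not the poster's
code. ASSUMPTION: the JVM default charset was windows-1252 (inferred from the
dump). Bytes cp1252 cannot decode become U+FFFD, which re-encodes as '?' (63),
which is exactly the (-48, 63) / (-47, 63) pairs in the dump."""

DEFAULT_CHARSET = "cp1252"   # assumed JVM default; see module docstring


def java_signed(data: bytes):
    """Render bytes the way Java prints a signed byte (0xD0 -> -48)."""
    return [b - 256 if b > 127 else b for b in data]


def round_trip_via_default(text: str, default_charset: str = DEFAULT_CHARSET) -> bytes:
    """new String(text.getBytes("UTF-8")) followed by .getBytes() with no charset:
    UTF-8 bytes are decoded with the platform default and encoded with it again.
    errors='replace' mirrors Java's substitution on both steps."""
    utf8 = text.encode("utf-8")
    as_java_saw_it = utf8.decode(default_charset, errors="replace")   # unmapped -> U+FFFD
    return as_java_saw_it.encode(default_charset, errors="replace")   # U+FFFD -> '?'


def round_trip_explicit(text: str) -> str:
    """new String(text.getBytes("UTF-8"), "UTF-8"): the fix given in the reply."""
    return text.encode("utf-8").decode("utf-8")


def unmapped_in_default(text: str, default_charset: str = DEFAULT_CHARSET):
    """UTF-8 bytes of text that the default charset cannot decode; these are
    exactly the positions that show up as 63 in the dump."""
    unmapped = []
    for b in text.encode("utf-8"):
        try:
            bytes([b]).decode(default_charset)
        except UnicodeDecodeError:
            unmapped.append(b)
    return unmapped


if __name__ == "__main__":
    for label, s in [("ok", "\u0412\u0421\u0415 \u041E\u041A"),
                     ("err1", "\u0410\u0401\u041D"),
                     ("err2", "\u0441\u044D\u044F")]:
        print(label, java_signed(round_trip_via_default(s)),
              "unmapped:", [hex(b) for b in unmapped_in_default(s)])
```

The "ok" string survives only because every second UTF-8 byte of those five letters happens to be an assigned cp1252 character; any charset other than UTF-8 would eventually hit an unmapped byte.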
Match-any or Match All For Class-map On Nexus?
I have an access-list MANAGEMENT
permit udp any eq snmp any
permit udp any any eq snmp
permit tcp any any eq telnet
permit tcp any eq telnet any
permit tcp any any eq 22
permit tcp any eq 22 any
My question is: does it matter if I use a match-any or match-all? I want to match anything in the access-list to classify the traffic correctly.
class-map type qos match-any MANAGEMENT
match access-group name MANAGEMENT
Or
class-map type qos match-all MANAGEMENT
match access-group name MANAGEMENT
I understand a match-any is an or and a match-all is an and function. Does this apply to an access-list for a class-map?
Thanks
It applies to match statements within the class map. In your case, you're only using one match statement, so there will be no difference between match-all and match-any, no matter how many entries are in the ACL. If your class map had two different ACLs in two different match statements, then the and/or logic of match-all and match-any would come into play.
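Added example (a Python model written for this page, not Cisco code): it encodes the rules stated in the ZBFW reply above on ACLs inside class maps (permit entry = match, deny entry or implicit deny = no match, no action from the ACL itself) and in the reply just above on match-any versus match-all applying to match statements rather than ACL entries. The 1.1.1.1 ACLs are the ones posted; the packet addresses, the extra deny entry and the port-only subset of the MANAGEMENT ACL are constructed for the illustration.

```python
"""Model of how IOS class maps evaluate 'match access-group' statements and
how a first-match policy map then picks an action. Added example written for
this page, not Cisco code. Rules implemented, as stated in the replies: a
permit entry makes the match statement match; a deny entry or the implicit
'deny ip any any' makes it not match (the ACL implies no action); match-any /
match-all are OR / AND across match statements, never across ACL entries."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip"
    src: str                      # "any", a host address or a CIDR prefix
    dst: str
    dport: Optional[int] = None   # None: no "eq <port>" qualifier

    def hits(self, pkt: Packet) -> bool:
        def covers(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
        return (self.proto in ("ip", pkt.proto)
                and covers(self.src, pkt.src) and covers(self.dst, pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def acl_matches(acl: List[AclEntry], pkt: Packet) -> bool:
    """Walk the ACL to the first hit: permit hit = match, deny hit = no match,
    no hit at all (the implicit deny) = no match."""
    for entry in acl:
        if entry.hits(pkt):
            return entry.action == "permit"
    return False


@dataclass
class ClassMap:
    mode: str                              # "match-any" or "match-all"
    match_groups: List[List[AclEntry]]     # one ACL per 'match access-group name' line

    def matches(self, pkt: Packet) -> bool:
        results = [acl_matches(acl, pkt) for acl in self.match_groups]
        return any(results) if self.mode == "match-any" else all(results)


def first_match(policy: List[Tuple[ClassMap, str]], pkt: Packet, class_default: str) -> str:
    """Policy map: the first class whose class map matches decides the action."""
    for cm, action in policy:
        if cm.matches(pkt):
            return action
    return class_default


# The ACLs and class map from the ZBFW reply, values as posted.
ACL_HTTP = [AclEntry("permit", "tcp", "any", "1.1.1.1", 80)]
ACL_HTTPS = [AclEntry("permit", "tcp", "any", "1.1.1.1", 443)]
CM_HTTP = ClassMap("match-any", [ACL_HTTP, ACL_HTTPS])


def pm_http(pkt: Packet) -> str:
    """policy-map PM_HTTP: class CM_HTTP -> inspect, class class-default -> drop."""
    return first_match([(CM_HTTP, "inspect")], pkt, class_default="drop")


# Constructed variant: an explicit deny entry ahead of the permit.
ACL_HTTP_WITH_DENY = [AclEntry("deny", "tcp", "10.0.0.5", "1.1.1.1", 80),
                      AclEntry("permit", "tcp", "any", "1.1.1.1", 80)]


def pm_with_deny_entry(pkt: Packet) -> str:
    """Same policy shape but class-default set to pass: a packet hitting the
    deny entry is simply not matched and falls through to class-default, so
    the ACL deny never drops anything on its own."""
    cm = ClassMap("match-any", [ACL_HTTP_WITH_DENY])
    return first_match([(cm, "inspect")], pkt, class_default="pass")


# Constructed subset of the Nexus MANAGEMENT ACL (destination-port lines only;
# this toy model has no source-port field).
ACL_MANAGEMENT = [AclEntry("permit", "udp", "any", "any", 161),
                  AclEntry("permit", "tcp", "any", "any", 23),
                  AclEntry("permit", "tcp", "any", "any", 22)]


def any_equals_all_single_statement(pkt: Packet) -> bool:
    """With a single match statement, match-any and match-all agree whatever
    the ACL contains."""
    return (ClassMap("match-any", [ACL_MANAGEMENT]).matches(pkt)
            == ClassMap("match-all", [ACL_MANAGEMENT]).matches(pkt))


def any_vs_all_two_statements(pkt: Packet) -> Tuple[bool, bool]:
    """With two match statements the OR / AND difference shows up."""
    return (ClassMap("match-any", [ACL_HTTP, ACL_HTTPS]).matches(pkt),
            ClassMap("match-all", [ACL_HTTP, ACL_HTTPS]).matches(pkt))
```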
-
Total drops for class-map class-default
Hi,
I have a gigabit ethernet interface on a 2951 configured with 4 sub-interfaces providing connectivity to our four WAN sites. Each sub-interface serves a 100 Mb connection to another site.
I have configured a QoS policy and attached it to each sub-interface with the primary function of limiting each sub-interface to 100 Mbps. I am now seeing drops (total drops) on the class-default and am not sure why. I would not expect to see any drops on this interface as it never even reaches 15 Mb (15%) capacity.
Any ideas?
Class-map: class-default (match-any)
175934881 packets, 95319007968 bytes
5 minute offered rate 23000 bps, drop rate 0000 bps
Match: any
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/340/0
(pkts output/bytes output) 314212026/180287074028
policy-map PM-Branch-QoS
class CM-OAM
set dscp af11
class CM-Network
set dscp cs6
class CM-VC
bandwidth percent 5
class CM-Citrix
set dscp af21
class CM-CAPWAP
set dscp af22
policy-map PM-WAN
class class-default
shape peak 100000000
service-policy PM-Branch-QoS
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I would not expect to see any drops on this interface as it never even reaches 15 Mb (15%) capacity.
Your expectations might be incorrect. Often percentage of bandwidth capacity measurements are misunderstood.
Let's assume your ingress is 100 Mbps. Let's also assume you're measuring over a five minute period. Lastly, assume the ingress transmits at 100% for 1 minute and then stops for 4 minutes. Bandwidth utilization across the 1 minute would be 100% and 0% for the other 4 minutes, but it would be 20% for the 5 minutes.
But if the 100 Mbps was sent at 100% for each 12 seconds, and not sent for each 48 seconds, 5 minute utilization would still be 20%, but unlike the prior 1 minute stats of 100% and 0%, each minute would now also be 20%.
So these first two examples show how bandwidth utilization doesn't reveal what's happening within the measured time period.
Since ingress was the same bandwidth as egress in the above, there would be no queuing.
If ingress is gig, though, suppose gig ingress arrives for 6 seconds and stops for the remaining 4 minutes and 54 seconds. This too would measure as 20% usage across 5 minutes, but since it will take 60 seconds to transmit the same traffic at 100 Mbps, packets will need to be queued. If queuing buffers are insufficient to hold all the packets, some will be dropped.
The above is a long way of saying, if your ingress rate exceeds your egress rate, there can be a need to queue packets, and if queuing is insufficient, packets will be dropped, even if utilization is "low". Most likely, you have occasional "bursts" where ingress bandwidth exceeds the egress bandwidth.
From your actual stats, the drop rate percentage is so low, you might not need to concern yourself with the few drops you're seeing. If it is a concern, you might be able to reduce the drop rate by increasing egress buffering, but doing so, also increases egress queuing delay. -
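An added, constructed illustration of the burst argument above (not part of the reply): a millisecond-step fluid model of a 100 Mbps shaper with the 64-packet queue from the show output, run over the reply's three scenarios. All three offer exactly 20 % of five-minute capacity, yet only the 1 Gbps burst produces drops; the 1500-byte packet size used to turn the packet limit into bytes is an assumption.

```python
"""Fluid model of a shaped 100 Mbps egress with a finite queue, stepped in
1 ms slots. Added, constructed example (not from the reply). Figures: the
reply's scenarios, the 'queue limit 64 packets' from the show output, and an
ASSUMED 1500-byte packet size to express that limit in bytes."""


def simulate_burst(ingress_bps: int, on_seconds: int, off_seconds: int,
                   egress_bps: int = 100_000_000, window_seconds: int = 300,
                   queue_packets: int = 64, packet_bytes: int = 1500) -> dict:
    """Ingress sends at ingress_bps for on_seconds, is silent for off_seconds,
    and repeats that cycle across the measurement window. Returns byte counts
    and the utilization a 5-minute counter would report."""
    slots = window_seconds * 1000
    in_per_ms = ingress_bps // 8000          # bytes arriving per ms while 'on'
    out_per_ms = egress_bps // 8000          # bytes the shaper can send per ms
    queue_cap = queue_packets * packet_bytes
    cycle = on_seconds + off_seconds
    queue = offered = sent = dropped = 0
    for t in range(slots):
        if (t // 1000) % cycle < on_seconds:  # inside an 'on' period
            offered += in_per_ms
            queue += in_per_ms
        if queue > queue_cap:                 # tail drop above the queue limit
            dropped += queue - queue_cap
            queue = queue_cap
        tx = min(queue, out_per_ms)
        sent += tx
        queue -= tx
    capacity = out_per_ms * slots
    return {"offered": offered, "sent": sent, "dropped": dropped,
            "offered_fraction": offered / capacity,
            "utilization": sent / capacity}


def reply_scenarios() -> dict:
    """The three cases the reply walks through; each offers 20 % of capacity."""
    return {
        "100M for 1 min, silent 4 min": simulate_burst(100_000_000, 60, 240),
        "100M 12 s on / 48 s off": simulate_burst(100_000_000, 12, 48),
        "1G for 6 s, silent 4 min 54 s": simulate_burst(1_000_000_000, 6, 294),
    }


if __name__ == "__main__":
    for name, r in reply_scenarios().items():
        print(f"{name}: offered {r['offered_fraction']:.0%}, "
              f"sent {r['utilization']:.1%}, dropped {r['dropped']:,} bytes")
```

Raising queue_packets far enough to hold the whole burst removes the drops but, as the reply notes, only by letting the queue (and thus delay) grow for tens of seconds.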
ACE class-map match url syntax
Can someone help me with the string that would match a URL with no path specified? For instance, a user types "https://outlook.domain.net" into their browser and I want the ACE to redirect that request to "https://outlook.domain.net/owa".
2 match http url outlook\.domain\.net\
Adam and Shday,
I'll give you a hand on this =)
Adam we can solve your problem only if you're doing SSL offloading on the ACE as the layer 5 information that needs to be checked is being sent encrypted.
In case SSL termination is configured then the configuration would be like this:
rserver redirect OWA
webhost-redirection https://%h/owa 301
inservice
serverfarm redirect OWA
rserver OWA
inservice
class-map type http loadbalance match-any OWA
2 match http header Host header-value "outlook.domain.net"
policy-map type loadbalance first-match OWA
class OWA
serverfarm OWA
class class-default
serverfarm Backend
Shday, yours is pretty much the same but you need to decide if class-default needs to be in place:
rserver redirect Domain
webhost-redirection http://%h/any_path 301
inservice
serverfarm redirect Domain
rserver Domain
inservice
class-map type http loadbalance match-any Any
2 match http url /.*
class-map type http loadbalance match-any Domain
2 match http header Host header-value "domain.com"
policy-map type loadbalance first-match Domain
class Any
serverfarm Backend
class Domain
serverfarm Domain
HTH
Pablo