ICMP unreachable, rate-limit command
Hi !
I'm currently working on projet of network hardening.
Based on Cisco security best pratice, I see it's recommand to rate limit genaration of ICMP unreachable message to prevent DoS attack. (according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
On Catalyst 6509 run IOS 12.2(17r)SX5 I see to possible way to rate-limit ICMP messages if mls QoS is running.
1- mls rate-limit unicast ip ICMP unreachable acl-drop 100 10 (enable by default, according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
mls rate-limit unicast ip ICMP unreachable no-route 100 10
2- ip ICMP rate-limit unreachable <millisecond> (500 ms is default parameters, which permit 2 paquets per seconds, also enable by default if I'm base on : http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section)
Which one of those command have precedence over the other one ?
Which one is better over the other one ?
With the mls rate-limit option, we have the possibility to check default parameter with : "show mls rate-limit" command is exist equivalent for : "ip ICMP rate-limit unreachable"
We have also Catalyst 3550 switches, on which we have to rate-limit genaration of ICMP unreachable message for same reason as 6509. I understand the :"ip ICMP rate-limit unreachable" command is my only option "under "mls " the only option I have is QoS or aclmerge. Under thoses parameter I have no way to rate-limit ICMP message generation....
I have check in running-configuration I did not find any reference to ICMP rate-limit command, I hope this is active like explain in document http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section, (Version 12.2(44)SE3) but I would like to be able to confirm if any show command exist to confirm this.
thanks a lot !
This is now showing up with running ssh over this tunnel. I can get the initial connection, but certain commands are not going through.
Similar Messages
-
ICMP unreacheble, rate-limit
Hi !
I'm currently working on projet of network hardening.
Based on Cisco security best pratice, I see it's recommand to rate limit genaration of ICMP unreachable message to prevent DoS attack. (according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
On Catalyst 6509 run IOS 12.2(17r)SX5 I see to possible way to rate-limit ICMP messages if mls QoS is running.
1- mls rate-limit unicast ip ICMP unreachable acl-drop 100 10 (enable by default, according to document : http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080825564.pdf page 74)
mls rate-limit unicast ip ICMP unreachable no-route 100 10
2- ip ICMP rate-limit unreachable <millisecond> (500 ms is default parameters, which permit 2 paquets per seconds, also enable by default if I'm base on : http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section)
Which one of those command have precedence over the other one ?
Which one is better over the other one ?
With the mls rate-limit option, we have the possibility to check default parameter with : "show mls rate-limit" command is exist equivalent for : "ip ICMP rate-limit unreachable"
We have also Catalyst 3550 switches, on which we have to rate-limit genaration of ICMP unreachable message for same reason as 6509. I understand the :"ip ICMP rate-limit unreachable" command is my only option "under "mls " the only option I have is QoS or aclmerge. Under thoses parameter I have no way to rate-limit ICMP message generation....
I have check in running-configuration I did not find any reference to ICMP rate-limit command, I hope this is active like explain in document http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml, ACL for IOS section, (Version 12.2(44)SE3) but I would like to be able to confirm if any show command exist to confirm this.
thanks a lot !Hello Marcus,
On the ASA as you are already aware we only have the choice of modifying the ICMP unreachable rate,
With the IOS the rate-limit for ICMP unreachable replies will be rate limited to one every 500ms
use:
show ip icmp rate-limit
Besides that I have not seen any other information that you could customize.
Regards -
Rate-limit command interpretation
I am not sure this is in the right area or not but I hope it is. I have the following rate-limit command on my cisco 7206 router Gi subinterface:
rate-limit input 30000000 5625000 11250000 conform-action transmit exceed-action drop
rate-limit output 30000000 5625000 11250000 conform-action transmit exceed-action drop
Does this mean I am rate-limiting this interface at 3Mb or 30 Mb?
Thank youI am not sure this is in the
right area or not but I hope it is. I have the following rate-limit
command on my cisco 7206 router Gi subinterface: rate-limit input 30000000 5625000 11250000 conform-action transmit exceed-action drop
rate-limit output 30000000 5625000 11250000 conform-action transmit exceed-action dropDoes this mean I am rate-limiting this interface at 3Mb or 30 Mb?Thank you
This will presumably limit the interface to 30 Mbits/sec
Hope to Help !!
Ganesh.H
Remember to rate the helpful post -
Rate-limit command brief explanation
Hi,
There is this rate-limit command in our company's router.
rate-limit input access-group 127 1000000 187500 187500 conform-action transmit exceed-action drop
I know that the access-group part refers to an access list
conform action transmit means that packets will be transmitted
exceed-action drop means that if it exceed the values listed packets will be dropped.
What i dont understand is the logic behind the numbers 1000000 187500 187500. It would be very helpful if someone could explain it briefly, i am having a hard time understanding the cisco docs regarding this command.
thanks.Hi @seaweeds24,
Those numbers are "average rate" "normal burts size" "excess burst size", respectively.
Average rate determines the long-term average transmission rate. Traffic that falls into this rate will always conform
Normal burst size determines how large traffic bursts can be before some traffic exceeds the rate limit
Excess burst size determines how larget traffic bursts can be before ALL traffic exceeds the rate limit.
Traffic that falls between the Normal Burst size and the Exces Burst size exceeds the rate limit with a probability that increases as the burst size increases.
HTH.
Rgrds,
Martin, IT Specialist -
Rate-limit command 3560 does it exist?
I have just come across a command in my router IOS which might be useful too me. I was wondering if the following command is available on a 3560 Switch. I don't see it on my 3550 but the IOS is quite old. I don't have a 3560 avaiable currently to check.
Config t > int vlan x > rate-limit input/output
does this exist on the 3560? I am also interest if it does in the Bits per second range and if available input/output.
Thanks for any helpHello,
what kind of feature are you looking for?
CAR?
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a0080087f26.html#wp1037428
For command list check the following link:
Catalyst 3560 Switch Command Reference, Rel. 12.2(25)SEE
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/cr/index.htm
For QOS configs:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swqos.htm
If you need to rate limit traffic on an interface check:
Limiting the Bandwidth on an Egress Interface
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swqos.htm#wp1253412
Hope this help a bit,
if it does, please rate this post.
Vlad -
Can I rate-limit on the sub-interface in cisco asr 1013?
Hi,
I am looking for the command of rate-limit on a sub-interface in cisco asr 1013.
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S, RELEASE SOFTWARE (fc1)
IOS XE Version: 03.06.00.S
Please let me know if it is possible in cisco asr 1013. If yes then what are the commands.
ZobairThe ASR no longer supports the rate-limit command, but it does support the same functionality in a QoS policy.
Please find a sample configuration -
ASR1004(config)#policy-map test
ASR1004(config-pmap)#class class-default
ASR1004(config-pmap-c)#shape average 10000
Applying for both ingress and egress : -
ASR1004(config)#int gig1/1/0
ASR1004(config-if)#service-policy output test
or
ASR1004(config-if)#service-policy input test -
3750X rate-limit (QoS)
Hello,
I'm trying to configure a rate-limit in a 3750X but I'm not seeing any result...
These are my configurations:
RF#show run
Building configuration...
Current configuration : 23410 bytes
! Last configuration change at 08:53:35 UTC Sun Mar 14 1993
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname RF
boot-start-marker
boot-end-marker
no aaa new-model
switch 1 provision ws-c3750x-48p
system mtu routing 1500
ip routing
ip domain-name erf.carco.com.mx
rep admin vlan 100
mls qos
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 2
vlan 4
vlan 6
vlan 8
vlan 10
vlan 20
vlan 21
vlan 22
vlan 23
vlan 25
vlan 26
vlan 30
vlan 50
vlan 53
vlan 70
vlan 81
vlan 91
vlan 92
vlan 93
vlan 95
vlan 96
vlan 99
vlan 100
vlan 102
vlan 110
vlan 122
vlan 129
vlan 200
vlan 213
vlan 227
vlan 333
vlan 357
vlan 417
vlan 444
vlan 500
vlan 502
vlan 555
vlan 700
vlan 712
vlan 910
vlan 911
vlan 951
vlan 1105
vlan 1508
vlan 1830
vlan 1870
vlan 1890
vlan 1891
vlan 1892
class-map match-any test
match access-group 100
policy-map test
class test
police 150000000 512000 exceed-action drop
interface Loopback0
ip address 10.20.40.106 255.255.255.0
interface Port-channel22
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
bandwidth 10000000
rep segment 10
interface Port-channel24
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
bandwidth 10000000
rep segment 10
interface FastEthernet0
no ip address
no ip route-cache
shutdown
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
no logging event link-status
shutdown
speed 1000
duplex full
interface GigabitEthernet1/0/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,8,10,20,50,53,70,91-93,95,96,99,100,110,213
switchport trunk allowed vlan add 227,500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
speed 1000
duplex full
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
interface GigabitEthernet1/0/8
interface GigabitEthernet1/0/9
interface GigabitEthernet1/0/10
switchport access vlan 91
switchport mode access
logging event link-status
interface GigabitEthernet1/0/11
interface GigabitEthernet1/0/12
interface GigabitEthernet1/0/13
interface GigabitEthernet1/0/14
interface GigabitEthernet1/0/15
switchport access vlan 91
switchport mode access
logging event link-status
interface GigabitEthernet1/0/16
interface GigabitEthernet1/0/17
interface GigabitEthernet1/0/18
interface GigabitEthernet1/0/19
interface GigabitEthernet1/0/20
switchport access vlan 91
switchport mode access
logging event link-status
interface GigabitEthernet1/0/21
interface GigabitEthernet1/0/22
interface GigabitEthernet1/0/23
interface GigabitEthernet1/0/24
interface GigabitEthernet1/0/25
switchport access vlan 910
switchport mode access
interface GigabitEthernet1/0/26
interface GigabitEthernet1/0/27
interface GigabitEthernet1/0/28
interface GigabitEthernet1/0/29
interface GigabitEthernet1/0/30
interface GigabitEthernet1/0/31
interface GigabitEthernet1/0/32
interface GigabitEthernet1/0/33
interface GigabitEthernet1/0/34
interface GigabitEthernet1/0/35
interface GigabitEthernet1/0/36
interface GigabitEthernet1/0/37
no switchport
bandwidth 150000
ip address 10.20.103.13 255.255.255.252
rate-limit output access-group 100 24000000 3000000 3000000 conform-action transmit exceed-action drop
logging event link-status
interface GigabitEthernet1/0/38
interface GigabitEthernet1/0/39
interface GigabitEthernet1/0/40
interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/42
interface GigabitEthernet1/0/43
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
bandwidth 10000000
channel-group 24 mode on
interface GigabitEthernet1/0/44
interface GigabitEthernet1/0/45
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
interface GigabitEthernet1/0/46
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,10,50,53,60,70,91-93,95,96,99,100,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
interface GigabitEthernet1/0/47
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
bandwidth 10000000
channel-group 22 mode on
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 6
switchport trunk allowed vlan 2,7,10,20,50,53,70,91-93,95,96,99,100,110,213
switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
logging event link-status
shutdown
interface GigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,8,10,20,50,53,60,70,91-93,95,96,99,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
interface GigabitEthernet1/1/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 2,8,10,20,50,53,60,70,91-93,95,96,99,110,213,227
switchport trunk allowed vlan add 500,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
shutdown
interface GigabitEthernet1/1/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 6
switchport trunk allowed vlan 2,6,8,10,20,50,53,70,91-93,95,96,99,100,110,213
switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
logging event link-status
shutdown
interface GigabitEthernet1/1/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 6
switchport trunk allowed vlan 2,6,8,10,20,50,53,70,91-93,95,96,99,100,110,213
switchport trunk allowed vlan add 227,700,910,911,951,1830,1870,1890-1892
switchport mode trunk
logging event link-status
shutdown
interface TenGigabitEthernet1/1/1
interface TenGigabitEthernet1/1/2
interface Vlan1
no ip address
shutdown
interface Vlan6
description ***LANERF**
ip address 10.20.6.106 255.255.255.0
no ip redirects
interface Vlan23
description < TRANSITO MUR >
no ip address
no ip redirects
interface Vlan100
description < VLAN MAN >
ip address 10.20.100.106 255.255.255.0
no ip redirects
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 032368342B2F0F
ip ospf dead-interval minimal hello-multiplier 4
router ospf 1
router-id 10.20.40.106
auto-cost reference-bandwidth 100000
area 0.0.0.0 authentication message-digest
area 1.80.1.1 authentication message-digest
redistribute connected subnets
redistribute static subnets
passive-interface default
no passive-interface Vlan23
no passive-interface Vlan100
no passive-interface GigabitEthernet1/0/37
network 10.20.6.0 0.0.0.0 area 0.0.0.0
network 10.20.40.106 0.0.0.0 area 0.0.0.0
network 10.20.91.6 0.0.0.0 area 0.0.0.0
network 10.20.100.106 0.0.0.0 area 0.0.0.0
default-information originate
ip http server
ip http secure-server
access-list 100 permit ip 10.50.80.0 0.0.0.255 10.80.80.0 0.0.0.255
access-list 100 permit ip 10.80.80.0 0.0.0.255 10.50.80.0 0.0.0.255
snmp-server community ASComRO RO
line con 0
line vty 0 4
login
line vty 5 15
login
event manager applet track_qos_down authorization bypass
event syslog pattern "TRACKING-5-STATE: 15 ip sla 15 reachability Up->Down"
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "interface giga1/0/37"
action 4 cli command "rate-limit output access-group 100 400000000 50000000 50000000 conform-action transmit exceed-action drop"
action 5 cli command "end"
event manager applet track_qos_up authorization bypass
event syslog pattern "TRACKING-5-STATE: 15 ip sla 15 reachability Down->Up"
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "interface giga1/0/37"
action 4 cli command "no rate-limit output access-group 100 400000000 50000000 50000000 conform-action transmit exceed-action drop"
action 5 cli command "end"
end
ERF#
ERF#show mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled
ERF#show mls qos inter gigabitEthernet 1/0/37
GigabitEthernet1/0/37
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
When I apply the command I'm seeing a gauge using a 3rd party but I'm not seeing that the traffic will be truncated @ 50Mbps.
Any thoughts???Hi
Bandwidth commands allocates the particular amount of bandwidth you mention or configure over there.
Basically you have the liberty to configure upto 75% of the available interface bandwidth to different classes.
most widelys used with CBWFQ technique..
so while configuring up the same better to watch out for the exact bandwidth value keyed in on the interface to have your alloocation work properly.
policing basically used for limiting the traffic or to control the bursts by dropping them or marking them with different ip precedence or DSCP values.
its very much similar to the rate-limit command applied on the interface level which again uses token bucket system either single or dual based on the configuration parameters.
for more info on above mentioned clis do check these links..
http://www.cisco.com/en/US/tech/tk543/tk545/tsd_technology_support_protocol_home.html
http://www.cisco.com/en/US/tech/tk543/tk544/tsd_technology_support_protocol_home.html
regds -
Rate-limit for some MAC on aironet 1231
Hello!
I need to set rate-limit for some mac addresses on access point aironet 1231.Is it possible?
If no, what ios or devices can do it?
Thanks.No there is no option for rate-limit in Aironet but in controller, Rate-limiting is applicable to all traffic destined to the CPU from either direction (wireless or wired). Cisco recommends that you always run the controller with the default config advanced rate enable command in effect in order to rate-limit traffic to the controller and protect against denial-of-service (DoS) attacks. You can use the config advanced rate disable command to stop rate-limiting of Internet Control Message Protocol (ICMP) echo responses for testing purposes.
-
Per user bandwidth rate limit.
How to configure per user bandwidth rate limit for wireless guest client, authentication server is ISE 1.2 & wireless controller is 5760.
The Cisco 5760 WLC supports better QoS than other c
ontrollers, allowing prioritization of mission-crit
ical
applications:
●
The Cisco 5760 WLC supports four wireless hardware
queues and priority-based queuing compared to
software-based queuing in existing controllers.
●
The Cisco 5760 WLC follows MQC based commands, allo
wing usage of exact commands for configuring
QoS on different types of network devices.
●
The Cisco 5760 WLC supports QoS policies to be appl
ied in a hierarchical fashion with more granularity
per SSID per radio, while on the current controller
s granularity is per WLAN.
●
The Cisco 5760 WLC supports approximate fair bandwi
dth to make sure of fairness at client, SSID, and
radio levels for Non-Real Time (NRT) traffic. There
fore, if one user consumes excessive bandwidth, we
can
limit the amount of bandwidth that user receives an
d thereby not deprive other users. -
Prime Infrastructure 2 - API rate limit change?
Good day -
The Prime API is pretty sweet, and can give you JSON data back easily with a call like this:
https://prime/webacs/api/v1/data/Clients.json?.full=true
It is, however, limited to 100 results. We'd like to see more than that.
How do I change this rate limit for the API?I have found that this command does work, but still limits to 1000.
https://prime/webacs/api/v1/data/Clients.json?.maxResults=9999&.full=true
Now I get Tomcat a HTTP Status 503 error. There's another setting I've not found yet.
My json results say "@count":"6980", suggesting I have that many clients in the database. -
I have a Cisco SG300 small business switch and 541 APs. There are 2 VLANs in our network. One must be limited by bandwidth. Does anyone have an idea for configure vlan rate-limiting on SG300? And please describe CIR & CBS for me. Thanks.
http://www.cisco.com/en/US/partner/products/ps10898/prod_command_reference_list.html
Cisco Small Business 300 Series Managed Switches Command Line Interface Guide Release 1.3
Select CIR and CBS according to your design. You can use a larger CBS when performance is not ideal.
49.23 rate-limit (VLAN)
Use the Layer 2 rate-limit (VLAN) Global Configuration mode command to limit the
incoming traffic rate for a VLAN. Use the no form of this command to disable the
rate limit.
Syntax
rate-limit vlan-id committed-rate committed-burst
no rate-limit vlan
Parameters
• vlan-id—Specifies the VLAN ID.
• committed-rate—Specifies the average traffic rate (CIR) in kbits per second
(kbps). (Range: 3-57982058)
• committed-burst—Specifies the maximum burst size (CBS) in bytes.
(Range: 3000-19173960)
Default Configuration
Rate limiting is disabled.
Committed-burst-bytes is 128K.
Command Mode
Global Configuration mode
User Guidelines
Traffic policing in a policy map takes precedence over VLAN rate limiting. If a
packet is subject to traffic policing in a policy map and is associated with a VLAN
that is rate limited, the packet is counted only in the traffic policing of the policy
map.
This command does not work in Layer 3 mode. It does not work in conjunction with
IP Source Guard.
Example
The following example limits the rate on VLAN 11 to 150000 kbps or the normal
burst size to 9600 bytes.
switchxxxxxx(config)# rate-limit 11 150000 9600 -
RATE limit RATE limit RATE limit RATE limit
Dear,
I have tried using RADIUS server to apply rate-limit to my ADSL coustomers using :
rate-limit output access-group 101 1024000 6000 512000 conform-action transmit exceed-action drop
i applied this at raduis server at my output interface but i does not work.
there is no output for sh interface rate limit.
the configuration and settings for rate limit are applied at raduis server....ok
when i do sh interface rate limit on router....i dont have any results.
i have configured (VPDN interface-Virtual and interface-access ) for my ADSL coustomers.
i need to make bills for this customrs.
please if the points not clear let me knowTry this configuration in your interface , or write the access list depend upon your requirement and implement it.
access-list 152 permit tcp any host eq www
access-list 153 permit tcp any host eq www established
interface {int}
rate-limit output access-group 153 1024000 6000 512000
conform-action transmit exceed-action drop
rate-limit output access-group 152 1024000 6000 512000
conform-action transmit exceed-action drop
finally verifies this configuration through the following commands.
show access-lists rate-limit
Displays information about rate-limit access lists.
show interfaces rate-limit
Displays information about CAR for a specified interface -
Hi All,
I have tried to configure the above parameter but it doesn't seem to be working.
The version running on the ACE is 2.3.4 and I am running multiple contexts.
The below configuration was tried on one of the contexts, not being Admin.
The command I used was :
logging rate-limit 42 60 message 251010
What I am trying to achieve here is receive notification that a rserver has failed its connectivity check, therefore alerting the relevant people.
The issue I am encountering is that every second I receive all the alerts again.
I am only wanting to receive the alert once if possible and gain once the rserver has come back online.
Is this possible, if so please explain how I can do it?
TIA.
Jack.your rate limit should be giving you 42 of those messages per 60 seconds. But this is health probe failure which depending on how many does not necessarily mean server is down. (depends on fail count). also it is level 6 message. the message you really want is:
Error Message %ACE-4-442001: Health probe probe name detected real_server_name
(interface interface_name) in serverfarm sfarm_name changed state to UP
Explanation The state of a real server changed from down to up.
Recommended Action None required.
442002
Error Message %ACE-4-442002: Health probe probe name detected real_server_name
(interface interface_name) in serverfarm sfarm_name changed state to DOWN
suggest you do logging at level 4 and you will only see the message when server state changes -
Hello friends,
I have a problem; now i'm changing the router that have at work of Cisco 3925 to Cisco ISR 4451X but in the new router i can't put the command that have in my old router:
rate-limit input access-group 110 16384000 3072000 6144000 conform-action transmit exceed-action drop
Can someone help me telling what command replace it or which is the equivalent?
Atte.
PercyEdison,
Thanks for helping with this it is greatly appreciated. I have been playing around with this and have managed to get the policing working successfully on the SVI.
The problem was basically the direction the policing was being applied. Initially I was applying the service policies to the customer SVIs in an inbound direction. This would only be traffic coming into the VLAN interface from within the VLAN; therefore, in terms of internet traffic this would be upload and NOT the required download.
In order to resolve this, I have applied the service policy to the Internet facing VLAN. Please see below -
Class Maps and Policy Maps
class-map match-all CUST-A-VL10-CMAP1
match input-interface FastEthernet1/0/24
class-map match-all CUST-A-VL10-CMAP2
match access-group name CUST-A-VL10-ACL-POL
policy-map CUST-A-VL10-PMAP1
class CUST-A-VL10-CMAP1
police 100000 18750 exceed-action drop
policy-map CUST-A-VL10-PARENT-PMAP1
class CUST-A-VL10-CMAP2
set ip precedence 1
service-policy CUST-A-VL10-PMAP1
VLAN Confguration
interface Vlan300
ip address ************
service-policy input CUST-A-VL10-PARENT-PMAP1
This works successfully and polices the traffic as expected. However, I have now run into the problem with assigning multiple service policies to the VLAN interface. As this is the internet facing VLAN for the routing of traffic to and from the internet, all customer service policies need to be applied to this interface. When I attempt to apply more than one service policy to this VLAN i receive the following error -
(config-if)#service-policy input CUST-B-VL20-PARENT-PMAP1
Policy map CUST-A-VL10-PARENT-PMAP1 is already attached
Looks like another couple of hours needed working around this problem!!
Thanks
Nick -
Rate Limit on the MPLS Tag interface
In MPLS Networks, we generally enable tag-switching IP and MTU (1526) configuration on the specific interface . Say if the above commands are applied in the 2 mb Lease Line Serial interface , How do i rate Limit to 64K ?
Can anyone provide me this info w.r.t the configuration?
Regards
SrikantGeneric rate-limiting should be possible. Here's a URL explaining how to configure this feature.
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a7ee1.html#1080850
Hope this helps,
Maybe you are looking for
-
Keith Gilabert "HP Laserjet Pro 200 MFP will not connect wirelessly"
Hi. Laserjet HP Pro 200 will not allow me to have a wireless connection direct to the printer when I have the network cable plugged in. Please advise. Thank you, Keith Gilabert Keith Gilabert
-
I have an iPhone 3 8gig with iOS 4.2.1 can i upgrade it to iOS 4 or 5
Hi there, I have an iPhone 3 8gig with an operating system of 4.2.1 but want to up grade it. When I'm connected to iTunes it gives me the option to upgrade but it always says that it's up to date. I rang apple supprot and they advised me that it wa
-
Greetings Gurus, I took part of my system home to do some work over the holidays and am now having trouble unmounting my Lacie BigDiskExtremeTriple. This drive has always been connected to my Dual G5 desktop (profile listed below), but I'd hoped to g
-
About Refresh Error In Materialized view
hi i have Oracle 9.2.0.1 at the windows server 2003 i have created some materialized view to use in my one web application running on tomcat i have scheduling for refresh it using refresh utility available in oracle materialized view snapshot refresh
-
How do you use two scripts for a button?
Hi all! I'm referring to my earlier question posted in this topic: Object not found with myContext.getParamIdForComponent In short: when I had the attribute 'jsObjectNeeded="true"' on a button and that was for a script that would start a function va