Per session QoS for LNS

Similar Messages

• 4500 Aggregate policers and Per-Port Per-VLAN QoS

  Hello,
  I want to limit the aggregate traffic of multiple VLANs on a trunk using an aggregate policer. I also need Per-Port Per-VLAN QoS for other VLANs on the same trunk.
  To cut a long story short, will the example config below work?
  qos aggregate-policer pol_aggr_10Mbit 10m 12.5k conform-action transmit exceed-action drop
  policy-map Aggr_10Mbit
  class class-default
  police aggregate pol_aggr_10Mbit
  policy-map Limit_10M
  class class-default
  police 10m 12.5k conform-action transmit exceed-action drop
  interface GigabitEthernetx/y
  switchport trunk encapsulation dot1q
  switchport mode trunk
  ! Aggregate 10Mbit VLANs
  vlan-range 208, 316, 909
  service-policy output Aggr_10Mbit
  ! 10 Mbit VLANs
  vlan range 20, 50-100
  service-policy output Limit_10M
  Regards, Jan

  Your config looks good . Actually Per-port per-VLAN QoS (PVQoS) offers differentiated quality-of-services to individual VLANs on a trunk port. It enables service providers to rate limit individual VLAN-based services on each trunk port to a business or a residence. In an enterprise Voice-over-IP environment, it can be used to rate limit voice VLAN even if an attacker impersonates an IP phone. A per-port per-VLAN service policy can be separately applied to either ingress or egress traffic.

• Per Tunnel QoS: NHRP-3-QOS_POLICY_APPLY_FAILED

  Hello,
  another day another problem :-)
  Since I got DMVPN Netzwork up and running for a few month now, the customer wishes to implement voice-over-ip, therefore I tryied to configure Per-Tunnel-QoS  in the DMVPN Network.
  The Policy Map on the Hub-Site is as followed:
  class-map match-all BULK-DATA match ip dscp af11  af12
  class-map match-all INTERACTIVE-VIDEO
  match ip dscp af41  af42
  class-map match-all VOICE
  match ip dscp ef
  class-map match-all SCAVENGER
  match ip dscp cs1
  class-map match-any INTERNETWORK-CONTROL
  match ip dscp cs6
  match access-group name IKEclass-map match-any CALL-SIGNALING
  match ip dscp cs3
  match ip dscp af31
  class-map match-all TRANSACTIONAL-DATA match ip dscp af21  af22
  policy-map voice
  class VOICE
      priority percent 18
  class INTERACTIVE-VIDEO
      priority percent 15
  class CALL-SIGNALING
      bandwidth percent 5
  class INTERNETWORK-CONTROL
      bandwidth percent 5
  class TRANSACTIONAL-DATA    bandwidth percent 27
      queue-limit 18 packets class BULK-DATA
      bandwidth percent 4
      queue-limit 3 packets class SCAVENGER
      bandwidth percent 1
      queue-limit 1 packets
  class class-default
      bandwidth percent 25
      queue-limit 16 packets
  The Hub and the Spokes are configured with the proper NHRP Group, but when checking the QoS State, the Spokes appair to be in the right NHRP Group but the QoS service policy is not applied.
  Hub#sh dmvpn detailLegend: Attrb --> S - Static, D - Dynamic, I - Incomplete
          N - NATed, L - Local, X - No Socket
          # Ent --> Number of NHRP entries with same NBMA peer
          NHS Status: E --> Expecting Replies, R --> Responding
          UpDn Time --> Up or Down Time for a Tunnel
  ==========================================================================
  Interface Tunnel1 is up/up, Addr. is 192.168.205.1, VRF ""
     Tunnel Src./Dest. addr: 2.2.2.1/MGRE, Tunnel VRF ""   Protocol/Transport: "multi-GRE/IP", Protect "Schmidt-Group"
     Interface State Control: Disabled
  Type:Hub, Total NBMA Peers (v4/v6): 1
  # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target  Network----- --------------- --------------- ----- -------- -----  -----------------
      1        1.1.1.1   192.168.205.2    UP 00:40:52    D   192.168.205.2/32NHRP group: voice
  Output QoS service-policy applied: none
  Crypto Session Details:--------------------------------------------------------------------------------
  Interface: Tunnel1Session: [0x8693F664]
    IKE SA: local 2.2.2.1/500 remote 1.1.1.1/500 Active
            Capabilities:D connid:2001 lifetime:23:19:07
    Crypto Session Status: UP-ACTIVE  fvrf: (none), Phase1_id: 1.1.1.1
    IPSEC FLOW: permit 47 host 2.2.2.1 host 1.1.1.1
          Active SAs: 2, origin: crypto map
          Inbound:  #pkts dec'ed 574 drop 0 life (KB/Sec) 4487723/1147        Outbound: #pkts enc'ed 560 drop 0 life (KB/Sec) 4487725/1147   Outbound SPI : 0xABF33617, transform : esp-256-aes esp-sha-hmac
      Socket State: Open
  Pending DMVPN Sessions:
  A debugging on QoS events results with the message:
  Oct 18 08:20:51.883: %NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply QoS  policy voice mapped to NHRP
  group voice on interface Tunnel1, to tunnel 1.1.1.1  due to policy installation failure
  I'm greatfull for any suggestions or hints!
  Kind regards
  Thomas

  I have the same problem. I found this info, it might be related to your problem. For me, I only have one spoke on my QoS/DMVPN Hub tunnel. However, I am running MPLS-VPN, multiple Hub tunnels connecting to multiple spokes so the policy could be see all spokes connected to my router, not just the hub tunnel.
  https://cisco-images.test.edgekey.net/en/US/docs/ios/ios_xe/3/release/notes/asr1k_rn_3s_rel_notes_book_pdf.pdf
  CSCts62082
  Symptoms: Router generates the following message:%NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply QoS policy 10M-shape mapped
  to NHRP group xx on interface Tunnelxx, to tunnel x.x.x.x due to policy
  installation failureConditions: This symptom is observed when “per-tunnel” QoS is applied and there are more than
  nine DMVPN spokes. (Up to eight spokes, with QoS applied is fine.)
  Workaround: There is no workaround.

• Hi I have two questions. I am using NAS 4.1 and was wondering is it possible to set a different session timeout for different users? How is the session timeout set? Thanks, YS

   

  <i>I am using NAS 4.1 and was wondering is it possible to set a different session timeout for different users?</i>
  Um, there is no such thing as NAS4.1.
  I'm assuming that you mean NAS4.0 (maybe NAS4.0sp1?). If so, then the session timeouts are specified in the session section of the NTV configuration files.
  AFAIK, you can specify session timeouts on a per user basis.

• Lion 10.7.2 On both mac book pro and iMac, both with Lion 10.7.2, obtain repeated iCal event notifications from calendar or address book.  Cannot turn these off.  They repeat several times per session and every time computer is used.  How to diagnose this

  Lion 10.7.2 On both mac book pro and iMac, both with Lion 10.7.2, obtain repeated iCal event notifications from calendar or address book.  Cannot turn these off.  They repeat several times per session and every time computer is used.  How to diagnose this?

  First, uninstall "SuperTV" (whatever that is) according to the developer's instructions. It isn't working and it's filling the log with noise.
  If you have more than one user account, these instructions must be carried out as an administrator.
  Launch the Console application.
  Step 1
  Make sure the title of the Console window is All Messages. If it isn't, select All Messages from the SYSTEM LOG QUERIES menu on the left.
  Enter "BOOT_TIME" (without the quotes) in the search box. Note the timestamps of those log messages, which refer to the times when the system was booted. Now clear the search box and scroll back in the log to the last boot time when you had the problem. Post the messages logged before the boot, while the system was unresponsive or was failing to shut down. Please include the BOOT_TIME message at the end of the log extract.
  Post the log text, please, not a screenshot. If there are runs of repeated messages, post only one example of each. Don’t post many repetitions of the same message. When posting a log extract, be selective. In most cases, a few dozen lines are more than enough.
  PLEASE DO NOT INDISCRIMINATELY DUMP THOUSANDS OF LINES FROM THE LOG INTO A MESSAGE. If you do that, I will not respond.
  Important: Some private information, such as your name, may appear in the log. Edit it out by search-and-replace in a text editor before posting.
  Step 2
  Still in Console, look under System Diagnostic Reports for crash or panic logs, and post the most recent one, if any. In the interest of privacy, I suggest you edit out the “Anonymous UUID,” a long string of letters, numbers, and dashes in the header of the report, if present (it may not be.) Please don’t post shutdownStall, spin, or hang logs — they're very long and not helpful.

• Windows 8.1 MDM not responding to more than one SyncML from MDM server per session

  Here is the behaviour i see, which was not expected by Windows 8.1.
  1) Device is enrolled
  2) Client initiates the connection with the MDM server defined in provisioning XML during enrollment.
  3) MDM Server sends some commands as a SyncML response.
  4) Client accepts the commands and sends Status and results.
  5) Again MDM Server sends some commands as a SyncML response.
  6) Client doesn't respond to these commands or not sending any SyncML. Here is the problem that i am referring to.
  We are capturing the traffic in fiddler and found that device is not sending the next request where we are expecting the status for these commands. 
  The same is being repeated in all the requests client initiates. DM Client responds back only for one syncML sent by the MDM server per session.
  Is this the expected behaviour with Windows 8.1? Or are we doing something wrong to see this behaviour?
  Below is the SyncML for which I am expecting the response from the DM client. (Note: I got the response for the same SyncML in the first connection, but not in the second.)
  <SyncML xml:lang="en" xmlns="syncml:SYNCML1.2">
    <SyncHdr>
      <VerDTD>1.2</VerDTD>
      <VerProto>DM/1.2</VerProto>
      <SessionID>1</SessionID>
      <MsgID>1</MsgID>
      <Target>
        <LocURI>0</LocURI>
      </Target>
      <Source>
        <LocURI>https://####</LocURI>
        <LocName>AfariaWinPhoneProvider</LocName>
      </Source>
      <RespURI>https://####</RespURI>
    </SyncHdr>
    <SyncBody>
      <Status>
        <CmdID>1</CmdID>
        <MsgRef>2</MsgRef>
        <CmdRef>0</CmdRef>
        <Cmd>SyncHdr</Cmd>
        <TargetRef>https://####</TargetRef>
        <SourceRef>0</SourceRef>
        <Data>200</Data>
      </Status>
      <Get>
        <CmdID>2</CmdID>
        <Item>
          <Target>
            <LocURI>./cimv2/Win32_ComputerSystemProduct</LocURI>
          </Target>
        </Item>
      </Get>
      <Final />
    </SyncBody>
  </SyncML>

  Hello Sreekanth,
  I am facing similar issue, here is the behaviour description:
  1) Device is enrolled
  2) Client initiates the connection with the MDM server defined in provisioning XML during enrollment.
  3) MDM Server sends some commands as a SyncML response.
   4) Client doesn't respond to these commands or not sending any SyncML. 
  The same is being repeated in all client request. 
  Below is the SyncML
  for which I am expecting the response from the DM client:
  <SyncML xmlns="SYNCML:SYNCML1.2">
      <SyncHdr>
          <VerDTD>1.2</VerDTD>
          <VerProto>DM/1.2</VerProto>
          <SessionID>1</SessionID>
          <MsgID>1</MsgID>
          <Target>
              <LocURI>9302116</LocURI>
          </Target>
          <Source>
              <LocURI>https://#####</LocURI>
          </Source>
      </SyncHdr>
      <SyncBody>
          <Status>
              <CmdID>1</CmdID>
              <MsgRef>1</MsgRef>
              <CmdRef>0</CmdRef>
              <Cmd>SyncHdr</Cmd>
              <TargetRef>9302116</TargetRef>
              <Data>212</Data>
          </Status>
          <Status>
              <CmdID>2</CmdID>
              <MsgRef>1</MsgRef>
              <CmdRef>2</CmdRef>
              <Cmd>Alert</Cmd>
              <Data>200</Data>
          </Status>
          <Status>
              <CmdID>3</CmdID>
              <MsgRef>1</MsgRef>
              <CmdRef>3</CmdRef>
              <Cmd>Replace</Cmd>
              <TargetRef>./devinf12</TargetRef>
              <Data>200</Data>
          </Status>
          <Get>
              <CmdID>75</CmdID>
              <Item>
                  <Target>
                      <LocURI>./DevDetail/SwV</LocURI>
                  </Target>
              </Item>
          </Get>
      </SyncBody>
  </SyncML>
  Here
  we had tried sending 
   <Target>
              <LocURI>0</LocURI>
          </Target>
  But it didn't worked.

• Public and Authenticated App with Authorization Scheme once per session

  I have a question . . .
  Let's say I have an application and at the application level I have an authorization scheme (auth1). If auth1 is set up to evaluate once per session, does it authenticate for the public user, then pass me back to the page and then check then evaluate the auth1 scheme. Or does it evaluate the auth1 scheme, then log in, then return to the page. Is it the same regardless of authentication scheme (e.g. Oracle SSO).
  It may make a big difference. If the authorization sheme is based upon the user (most will be) then setting it to evaluate once per session can be a real problem. If it evaluates before the user logs in, then it won't really work.
  This is an even bigger question when the application does not have a authorization scheme at the application level and allows public pages. If a page that is not public has an authorization scheme set, and the user goes directly to that page, it seems to authenticate the authorization scheme and then logs you in, but does not re-evaluate authorization scheme after you are logged in. Is this accurate? I realize that I could set it up to evaluate for every page view, but I really only need it once after login.
  Is this clear?

  Anton,
  It seems that all authorization schemes that are set to evaluate once per session are evaluated with the beginning establishment of a session.Sort of correct. Authorization schemes don't get evaluated until the component that uses them is considered for rendering or processing. So if the authorization scheme is attached to a page, it won't fire until the page is requested. If another component uses that scheme first, the evaluation will happen then and will not happen again during the session.
  What if I have another page that is not public. If it is the first page I go to, what happens. Obviously, I get redirected to login, then login. Do the authorization schemes get evaluated at this point?Yes, assuming the authorization scheme is used by the page, the scheme is evaluated during the first rendering or processing of the page in the session, after the authentication step.
  Now, what if I have a page that is public, but also has an auth scheme (odd, but could happen). Now what happens, does the auth scheme get evaluated before or after login?During the rendering or processing of the page after the authentication step. For a public page, the authentication step is performed up to the point where it determines that no authentication is required.
  OK, now let's add in Application level auth scheme. I can have public or private pages. If I go to a private page, when does the app level auth scheme kick in? How about for a public page?When an application uses an authorization scheme, it gets evaluated before the authorization scheme (if any) for the page that is being requested, so the public/private property of the page doesn't matter.
  General advice: when an authorization scheme uses :APP_USER, it doesn't work well to have it fire once per session because it'll get run before authentication to the application occurs, which sets APP_USER. You can have such schemes fire once per page view and for PL/SQL function-type schemes, have them give a "pass" when the current page is the login page, that kind of thing.
  In addition, if the overhead of running a scheme is high, one can set an application-level item to indicate that a once-per-page scheme has already run satisfactorily. The PL/SQL-type schemes can access the value of such an item to skip the expensive part of the evaluation and return true immediately.
  Finally, the htmldb_application.reset_security_check API can be called in order to reset the "fired" status of all authorization schemes in the session, allowing them to be re-evaluated if/when they are encountered again in the session.
  Hope this helps,
  Scott

• Avg number of open cursors per session

  We've been noticing a large number of open cursors open per session in our database, these users being Oracle Forms users. There are quite a few 'bells & whistles' in this vendor-supplied application with many round trips to the database. The warning we were receiving was induced by an alert that we had set up within OEM.
  It got me wondering then, what a large number of cursors per process really was. We're seeing between 10-80 open cursors. The init parm OPEN_CURSORS has a default value of 50 upon installation (which is per session), so the max of 80 doesn't seem too much higher.
  Are we really experiencing a large # of open cursors per session? Does someone have a means of estimating the max # of cursors that one would expect based upon CPU & memory resources? I can't find anything in the documentation.
  Thanks,
  Chuck

  There is an OPEN_CURSORS parameter in the init.ora file,
  I want to know the impact of number of open cursors on performance
  (ie., how many open cursors would be appropriate for an instance)There shouldn't be a performance issue here. The value needs to be set based on how many open cursors you want to allow simultaneously. If you set the value too low, applications will get the "too many cursors open" error when they try to open a new cursor. If you're not having problems, or if you don't know how many open cursors you're likely to have, I wouldn't change this parameter.
  Justin

• Once per session, connected anyway

  I have an authentication scheme that is set to once per session. The users are defined in oid and have to logon using sso.
  So far so good. But in following scenario it goes wrong.
  1. User enters the htmldb url
  2. User gets the logon screen from sso
  3. User logs in and is than forwarded to the application where the authorisation scheme says him he has no access and he is redirected to a public page that tells him this.
  4. the user presses the 'Back' key on the browser, so he gets the login screen again.
  5. he enters again his username and password, and enters.
  -> now he is logged in and gets the screen he is not allowed to.
  What goes wrong here? Why does the session not remember that this user has no access ?
  Grtz,
  Chris.

  Scott,
  The solution of htmldb_util.reset_authorizations works fine. But in the end we choose another option.
  We are using the error page now to display wether the user has no access to the application. It looks like the user has access to the error pag even if he has no access to any of the application pages. Now it works fine.
  Now the authorization also returns false.
  Tnx for the replies,
  Chris.

• To configure a QoS for the attached topolgy

  Dear friends,
  I have to configure QoS for the attached topology with the following requirements, can any one please help me to do the same.
  The minimum requirements are that 4 simultaneous VoIP calls need to be supported across the backbone, as well as a dedicated 10MBs of http traffic. Of the remainder of the bandwidth ftp traffic should be given a high priority. Make sure routing protocols are given a suitable priority level.
  Thanks and expecting replies

  Here are some questions that you'll need to answer, to get started.
  What does the HTTP requirement mean? It is not possible to get 10 Megabytes per second on a 1.544 Megabit per second line.
  What voice codec will be used on the IP Phones? This will determine how much bandwidth you need to allocate.
  Next, read the following link:
  http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/12_4t/qos_12_4t_book.html
  It's all in there. Unfortunately, it's a big topic, so there is a lot there.

• Start systemd --user once after first login, not per session?

  Hey guys,
  So I've been toying around with using systemd to manage user daemons and some oneshot processes, it seems like it could be really nice
  Here's what I'm thinking I would like to do:
  I would have two user targets, `console.target` and `graphical.target`.
  The console target will start things like pulseaudio, ssh-agent (envoy), transmission, stuff like that.
  The graphical target will start xorg and then other things like the WM, set the wallpaper.. you get the idea. Obviously the graphical target will want the console target.
  Now, the part I wanted to get some feedback on is this: I would like a systemd --user instance to only be started once after my first login, not once per session.
  So for example, I login from vt1 and it brings systemd --user up to the graphical.target. Then if I later SSH in from somewhere, it won't start a new systemd --user session (Ie, won't start pulse-audio, transmission-daemon, etc).
  However, if I haven't logged into my machine yet and I SSH in, it will start up systemd --user and will start the console.target. If I then later login via vt1 it will see that there's already a systemd --user session started and start the graphical.target
  Does this make sense? Is it a bad idea?

  You could make a column in the database, and when the
  information is set (emailed) make the value to be 0, then when they
  first register use a IF recodset("column_name") = 0 Then
  reponse.redirect("filloutpage.asp") end if, then when they fill out
  the info have a hidden form field thats updates the value to 1. on
  the login page after the first if make another IF
  recordset("column_name") = 1 Then response.redirect("index.asp")
  end if.
  i have forms that have three different redirect based on user
  input, and you could do the same thing you could add the one for
  the first time to dw made code, here is an example, you could
  change the request.form to a recordset value and it will work.
  If Request.Form("select") = "Self" Then
  MM_editRedirectUrl = "FridaySchedule.asp"
  Response.Redirect(MM_editRedirectUrl)
  End IF
  If Session("MM_AdminEdit") = "True" Then
  MM_editRedirectUrl = "FridayScheduleAdmin.asp"
  Response.Redirect(MM_editRedirectUrl)
  End IF
  MM_editRedirectUrl = "FridayScheduleDept.asp"
  If (Request.QueryString <> "") Then
  If (InStr(1, MM_editRedirectUrl, "?", vbTextCompare) = 0)
  Then
  MM_editRedirectUrl = MM_editRedirectUrl & "?" &
  Request.QueryString
  Else
  MM_editRedirectUrl = MM_editRedirectUrl & "&" &
  Request.QueryString
  End If
  End If
  Response.Redirect(MM_editRedirectUrl)

• DMVPN Design: Multi-Hub, Router Per-Tunnel QoS

  Some DMVPN questions:
  1) A site I've worked with has about 7 hubs and 5 spokes. This looks at best a bit odd to me. The Cisco design docs all have at most 2 hub sites. Is more than 2 DMVPN hub sites a good idea / bad idea? Pros / cons / drawbacks? I've googled this topic heavily, found little.
  2) If two sites are DMVPN hub sites that have NHRP map statements for  each other, can they both be doing the Per-Tunnel QoS feature to get some QoS shaping towards each other?
  3) What is recommended for DMVPN QoS in general? And for a spoke site where the hub site is doing the Per-Tunnel QoS? Just put some QoS on the physical link?

  Ray,
  There could be multiple reasons for it not to function, the config on hub seems just fine, we'd need to inspect the spokes and check (most likely) in debugs if correct group is being sent from spoke.
  Also coexistance of other service-policy etc etc.
  The feature is quite simple (some level of simplification), spoke says he is in group X when registering, hub assigns this NHRP mapping a service-policy.
  M.

• Per Session Maximum Message Limit

  I have a front-end messaging server that would need to feed the messages to an Anti Spam System before these messages could be further relayed to their respective destinations/back-end messaging server.
  The Anti Spam System has a certain limit in number of messages it could receive/process per session. So, I would like to set a per session limit in the number of messages my front-end messaging server can send to the Anti Spam System in order not to have long queue at the front-end messaging server due to the receiving/processing limit set in the Anti Spam System.
  The exact version of my messaging server here is iPlanet Messaging Server 5.2 HotFix 1.21. Please advise on how could I achieve this objective of mine.

  Could you please explain the below sentence as stated in SUN documentation? =========================================
  If the option accepts an integer value, a base may be specified using notation of the form b%v, where b is the base expressed in base 10 and vb. =========================================
  For example, if I would like to set "ATTEMPT_TRANSACTIONS_PER_SESSION" to 15 messages, how do I set it based on the above highlighted sentence from SUN documentation?

• Is open_cursors per session or user?

  I'm getting a lot of ORA-01000 in error logs on my app servers. 8i documentation states that:
  "OPEN_CURSORS determines the maximum number of cursors per user."
  but I suspect this is a typo and should be per session, an extremely relavant difference when multiple app servers are connecting to DB w/common username.
  does Oracle actually track open cursors across all active sessions for a given username or is it per session like most parameters?

  It must be per session,
  You can resolve the problem by increasing the parameter to 2500 as it cotrolls maximum allowed.

• Sort by columns once per session

  Hi there, I am using apex 3.1 and I have a report generated by a pl/sql function. There are several columns on which the user might sort. Is it possible to reset the sorting preferences when the user logs in? (like: a process running once per session?)
  thx in advance
  Edited by: 814932 on 23-Nov-2010 08:00

  You can use the <tt>apex_util.remove_sort_preferences</tt> method (although it is a bit of a blunt instrument). See the Admin guide for more information on user preferences.
  To run it once per session, code the call as an Application Process with execution point On New Session After Authentication.