Policy Map Case
Dears, hi,
Please, I want to limit input traffic to a port on a C3750 to 20 Mbps by policy-map:
#policy-map A-PM
# class A-CM
#police 20000000 ?
<8000-1000000> Normal burst bytes
#police 20000000 3750000 ?
% Unrecognized command
As you know, the normal burst bytes for 20 Mbps is 3750000, so why can't I issue this number?
PLEASE HELP ME
Hi Rawa,
I don't agree that the normal burst size would be 3750000.
Go through the following links to calculate the correct burst size:
https://supportforums.cisco.com/thread/151681 and https://learningnetwork.cisco.com/thread/53215
Thanks
Ankur
"Please rate the post if found useful"
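As an added illustration (not part of the thread): the arithmetic behind the poster's 3750000, the 8000 to 1000000 byte range the switch printed, and a simplified single-rate token-bucket policer that shows what the burst value does to a line-rate burst of 1500-byte packets. The function names, the 100 Mbps link speed and the packet train are assumptions; the 1.5 s figure is Cisco's old CAR rule of thumb for normal burst, not a claim about what this switch does.

```python
"""Burst-size arithmetic and a simplified single-rate, two-colour policer.

Added illustration, not code from the thread. The token bucket below is a
textbook model, not the Catalyst 3750 ASIC implementation. All traffic
figures are constructed."""

# Burst range the poster's 3750 printed for 'police 20000000 ?'
BURST_MIN, BURST_MAX = 8000, 1_000_000


def burst_from_interval(cir_bps: int, tc_seconds: float) -> int:
    """Bc = CIR * Tc / 8: bytes the bucket must hold for a Tc-second burst.
    Cisco's old CAR rule of thumb used Tc = 1.5 s, which yields the poster's
    3750000 for 20 Mbps."""
    return int(cir_bps * tc_seconds / 8)


def burst_fits(bc_bytes: int, lo: int = BURST_MIN, hi: int = BURST_MAX) -> bool:
    """True when the platform parser would accept this burst value."""
    return lo <= bc_bytes <= hi


def max_interval_for_burst(cir_bps: int, bc_bytes: int) -> float:
    """Largest Tc (seconds) that keeps Bc at or under the platform maximum."""
    return bc_bytes * 8 / cir_bps


def police(packet_times_us, packet_sizes, cir_bps: int, bc_bytes: int):
    """Single-rate two-colour policer; returns (conformed, exceeded) counts.

    The bucket starts full, refills at CIR and is capped at Bc. A packet
    conforms when the bucket holds at least its size; otherwise it is
    'exceeded' (dropped, as with 'exceed-action drop'). Integer maths in
    bytes and microseconds so the result is exact."""
    tokens = bc_bytes
    last_us = packet_times_us[0]
    conformed = exceeded = 0
    for t_us, size in zip(packet_times_us, packet_sizes):
        tokens = min(bc_bytes, tokens + cir_bps * (t_us - last_us) // 8_000_000)
        last_us = t_us
        if tokens >= size:
            tokens -= size
            conformed += 1
        else:
            exceeded += 1
    return conformed, exceeded


def line_rate_burst(n_packets: int, size: int = 1500, link_bps: int = 100_000_000):
    """Constructed traffic: n back-to-back packets at link rate (assumed
    100 Mbps, so 1500-byte packets arrive 120 us apart)."""
    gap_us = size * 8 * 1_000_000 // link_bps
    return [i * gap_us for i in range(n_packets)], [size] * n_packets


if __name__ == "__main__":
    cir = 20_000_000
    bc = burst_from_interval(cir, 1.5)             # 3750000: outside the parser's range
    print(bc, burst_fits(bc))
    print(max_interval_for_burst(cir, BURST_MAX))  # 0.4 s is the most this box allows
    times, sizes = line_rate_burst(100)
    for candidate in (BURST_MIN, BURST_MAX):       # small burst drops most of the train
        print(candidate, police(times, sizes, cir, candidate))
```

With the minimum burst only 25 of 100 packets in a 100 Mbps train conform (roughly 20 Mbps of the 100 Mbps arrival rate); with the maximum burst the whole 150000-byte train fits in the bucket and nothing is dropped.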
Similar Messages
-
Class-Map and Policy-Map Configuration in CM Confusion
Hi,
I'm implementing a green field WAAS deployment for a customer. We currently have a Proof-of-Concept up and running.
I've got some questions regarding custom class-map and policy-map configuration in the CM. I'd like to nail-down the custom class-map and policy-map configuration (and understanding) in the PoC before cutting over the PoC branches to the production WAAS environment.
Assuming a typical WAAS Deployment using WCCP for off-path interception, branch to DC.
==> 61 in LAN (BRANCH ROUTER) <== 62 in WAN (WAN CLOUD) ==> 61 in WAN (DC ROUTER) <== 62 in LAN
We are using two distinct device groups, BRANCH and DATA CENTER.
If the customer has traffic that we need to classify in order to provide TFO-only optimisation, should the single class-map include the traffic in both directions? I.e. (assume the SERVER is 10.1.1.1, TCP port 443), should the class-map be configured as:
Class-Map
Line 1: DST IP 10.1.1.1 DST Port 443
Line 2: SRC IP 10.1.1.1 SRC Port 443
Or in this case is only the DST line required? And in which Device Group should the custom policy be applied? Or should it be applied to both Device Groups? If it should be applied to both Device Groups, then would it make more sense to have the policy-map in the Branch DG configured to match the DST traffic, and on the Data Center DG have a different class-map match the SRC traffic?
My confusion is how to classify the traffic (SRC or DST or Both - Separate classes for each or different lines within the same class-map), and where to apply the appropriate policy (both Device Groups, just Branch, just DC) and why...
I tried to apply a custom policy and the impact in the PoC was that the TCP Summary report stopped reporting the individual traffic classes and showed 'other traffic' only. Can anyone explain why this may have occurred?
I hope this makes sense.
-
Radius accounting for QoS pppoe policy-map
Hi folks
I have a RADIUS server pushing an AVPAIR ip:sub-qos-policy-out to a virtual template for clients connected to a BRAS through PPPoE.
The AVPAIR is correctly applied to each and every PPPoE session, but the following link http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbbbrs1c.html indicates that I should be able to push back to the RADIUS server some traffic info per class-map/policy-map. This would allow some quota stuff and getting some info about the traffic used per customer.
From what I have been able to configure, I'm not getting any of these stats back to the RADIUS server.
The debug radius accounting output:
*Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E):Orig. component type = PPPoE
*Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E): Acct-session-id pre-pended with Nas Port = 0/0/3/0
*Mar 12 05:29:00.419: RADIUS(0000000E): Config NAS IP: 0.0.0.0
*Mar 12 05:29:00.419: RADIUS(0000000E): sending
*Mar 12 05:29:00.419: RADIUS/ENCODE: Best Local IP-Address 192.168.38.133 for Radius-Server 192.168.38.131
*Mar 12 05:29:00.419: RADIUS(0000000E): Send Accounting-Request to 192.168.38.131:1813 id 1646/55, len 299
*Mar 12 05:29:00.419: RADIUS: authenticator ED 94 CF EE BD 73 30 7E - 93 07 A4 C3 50 A6 03 DE
*Mar 12 05:29:00.419: RADIUS: Acct-Session-Id [44] 18 "0/0/3/0_00000005"
*Mar 12 05:29:00.419: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Mar 12 05:29:00.419: RADIUS: Framed-IP-Address [8] 6 10.10.10.2
*Mar 12 05:29:00.419: RADIUS: User-Name [1] 9 "olivier"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 35
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 29
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 23 "nas-tx-speed=10000000"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 29
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 23 "nas-rx-speed=10000000"
*Mar 12 05:29:00.419: RADIUS: Acct-Session-Time [46] 6 2582
*Mar 12 05:29:00.419: RADIUS: Acct-Input-Octets [42] 6 7232
*Mar 12 05:29:00.419: RADIUS: Acct-Output-Octets [43] 6 7232
*Mar 12 05:29:00.419: RADIUS: Acct-Input-Packets [47] 6 517
*Mar 12 05:29:00.419: RADIUS: Acct-Output-Packets [48] 6 517
*Mar 12 05:29:00.419: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Mar 12 05:29:00.419: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
*Mar 12 05:29:00.419: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 15
*Mar 12 05:29:00.419: RADIUS: cisco-nas-port [2] 9 "0/0/3/0"
*Mar 12 05:29:00.419: RADIUS: NAS-Port [5] 6 50331648
*Mar 12 05:29:00.419: RADIUS: NAS-Port-Id [87] 9 "0/0/3/0"
*Mar 12 05:29:00.419: RADIUS: Vendor, Cisco [26] 41
*Mar 12 05:29:00.419: RADIUS: Cisco AVpair [1] 35 "client-mac-address=aabb.cc00.6430"
*Mar 12 05:29:00.419: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 12 05:29:00.419: RADIUS: NAS-IP-Address [4] 6 192.168.38.133
*Mar 12 05:29:00.419: RADIUS: Ascend-Session-Svr-K[151] 10
*Mar 12 05:29:00.419: RADIUS: 37 39 38 32 45 41 38 30 [ 7982EA80]
*Mar 12 05:29:00.419: RADIUS: Acct-Delay-Time [41] 6 0
*Mar 12 05:29:00.419: RADIUS(0000000E): Started 5 sec timeout
*Mar 12 05:29:00.419: RADIUS: Received from id 1646/55 192.168.38.131:1813, Accounting-response, len 20
*Mar 12 05:29:00.419: RADIUS: authenticator A7 0E 79 40 C5 B5 CF DC - 09 46 27 48 52 BE 01 7D
What I get in the freeradius log:
Tue Mar 11 22:30:04 2014
Acct-Session-Id = "0/0/3/0_00000005"
Framed-Protocol = PPP
Framed-IP-Address = 10.10.10.2
User-Name = "olivier"
Cisco-AVPair = "connect-progress=LAN Ses Up"
Cisco-AVPair = "nas-tx-speed=10000000"
Cisco-AVPair = "nas-rx-speed=10000000"
Acct-Session-Time = 2646
Acct-Input-Octets = 7428
Acct-Output-Octets = 7428
Acct-Input-Packets = 531
Acct-Output-Packets = 531
Acct-Authentic = RADIUS
Acct-Status-Type = Interim-Update
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/0"
NAS-Port = 50331648
NAS-Port-Id = "0/0/3/0"
Cisco-AVPair = "client-mac-address=aabb.cc00.6430"
Service-Type = Framed-User
NAS-IP-Address = 192.168.38.133
X-Ascend-Session-Svr-Key = "7982EA80"
Acct-Delay-Time = 0
Acct-Unique-Session-Id = "523eac6ae326a778"
Timestamp = 1394602204
Request-Authenticator = Verified
User config in the users file on the freeradius server:
olivier Cleartext-Password := "olivier"
Service-Type = Framed-User,
Cisco-AVPair += "ip:addr-pool=pppoepool",
Cisco-AVpair += "ip:sub-qos-policy-out=TEST"
I see that the policy-map name is pulled correctly from the RADIUS server and applied to the session:
#sh policy-map session uid 14
SSS session identifier 14 -
Service-policy output: TEST
Class-map: TEST (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police:
cir 8000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Any input very welcome.
Cisco server is working fine. When you use non-standard or non-RFC requests from your NAS to the AAA server, for instance, you have to configure your server accordingly to instruct it how to handle this kind of request.
This is typically done with something called a "dictionary", which should be included in your RADIUS server. The server typically decodes all RFC 2865 VSAs (or should), but when a new NAS model is introduced into the network, you can modify it to add any VSAs not appearing in the dictionary, which is your case.
As an example, imagine you want to change the attribute cisco-vsa-port-string to tagged-string; your dictionary will look something similar to:
And finally you will have to modify it with a text editor or XML editor and change type="tagged-string", supposing your device complies with RFC 2868. Probably the AAA server will have to be restarted for these changes to be taken into account.
Also, since this applies to all devices for this vendor, you have one more option, which is to define your own dictionary for a specific vendor, or even, if you wish, for a specific NAS or group of NASes.
In NavisRadius you could associate a dictionary to a device by adding a client-class:
# Client-IP Client-Secret Client-Class
10.0.0.1 secret taos-old
And then specifying the dictionary later in client_properties for this device:
# This file contains information about client classes
# and is used to set per-client specific information.
# TAOS Devices in OLD mode with RFC conflicts
taos-old
Client-Dictionary=max_dictionary
# Other devices now, etc.
Hope it helps -
Hi, all:
I'm trying to configure TrendMicro IOS content filtering. I have this working on a separate box, running 15.1.
On this particular testbed, I have a 2900 running:
System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T1.bin"
And the following licensing:
Technology Package License Information for Module:'c2900'
Technology    Technology-package                Technology-package
              Current        Type               Next reboot
ipbase        ipbasek9       Permanent          ipbasek9
security      securityk9     Permanent          securityk9
uc            uck9           Permanent          uck9
data          datak9         Permanent          datak9
Configuration register is 0x2102
CUBE_GOLD_MEX#show ip trm subscription status
Package Name: Security & Productivity (Trial)
Status: Active
Status Update Time: 18:02:51 CST Mon Jul 23 2012
Expiration-Date: Mon Aug 20 02:00:00 2012
Last Req Status: Processed response successfully
Last Req Sent Time: 18:02:51 CST Mon Jul 23 2012
CUBE_GOLD_MEX#
Also, I have the following config lines on it:
ip host trps.trendmicro.com 216.104.8.100
ip name-server 4.2.2.2
ip cef
multilink bundle-name authenticated
parameter-map type urlfpolicy trend tm-pmap
allow-mode on
[snip]
parameter-map type trend-global trend-glob-map
class-map type inspect match-all http-imap
match protocol http
class-map type urlfilter trend match-any drop-category
match url category Abortion
match url category Activist-Groups
match url category Adult-Mature-Content
match url reputation ADWARE
match url reputation DIALER
match url reputation DISEASE-VECTOR
match url reputation HACKING
match url reputation PASSWORD-CRACKING-APPLICATIONS
match url reputation PHISHING
match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
match url reputation SPYWARE
match url reputation VIRUS-ACCOMPLICE
policy-map type inspect urlfilter trend-policy
class type urlfilter trend drop-category
I have not been able to get to the good part of configuring the ZBF.
I've looked over several configuration examples and can't figure out what I'm doing wrong, since I'm not able to see the command 'parameter-map' under the 'policy-map urlfiltering':
XXXXXX(config)#policy-map type inspect urlfilter trend-policy
XXXXXX(config-pmap)#?
Policy-map configuration commands:
class policy criteria
description Policy-Map description
exit Exit from policy-map configuration mode
no Negate or set default values of a command
XXXXXX(config-pmap)#
I thought it might be an issue with version 15.2.3, but according to configuration guides, commands are the same.
Can anyone provide some assistance?
TIA.
c.
Hi Carlos,
I am having the same problem. I have seen a few different configuration examples and they all show adding the "parameter type urlfpolicy trend parm-map-name" command, but it doesn't exist, at least in 15.2(3)T1, and I see it listed in the IOS documentation for 15.2. Maybe they forgot it :-)
I guess I will open a TAC case as I do not want to downgrade...
I will keep you posted if I find the answer.
Regards,
Troy -
Hi,
I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
I have 3 web servers behind a router.
Public interface: 3 public IP addresses
Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
I would like to know the best way to redirect HTTP traffic to the right server.
My idea is to map a public address to a private address via NAT, but I'm not sure about the configuration. I could also redirect via policy-map and filter by URL content.
So if you have some advice for this case, it would be really appreciated.
Thank you.
Chris.
Hello Christophe,
As I understand, you want first that:
if somebody goes to A.local.com from the internet, then he will be redirected to 192.168.1.10 in your internal network.
That means you need a static mapping between your public IP address and your local IP address.
For this example, your local interface is Fa0/0.1, and I don't know your public interface because it is not mentioned in your diagram. I will suppose S0/0 for the public interface.
That is the config for Web Server1. You can do the same with the remaining servers:
interface fa0/0.1
ip nat inside
interface serial0/0
ip nat outside
ip nat inside source static 192.168.1.10 172.1.2.3
Static mapping from local to public.
I suppose you have done the dns mapping in your network and the ISP have done the same in his network.
ip route 171.1.2.3 interface serial0/0
or
ip route 0.0.0.0 0.0.0.0 interface serial0/0.
After these steps for each web server, you will get the mapping.
Now you can restrict access to this IP to only the HTTP or HTTPS protocol, first on your ISP side and then on your local network, like:
ip access-list extended ACL_WebServer1
permit tcp any host 192.168.1.10 eq www
deny ip any host 192.168.1.10
exit
interface fa0/0.1
ip access-group ACL_WebServer1 out
no shut
exit
That is the first step.
Second step : you want to filter traffic by url, that means layer 5 to 7 filtering.
I am not sure that it is possible using cisco router with (ZBF + Regex).
Check the first step and let us know !
Please rate and mark as correct if it is the case.
Regards, -
Hi Guys,
I need an explanation of the multi-match policy on ACE. How does it work?
Let's take this example:
policy-map multi-match CLIENT-VIPS
class VIP1-80
loadbalance vip inservice
loadbalance policy VIP1-POLICY
policy-map type loadbalance first-match VIP1-POLICY
class class-default
serverfarm SERVERFARM1
class-map match-all VIP1-80
2 match virtual-address 192.168.1.200 tcp eq http
This will work for sure. I'm looking for the functional difference if I make the policy CLIENT_VIPS first-match; what difference will come in this case? Will it not just match class VIP1-80 and redirect the request to the serverfarm?
Or this is something where multiple class can be called under CLIENT_VIPS like Inspection ?
Thanks
Ajay
Hi Ajay,
Say you have 2 class-maps on different ports, 80 & 443:
policy-map multi-match CLIENT-VIPS
class VIP1-80
loadbalance vip inservice
loadbalance policy VIP1-POLICY1
class VIP1-443
loadbalance vip inservice
loadbalance policy VIP1-POLICY2
class-map match-all VIP1-80
2 match virtual-address 192.168.1.200 tcp eq http
class-map match-all VIP1-443
2 match virtual-address 192.168.1.200 tcp eq https
Regards,
Siva -
Policy maps on port-channel sub-interfaces
We're trying to implement an enterprise QoS policy and I'm wondering how we can apply our QoS policy maps to several different sub-interfaces on a port-channel. In our case, we have both LAN and WAN connections that connect as VLANs on a switch and terminate as sub-interfaces on a port-channel that combines two Gigabit Ethernet interfaces on our router. The LAN connection will need to have an ingress service-policy to classify traffic as it comes from a customer LAN, and the WAN connections will have to have an egress service-policy to place the traffic classes into LLQ and CBWFQ queues as it leaves the router. Could I put both the ingress and egress service-policies on the physical router interface, or should I put them on the port-channel interface? Or should I apply them to the individual sub-interfaces? For example, I could put the ingress classification service-policy on the LAN sub-interface connection.
Any thoughts or insight would be helpful. Thanks.
I can't put it as input because:
gw-a(config-subif)#service-policy input policy_upload
Traffic Shaping feature not supported in input policy.
Here's a show during a bandwidth test. You can see the offered rate is properly measured and is _way_ above the target shape rate.
gw-a#show policy-map interface Port-channel 1.2
Port-channel1.2
Service-policy output: policy_upload
Class-map: class-default (match-any)
624006 packets, 842239036 bytes
5 minute offered rate 12774000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 100000, bc 400, be 400
target shape rate 100000 -
Show policy-map interface | Question about QOS show command output
I hope this is the correct place for this question. If not, please let me know.
When I issue the show policy-map interface command (in this case on a 3845) there is some output I don't understand. I have included some output below and formatted the lines I am confused about as "computer code", which show up as red on my screen. A list of the individual lines I'm confused about is below, followed by those lines in the context of the show policy-map command's output.
Any help with this will be greatly appreciated. Thanks in advance.
5 minute offered rate 46000 bps, drop rate 0 bps
5 minute rate 10000 bps
bandwidth remaining 50% (768 kbps)
show policy-map interface
--- previous output omitted ---
GigabitEthernet0/0
Service-policy input: QoS_IN
class-map: Silver (match-any)
164691299 packets, 23570752398 bytes
5 minute offered rate 46000 bps, drop rate 0 bps
Match: access-group name MAINFRAME
4371992 packets, 2311242335 bytes
5 minute rate 0 bps
Match: access-group name KRONOS
13334297 packets, 3051409140 bytes
5 minute rate 5000 bps
Match: access-group name EMAIL
97652823 packets, 10323856470 bytes
5 minute rate 10000 bps
Match: access-group name VOIP-CONTROL
20782858 packets, 1481676784 bytes
5 minute rate 0 bps
Match: access-group name LOGIXWEB
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name GRINDLOG
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name CITRIX
46895 packets, 14669179 bytes
5 minute rate 0 bps
Match: access-group name CORP_WEB
28502414 packets, 6387897396 bytes
5 minute rate 4000 bps
QoS Set
dscp af31
Packets marked 164691269
show policy-map interface s0/0/0:0
Serial0/0/0:0
Service-policy output: QoS_OUT
--- previous output omitted ---
Class-map: Silver (match-any)
86590227 packets, 12051546524 bytes
5 minute offered rate 3000 bps, drop rate 0 bps
Match: access-group name MAINFRAME
7641084 packets, 2701232492 bytes
5 minute rate 0 bps
Match: access-group name KRONOS
6975052 packets, 1555404656 bytes
5 minute rate 0 bps
Match: access-group name EMAIL
58438150 packets, 5433636586 bytes
5 minute rate 3000 bps
Match: access-group name VOIP-CONTROL
355083 packets, 41252455 bytes
5 minute rate 0 bps
Match: access-group name LOGIXWEB
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name GRINDLOG
0 packets, 0 bytes
5 minute rate 0 bps
Match: access-group name CITRIX
19 packets, 4967 bytes
5 minute rate 0 bps
Match: access-group name CORP_WEB
13180836 packets, 2320015236 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/18156/0
(pkts output/bytes output) 86421413/12004278837
bandwidth remaining 50% (768 kbps)
This is my configuration:
DGMGRL> show configuration
Configuration
Name: matrix
Enabled: YES
Protection Mode: MaxPerformance
Databases:
stdby1 - Primary database
stdby2 - Physical standby database
stdby3 - Physical standby database
Fast-Start Failover: DISABLED
Current status for "matrix":
SUCCESS
--- this is my first successful switchover -----
DGMGRL> switchover to stdby2
Performing switchover NOW, please wait...
New primary database "stdby2" is opening...
Operation requires shutdown of instance "stdby1" on database "stdby1"
Shutting down instance "stdby1"...
ORA-01109: database not open
Database dismounted.
ORACLE instance shut down.
Operation requires startup of instance "stdby1" on database "stdby1"
Starting instance "stdby1"...
ORACLE instance started.
Database mounted.
Switchover succeeded, new primary is "stdby2"
-------------------this is my second switchover -------------
DGMGRL> switchover to stdby1
Performing switchover NOW, please wait...
New primary database "stdby1" is opening...
Operation requires shutdown of instance "stdby2" on database "stdby2"
Shutting down instance "stdby2"...
ORA-01109: database not open
Database dismounted.
ORACLE instance shut down.
Operation requires startup of instance "stdby2" on database "stdby2"
Starting instance "stdby2"...
Unable to connect to database
ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
Failed.
You are no longer connected to ORACLE
Please connect again.
Unable to start instance "stdby2"
You must start instance "stdby2" manually
Switchover succeeded, new primary is "stdby1"
DGMGRL>
Edited by: user6981287 on Jan 7, 2010 12:57 AM
Edited by: user6981287 on Jan 7, 2010 1:00 AM -
Is there a policy map difference from 8.0 to 9.0?
We have been testing blocking a few select websites (no web filtering yet) with some of our smaller location ASA's. Following the document at:
https://supportforums.cisco.com/docs/DOC-1268
I have been successful at sites which run ASAs with version 8.0 of the IOS on them, but not with 9.0. With 9.0(2) it appears that when you institute the policy-map to make it take effect, it blocks all web traffic, not just the ones specified.
So, I guess I'm asking, is there that large of a difference between 8.0 and 9.0 that would cause this to no longer work properly?
You went to the same page I did 7 hours ago. Use the "FILES TYPE EDIT" solution and follow almost all of the instructions... Edit FIREFOX URL, HYPERTEXT TRANSFER PROTOCOL and HYPERTEXT TRANSFER PROTOCOL WITH PRIVACY... It isn't necessary to take the step of unchecking the "DDE BOX"; just follow the instructions to delete the characters in the "DDE Message Box" and the problem is fixed. If you uncheck the "DDE BOX", as instructed, it may come back to bite you.
Thank you for helping,
Sel Warren -
Hi, I have configured the following policy-map to restrict 12.203 to 5 Mb of bandwidth.
The issue is that I don't receive any hits when I apply this on the outside interface like this:
service-policy PM-RATELIMIT interface outside
But when I add permit ip any any to the ACL, then I receive hits.
Otherwise this map works fine on the inside interface, but I want to apply it on the outside.
The config is as follows:
access-list vlan10_rate_limit extended permit ip host 192.168.12.203 any
class-map CM-RATELIMIT
match access-list vlan10_rate_limit
policy-map PM-RATELIMIT
class CM-RATELIMIT
police input 5000000
The ACL that you have configured is sourcing from the internal host to any on the outside, so you would need to apply that on the inside interface.
If you would like to limit the return traffic towards that host, then you would need to configure ACL with source any and destination the NATed ip address of that internal host. -
Policy map/ class map/ service policy for IOS xr
Hi,
I need to create a policy map and class map/service policy to limit the amount of bandwidth that can be used on one interface both in and out.
I need the cap for the bandwidth to traverse this circuit to be 10 Meg.
The IOS XR version we are using is 4.3.4.
I was hoping someone could help me out by giving me a configuration example I could follow.
Thank you.
For instance like this:
policy-map police-in
class class-default
police rate 10 mbps <optionally set burst>
policy-map shape-out-parent
class class-default
shape 10 mbps <optional burst config>
service-policy shape-out-child
policy-map shape-out-child
class class-default
queue-limit 10 packets
int g 0/0/0/0
service-policy police-in in
service-policy shape-out-parent out
also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
and the support forum article of "asr9000 quality of service architecture"
xander -
1 policy-map for more than 1 physical interface
Hi,
The situation I want to achieve is that 2 physical interfaces (here 2 TP GigabitEthernet ports of a 3750) are limited together by one 'service-policy'/'policy-map'.
In the example below I have 2 Ports on one switch and the traffic coming in on both ports in total (traffic port #1 + traffic port #2) should be limited to the 'policy-map 5MBits'.
Right now I have configured a 3750 with:
class-map match-all EveryMAC
match access-group name everythingL2
policy-map 5MBits
class EveryMAC
police 5000000 32768 exceed-action drop
policy-map TEST
class EveryMAC
set dscp default
mac access-list extended everythingL2
permit any any
interface GigabitEthernet1/0/1
description port #1
switchport access vlan 123
switchport mode access
speed 10
duplex auto
interface GigabitEthernet1/0/2
description port #2
switchport access vlan 123
switchport mode access
speed 10
duplex auto
interface Vlan123
service-policy input TEST
And at the 'other side' a 2950 works with the following config:
class-map match-all EveryMAC
match access-group name everythingL2
policy-map 5MBits
class EveryMAC
police 5000000 32768 exceed-action drop
mac access-list extended everythingL2
permit any any
interface FastEthernet0/1
description port #A
switchport access vlan 123
switchport mode access
speed 10
duplex auto
As far as I can see this seems to work. But it would be nice if someone can confirm this or provide an other suggestion.
thanks in advance
Mark
The only thing I can think of is, instead of using a MAC ACL, you could just use the default class:
Policy Map Test
class class-default
police 56000 8000 exceed-action drop
Class Map match-any class-default (id 0)
Match any
You would be saving a MAC-ACL ;-). -
Hello,
I have a question about the policy mapping in ACS 5.4.
When a request matches in "Access Selection Rule" the request goes to an "Access Service".
In "Access Service" there are three kinds of policy rules:
- Identity:
If condition match then result "Identity Source"
- Group Mapping
If condition match then result "Identity Group"
- Authorization
If condition match then result "Auth Profile"
Q1:
For example:
The user "Test" is registered in Internal Users with a local password. But now I want to authenticate the user "Test" from an RSA token server. How can I configure this rule in "identity policy"? Which condition matches to choose the identity source? I will set the internal user with an attribute enumeration field like "Password". The administrator should have an option to choose "local database password" or "token passcode".
Q2:
What does "Group mapping" mean?
Thx for your answer!
Stefan
Hi Stefan,
The user "Test" is registered in Internal Users with a local password. But now I want to authenticate the user "Test" from an RSA token server. How can I configure this rule in "identity policy"? Which condition matches to choose the identity source? I will set the internal user with an attribute enumeration field like "Password". The administrator should have an option to choose "local database password" or "token passcode".
In the identity policy, if you click on Select, you can select the type of database; you can choose RSA (you will first need to create the connection under Users and Identity Stores --> External Identity Stores --> RSA SecurID).
Another way is to continue to use the internal users DB, but go to that user internally and select the password type to be RSA
(you will first need to create the connection under Users and Identity Stores --> External Identity Stores --> RSA SecurID).
Group mapping is a feature to assign a local identity group as a result based on chosen conditions.
EG:
If (Active directory x) Then (Internal group x)
The IF is the condition and Then is Result.
https://supportforums.cisco.com/docs/DOC-34890
Hope this Helps.
Ed -
I have a 7507 that has policy maps for matching voice for QoS. A show access-list shows that traffic is being matched. A show interface shows that packets are being dropped. The end result is though, that latency is high and call quality is suffering. A show queueing on the interface shows that no packets are being dropped. Any suggestions?
class-map match-all 2505PlanoRd
match access-group name PlanoRd2505-voice
policy-map 2505PlanoRd
class 2505PlanoRd
priority 192
class class-default
fair-queue
interface Serial5/0/0/5:0
bandwidth 1536
ip address xx.xx.xx.xx 255.255.255.252
no ip redirects
no ip unreachables
load-interval 30
service-policy output 2505PlanoRd
ip access-list extended PlanoRd2505-voice
permit ip any any dscp ef
permit ip any any dscp cs6
permit ip any host xx.xx.xx.xx
Core-1#sh access-list PlanoRd2505-voice
Extended IP access list PlanoRd2505-voice
10 permit ip any any dscp ef (124045 matches)
20 permit ip any any dscp cs6 (9779 matches)
30 permit ip any host xx.xx.xx.xx (93010 matches)
Core-1#sh queueing int s5/0/0/5:0
Interface Serial5/0/0/5:0 queueing strategy: VIP-based fair queueing
Serial5/0/0/5:0 queue size 0
pkts output 0, wfq drops 0, nobuffer drops 0
WFQ: aggregate queue limit 384 max available buffers 384
Priority Class: limit 48 qsize 0 pkts output 0 drops 0
Non-Priority Class: limit 336 qsize 0 pkts output 0 drops 0
available bandwidth 1344
Class 0: weight 8750 limit 336 qsize 0 pkts output 0 drops 0
Core-1#sh int s5/0/0/5:0
Serial5/0/0/5:0 is up, line protocol is up
Hardware is cyBus CT3
Internet address is xx.xx.xx.xx
MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
reliability 255/255, txload 72/255, rxload 12/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/32 (size/max/drops/flushes); Total output drops: 510996
Queueing strategy: Class-based queueing
Output queue: 0/40 (size/max)
30 second input rate 77000 bits/sec, 57 packets/sec
30 second output rate 439000 bits/sec, 78 packets/sec
80041948 packets input, 17598546217 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 9 giants, 0 throttles
696964 input errors, 38821 CRC, 302664 frame, 92 overrun, 1 ignored, 355377 abort
113990388 packets output, 96683334345 bytes, 0 underruns
0 output errors, 0 collisions, 10 interface resets
0 output buffer failures, 3437585 output buffers swapped out
10 carrier transitions no alarm present
Timeslot(s) Used: 1-24, Transmitter delay is 0 flags
non-inverted data
This is standard VoIP transport selection based on DSCP. -
Policy-map based rate-limiting per vlan
Hi
I was wondering if someone could help me come up with a solution to a problem. The scenario is as follows:
I have a trunk interface with multiple vlans on:
interface GigabitEthernet2/0/3
description TRUNK-to-*********
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 415,416,610,1191-1193,1195
switchport mode trunk
duplex full
storm-control broadcast level pps 1k
storm-control multicast level pps 3k
storm-control unicast level pps 250k
storm-control action trap
spanning-tree portfast trunk
spanning-tree bpdufilter enable
I'm trying to rate limit two of the vlans that are present on this trunk interface - vlan 415 and vlan 1192.
So I'm putting in the class-map (to be later applied under the policy-map, which is not significant here):
(config)#class-map match-any 120-mbps-class
(config-cmap)#match input-interface vlan 415
(config-cmap)#match input-interface vlan 1192
Now, when I show the class-map I created, I can see this:
sh class-map 120-mbps-class
Class Map match-any 120-mbps-class (id 1)
Match input-interface Vlan415
Match input-interface FastEthernet0
For some bizarre reason the class-map is matching Fa0. I have researched this, and this is most probably because you can only match 1 VLAN instance under the class-map.
And here's my problem: I can't police the whole interface, as the other VLANs should not be policed, so how can I police those two VLANs?
Any thoughts ? All help appreciated as always.
Rob.
Hi Daniel,
I have labbed it and unfortunately it does not work as expected. I have put 1x 3750 and 1x 2960 with a trunk between them; each box had an access port for a laptop to create some traffic across. All VLAN-based QoS has been applied on the 3750G.
3750G config
Interface g1/0/20
description trunk
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 100,120
Interface g1/0/1
description access
switchport mode access
switchport access vlan 100
Interface vlan 100
ip address 192.168.100.254
service-policy input PARENT-POLICER
Interface vlan 120
ip address 10.10.10.1
Policy-map PARENT-POLICER
class PERMIT-ANY-CLASS
trust COS
service-policy CHILD-POLICER
class-map match-any PERMIT-ANY-CLASS
match access-group name POLICY-LIST
Extended IP access list POLICY-LIST
10 permit ip any any
Policy-map CHILD-POLICER
class INTERFACE-POLICE-CLASS
police 100000 8000 exceed-action drop
Class Map match-any INTERFACE-POLICE-CLASS
Match input-interface GigabitEthernet1/0/20
2960 config:
interface g0/20
switchport mode trunk
switchport trunk allowed vlan 100,120
interface g0/1
switchport mode access
switchport access vlan 100
interface vlan 100
ip address 192.168.100.253
interface vlan 120
ip address 10.10.10.2
So as you can see, VLAN 100 is the one that needs to be rate limited (I have only rate limited to 100 kbps just to see if it's working) and VLAN 120 is only on the trunk ports to confirm that the traffic for this one is not affected.
Unfortunately, when the policing is applied on the 3750 VLAN 100 (and policing is working fine), I can see packet loss while pinging between switches on VLAN 120, suggesting that the policy is affecting the other VLAN as well. When I take the policy off VLAN 100 I cannot observe packet loss on VLAN 120, meaning it is no longer affected.
Not sure if I have explained this clearly enough so far; if not, let me know.
Do you have any suggestions ?
Thanks!