Policy-map input on an interface VLAN

Similar Messages

• Policy-map based rate-limiting per vlan

  Hi
  I was thinking if someone could help me to come up with solution to a problem. Scenario as follow:
  I have a trunk interface with multiple vlans on:
  interface GigabitEthernet2/0/3
  description TRUNK-to-*********
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 415,416,610,1191-1193,1195
  switchport mode trunk
  duplex full
  storm-control broadcast level pps 1k
  storm-control multicast level pps 3k
  storm-control unicast level pps 250k
  storm-control action trap
  spanning-tree portfast trunk
  spanning-tree bpdufilter enable
  I'm trying to rate limit two of the vlans that are present on this trunk interface - vlan 415 and vlan 1192.
  So I'm putting the class-map (to be later applied under the policy-map which is not significant here):
  (config)#class-map match-any 120-mbps-class
  (config-cmap)#match input-interface vlan 415
  (config-cmap)#match input-interface vlan 1192
  Now, when you show the class-map I created, I can see this:
  sh class-map 120-mbps-class
  Class Map match-any 120-mbps-class (id 1)
     Match input-interface  Vlan415
     Match input-interface  FastEthernet0
  For some bizzare reason class-map is matching the Fa0. I have researched this, and this is most probably because you can only match 1 vlan instance under the class-map.
  And here's my problem - I can't police whole interface as the other vlans should not be policed - how can I police those two vlans ?
  Any thoughts ? All help appreciated as always.
  Rob.

  Hi Daniel,
  I have labed it and unfortuantely it does not work as expected. I have put 1x 3750 and 1x 2960 trunk between them, each box had an access port for laptop to create some traffic across. All vlan-based qos has been applied on 3750G.
  3750G config
  Interface g1/0/20
  descriprion trunk
  swicthport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 100,120
  Interface g1/0/1
  description access
  switchport mode access
  switchport access vlan 100
  Interface vlan 100
  ip address 192.168.100.254
  service-policy input PARENT-POLICER
  Interface vlan 120
  ip address 10.10.10.1
  Policy-map PARENT-POLICER
  class PERMIT-ANY-CLASS
  trust COS
  service-policy CHILD-POLICER
  class-map match-any PERMIT-ANY-CLASS
  match access-group name POLICY-LIST
  Extended IP access list POLICY-LIST
      10 permit ip any any
  Policy-map CHILD-POLICER
  class INTERFACE-POLICE-CLASS
    police 100000 8000 exceed-action drop
  Class Map match-any INTERFACE-POLICE-CLASS
  Match input-interface  GigabitEthernet1/0/20
  2960 config:
  interface g0/20
  switchport mode trunk
  switchport trunk allowed vlan 100,120
  interface g0/1
  switchport mode access
  switchport access vlan 100
  interface vlan 100
  ip address 192.168.100.253
  interface vlan 120
  ip address 10.10.10.2
  So as you can see vlan 100 is the one it need to be rate limited (I have only rate limited to 100kbps just to see if it's working) and vlan 120 is only on the trunk ports to confirm if the traffic  for this one is not affected.
  Unfortunately when the policing is applied on 3750 vlan 100 (and policing is working fine) then I can see the packet loss while pinging between switches on vlan 120 suggesting that the policy is affecting the other vlan as well. When I take the policy out of the vlan 100 I cannot observe the packet loss on vlan 120 meaning is no longer affected.
  Not sure if I have explained this clear enough so far, if not let me know.
  Do you have any suggestions ?
  Thanks!

• ACE - Policy map bound to multiple interface

  Hello,
  I have a policy map bound to multiple VLAN interfaces. The policy is pretty standard, any traffic hitting the VIP is load balanced.
  Now, is it ok to assign the same policy map / VIP to to multiple VLAN interfaces on a virtual context?
  I addition, I should add that one of the clients hitting the vip are the servers configured in the serverfarm of the context.
  Basically the requirement here is that the rservers are client and server at the same time.
  The problem I have is that when one of the servers send an HTTP request to the VIP, the ACE module reset the connection. I can see the dropped conns counter increasing as i generate requests to the ACE.
  Rdgs,
  Thibault.

  Thibault,
  the RESET is probably comming from the server.
  If the server sends a SYN to the VIP, the packet is nated and forwarded to another server which sees a packet coming from a neighbor server (not ACE) and sends the SYN/ACK directly to the client(rserver).
  This one is expecting a packet from the VIP and not the server itself and sends a RST.
  You need to enable client nat for server opening connections to the vip.
  Gilles.

• Policy-map on tunnel or physical interface?

  Hi all,
  I have a 3800 headend router which has a number of ipsec tunnels to remote office sites. Our current QoS design applies a policy-map to each tunnel interface to prioritise and shape outbound traffic.
  My question is how does the physical egress interface queue and transmit traffic from tunnel interfaces with this design? For example, if a mixture of large data packets and voice packets from different tunnel interfaces hit the physical interface around the same time what will happen to the voice packets?
  Furthermore, would it be a better to apply the policy-map to the physical interface instead of the tunnel interfaces? What advantages if any would this bring?
  Many thanks.

  If you're shaping each tunnel to the outbound physical bandwidth, yes it would be better to just have the policy, without any shaping, on the physical interface. Again, you'll will either need to depend on a copied ToS value in the outbound packet or use qos pre-classify. (A single physical policy would be much like your QUEUE_DATA if using qos pre-classify.)
  e.g.
  !assumes qos-preclassify
  interface Ethernet0
  service-policy output QUEUE_DATA
  What I thought you might be doing, and you could also do, was shape each tunnel to the far side's ingress bandwidth. This would require a distinct policy, if the shaper values change, for every tunnel interface, or a policy on the physical interface that has a class per tunnel (matches against tunnel destination address).
  e.g.
  !assume local outbound interface not oversubscribed
  policy-map NESTED_QOS_512K
  class class-default
  shape average 512000
  service-policy QUEUE_DATA
  policy-map NESTED_QOS_768K
  class class-default
  shape average 768000
  service-policy QUEUE_DATA
  policy-map NESTED_QOS_1500K
  class class-default
  shape average 1500000
  service-policy QUEUE_DATA
  interface Tunnel1
  service-policy output NESTED_QOS_786K
  interface Tunnel2
  service-policy output NESTED_QOS_512K
  interface Tunnel3
  service-policy output NESTED_QOS_1500K
  interface Tunnel4
  service-policy output NESTED_QOS_512K
  e.g.
  !assume local outbound interface not oversubscribed
  class-map match-all Tunnel1
  match group (ACL that matches tunnel1 destination address)
  class-map match-all Tunnel2
  match group (ACL that matches tunnel2 destination address)
  policy-map outbound_tunnels
  class Tunnel1
  shape average 768000
  service-policy output QUEUE_DATA
  class Tunnel2
  shape average 512000
  service-policy output QUEUE_DATA
  Interface Ethernet 0
  service-policy outbound outbound_tunnels
  If all the far side bandwidths exceed your local outbound physical bandwidth, then you should have both tunnel policies, that shape each tunnel, and a physical interface policy.
  e.g.
  !assume local outbound interface is oversubscribed
  policy-map NESTED_QOS_512K
  class class-default
  shape average 512000
  service-policy QUEUE_DATA
  policy-map NESTED_QOS_768K
  class class-default
  shape average 768000
  service-policy QUEUE_DATA
  policy-map NESTED_QOS_1500K
  class class-default
  shape average 1500000
  service-policy QUEUE_DATA
  interface Tunnel1
  service-policy output NESTED_QOS_786K
  interface Tunnel2
  service-policy output NESTED_QOS_512K
  interface Tunnel3
  service-policy output NESTED_QOS_1500K
  interface Tunnel4
  service-policy output NESTED_QOS_512K
  !assumes qos-preclassify
  interface Ethernet0
  service-policy output QUEUE_DATA

• Can you add one L3-class to two different policy maps ?

  Hi Experts;
                  Requirement is to have requests from outside as well as inside from different vlan Server to our Production Servers.At present all requests are coming from inside vlan via policy-map multi-match L3_XYZ.  See Example below
  policy-map multi-match L3_XYZ
  class L3_PROD
     loadbalance vip inservice
     loadbalance policy L7_PROD
     loadbalance vip icmp-reply active
  policy-map multi-match L3_OUTSIDE
  class L3_PROD
     loadbalance vip inservice
     loadbalance policy L7_PROD
     loadbalance vip icmp-reply active
  Many thanks
  Regards

  Hi Hidayat
  yes, class map alone doesn't have any deep meaning and can be reused in many policy maps. Actually policy maps can be reused too, so in your particular example you can put the same policy map on 2 different interfaces. (Sometimes it's a good idea, if requirements are the same for traffic coming from both interfaces or if requirements are diffrent - it's better to create a new one, but class-map definitely can be reused.)

• Policy map rules

  I read that "Only one policy map can be applied to a specific interface". What if you alreay using the default policy map and want to create one for you AIP-SSM and one for the current ACL?

  The default policy map is the "global" policy-map. If you want to send the traffic on all interfaces, through the SSM module, you dont need to create a new policy-map, you only need to create the class mathing the traffic you need to send via SSM module. Then you can include this class also in the policy-map applied globally.
  With above said, assuming you have default policy-map config, if I implement following commands to divert all traffic via SSM module:
  access-list ips-acl permit ip any any
  class-map ips-class
  match access-list ips-acl
  policy-map global_policy
  class ips-class
  ips inline fail-open
  Thus final policy-map configuration would look like:
  policy-map global_policy
  class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  class ips-class
  ips inline fail-open
  service-policy global_policy global
  Alternatively, I cann apply the ips class to altogether a new policy-map but I cant apply this policy-map globally. I can apply the new policy-map to a particular interface though.
  Hope that helps.
  Regards,
  Vibhor.

• 1 policy-map for more than 1 physical interface

  Hi,
  the situation I want to achieve is, that 2 physical interfaces (here 2 TP GigbitEthernet Ports of a 3750) are limited together from one 'service-policy'/'policy-map'.
  In the example below I have 2 Ports on one switch and the traffic coming in on both ports in total (traffic port #1 + traffic port #2) should be limited to the 'policy-map 5MBits'.
  Right now I have configured a 3750 with:
  class-map match-all EveryMAC
  match access-group name everythingL2
  policy-map 5MBits
  class EveryMAC
  police 5000000 32768 exceed-action drop
  policy-map TEST
  class EveryMAC
  set dscp default
  mac access-list extended everythingL2
  permit any any
  interface GigabitEthernet1/0/1
  description port #1
  switchport access vlan 123
  switchport mode access
  speed 10
  duplex auto
  interface GigabitEthernet1/0/2
  description port #2
  switchport access vlan 123
  switchport mode access
  speed 10
  duplex auto
  interface Vlan123
  service-policy input TEST
  And at the 'other side' a 2950 works with the following config:
  class-map match-all EveryMAC
  match access-group name everythingL2
  policy-map 5MBits
  class EveryMAC
  police 5000000 32768 exceed-action drop
  mac access-list extended everythingL2
  permit any any
  interface FastEthernet0/1
  description port #A
  switchport access vlan 123
  switchport mode access
  speed 10
  duplex auto
  As far as I can see this seems to work. But it would be nice if someone can confirm this or provide an other suggestion.
  thanks in advance
  Mark

  Only thing i can think of is instead of using a MAC ACL , u cud jus use the default class
  Policy Map Test
  class class-default
  police 56000 8000 exceed-action drop
  Class Map match-any class-default (id 0)
  Match any
  You would be saving a MAC-ACL ;-).

• Policy maps on port-channel sub-interfaces

  We're trying to implement an enterprise QoS policy and I'm wondering how we can apply our QoS policy maps to several different sub-interfaces on a port-channel. In our case, we have both LAN and WAN connections that connect as VLANs on a switch and terminate as sub-interfaces on a port-channel that combines two Gigabit Ethernet interfaces on our router. The LAN connection will need to have a ingress service-policy to classify traffic as it comes from a customer LAN, and the WAN connections will have to have an egress service-policy to place the traffic classes into LLQ and CBWFQ queues as it leaves the router. Could I put both the ingress and egress service-policies on the physical router interface, or should I put them on the port-channel interface? Or should I apply them to the individual sub-interfaces? For example, I could put the ingress classification service-policy on the LAN sub-interface connection.
  Any thoughts or insight would be helpful. Thanks.

  I can't put it as input because :
  gw-a(config-subif)#service-policy input policy_upload                     
  Traffic Shaping feature not supported in input policy.
  Here's a show during a bandwidth test. You can see the offered rate is properly measured and is _way_ above the target shape rate.
  gw-a#show policy-map interface Port-channel 1.2
  Port-channel1.2
    Service-policy output: policy_upload
      Class-map: class-default (match-any)
        624006 packets, 842239036 bytes
        5 minute offered rate 12774000 bps, drop rate 0 bps
        Match: any
        Queueing
        queue limit 64 packets
        (queue depth/total drops/no-buffer drops) 0/0/0
        (pkts output/bytes output) 0/0
        shape (average) cir 100000, bc 400, be 400
        target shape rate 100000

• Route map does not applied on interface vlan

  Hi all,
  could you pls tell me why i can't apply a route-map on an interface vlan,
  belown my config:
  SWBBO(config-if)#ip policy route-map TEST
                             ^
  % Invalid input detected at '^' marker.
  Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE1, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2013 by Cisco Systems, Inc.
  Compiled Fri 04-Jan-13 01:38 by prod_rel_team
  ROM: Bootstrap program is C3750E boot loader
  BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
  BBWMASALE01 uptime is 40 weeks, 1 day, 6 minutes
  System returned to ROM by power-on
  System restarted at 22:12:07 UTC Mon Feb 18 2013
  System image file is "flash:/c3750e-universalk9-mz.150-2.SE1.bin"
  Best regards,
  James

  Hi jon,
  belown the result of sh sdm prefer,so need i a licence ip service to apply the route-maap on the interface vlan,or just entrer the config"sdm prefer routing" and reboot the switch?
  SWBB0#sh sdm prefer
  The current template is "desktop default" template.
  The selected template optimizes the resources in
  the switch to support this level of features for
  8 routed interfaces and 1024 VLANs.
    number of unicast mac addresses:                  6K
    number of IPv4 IGMP groups + multicast routes:    1K
    number of IPv4 unicast routes:                    8K
      number of directly-connected IPv4 hosts:        6K
      number of indirect IPv4 routes:                 2K
    number of IPv6 multicast groups:                  64
    number of directly-connected IPv6 addresses:      74
    number of indirect IPv6 unicast routes:           32
    number of IPv4 policy based routing aces:         0
    number of IPv4/MAC qos aces:                      0.5K
    number of IPv4/MAC security aces:                 0.875k
    number of IPv6 policy based routing aces:         0
    number of IPv6 qos aces:                          0
    number of IPv6 security aces:                     60

• Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

  Hi,
  I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
  I have 3 web servers behind a router.
  Public interface: 3 public ip adresses
  Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
  I would to know the best way to redirect http traffic to the right server.
  My idea is to map a public address to a private address, via NAT, but I'm not sure for the configuration.  I could also redirect via Policy-map and filter by url content.
  So if you have some advise for this case, it would be really appreciated.
  Thank you.
  Chris.

  Hello Christophe,
  As I understand you want 1st that ; 
  if somebody go to A.local.com from internet then he will redirect to 192.168.1.10 in your internal network. 
  That means, you need static mapping between your public @ip address and your local ip address. 
  for this example, your local interface is Fa0/0.1 and I dont your public interface because it is not mention in your diagram. I will suppose S0/0 for public interface. 
  that is the config for the Web Server1. You can do the same with the remaining servers:
  interface fa0/0.1 
  ip nat inside
  interface serial0/0
   ip nat outside
  ip nat inside source static 192.168.1.10 172.1.2.3 
  static mapping from local to public. 
  I suppose you have done the dns mapping in your network and the ISP have done the same in his network. 
  ip route 171.1.2.3 interface serial0/0 
  or 
  ip route 0.0.0.0 0.0.0.0 interface serial0/0. 
  After these step for each web server, you will get the mapping. 
  Now you can restrict access to this ip only to http or https protocol on your isp and after on your local network 
  like
  ip access-list extended ACL_WebServer1
  permit ip any 192.168.1.10 eq www
  deny ip any 192.168.1.10
  exit
  interface fa0/0.1
   ip acess-group ACL_WebServer1 in
  no shut
  exit
  That is the first step. 
  Second step : you want to filter traffic by url, that means layer 5 to 7 filtering. 
  I am not sure that it is possible using cisco router with (ZBF + Regex).
  Check the first step and let us know ! 
  Please rate and mark as correct if it is the case. 
  Regards,

• Show policy-map interface | Question about QOS show command output

  I hope this is the correct place for this question. If not, please let me know.
  When I issue the show policy-map interface command (in this case on a  3845) there is some output I don't understand.  I have included some output below and formatted the lines I am confused about as "computer code" which show up as red on my screen.  A list of the individual lines i'm confused about is below, followed by those liens in the context of the show policy-map command's output.
  Any help with this will be greatly appreciated. Thanks in advance.
  5 minute offered rate 46000 bps, drop rate 0 bps
   5 minute rate 10000 bps
   bandwidth remaining 50% (768 kbps)
  show policy-map interface
  --- previous output omitted ---
  GigabitEthernet0/0
    Service-policy input: QoS_IN
  class-map: Silver (match-any)
        164691299 packets, 23570752398 bytes
        5 minute offered rate 46000 bps, drop rate 0 bps
        Match: access-group name MAINFRAME
          4371992 packets, 2311242335 bytes
          5 minute rate 0 bps
        Match: access-group name KRONOS
          13334297 packets, 3051409140 bytes
          5 minute rate 5000 bps
        Match: access-group name EMAIL
          97652823 packets, 10323856470 bytes
          5 minute rate 10000 bps
        Match: access-group name VOIP-CONTROL
          20782858 packets, 1481676784 bytes
          5 minute rate 0 bps
        Match: access-group name LOGIXWEB
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: access-group name GRINDLOG
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: access-group name CITRIX
          46895 packets, 14669179 bytes
          5 minute rate 0 bps
        Match: access-group name CORP_WEB
          28502414 packets, 6387897396 bytes
          5 minute rate 4000 bps
        QoS Set
          dscp af31
            Packets marked 164691269
  show policy-map interface s0/0/0:0
  Serial0/0/0:0
    Service-policy output: QoS_OUT
  --- previous output omitted ---
      Class-map: Silver (match-any)
        86590227 packets, 12051546524 bytes
        5 minute offered rate 3000 bps, drop rate 0 bps
        Match: access-group name MAINFRAME
          7641084 packets, 2701232492 bytes
          5 minute rate 0 bps
        Match: access-group name KRONOS
          6975052 packets, 1555404656 bytes
          5 minute rate 0 bps
        Match: access-group name EMAIL
          58438150 packets, 5433636586 bytes
          5 minute rate 3000 bps
        Match: access-group name VOIP-CONTROL
          355083 packets, 41252455 bytes
          5 minute rate 0 bps
        Match: access-group name LOGIXWEB
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: access-group name GRINDLOG
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: access-group name CITRIX
          19 packets, 4967 bytes
          5 minute rate 0 bps
        Match: access-group name CORP_WEB
          13180836 packets, 2320015236 bytes
          5 minute rate 0 bps
        Queueing
        queue limit 64 packets
        (queue depth/total drops/no-buffer drops) 0/18156/0
        (pkts output/bytes output) 86421413/12004278837
        bandwidth remaining 50% (768 kbps)

  this is my configuration
  DGMGRL> show configuration
  Configuration
  Name: matrix
  Enabled: YES
  Protection Mode: MaxPerformance
  Databases:
  stdby1 - Primary database
  stdby2 - Physical standby database
  stdby3 - Physical standby database
  Fast-Start Failover: DISABLED
  Current status for "matrix":
  SUCCESS
  --- this is my first successful switchover -----
  DGMGRL> switchover to stdby2
  Performing switchover NOW, please wait...
  New primary database "stdby2" is opening...
  Operation requires shutdown of instance "stdby1" on database "stdby1"
  Shutting down instance "stdby1"...
  ORA-01109: database not open
  Database dismounted.
  ORACLE instance shut down.
  Operation requires startup of instance "stdby1" on database "stdby1"
  Starting instance "stdby1"...
  ORACLE instance started.
  Database mounted.
  Switchover succeeded, new primary is "stdby2"
  -------------------this is my second switchover -------------
  DGMGRL> switchover to stdby1
  Performing switchover NOW, please wait...
  New primary database "stdby1" is opening...
  Operation requires shutdown of instance "stdby2" on database "stdby2"
  Shutting down instance "stdby2"...
  ORA-01109: database not open
  Database dismounted.
  ORACLE instance shut down.
  Operation requires startup of instance "stdby2" on database "stdby2"
  Starting instance "stdby2"...
  Unable to connect to database
  ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
  Failed.
  You are no longer connected to ORACLE
  Please connect again.
  Unable to start instance "stdby2"
  You must start instance "stdby2" manually
  Switchover succeeded, new primary is "stdby1"
  DGMGRL>
  Edited by: user6981287 on Jan 7, 2010 12:57 AM
  Edited by: user6981287 on Jan 7, 2010 1:00 AM

• CBWFQ: Question about the output of "show policy-map interface" command

  Hi everyone,
  I have a question about the output of "show policy-map interface" command.
  The following is the output of this command and lower side of the output shows
  (total queued/total drops/no-buffer drops) 0/342/0
  If the packets drop occur due to the situation of no enough buffer,
  "no-buffer drops" counted up. But "no-buffer drops" has not been counted up.
  The "no-buffer drops" is 0 (zero) but "total drops" are counted as 342.
  I guess there are other factors except "no-buffer drops" to add "total drops".
  But I can not find any information about "other factors".
  So I would like to know the "other factors" added to "total drops".
  reserch-3725#sh policy-map interface fastethernet0/1
  FastEthernet0/1
  Service-policy output: shaping
  Class-map: kdpc (match-all)
  146956873 packets, 115209221595 bytes
  5 minute offered rate 156000 bps, drop rate 0 bps
  Match: access-group name YOKOHAMA_to_CHINO
  Traffic Shaping
  Target/Average Byte Sustain Excess Interval Increment
  Rate Limit bits/int bits/int (ms) (bytes)
  9360000/9360000 58500 234000 234000 25 29250
  Adapt Queue Packets Bytes Packets Bytes Shaping
  Active Depth Delayed Delayed Active
  - 0 146956724 3539850811 2960247 3851843541 no
  Class-map: class-default (match-any)
  552458414 packets, 249687580329 bytes
  5 minute offered rate 242000 bps, drop rate 0 bps
  Match: any
  Traffic Shaping
  Target/Average Byte Sustain Excess Interval Increment
  Rate Limit bits/int bits/int (ms) (bytes)
  3072000/3072000 19200 76800 76800 25 9600
  Adapt Queue Packets Bytes Packets Bytes Shaping
  Active Depth Delayed Delayed Active
  - 0 552453209 573909865 30358216 2926188156 no
  Service-policy : policy1
  Class-map: dlsw (match-all)
  979578 packets, 264843255 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: access-group name acl-dlsw
  Queueing
  Output Queue: Conversation 137
  Bandwidth 128 (kbps) Max Threshold 64 (packets)
  (pkts matched/bytes matched) 20922/17371500
  (depth/total drops/no-buffer drops) 0/0/0
  Class-map: telnet (match-all)
  29938 packets, 1806058 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: access-group name acl-telnet
  Queueing
  Output Queue: Conversation 138
  Bandwidth 64 (kbps) Max Threshold 64 (packets)
  (pkts matched/bytes matched) 639/38900
  (depth/total drops/no-buffer drops) 0/0/0
  Class-map: class-default (match-any)
  551448911 packets, 249420939729 bytes
  5 minute offered rate 242000 bps, drop rate 0 bps
  Match: any
  Queueing
  Flow Based Fair Queueing
  Maximum Number of Hashed Queues 128
  (total queued/total drops/no-buffer drops) 0/342/0
  Your information would be appreciated.

  Details infomatiuon regarding show policy-map interface
  http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a008010dd6a.shtml
  http://www.cisco.com/en/US/tech/tk543/tk760/technologies_tech_note09186a0080108e2d.shtml
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_r/qos_s2g.htm#wp1146884

• CSCso80701 - "show policy-map interface" in 2960, 2970, 3560, 3750 should give error - 3

  Have similar issues with 12.2(50)SE4....
  Service-policy command has taken but cann't see in running config. Eventually no output "show policy-map interface fa0/x".

  Try this config:
  policy-map QOS-SOFTPHONE-POLICY
   class QOS_VOICE_CLASS
     set dscp cs3
   class QOS_SIGNALING_CLASS
     set dscp cs2
   class QOS_DATA_CLASS
     set dscp cs1
   class class-default
     set dscp default
  BR

• Policy-map on catalyst 3550

  dear all,
  how to configure policy-map on catalyst 3550 to shapping bandwidth. I've tried to setting that police-map in one of interface, but when I wrote sh policy-map interface fa0/1, in class-map field, the result are
  class-map: policeIn (match-all)
  0 packets, 0 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  match: access-group 112qm_police_inform_feature: CLASS_SHOW
  Could u give me a clue..??
  thx.
  ..::rhiez::..

  hi,
  i've checked statistic of interface and there is traffic on that interface :
  Hardware is Fast Ethernet, address is xxxx.xxxx.xxxx.xxxx(bia xxxx.xxxx.xxxx)
  MTU 1500 bytes, BW 512 Kbit, DLY 100 usec,
  reliability 255/255, txload 102/255, rxload 42/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last clearing of "show interface" counters 00:03:16
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 85000 bits/sec, 67 packets/sec
  5 minute output rate 961000 bits/sec, 201 packets/sec
  12965 packets input, 2137646 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 watchdog, 0 multicast, 0 pause input
  0 input packets with dribble condition detected
  38564 packets output, 23504798 bytes, 0 underruns
  0 output errors, 46 collisions, 0 interface resets
  0 babbles, 0 late collision, 62 deferred
  0 lost carrier, 0 no carrier, 0 PAUSE output
  0 output buffer failures, 0 output buffers swapped out
  is there another way to shapping bandwidth per vlan or per port interface on catalyst 3550 with IOS 12.1(8).
  thx.
  ..::rhiez::..

• ACE: 4710 Policy-Map NAT

  Greets. I have a scenario where the rservers are located on two different VLAN's in One Arm Mode.
  My question is, am I able to assign two different NAT commands in my policy map (as written below)? Will the NAT command only kick off for the selected rservers vlan?
  policy-map multi-match PM_Loadbalance
    class VIP_Farm
      loadbalance vip inservice
      loadbalance vip icmp-reply active
      nat dynamic 7 vlan 7
      nat dynamic 741 vlan 741
  Thanks,
  -b

  Hello Brian-
  You can apply 2 different NAT statements, yes.
  The way it works:
  1.)  A client sends a SYN into a vlan where the vip is applied as a service-policy input.
  2.) The ACE matches the SYN to the class in question, the loadbalance policy is checked, and eventually a server in the associated serverfarm is chosen.
  3.) ACE prepares to forward the SYN out of the appropriate VLAN based on the route table.
  4.) Before the packet leaves, if the packet will egress either vlan 7 or 741, the the packet would be source NATted by the group number mentioned in the statement.  This occurs because the "vlan 7" and "vlan 741" in the NAT statements under the class are filters. If the destination matches either vlan, then the nat group for that statement is used.
  i.e.
  rserver host server_1
  ip address 10.0.0.10
  inservice
  rserver host server_2
  ip address 172.16.35.60
  inservice
  serverfarm host SF_1
  rserver server_1
    inservice
  class-map match-any VIP_80
  2 match virtual-address 172.16.35.80 tcp eq 80
  policy map type loadbalance first-match LB
  class class-default
    serverfarm SF_1
  policy map multi-match X
  class VIP_80
    loadbalance policy LB
    loadbalance vip inservice
    nat dynamic 5 vlan 7
    nat dynamic 7 vlan 741
  interface vlan 7
  ip address 172.16.35.2 255.255.255.0
  nat 5 172.16.35.100 172.16.35.100 netmask 255.255.255.0 pat
  service-policy input X
  Interface vlan 741
  ip address 10.0.0.2 255.255.255.0
  nat 7 10.0.0.100 10.0.0.100 netmask 255.255.255.0 pat
  service-policy input X
  If a packet comes into either vlan destine to 172.16.35.80 on port 80, it will be balanced to either 10.0.0.10 or 172.16.35.60.  If 10.0.0.10 was chosen, then natpool 7 under vlan 741 would be used because 10.0.0.10 is layer 2 adjacent to vlan 741.  If 172.16.35.60 was chosen, then natpool 5 would be chosen because that server is layer 2 adjacent to vlan 7.
  Regards,
  Chris Higgins