Policy MAP Issue on ASA

Hi, I have configured the following policy map to restrict 12.203 to use 5mb bandwidth.
The issue is that I don't receive any hits when I apply this on the outside interface like this:
service-policy PM-RATELIMIT interface outside
But when I add permit ip any any in the ACL then I receive hits.
Otherwise this map works fine on the inside interface, but I want to apply it on outside.
The configuration is as follows:
access-list vlan10_rate_limit extended permit ip host 192.168.12.203 any
class-map CM-RATELIMIT
match access-list vlan10_rate_limit
policy-map PM-RATELIMIT
class CM-RATELIMIT
  police input 5000000

The ACL that you have configured is sourcing from the internal host to any on the outside. So you would need to apply that on the inside interface.
If you would like to limit the return traffic towards that host, then you would need to configure an ACL with source any and destination the NATed IP address of that internal host.
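
Added example, not part of the original thread: a small Python model of the reply above, showing which addresses the class-map ACL is compared against on each interface and direction. It assumes the ACL is matched against the packet headers as they appear on that interface, as the reply describes; `MAPPED_IP` and `REMOTE_IP` are constructed placeholders, since the thread does not give the NATed address.

```python
"""Why the thread's class-map gets no hits on `outside` (added illustration)."""
import ipaddress

REAL_IP = "192.168.12.203"   # inside host, from the thread
MAPPED_IP = "203.0.113.10"   # constructed placeholder for the host's NATed address
REMOTE_IP = "198.51.100.7"   # constructed placeholder for an Internet peer


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'NET MASK' from an ACL token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC DST' into (src_net, dst_net)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    src, rest = _take_addr(tokens[5:])
    dst, rest = _take_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {rest}")
    return src, dst


def headers_seen(interface, direction):
    """Return (src, dst) as the packet appears at this point of the path.

    Assumption of this model: one flow between REAL_IP and REMOTE_IP, with
    REAL_IP translated to MAPPED_IP between the inside and outside interfaces.
    """
    table = {
        ("inside", "input"): (REAL_IP, REMOTE_IP),     # host -> Internet, before NAT
        ("outside", "output"): (MAPPED_IP, REMOTE_IP),  # host -> Internet, after NAT
        ("outside", "input"): (REMOTE_IP, MAPPED_IP),   # return traffic, before un-NAT
        ("inside", "output"): (REMOTE_IP, REAL_IP),     # return traffic, after un-NAT
    }
    return table[(interface, direction)]


def class_map_hits(ace_line, interface, direction):
    """True if the ACE would classify the flow for `police <direction>` on `interface`."""
    src_net, dst_net = parse_ace(ace_line)
    src, dst = headers_seen(interface, direction)
    return (ipaddress.ip_address(src) in src_net
            and ipaddress.ip_address(dst) in dst_net)


# The ACE from the thread, the poster's "permit ip any any" test, and the
# return-traffic ACE the reply suggests (with the placeholder mapped address).
THREAD_ACE = "access-list vlan10_rate_limit extended permit ip host 192.168.12.203 any"
PERMIT_ANY = "access-list vlan10_rate_limit extended permit ip any any"
RETURN_ACE = f"access-list vlan10_rate_limit extended permit ip any host {MAPPED_IP}"

if __name__ == "__main__":
    for ace in (THREAD_ACE, PERMIT_ANY, RETURN_ACE):
        for where in (("inside", "input"), ("outside", "input")):
            hit = class_map_hits(ace, *where)
            print(f"{where[0]:7} {where[1]:6} {hit!s:5} {ace}")
```

The model reproduces the three observations in the thread: the original ACE matches on inside input only, `permit ip any any` matches everywhere, and the return-traffic ACE matches on outside input.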

Similar Messages

  • Policy-map issue on 7507

    I have a 7507 that has policy maps for matching voice for QoS. A show access-list shows that traffic is being matched. A show interface shows that packets are being dropped. The end result is though, that latency is high and call quality is suffering. A show queueing on the interface shows that no packets are being dropped. Any suggestions?

    class-map match-all 2505PlanoRd
    match access-group name PlanoRd2505-voice
    policy-map 2505PlanoRd
    class 2505PlanoRd
    priority 192
    class class-default
    fair-queue
    interface Serial5/0/0/5:0
    bandwidth 1536
    ip address xx.xx.xx.xx 255.255.255.252
    no ip redirects
    no ip unreachables
    load-interval 30
    service-policy output 2505PlanoRd
    ip access-list extended PlanoRd2505-voice
    permit ip any any dscp ef
    permit ip any any dscp cs6
    permit ip any host xx.xx.xx.xx
    Core-1#sh access-list PlanoRd2505-voice
    Extended IP access list PlanoRd2505-voice
    10 permit ip any any dscp ef (124045 matches)
    20 permit ip any any dscp cs6 (9779 matches)
    30 permit ip any host xx.xx.xx.xx (93010 matches)
    Core-1#sh queueing int s5/0/0/5:0
    Interface Serial5/0/0/5:0 queueing strategy: VIP-based fair queueing
    Serial5/0/0/5:0 queue size 0
    pkts output 0, wfq drops 0, nobuffer drops 0
    WFQ: aggregate queue limit 384 max available buffers 384
    Priority Class: limit 48 qsize 0 pkts output 0 drops 0
    Non-Priority Class: limit 336 qsize 0 pkts output 0 drops 0
    available bandwidth 1344
    Class 0: weight 8750 limit 336 qsize 0 pkts output 0 drops 0
    Core-1#sh int s5/0/0/5:0
    Serial5/0/0/5:0 is up, line protocol is up
    Hardware is cyBus CT3
    Internet address is xx.xx.xx.xx
    MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
    reliability 255/255, txload 72/255, rxload 12/255
    Encapsulation HDLC, crc 16, loopback not set
    Keepalive set (10 sec)
    Last input 00:00:00, output 00:00:00, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/32 (size/max/drops/flushes); Total output drops: 510996
    Queueing strategy: Class-based queueing
    Output queue: 0/40 (size/max)
    30 second input rate 77000 bits/sec, 57 packets/sec
    30 second output rate 439000 bits/sec, 78 packets/sec
    80041948 packets input, 17598546217 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 9 giants, 0 throttles
    696964 input errors, 38821 CRC, 302664 frame, 92 overrun, 1 ignored, 355377 abort
    113990388 packets output, 96683334345 bytes, 0 underruns
    0 output errors, 0 collisions, 10 interface resets
    0 output buffer failures, 3437585 output buffers swapped out
    10 carrier transitions no alarm present
    Timeslot(s) Used: 1-24, Transmitter delay is 0 flags
    non-inverted data
    This is standard VoIP transport selection based on dscp.

  • Removed the icmp inspection from my default policy-map

    Hi Experts
    I have removed the ICMP inspection from my default policy-map on my ASA 5520. Now I am not able to ping 4.2.2.2 from my LAN, even though I have configured an ICMP access-list on my ASA as shown below; I can't ping 4.2.2.2 to test the Internet connectivity. What should I do to allow only myself, as admin, to ping outside?
    icmp permit host 192.168.60.60 echo
    icmp permit host 192.168.60.60 echo-reply
    thanks
    jamil

    Could you paste the complete config?

  • Policy Map bypass issue

    Hi,
    I am trying to bypass some IP networks from a policy-map rule. It's not working. Can anyone please help me to resolve the problem?
    class-map match-any http
    match not access-group name http-allow
    match protocol http host "www.yyyy.com"
    match protocol http host "www.xxxx.net"
    policy-map http
    class http
    police 8000 conform-action drop  exceed-action drop
    ip access-list extended http-allow
    permit ip 192.168.100.2 0.0.0.1 any
    permit ip any 192.168.100.2 0.0.0.1
    permit ip any any
    interface FastEthernet0/0 (WAN Interface)
    service-policy input http

  • Connectivity Issue between ASA 5520 firewall and Cisco Call Manager

    Recently I installed an ASA 5520 firewall. Below are the details of my network:
    ASA 5520 inside ip: 10.12.10.2/24
    Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
    Cisco Call Manager 3825 IP: 10.12.110.2/24
    The users and the IP phones are getting IPs from the DHCP server which is configured on the Cisco 3560 switch.
    The default gateway for data users is 10.12.10.2/24 and
    for the voice users is 10.12.110.2/24.
    Now the problem is that the users are not able to ping 10.12.110.2 (Call Manager). Please, if somebody can help in this regard, I will appreciate a prompt response to this issue.

    Actually I don't want to insert a new subnet and complicate the network. I need a simple way to solve the problem. Below are the details of the ASA 5520 config.
    ASA Version 8.2(1)
    name x.x.x.x Mobily
    interface GigabitEthernet0/0
     nameif inside
     security-level 99
     ip address 10.12.10.2 255.255.255.0
    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address x.x.x.x 255.255.255.252
    object-group service DM_INLINE_SERVICE_1
     service-object tcp-udp
     service-object ip
     service-object icmp
     service-object udp
     service-object tcp eq ftp
     service-object tcp eq www
     service-object tcp eq https
     service-object tcp eq ssh
     service-object tcp eq telnet
    access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
    access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
    access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
    access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu mgmt 1500
    ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
    ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-641.bin
    asdm history enable
    arp timeout 14400
    global (inside) 2 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 1 Inside-Network 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 Mobily 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http Mgmt-Network 255.255.255.0 mgmt
    http Inside-Network 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet Inside-Network 255.255.255.0 inside
    telnet timeout 5
    ssh Inside-Network 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy RA_VPN internal
    group-policy RA_VPN attributes
     dns-server value 86.51.34.17 8.8.8.8
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value RA_VPN_splitTunnelAcl
    username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
    tunnel-group RA_VPN type remote-access
    tunnel-group RA_VPN general-attributes
     address-pool VPN-Users
     default-group-policy RA_VPN
    tunnel-group RA_VPN ipsec-attributes
     pre-shared-key *
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
    : end

  • Traceroute issue in ASA (not solved by other threads)

    Hello,
    I know this has been going on for a long time, but I'm facing the traceroute issue in the ASA. Weirdly enough, I can reach the destination using traceroute with no problem, but I can't see the path to it. I pasted the result below.
    I also checked my ASA configuration and the only setting that is not present is the "match any " for the "class-map class_default", because when I enter "class-map class_default" I get the following warning:
    ASA(config)# class-map class-default
    ERROR: % class-default is a well-known class and is not configurable under class-map
    Can you guys help me? I posted below the tracert output and the concerned configuration. I can't find the misfit and I already checked most of the configuration forums.
    C:\>tracert www.google.com
    Tracing route to www.google.com [173.194.79.104]
    over a maximum of 30 hops:
      1    <1 ms    <1 ms    <1 ms  10.0.0.1
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.
      6     *        *        *     Request timed out.
      7     *        *        *     Request timed out.
      8     *        *        *     Request timed out.
      9     *        *        *     Request timed out.
     10     *        *        *     Request timed out.
     11     *        *        *     Request timed out.
     12     *        *        *     Request timed out.
     13     *        *        *     Request timed out.
     14     *        *        *     Request timed out.
     15     *        *        *     Request timed out.
     16     *        *        *     Request timed out.
     17     *        *        *     Request timed out.
     18     *        *        *     Request timed out.
     19     *        *        *     Request timed out.
     20     *        *        *     Request timed out.
     21     *        *        *     Request timed out.
     22     *        *        *     Request timed out.
     23   212 ms   212 ms   212 ms  pb-in-f104.1e100.net [173.194.79.104]
    Trace complete.
    ---Router configuration
    icmp unreachable rate-limit 10 burst-size 5
    object-group service ICMP_Return
     service-object icmp echo-reply
     service-object icmp time-exceeded
     service-object icmp traceroute
     service-object icmp unreachable
     service-object icmp6 echo-reply
     service-object icmp6 time-exceeded
     service-object icmp6 unreachable
    access-list IF_outside_access_in remark ICMP Return
    access-list IF_outside_access_in extended permit object-group ICMP_Return any any
    access-group IF_outside_access_in in interface IF_outside
    class-map class_default
    !--- This does not exist -> match any 
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class class-default
      set connection decrement-ttl
    service-policy global_policy global

    Hello, it's not. 10.0.0.1 is my default gateway, a local router.
    Something that is worth mentioning is, traceroute works for other ASA interfaces (DMZ). It only fails for the external interface.
    Look:
    c:\> tracert 10.0.100.50
    Tracing route to webserver.corp.mycompany.com [10.0.100.50]
    over a maximum of 30 hops:
      1     3 ms     3 ms     2 ms  10.0.0.1
      2    <1 ms    <1 ms    <1 ms  10.0.0.2 <- This is the ASA
      3     1 ms     1 ms     1 ms  webserver.corp.mycompany.com [10.0.100.50]
    Trace complete.
    Any ideas?

  • Is there a policy map difference from 8.0 to 9.0?

    We have been testing blocking a few select websites (no web filtering yet) with some of our smaller location ASA's.  Following the document at:
    https://supportforums.cisco.com/docs/DOC-1268
    I have been successful at sites which run ASA's with version 8.0 of the IOS on them, but not with 9.0.  With 9.0 (2) it appears that when you institute the policy map to make it take effect, it blocks all web traffic, not just the ones specified. 
    So, I guess I'm asking, is there that large of a difference between 8.0 and 9.0 that would cause this to no longer work properly?

    You went to the same page I did 7 hours ago. Use the "FILES TYPE EDIT" solution and follow almost all of the instructions...Edit FIREFOX URL, HYPERTEXT TRANSFER PROTOCOL and HYPERTEXT TRANSFER PROTOCOL WITH PRIVACY....It isn't necessary to take the step of "unchecking the "DDE BOX", just follow the instructions to delete the characters in the "DDE Message Box" and the problem is fixed. If you uncheck the "DDE BOX", as instructed, it may come back to bite you.
    Thank you for helping,
    Sel Warren

  • [Trend Micro Ios content filtering] parameter-type command under policy map not available

    Hi, all:
    I'm trying to configure TrendMicro IOS content filtering. I have this working on a separate box, running 15.1.
    On this particular testbed, I have a 2900 running:
    System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T1.bin"
    And the following licensing:
    Technology Package License Information for Module:'c2900'
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot 
    ipbase        ipbasek9      Permanent      ipbasek9
    security      securityk9    Permanent      securityk9
    uc            uck9          Permanent      uck9
    data          datak9        Permanent      datak9
    Configuration register is 0x2102
    CUBE_GOLD_MEX#show ip trm subscription status
           Package Name:  Security & Productivity (Trial)
                 Status:  Active
    Status Update Time:  18:02:51 CST Mon Jul 23 2012
        Expiration-Date:  Mon Aug 20 02:00:00 2012
        Last Req Status:  Processed response successfully
    Last Req Sent Time:  18:02:51 CST Mon Jul 23 2012
    CUBE_GOLD_MEX#
    Also, I have the following config lines on it:
    ip host trps.trendmicro.com 216.104.8.100
    ip name-server 4.2.2.2
    ip cef
    multilink bundle-name authenticated
    parameter-map type urlfpolicy trend tm-pmap
    allow-mode on
    [snip]
    parameter-map type trend-global trend-glob-map
    class-map type inspect match-all http-imap
    match protocol http
    class-map type urlfilter trend match-any drop-category
    match url category Abortion
    match url category Activist-Groups
    match url category Adult-Mature-Content
    match url reputation ADWARE
    match url reputation DIALER
    match url reputation DISEASE-VECTOR
    match url reputation HACKING
    match url reputation PASSWORD-CRACKING-APPLICATIONS
    match url reputation PHISHING
    match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
    match url reputation SPYWARE
    match url reputation VIRUS-ACCOMPLICE
    policy-map type inspect urlfilter trend-policy
    class type urlfilter trend drop-category
    I have not been able to get to the good part of configuring the ZBF.
    I've looked over several configuration examples and can't figure out what I'm doing wrong, since I'm not able to see the command 'parameter-map' under the 'policy-map urlfiltering'
    XXXXXX(config)#policy-map type inspect urlfilter trend-policy
    XXXXXX(config-pmap)#?
    Policy-map configuration commands:
      class        policy criteria
      description  Policy-Map description
      exit         Exit from policy-map configuration mode
      no           Negate or set default values of a command
    XXXXXX(config-pmap)#
    I thought it might be an issue with version 15.2.3, but according to configuration guides, commands are the same.
    Can anyone provide some assistance?
    TIA.
    c.

    Hi Carlos,
    I am having the same problem.  I have seen a few different configuration examples and they all show adding the "parameter type urlfpolicy trend parm-map-name" command but it doesn't exist, at least in 15.2(3)T1 and I see it listed in the IOS documentation for 15.2.  Maybe they forgot it :-)
    I guess I will open a TAC case as I do not want to downgrade...
    I will keep you posted if I find the answer.
    Regards,
    Troy

  • Policy Map Case

    Dears, hi.
    Please, I want to limit input traffic on a c3750 port to 20 Mbps with a policy-map.
    #policy-map A-PM
        # class  A-CM
    #police 20000000 ?
      <8000-1000000>  Normal burst bytes
    #police 20000000 3750000 ?
    % Unrecognized command
    As you know, the normal burst bytes for 20 Mbps is 3750000, so why can't I issue this number?
    PLEASE HELP ME

    Hi Rawa,
    I don't agree that the normal burst size would be 3750000.
    Go through the following links to calculate the correct burst size:
    https://supportforums.cisco.com/thread/151681 and https://learningnetwork.cisco.com/thread/53215
    Thanks
    Ankur
    "Please rate the post if found useful"

  • Policy-map going into suspended mode over a GRE

    Hi
    I have a GRE tunnel over another GRE tunnel. When I apply a nested policy on the child GRE the policy map does not attach; what is the cause? The sho policy-map int Tux/x output showed that it is suspended. I am not making a breakthrough here. The hardware platform is ASR 1001.
    Thanks
    Don

    Download RecBoot. You can kick it out of recovery mode with that. You may have an underlying issue though causing that. A restore may be in order.

  • Policy-Map

    Ok, I am going insane here! I have a policy map on one of my 5k's but not the other, and can't seem to create it either. They are in an active/active pair. Here is the policy; can someone help me understand what it is and maybe why I can't create it on my other device?
    policy-map type control-plane copp-system-policy-customized
    class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 256000 bytes
    class copp-system-class-l3dest-miss
    police cir 64 kbps bc 16000 bytes

    Yes vPC pair. The issue is I enter the commands but they do not show in the running config on one of the two units...
    N5K1
    N5K2
    show policy-map type control-plane
      policy-map type control-plane copp-system-policy-customized
        class copp-system-class-igmp
          police cir 1024 kbps bc 65535 bytes
        class copp-system-class-pim-hello
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bridging
          police cir 20000 kbps bc 4800000 bytes
        class copp-system-class-arp
          police cir 1024 kbps bc 3600000 bytes
        class copp-system-class-dhcp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-mgmt
          police cir 12000 kbps bc 4800000 bytes
        class copp-system-class-lacp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-lldp
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-udld
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-isis
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-msdp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-cdp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-fip
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bgp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-eigrp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-exception
          police cir 64 kbps bc 4800000 bytes
        class copp-system-class-glean
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-hsrp-vrrp
          police cir 1024 kbps bc 256000 bytes
        class copp-system-class-icmp-echo
          police cir 64 kbps bc 3600000 bytes
        class copp-system-class-ospf
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-pim-register
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-rip
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-l3dest-miss
          police cir 64 kbps bc 16000 bytes
        class copp-system-class-mcast-miss
          police cir 256 kbps bc 3200000 bytes
        class copp-system-class-excp-ip-frag
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-same-if
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-ttl
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-default
          police cir 512 kbps bc 6400000 bytes
        class copp-system-class-rpf-fail
          police cir 512 kbps bc 3200000 bytes
        class copp-system-class-mcast-last-hop
          police cir 512 kbps bc 3200000 bytes
      policy-map type control-plane copp-system-policy-default
        class copp-system-class-igmp
          police cir 1024 kbps bc 65535 bytes
        class copp-system-class-pim-hello
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bridging
          police cir 20000 kbps bc 4800000 bytes
        class copp-system-class-arp
          police cir 1024 kbps bc 3600000 bytes
        class copp-system-class-dhcp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-mgmt
          police cir 12000 kbps bc 4800000 bytes
        class copp-system-class-lacp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-lldp
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-udld
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-isis
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-msdp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-cdp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-fip
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bgp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-eigrp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-exception
          police cir 64 kbps bc 4800000 bytes
        class copp-system-class-glean
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-hsrp-vrrp
          police cir 1024 kbps bc 256000 bytes
        class copp-system-class-icmp-echo
          police cir 64 kbps bc 3600000 bytes
        class copp-system-class-ospf
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-pim-register
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-rip
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-l3dest-miss
          police cir 64 kbps bc 16000 bytes
        class copp-system-class-mcast-miss
          police cir 256 kbps bc 3200000 bytes
        class copp-system-class-excp-ip-frag
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-same-if
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-ttl
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-default
          police cir 512 kbps bc 6400000 bytes
        class copp-system-class-rpf-fail
          police cir 512 kbps bc 3200000 bytes
        class copp-system-class-mcast-last-hop
          police cir 512 kbps bc 3200000 bytes
      policy-map type control-plane copp-system-policy-scaled-l2
        class copp-system-class-igmp
          police cir 4096 kbps bc 264000 bytes
        class copp-system-class-pim-hello
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bridging
          police cir 20000 kbps bc 4800000 bytes
        class copp-system-class-arp
          police cir 1024 kbps bc 3600000 bytes
        class copp-system-class-dhcp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-mgmt
          police cir 12000 kbps bc 4800000 bytes
        class copp-system-class-lacp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-lldp
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-udld
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-isis
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-msdp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-cdp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-fip
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bgp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-eigrp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-exception
          police cir 64 kbps bc 4800000 bytes
        class copp-system-class-glean
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-hsrp-vrrp
          police cir 1024 kbps bc 256000 bytes
        class copp-system-class-icmp-echo
          police cir 64 kbps bc 3600000 bytes
        class copp-system-class-ospf
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-pim-register
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-rip
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-l3dest-miss
          police cir 64 kbps bc 16000 bytes
        class copp-system-class-mcast-miss
          police cir 256 kbps bc 3200000 bytes
        class copp-system-class-excp-ip-frag
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-same-if
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-ttl
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-default
          police cir 512 kbps bc 6400000 bytes
        class copp-system-class-rpf-fail
          police cir 512 kbps bc 3200000 bytes
        class copp-system-class-mcast-last-hop
          police cir 512 kbps bc 3200000 bytes
      policy-map type control-plane copp-system-policy-scaled-l3
        class copp-system-class-igmp
          police cir 4096 kbps bc 264000 bytes
        class copp-system-class-pim-hello
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bridging
          police cir 20000 kbps bc 4800000 bytes
        class copp-system-class-arp
          police cir 4000 kbps bc 3600000 bytes
        class copp-system-class-dhcp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-mgmt
          police cir 12000 kbps bc 4800000 bytes
        class copp-system-class-lacp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-lldp
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-udld
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-isis
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-msdp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-cdp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-fip
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bgp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-eigrp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-exception
          police cir 64 kbps bc 4800000 bytes
        class copp-system-class-glean
          police cir 4000 kbps bc 4800000 bytes
        class copp-system-class-hsrp-vrrp
          police cir 1024 kbps bc 256000 bytes
        class copp-system-class-icmp-echo
          police cir 4000 kbps bc 3600000 bytes
        class copp-system-class-ospf
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-pim-register
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-rip
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-l3dest-miss
          police cir 64 kbps bc 16000 bytes
        class copp-system-class-mcast-miss
          police cir 512 kbps bc 3200000 bytes
        class copp-system-class-excp-ip-frag
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-same-if
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-ttl
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-default
          police cir 512 kbps bc 6400000 bytes
        class copp-system-class-rpf-fail
          police cir 512 kbps bc 3200000 bytes
        class copp-system-class-mcast-last-hop
          police cir 512 kbps bc 3200000 bytes
    NEXUS5K001# show policy-map interface control-plane
    Control Plane
      service-policy  input: copp-system-policy-customized
        class-map copp-system-class-igmp (match-any)
          match protocol igmp
          police cir 1024 kbps , bc 65535 bytes
            conformed 834102 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-pim-hello (match-any)
          match protocol pim
          police cir 1024 kbps , bc 4800000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-bridging (match-any)
          match protocol bridging
          police cir 20000 kbps , bc 4800000 bytes
            conformed 184965072 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-arp (match-any)
          match protocol arp
          match protocol nd
          police cir 1024 kbps , bc 3600000 bytes
            conformed 1711299342 bytes; action: transmit
            violated 467458 bytes;
        class-map copp-system-class-dhcp (match-any)
          match protocol dhcp
          police cir 1024 kbps , bc 4800000 bytes
            conformed 96669859 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-mgmt (match-any)
          match protocol mgmt
          police cir 12000 kbps , bc 4800000 bytes
            conformed 3420991988 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-lacp (match-any)
          match protocol lacp
          police cir 1024 kbps , bc 4800000 bytes
            conformed 5003732 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-lldp (match-any)
          match protocol lldp_dcx
          police cir 2048 kbps , bc 4800000 bytes
            conformed 8283269 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-udld (match-any)
          match protocol udld
          police cir 2048 kbps , bc 4800000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-isis (match-any)
          match protocol isis_dce
          police cir 1024 kbps , bc 4800000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-msdp (match-any)
          match protocol msdp
          police cir 9600 kbps , bc 4800000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-cdp (match-any)
          match protocol cdp
          police cir 1024 kbps , bc 4800000 bytes
            conformed 5995146 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-fip (match-any)
          match protocol fip
          police cir 1024 kbps , bc 4800000 bytes
            conformed 7396000 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-bgp (match-any)
          match protocol bgp
          police cir 9600 kbps , bc 4800000 bytes
            conformed 52049287 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-eigrp (match-any)
          match protocol eigrp
          match protocol eigrp6
          police cir 9600 kbps , bc 4800000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-exception (match-any)
          match protocol exception
          police cir 64 kbps , bc 4800000 bytes
            conformed 16415315 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-glean (match-any)
          match protocol glean
          police cir 1024 kbps , bc 4800000 bytes
            conformed 94203992002 bytes; action: transmit
            violated 5920334550 bytes;
        class-map copp-system-class-hsrp-vrrp (match-any)
          match protocol hsrp_vrrp
          match protocol hsrp6
          police cir 1024 kbps , bc 256000 bytes
            conformed 54227844 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-icmp-echo (match-any)
          match protocol icmp_echo
          police cir 64 kbps , bc 3600000 bytes
            conformed 184940591 bytes; action: transmit
            violated 46970 bytes;
        class-map copp-system-class-ospf (match-any)
          match protocol ospf
          match protocol ospf3
          police cir 9600 kbps , bc 4800000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-pim-register (match-any)
          match protocol reg
          police cir 9600 kbps , bc 4800000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-rip (match-any)
          match protocol rip
          police cir 9600 kbps , bc 4800000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-l3dest-miss (match-any)
          match protocol unicast
          police cir 64 kbps , bc 16000 bytes
            conformed 4214 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-mcast-miss (match-any)
          match protocol multicast
          police cir 256 kbps , bc 3200000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-excp-ip-frag (match-any)
          match protocol ip_frag
          police cir 64 kbps , bc 3200000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-excp-same-if (match-any)
          match protocol same-if
          police cir 64 kbps , bc 3200000 bytes
            conformed 17075590565 bytes; action: transmit
            violated 370668351863 bytes;
        class-map copp-system-class-excp-ttl (match-any)
          match protocol ttl
          police cir 64 kbps , bc 3200000 bytes
            conformed 1243144216 bytes; action: transmit
            violated 1611787 bytes;
        class-map copp-system-class-default (match-any)
          match protocol default
          police cir 512 kbps , bc 6400000 bytes
            conformed 157079876 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-rpf-fail (match-any)
          police cir 512 kbps , bc 3200000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-mcast-last-hop (match-any)
          police cir 512 kbps , bc 3200000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
    NEXUS5K001#  show running copp all
    !Command: show running-config copp all
    !Time: Wed Mar 31 13:35:40 2010
    version 6.0(2)N1(2a)
    control-plane
      scale-factor 1.00 module 1
      scale-factor 1.00 module 2
      scale-factor 1.00 module 3
    control-plane
      service-policy input copp-system-policy-customized
    NEXUS5K001#
    Nexus 5000 Switch
    Cisco Nexus Operating System (NX-OS) Software
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2013, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained in this software are
    owned by other third parties and used and distributed under
    license. Certain components of this software are licensed under
    the GNU General Public License (GPL) version 2.0 or the GNU
    Lesser General Public License (LGPL) Version 2.1. A copy of each
    such license is available at
    http://www.opensource.org/licenses/gpl-2.0.php and
    http://www.opensource.org/licenses/lgpl-2.1.php
    NEXUS5K002# show policy-map type control-plane
      policy-map type control-plane copp-system-policy-customized
        class copp-system-class-igmp
          police cir 1024 kbps bc 65535 bytes
        class copp-system-class-pim-hello
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bridging
          police cir 20000 kbps bc 4800000 bytes
        class copp-system-class-arp
          police cir 1024 kbps bc 3600000 bytes
        class copp-system-class-dhcp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-mgmt
          police cir 12000 kbps bc 4800000 bytes
        class copp-system-class-lacp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-lldp
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-udld
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-isis
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-msdp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-cdp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-fip
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bgp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-eigrp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-exception
          police cir 64 kbps bc 4800000 bytes
        class copp-system-class-glean
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-hsrp-vrrp
          police cir 1024 kbps bc 256000 bytes
        class copp-system-class-icmp-echo
          police cir 64 kbps bc 3600000 bytes
        class copp-system-class-ospf
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-pim-register
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-rip
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-l3dest-miss
          police cir 64 kbps bc 16000 bytes
        class copp-system-class-mcast-miss
          police cir 256 kbps bc 3200000 bytes
        class copp-system-class-excp-ip-frag
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-same-if
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-ttl
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-default
          police cir 512 kbps bc 6400000 bytes
        class copp-system-class-rpf-fail
          police cir 512 kbps bc 3200000 bytes
        class copp-system-class-mcast-last-hop
          police cir 512 kbps bc 3200000 bytes
      policy-map type control-plane copp-system-policy-default
        class copp-system-class-igmp
          police cir 1024 kbps bc 65535 bytes
        class copp-system-class-pim-hello
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bridging
          police cir 20000 kbps bc 4800000 bytes
        class copp-system-class-arp
          police cir 1024 kbps bc 3600000 bytes
        class copp-system-class-dhcp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-mgmt
          police cir 12000 kbps bc 4800000 bytes
        class copp-system-class-lacp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-lldp
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-udld
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-isis
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-msdp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-cdp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-fip
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bgp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-eigrp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-exception
          police cir 64 kbps bc 4800000 bytes
        class copp-system-class-glean
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-hsrp-vrrp
          police cir 1024 kbps bc 256000 bytes
        class copp-system-class-icmp-echo
          police cir 64 kbps bc 3600000 bytes
        class copp-system-class-ospf
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-pim-register
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-rip
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-l3dest-miss
          police cir 64 kbps bc 16000 bytes
        class copp-system-class-mcast-miss
          police cir 256 kbps bc 3200000 bytes
        class copp-system-class-excp-ip-frag
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-same-if
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-ttl
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-default
          police cir 512 kbps bc 6400000 bytes
        class copp-system-class-rpf-fail
          police cir 512 kbps bc 3200000 bytes
        class copp-system-class-mcast-last-hop
          police cir 512 kbps bc 3200000 bytes
      policy-map type control-plane copp-system-policy-scaled-l2
        class copp-system-class-igmp
          police cir 4096 kbps bc 264000 bytes
        class copp-system-class-pim-hello
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bridging
          police cir 20000 kbps bc 4800000 bytes
        class copp-system-class-arp
          police cir 1024 kbps bc 3600000 bytes
        class copp-system-class-dhcp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-mgmt
          police cir 12000 kbps bc 4800000 bytes
        class copp-system-class-lacp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-lldp
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-udld
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-isis
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-msdp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-cdp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-fip
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bgp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-eigrp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-exception
          police cir 64 kbps bc 4800000 bytes
        class copp-system-class-glean
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-hsrp-vrrp
          police cir 1024 kbps bc 256000 bytes
        class copp-system-class-icmp-echo
          police cir 64 kbps bc 3600000 bytes
        class copp-system-class-ospf
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-pim-register
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-rip
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-l3dest-miss
          police cir 64 kbps bc 16000 bytes
        class copp-system-class-mcast-miss
          police cir 256 kbps bc 3200000 bytes
        class copp-system-class-excp-ip-frag
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-same-if
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-ttl
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-default
          police cir 512 kbps bc 6400000 bytes
        class copp-system-class-rpf-fail
          police cir 512 kbps bc 3200000 bytes
        class copp-system-class-mcast-last-hop
          police cir 512 kbps bc 3200000 bytes
      policy-map type control-plane copp-system-policy-scaled-l3
        class copp-system-class-igmp
          police cir 4096 kbps bc 264000 bytes
        class copp-system-class-pim-hello
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bridging
          police cir 20000 kbps bc 4800000 bytes
        class copp-system-class-arp
          police cir 4000 kbps bc 3600000 bytes
        class copp-system-class-dhcp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-mgmt
          police cir 12000 kbps bc 4800000 bytes
        class copp-system-class-lacp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-lldp
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-udld
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-isis
          police cir 2048 kbps bc 4800000 bytes
        class copp-system-class-msdp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-cdp
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-fip
          police cir 1024 kbps bc 4800000 bytes
        class copp-system-class-bgp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-eigrp
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-exception
          police cir 64 kbps bc 4800000 bytes
        class copp-system-class-glean
          police cir 4000 kbps bc 4800000 bytes
        class copp-system-class-hsrp-vrrp
          police cir 1024 kbps bc 256000 bytes
        class copp-system-class-icmp-echo
          police cir 4000 kbps bc 3600000 bytes
        class copp-system-class-ospf
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-pim-register
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-rip
          police cir 9600 kbps bc 4800000 bytes
        class copp-system-class-l3dest-miss
          police cir 64 kbps bc 16000 bytes
        class copp-system-class-mcast-miss
          police cir 512 kbps bc 3200000 bytes
        class copp-system-class-excp-ip-frag
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-same-if
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-excp-ttl
          police cir 64 kbps bc 3200000 bytes
        class copp-system-class-default
          police cir 512 kbps bc 6400000 bytes
        class copp-system-class-rpf-fail
          police cir 512 kbps bc 3200000 bytes
        class copp-system-class-mcast-last-hop
          police cir 512 kbps bc 3200000 bytes
    NEXUS5K002# show policy-map interface control-plane
    Control Plane
      service-policy  input: copp-system-policy-customized
        class-map copp-system-class-igmp (match-any)
          match protocol igmp
          police cir 1024 kbps , bc 65535 bytes
            conformed 1099702577173 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-pim-hello (match-any)
          match protocol pim
          police cir 1024 kbps , bc 4800000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-bridging (match-any)
          match protocol bridging
          police cir 20000 kbps , bc 4800000 bytes
            conformed 1117682720167 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-arp (match-any)
          match protocol arp
          match protocol nd
          police cir 1024 kbps , bc 3600000 bytes
            conformed 7392073468 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-dhcp (match-any)
          match protocol dhcp
          police cir 1024 kbps , bc 4800000 bytes
            conformed 1554060880 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-mgmt (match-any)
          match protocol mgmt
          police cir 12000 kbps , bc 4800000 bytes
            conformed 3360293230 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-lacp (match-any)
          match protocol lacp
          police cir 1024 kbps , bc 4800000 bytes
            conformed 1100653025235 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-lldp (match-any)
          match protocol lldp_dcx
          police cir 2048 kbps , bc 4800000 bytes
            conformed 1101335075091 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-udld (match-any)
          match protocol udld
          police cir 2048 kbps , bc 4800000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-isis (match-any)
          match protocol isis_dce
          police cir 1024 kbps , bc 4800000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-msdp (match-any)
          match protocol msdp
          police cir 9600 kbps , bc 4800000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-cdp (match-any)
          match protocol cdp
          police cir 1024 kbps , bc 4800000 bytes
            conformed 1100822976136 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-fip (match-any)
          match protocol fip
          police cir 1024 kbps , bc 4800000 bytes
            conformed 1334982352 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-bgp (match-any)
          match protocol bgp
          police cir 9600 kbps , bc 4800000 bytes
            conformed 55322608 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-eigrp (match-any)
          match protocol eigrp
          match protocol eigrp6
          police cir 9600 kbps , bc 4800000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-exception (match-any)
          match protocol exception
          police cir 64 kbps , bc 4800000 bytes
            conformed 7678996 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-glean (match-any)
          match protocol glean
          police cir 1024 kbps , bc 4800000 bytes
            conformed 22710843199 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-hsrp-vrrp (match-any)
          match protocol hsrp_vrrp
          match protocol hsrp6
          police cir 1024 kbps , bc 256000 bytes
            conformed 12316200612 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-icmp-echo (match-any)
          match protocol icmp_echo
          police cir 64 kbps , bc 3600000 bytes
            conformed 50470007 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-ospf (match-any)
          match protocol ospf
          match protocol ospf3
          police cir 9600 kbps , bc 4800000 bytes
            conformed 3366 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-pim-register (match-any)
          match protocol reg
          police cir 9600 kbps , bc 4800000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-rip (match-any)
          match protocol rip
          police cir 9600 kbps , bc 4800000 bytes
            conformed 12510 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-l3dest-miss (match-any)
          match protocol unicast
          police cir 64 kbps , bc 16000 bytes
            conformed 15136 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-mcast-miss (match-any)
          match protocol multicast
          police cir 256 kbps , bc 3200000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-excp-ip-frag (match-any)
          match protocol ip_frag
          police cir 64 kbps , bc 3200000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-excp-same-if (match-any)
          match protocol same-if
          police cir 64 kbps , bc 3200000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-excp-ttl (match-any)
          match protocol ttl
          police cir 64 kbps , bc 3200000 bytes
            conformed 8531281 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-default (match-any)
          match protocol default
          police cir 512 kbps , bc 6400000 bytes
            conformed 33212075608 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-rpf-fail (match-any)
          police cir 512 kbps , bc 3200000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
        class-map copp-system-class-mcast-last-hop (match-any)
          police cir 512 kbps , bc 3200000 bytes
            conformed 0 bytes; action: transmit
            violated 0 bytes;
    NEXUS5K002# show running copp all
    !Command: show running-config copp all
    !Time: Wed Mar 31 13:38:37 2010
    version 6.0(2)N1(2a)
    control-plane
      scale-factor 1.00 module 1
      scale-factor 1.00 module 2
      scale-factor 1.00 module 3
    policy-map type control-plane copp-system-policy-customized
      class copp-system-class-hsrp-vrrp
        police cir 1024 kbps bc 256000 bytes
      class copp-system-class-l3dest-miss
        police cir 64 kbps bc 16000 bytes
    control-plane
      service-policy input copp-system-policy-customized
    NEXUS5K002#
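To triage output like the two `show policy-map interface control-plane` dumps above, the following added example (not part of the original post) parses that output and ranks the CoPP classes by policer-dropped bytes. The sample is a four-class excerpt of the NEXUS5K001 output on this page; the function names `parse_copp` and `violating_classes` are this example's own.

```python
import re

# Excerpt of the NEXUS5K001 output shown on this page (four classes only).
SAMPLE = """\
Control Plane
  service-policy  input: copp-system-policy-customized
    class-map copp-system-class-arp (match-any)
      match protocol arp
      match protocol nd
      police cir 1024 kbps , bc 3600000 bytes
        conformed 1711299342 bytes; action: transmit
        violated 467458 bytes;
    class-map copp-system-class-glean (match-any)
      match protocol glean
      police cir 1024 kbps , bc 4800000 bytes
        conformed 94203992002 bytes; action: transmit
        violated 5920334550 bytes;
    class-map copp-system-class-excp-same-if (match-any)
      match protocol same-if
      police cir 64 kbps , bc 3200000 bytes
        conformed 17075590565 bytes; action: transmit
        violated 370668351863 bytes;
    class-map copp-system-class-rpf-fail (match-any)
      police cir 512 kbps , bc 3200000 bytes
        conformed 0 bytes; action: transmit
        violated 0 bytes;
"""

CLASS_RE = re.compile(r"^\s*class-map\s+(\S+)")
MATCH_RE = re.compile(r"^\s*match protocol\s+(\S+)")
# The output prints "kbps , bc" with a space before the comma; tolerate both forms.
POLICE_RE = re.compile(r"^\s*police cir\s+(\d+)\s+kbps\s*,?\s*bc\s+(\d+)\s+bytes")
CONFORMED_RE = re.compile(r"^\s*conformed\s+(\d+)\s+bytes")
VIOLATED_RE = re.compile(r"^\s*violated\s+(\d+)\s+bytes")


def parse_copp(text):
    """Return one dict per class-map block found in the command output."""
    classes = []
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = {"name": m.group(1), "protocols": [], "cir_kbps": None,
                       "bc_bytes": None, "conformed": 0, "violated": 0}
            classes.append(current)
            continue
        if current is None:
            continue  # header lines before the first class-map
        m = MATCH_RE.match(line)
        if m:
            current["protocols"].append(m.group(1))
            continue
        m = POLICE_RE.match(line)
        if m:
            current["cir_kbps"] = int(m.group(1))
            current["bc_bytes"] = int(m.group(2))
            continue
        m = CONFORMED_RE.match(line)
        if m:
            current["conformed"] = int(m.group(1))
            continue
        m = VIOLATED_RE.match(line)
        if m:
            current["violated"] = int(m.group(1))
    return classes


def violating_classes(classes):
    """Classes whose policer dropped traffic, largest violated byte count first."""
    report = []
    for c in classes:
        if c["violated"] == 0:
            continue
        total = c["conformed"] + c["violated"]
        report.append({"name": c["name"], "cir_kbps": c["cir_kbps"],
                       "violated": c["violated"],
                       "drop_share": c["violated"] / total})
    report.sort(key=lambda r: r["violated"], reverse=True)
    return report


if __name__ == "__main__":
    for row in violating_classes(parse_copp(SAMPLE)):
        print(f'{row["name"]:<34} cir={row["cir_kbps"]:>5} kbps  '
              f'violated={row["violated"]:>14}  share={row["drop_share"]:.2%}')
```

The counters are cumulative since the last clear, so compare two snapshots taken some time apart to see which classes are still dropping.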

  • NAT issue in ASA 5510

    Hi experts,
    I am using
    Cisco Adaptive Security Appliance Software Version 8.0(4)
    Device Manager Version 6.4(9)
    I configured NAT, but when I use packet tracer in the firewall to see the packet flow, I found that my inside packet is not able to reach the outside interface. I don't understand what the problem is. Should I create an access rule for this, or anything else?
    Please help.
    Regards
    Suhas

    Hi,
    Please find the whole configuration & packet tracer screenshot.
    ASA Version 8.0(4)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 172.16.30.0 outside
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/1
    nameif outside
    security-level 0
    ip address 172.16.30.2 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 0
    ip address 10.10.10.1 255.255.255.0
    boot system disk0:/
    boot system disk0:/asa825-33-k8.bin
    ftp mode passive
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649-103.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 172.16.30.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.10 255.255.255.255 inside
    http 10.10.10.2 255.255.255.255 management
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.1.10 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username cisco password 3USUcOPFUiMCO4Jk encrypted
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
      message-length maximum client auto
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:0fbad53e0533429878e448f1f87415fc
    : end
    ciscoasa(config)#
    This image for INSIDE HOST TO INSIDE INTERFACE
    This image for INSIDE HOST TO OUTSIDE INTERFACE
    This image for INSIDE HOST TO OUTSIDE NEXT HOP INTERFACE

  • Regarding policy map

    Hi Team,
    If we use the following commands for QoS, what is the effect of
    service-policy NIC-QOS-OUT? As I have studied, a service policy is applied under physical interfaces. Here the policy map has been defined and it is again referred to under the Parent-QoS-2.5GIG policy map. So please clarify.
    policy-map NIC-QoS-OUT
    description #### Common Child Policy ####
      class VIDEO&VOICE-OUT
       police cir percent 20
        priority
      class NICNET-OUT
        bandwidth percent 20
        random-detect dscp-based
      class CONTROL-OUT
        bandwidth percent 10
        random-detect dscp-based
      class INTERNET-SURF-OUT
        bandwidth percent 10
        random-detect dscp-based
      class class-default
        random-detect
    policy-map Parent-QoS-2.5GIG
    description #### Parent QoS Policy for 2.5 GIG Link ####
      class class-default
        shape average 2300000000
       service-policy NIC-QoS-OUT
    policy-map NIC-QOS-OUT
    Thanks in advance,
    Naveen

    The two ASA syslogs you posted were both from an internal host to port 80 on an external host. This would indicate that a successful DNS resolution has occurred in these two instances.
    If the cause of your problem is bad DNS lookups, you should see evidence in your AIP-SSM event log of the packets being dropped.
    - Bob

  • Traceback and reload after "sh policy-map type inspect zone-pair"

    Hi all,
    Hitting the issue that the device reloads after issuing "sh policy-map type inspect zone-pair"
    Patrick
    For image:
    Cisco IOS Software, ISR4400 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2014 by Cisco Systems, Inc.
    Compiled Wed 26-Mar-14 21:38 by mcpre
    Uptime = 00:09:36
    Happens in isr4400-universalk9.03.12.00.S.154-2.S-std.SPA.bin and  isr4400-universalk9.03.11.01.S.154-1.S1-std.SPA.bin.
    CMD: 'h policy-map type inspect zone-pair'' 15:25:08 CET Fri May 23 2014
    Exception to IOS Thread:
    Frame pointer 0x7FE738ADCE70, PC = 0x2824D9F
    UNIX-EXT-SIGNAL: Segmentation fault(11), Process = SSH Process
    -Traceback= 1#0f900c654b45d2459c0c267ce51d6164  :400000+2424D9F :400000+974FE12 :400000+974FAB8 :400000+974F5E2 :400000+27A9BB0 :400000+28297C6 :400000+281182C :400000+2810189 :400000+975962A :400000+9759522 :400000+98645DA :400000+975991D :400000+AC061C :400000+ABF735 :400000+ABDAAD :400000+3FCC510
    Fastpath Thread backtrace:
    -Traceback= 1#0f900c654b45d2459c0c267ce51d6164  c:7FE7877A2000+BE012
    Auxiliary Thread backtrace:
    -Traceback= 1#0f900c654b45d2459c0c267ce51d6164  pthread:7FE782EFD000+A7C9

    I believe tracebacks are normally indicative of a bug.  This might be something more suitable to raise with TAC.

  • DMVPN per tunnel QOS. show policy-map multipoint not working

    Hi All,
    I have a DMVPN hub which is a 1841 with image c1841-advsecurityk9-mz.151-4.M1.bin .
    I have been using DMVPN and it's awesome, but now I am trying to get the QoS sorted out and having issues.
    I have configured the interface like so.
    interface Tunnel1
    ip address 10.255.255.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication xxx
    ip nhrp map multicast dynamic
    ip nhrp map group ADSL1 service-policy output ADSL1
    ip nhrp network-id 1
    ip nhrp redirect
    ip tcp adjust-mss 1360
    no ip split-horizon
    ip ospf 1 area 0
    tunnel source Loopback0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel path-mtu-discovery
    tunnel protection ipsec profile VPN
    end
    policy-map ADSL1
    class class-default
      shape average 1000000
      service-policy Classes
    policy-map Classes
    class Silver
      bandwidth percent 25
      fair-queue
    class Gold
      bandwidth percent 50
      fair-queue
    class Scavanger
      bandwidth percent 5
    class class-default
      fair-queue
    The output of show dmvpn detail shows it has applied the QOS rule.
    NG-SR-WE-RT-2#show dmvpn detail
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================
    Interface Tunnel1 is up/up, Addr. is 10.255.255.1, VRF ""
       Tunnel Src./Dest. addr: 10.32.0.100/MGRE, Tunnel VRF ""
       Protocol/Transport: "multi-GRE/IP", Protect "VPN"
       Interface State Control: Disabled
    Type:Hub, Total NBMA Peers (v4/v6): 1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
        1  x.x.x.x    10.255.255.2    UP    1d18h    D    10.255.255.2/32
    NHRP group: ADSL1
    Output QoS service-policy applied: ADSL1
    But my router cannot run show policy-map multipoint... it doesn't come up with a tab, but I can write it in by hand. Even when I write it in by hand, it outputs blank.
    I cut the ADSL1 shape down to 512k and it didn't take effect, so I don't think the QoS is working at all.
    Is my feature set too low?
    Cheers,
    Simon

    Ray,
    There could be multiple reasons for it not to function, the config on hub seems just fine, we'd need to inspect the spokes and check (most likely) in debugs if correct group is being sent from spoke.
    Also coexistence of other service-policy etc etc.
    The feature is quite simple (some level of simplification), spoke says he is in group X when registering, hub assigns this NHRP mapping a service-policy.
    M.
