Policy-map on tunnel or physical interface?

Hi all,
I have a 3800 headend router which has a number of ipsec tunnels to remote office sites. Our current QoS design applies a policy-map to each tunnel interface to prioritise and shape outbound traffic.
My question is how does the physical egress interface queue and transmit traffic from tunnel interfaces with this design? For example, if a mixture of large data packets and voice packets from different tunnel interfaces hit the physical interface around the same time what will happen to the voice packets?
Furthermore, would it be better to apply the policy-map to the physical interface instead of the tunnel interfaces? What advantages, if any, would this bring?
Many thanks.

If you're shaping each tunnel to the outbound physical bandwidth, yes it would be better to just have the policy, without any shaping, on the physical interface. Again, you'll either need to depend on a copied ToS value in the outbound packet or use qos pre-classify. (A single physical policy would be much like your QUEUE_DATA if using qos pre-classify.)
e.g.
!assumes qos-preclassify
interface Ethernet0
 service-policy output QUEUE_DATA
What I thought you might be doing, and you could also do, was shape each tunnel to the far side's ingress bandwidth. This would require a distinct policy, if the shaper values change, for every tunnel interface, or a policy on the physical interface that has a class per tunnel (matches against tunnel destination address).
e.g.
!assume local outbound interface not oversubscribed
policy-map NESTED_QOS_512K
 class class-default
  shape average 512000
  service-policy QUEUE_DATA
policy-map NESTED_QOS_768K
 class class-default
  shape average 768000
  service-policy QUEUE_DATA
policy-map NESTED_QOS_1500K
 class class-default
  shape average 1500000
  service-policy QUEUE_DATA
interface Tunnel1
 service-policy output NESTED_QOS_768K
interface Tunnel2
 service-policy output NESTED_QOS_512K
interface Tunnel3
 service-policy output NESTED_QOS_1500K
interface Tunnel4
 service-policy output NESTED_QOS_512K
e.g.
!assume local outbound interface not oversubscribed
!TUNNEL1_DST and TUNNEL2_DST are placeholder names for extended ACLs that match each tunnel's destination address
class-map match-all Tunnel1
 match access-group name TUNNEL1_DST
class-map match-all Tunnel2
 match access-group name TUNNEL2_DST
policy-map outbound_tunnels
 class Tunnel1
  shape average 768000
  service-policy QUEUE_DATA
 class Tunnel2
  shape average 512000
  service-policy QUEUE_DATA
interface Ethernet0
 service-policy output outbound_tunnels
If all the far side bandwidths exceed your local outbound physical bandwidth, then you should have both tunnel policies, that shape each tunnel, and a physical interface policy.
e.g.
!assume local outbound interface is oversubscribed
policy-map NESTED_QOS_512K
 class class-default
  shape average 512000
  service-policy QUEUE_DATA
policy-map NESTED_QOS_768K
 class class-default
  shape average 768000
  service-policy QUEUE_DATA
policy-map NESTED_QOS_1500K
 class class-default
  shape average 1500000
  service-policy QUEUE_DATA
interface Tunnel1
 service-policy output NESTED_QOS_768K
interface Tunnel2
 service-policy output NESTED_QOS_512K
interface Tunnel3
 service-policy output NESTED_QOS_1500K
interface Tunnel4
 service-policy output NESTED_QOS_512K
!assumes qos-preclassify
interface Ethernet0
 service-policy output QUEUE_DATA
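The three arrangements the reply describes (policy on the tunnels only, on the physical interface only, or both), as a small queueing model added here to answer the original question of what happens to a voice packet that reaches the physical interface behind other tunnels' data. This is not code from the thread; the link rate, per-tunnel rates, packet sizes and the burst pattern are assumptions.

```python
"""Toy model of the headend egress path discussed in the thread above.

Stage 1 is the per-tunnel shaper (the 'shape average' on each Tunnel
interface, with a voice-first child policy like QUEUE_DATA); stage 2 is the
physical interface, which either sends in plain FIFO order (no policy on the
physical interface) or voice first (QUEUE_DATA on the physical interface with
qos pre-classify). Rates, sizes and timings are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(eq=False)  # eq=False: compare packets by identity, not by field values
class Packet:
    tunnel: int
    cls: str              # "voice" or "data"
    size: int             # bytes
    arrival: float        # seconds: when the packet reaches its Tunnel interface
    release: float = 0.0  # when the tunnel shaper hands it to the physical interface
    depart: float = 0.0   # when the physical interface finishes sending it


def serve(packets: List[Packet], rate_bps: float, voice_first: bool,
          t_in: str, t_out: str) -> None:
    """One transmitter at rate_bps. Packets become eligible at their t_in time;
    the next one sent is the earliest eligible packet (FIFO) or the earliest
    eligible voice packet if there is one (LLQ-style strict priority).
    The completion time is written to attribute t_out."""
    pending = sorted(packets, key=lambda p: getattr(p, t_in))
    t = 0.0
    while pending:
        ready = [p for p in pending if getattr(p, t_in) <= t]
        if not ready:
            t = getattr(pending[0], t_in)  # link idle: jump to next eligible packet
            continue
        if voice_first:
            ready.sort(key=lambda p: (p.cls != "voice", getattr(p, t_in)))
        nxt = ready[0]
        pending.remove(nxt)
        t += nxt.size * 8 / rate_bps      # serialization time at this rate
        setattr(nxt, t_out, t)


def tunnel_stage(packets: List[Packet], tunnel_rates: Dict[int, float],
                 voice_first: bool) -> None:
    """Apply each tunnel's shaper; tunnels absent from tunnel_rates have no policy."""
    groups: Dict[int, List[Packet]] = {}
    for p in packets:
        groups.setdefault(p.tunnel, []).append(p)
    for tun, group in groups.items():
        if tun in tunnel_rates:
            serve(group, tunnel_rates[tun], voice_first, "arrival", "release")
        else:
            for p in group:
                p.release = p.arrival


def build_scenario(n_tunnels: int = 4, data_pkts: int = 8) -> List[Packet]:
    """Constructed burst: every tunnel offers data_pkts 1500-byte data packets at
    t=0 and one 200-byte voice packet 1 ms later, all tunnels at the same time."""
    pkts: List[Packet] = []
    for tun in range(1, n_tunnels + 1):
        pkts.extend(Packet(tun, "data", 1500, 0.0) for _ in range(data_pkts))
        pkts.append(Packet(tun, "voice", 200, 0.001))
    return pkts


# Assumed far-side rates per tunnel (bps); their sum exceeds the 1536 kbps
# physical link, i.e. the oversubscribed case from the reply.
TUNNEL_RATES = {1: 512_000, 2: 768_000, 3: 1_536_000, 4: 512_000}
LINK_BPS = 1_536_000


def max_voice_delay_ms(design: str) -> float:
    """Worst voice packet delay (ms) for one of the three designs in the reply:
    'tunnels-only'  shaped, voice-first policy on each Tunnel, nothing on Ethernet0
    'physical-only' no tunnel policy, voice-first QUEUE_DATA on Ethernet0
    'both'          shaped per-tunnel policies plus QUEUE_DATA on Ethernet0"""
    pkts = build_scenario()
    if design == "physical-only":
        tunnel_stage(pkts, {}, False)
        serve(pkts, LINK_BPS, True, "release", "depart")
    elif design == "tunnels-only":
        tunnel_stage(pkts, TUNNEL_RATES, True)
        serve(pkts, LINK_BPS, False, "release", "depart")
    elif design == "both":
        tunnel_stage(pkts, TUNNEL_RATES, True)
        serve(pkts, LINK_BPS, True, "release", "depart")
    else:
        raise ValueError(f"unknown design {design!r}")
    return max(p.depart - p.arrival for p in pkts if p.cls == "voice") * 1000


if __name__ == "__main__":
    for d in ("tunnels-only", "physical-only", "both"):
        print(f"{d:14s} worst voice delay {max_voice_delay_ms(d):6.1f} ms")
```

With a FIFO physical interface the last voice packet waits behind every other tunnel's shaped data; adding the voice-first policy on Ethernet0 cuts that roughly in half, and the remaining delay is the per-tunnel shaper serializing a 1500-byte packet at 512 kbps. The physical-only design has the lowest delay here only because it ignores the far-side rates, which is why the reply keeps per-tunnel shaping when those differ.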

Similar Messages

  • Policy maps on port-channel sub-interfaces

    We're trying to implement an enterprise QoS policy and I'm wondering how we can apply our QoS policy maps to several different sub-interfaces on a port-channel. In our case, we have both LAN and WAN connections that connect as VLANs on a switch and terminate as sub-interfaces on a port-channel that combines two Gigabit Ethernet interfaces on our router. The LAN connection will need to have an ingress service-policy to classify traffic as it comes from a customer LAN, and the WAN connections will have to have an egress service-policy to place the traffic classes into LLQ and CBWFQ queues as it leaves the router. Could I put both the ingress and egress service-policies on the physical router interface, or should I put them on the port-channel interface? Or should I apply them to the individual sub-interfaces? For example, I could put the ingress classification service-policy on the LAN sub-interface connection.
    Any thoughts or insight would be helpful. Thanks.

    I can't put it as input because :
    gw-a(config-subif)#service-policy input policy_upload                     
    Traffic Shaping feature not supported in input policy.
    Here's a show during a bandwidth test. You can see the offered rate is properly measured and is _way_ above the target shape rate.
    gw-a#show policy-map interface Port-channel 1.2
    Port-channel1.2
      Service-policy output: policy_upload
        Class-map: class-default (match-any)
          624006 packets, 842239036 bytes
          5 minute offered rate 12774000 bps, drop rate 0 bps
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
          shape (average) cir 100000, bc 400, be 400
          target shape rate 100000

  • ACE - Policy map bound to multiple interface

    Hello,
    I have a policy map bound to multiple VLAN interfaces. The policy is pretty standard, any traffic hitting the VIP is load balanced.
    Now, is it ok to assign the same policy map / VIP to multiple VLAN interfaces on a virtual context?
    In addition, I should add that some of the clients hitting the VIP are the servers configured in the serverfarm of the context.
    Basically the requirement here is that the rservers are client and server at the same time.
    The problem I have is that when one of the servers sends an HTTP request to the VIP, the ACE module resets the connection. I can see the dropped conns counter increasing as I generate requests to the ACE.
    Rdgs,
    Thibault.

    Thibault,
    the RESET is probably coming from the server.
    If the server sends a SYN to the VIP, the packet is NATed and forwarded to another server, which sees a packet coming from a neighbor server (not ACE) and sends the SYN/ACK directly to the client (rserver).
    This one is expecting a packet from the VIP and not the server itself and sends a RST.
    You need to enable client nat for server opening connections to the vip.
    Gilles.

  • Regarding policy map

    Hi Team,
    If we use the following commands for QoS, what is the effect of
       service-policy NIC-QOS-OUT, as I have studied that a service policy is applied under physical interfaces. Here the policy map has been defined and is referred to again under the Parent-QoS-2.5GIG policy map. So please clarify.
    policy-map NIC-QoS-OUT
    description #### Common Child Policy ####
      class VIDEO&VOICE-OUT
       police cir percent 20
        priority
      class NICNET-OUT
        bandwidth percent 20
        random-detect dscp-based
      class CONTROL-OUT
        bandwidth percent 10
        random-detect dscp-based
      class INTERNET-SURF-OUT
        bandwidth percent 10
        random-detect dscp-based
      class class-default
        random-detect
    policy-map Parent-QoS-2.5GIG
    description #### Parent QoS Policy for 2.5 GIG Link ####
      class class-default
        shape average 2300000000
       service-policy NIC-QoS-OUT
    policy-map NIC-QOS-OUT
    Thanks in advance,
    Naveen

    The two ASA syslogs you posted were both from an internal host to port 80 on an external host. This would indicate that a successful DNS resolution has occurred in these two instances.
    If the cause of your problem is bad DNS lookups, you should see evidence in your AIP-SSM event log of the packets being dropped.
    - Bob

  • 1 policy-map for more than 1 physical interface

    Hi,
    the situation I want to achieve is that 2 physical interfaces (here 2 TP GigabitEthernet ports of a 3750) are limited together by one 'service-policy'/'policy-map'.
    In the example below I have 2 Ports on one switch and the traffic coming in on both ports in total (traffic port #1 + traffic port #2) should be limited to the 'policy-map 5MBits'.
    Right now I have configured a 3750 with:
    class-map match-all EveryMAC
    match access-group name everythingL2
    policy-map 5MBits
    class EveryMAC
    police 5000000 32768 exceed-action drop
    policy-map TEST
    class EveryMAC
    set dscp default
    mac access-list extended everythingL2
    permit any any
    interface GigabitEthernet1/0/1
    description port #1
    switchport access vlan 123
    switchport mode access
    speed 10
    duplex auto
    interface GigabitEthernet1/0/2
    description port #2
    switchport access vlan 123
    switchport mode access
    speed 10
    duplex auto
    interface Vlan123
    service-policy input TEST
    And at the 'other side' a 2950 works with the following config:
    class-map match-all EveryMAC
    match access-group name everythingL2
    policy-map 5MBits
    class EveryMAC
    police 5000000 32768 exceed-action drop
    mac access-list extended everythingL2
    permit any any
    interface FastEthernet0/1
    description port #A
    switchport access vlan 123
    switchport mode access
    speed 10
    duplex auto
    As far as I can see this seems to work. But it would be nice if someone can confirm this or provide another suggestion.
    thanks in advance
    Mark

    Only thing I can think of is instead of using a MAC ACL, you could just use the default class
    Policy Map Test
    class class-default
    police 56000 8000 exceed-action drop
    Class Map match-any class-default (id 0)
    Match any
    You would be saving a MAC-ACL ;-).

  • DMVPN per tunnel QOS. show policy-map multipoint not working

    Hi All,
    I have a DMVPN hub which is a 1841 with image c1841-advsecurityk9-mz.151-4.M1.bin .
    I have been using DMVPN and it's awesome but now trying to get the QOS sorted out and having issues.
    I have configured the interface like so.
    interface Tunnel1
    ip address 10.255.255.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication xxx
    ip nhrp map multicast dynamic
    ip nhrp map group ADSL1 service-policy output ADSL1
    ip nhrp network-id 1
    ip nhrp redirect
    ip tcp adjust-mss 1360
    no ip split-horizon
    ip ospf 1 area 0
    tunnel source Loopback0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel path-mtu-discovery
    tunnel protection ipsec profile VPN
    end
    policy-map ADSL1
    class class-default
      shape average 1000000
      service-policy Classes
    policy-map Classes
    class Silver
      bandwidth percent 25
      fair-queue
    class Gold
      bandwidth percent 50
      fair-queue
    class Scavanger
      bandwidth percent 5
    class class-default
      fair-queue
    The output of show dmvpn detail shows it has applied the QOS rule.
    NG-SR-WE-RT-2#show dmvpn detail
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================
    Interface Tunnel1 is up/up, Addr. is 10.255.255.1, VRF ""
       Tunnel Src./Dest. addr: 10.32.0.100/MGRE, Tunnel VRF ""
       Protocol/Transport: "multi-GRE/IP", Protect "VPN"
       Interface State Control: Disabled
    Type:Hub, Total NBMA Peers (v4/v6): 1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
        1  x.x.x.x    10.255.255.2    UP    1d18h    D    10.255.255.2/32
    NHRP group: ADSL1
    Output QoS service-policy applied: ADSL1
    but my router cannot run show policy-map multipoint... it doesn't come up with a tab but I can write it in by hand. Even when I write it in by hand it outputs blank.
    I cut the ADSL1 shape down to 512k and it didn't take effect so I don't think the QoS is working at all.
    Is my feature set too low?
    Cheers,
    Simon

    Ray,
    There could be multiple reasons for it not to function, the config on hub seems just fine, we'd need to inspect the spokes and check (most likely) in debugs if correct group is being sent from spoke.
    Also coexistence of other service-policy etc etc.
    The feature is quite simple (some level of simplification), spoke says he is in group X when registering, hub assigns this NHRP mapping a service-policy.
    M.

  • How is a GRE tunnel applied to a physical interface?

    Within a tunnel's configuration we use the commands, source and destination for the tunnel but how does the physical interface know to use the tunnel? Do the tunnel's source settings override the physical interface? If we only configure a tunnel with the correct source would that interface then send all information out encapsulated in GRE?
    If we also configure IPSec on the interface and specify a crypto map to only encrypt the matching traffic, would this matching traffic only use the GRE tunnel, or is all information, regardless of whether it's encrypted in IPSec, also encapsulated in GRE?
    Also, I read here: https://supportforums.cisco.com/docs/DOC-3067
    "Bind crypto map to the physical (outside) interface if you are running Cisco IOS Software Release 12.2.15 or later. If not, then the crypto map must be applied to the tunnel interface as well as the physical interface."
    Why was it necessary to apply the crypto map to both the physical and tunnel interfaces, and why is it not necessary with newer IOS versions?
    Thanks for any help!  -mark

    Mark Mattix wrote: I did some reading on EIGRP and is it correct that the EIGRP Header and Payload (TLV) are encapsulated in an IP packet and addressed to the address 224.0.0.10? Is this the reason why multicast traffic must be encapsulated first in GRE to travel over the internet? Olivier Pelerin> This is correct
    When I set up a site to site VPN using GRE tunnels and an IPSec config on the interfaces would this be considered, IPSec over GRE, or GRE over IPSec? I don't understand that difference.
    Olivier Pelerin> See the diagram below - this explains GRE over IPSEC. That's a diagram I did here for a training
    On the example packet I posted above, is the public address that's routed over the internet part of the IPSec packet/suite? I guess a better question is, what portions of the packet make up IPSec and which portion is just regular IPv4 addressing?
    Olivier Pelerin> the diagram below should answer that
    I've been wrong in thinking that GRE and IPSec go hand in hand when in fact it's possible to only use IPSec and no type of tunnel. If IPSec is set up on the interfaces and the tunnels are configured at both end points, what does your information first get encapsulated by, GRE or IPSec? In your example packet format Olpeleri, it looks like the IP packet is first encapsulated in GRE then encapsulated by IPSec. Is this correct? If so, when information leaves our LAN and heads to the internet, does it first go through the tunnel to be encapsulated by GRE then out the physical link that adds the IPSec encapsulation?
    Olivier Pelerin> Correct. GRE first then encryption
    Sorry for all these questions, I'm just trying to learn how this works! Thanks again for the help!
    [diagram of GRE over IPSec not reproduced; legend: red = encrypted]

  • Policy-map input on an interface VLAN

    Hi there,
    I have a problem with a policy-map on an interface VLAN on my Cisco 6509-E.
    The switch has the IOS Version 12.2(33)SXI10, RELEASE SOFTWARE (fc2).
    I have configured this policy-map:
    policy-map PM-10Mbit
      class class-default
       police cir 10000000 bc 1875000 be 3750000 conform-action transmit exceed-action drop violate-action drop
     I bind this map on a physical interface
    interface GigabitEthernet2/2
     description <removed>
     ip vrf forwarding <removed>
     ip address <removed>
     ip access-group <removed> out
     service-policy input PM-10Mbit
     service-policy output PM-10Mbit
    and get this result:
    show policy-map interface
    GigabitEthernet2/2
      Service-policy input: PM-10Mbit
        class-map: class-default (match-any)
          Match: any
          police :
            10000000 bps 1875000 limit 1875000 extended limit
          Earl in slot 5 :
            6428065284 bytes
            5 minute offered rate 14696 bps
            aggregate-forwarded 6294160565 bytes action: transmit
            exceeded 133904719 bytes action: drop
            aggregate-forward 584 bps exceed 0 bps
      Service-policy output: PM-10Mbit
        class-map: class-default (match-any)
          Match: any
          police :
            10000000 bps 1875000 limit 1875000 extended limit
          Earl in slot 4 :
            10335145381 bytes
            5 minute offered rate 21536 bps
            aggregate-forwarded 10142894661 bytes action: transmit
            exceeded 192250720 bytes action: drop
            aggregate-forward 128 bps exceed 0 bps
          Earl in slot 5 :
            263335780 bytes
            5 minute offered rate 176 bps
            aggregate-forwarded 263335780 bytes action: transmit
            exceeded 0 bytes action: drop
            aggregate-forward 448 bps exceed 0 bps
    But when I bind it on an interface VLAN I see no incoming traffic:
    show policy-map interface
    Vlan1012
      Service-policy input: PM-100Mbit
        class-map: class-default (match-any)
          Match: any
          police :
            100000000 bps 18750000 limit 18750000 extended limit
          Earl in slot 4 :
            0 bytes
            30 second offered rate 0 bps
            aggregate-forwarded 0 bytes action: transmit
            exceeded 0 bytes action: drop
            aggregate-forward 0 bps exceed 0 bps
          Earl in slot 5 :
            0 bytes
            30 second offered rate 0 bps
            aggregate-forwarded 0 bytes action: transmit
            exceeded 0 bytes action: drop
            aggregate-forward 0 bps exceed 0 bps
      Service-policy output: PM-100Mbit
        class-map: class-default (match-any)
          Match: any
          police :
            100000000 bps 18750000 limit 18750000 extended limit
          Earl in slot 4 :
            1005376843668 bytes
            30 second offered rate 33016448 bps
            aggregate-forwarded 1005362388151 bytes action: transmit
            exceeded 14455517 bytes action: drop
            aggregate-forward 30943792 bps exceed 0 bps
          Earl in slot 5 :
            1828318775 bytes
            30 second offered rate 1296 bps
            aggregate-forwarded 1828318775 bytes action: transmit
            exceeded 0 bytes action: drop
            aggregate-forward 1272 bps exceed 0 bps
    Is this a bug or am I doing something wrong here?

    Hello
    As I understand it, this command is required with mls qos because an SVI (L3 VLAN interface) runs in VLAN-based mode, which differs from normal L3 routed interfaces, which run in interface mode.
    As per Cisco: "In VLAN-based mode, the policy map that is attached to the Layer 2 interface is ignored, and QoS is driven by the policy map that is attached to the corresponding VLAN interface."
    Lastly regards
    Try matching on all traffic incoming on the trunk interface on that switch for it to successfully police incoming traffic:
    class-map V102
    match input-interface x/x
    Policy-map POLICE
    class V102
    Police xxxx xxxx
    res
    Paul

  • Show policy-map interface | Question about QOS show command output

    I hope this is the correct place for this question. If not, please let me know.
    When I issue the show policy-map interface command (in this case on a 3845) there is some output I don't understand. I have included some output below and formatted the lines I am confused about as "computer code" which show up as red on my screen. A list of the individual lines I'm confused about is below, followed by those lines in the context of the show policy-map command's output.
    Any help with this will be greatly appreciated. Thanks in advance.
    5 minute offered rate 46000 bps, drop rate 0 bps
     5 minute rate 10000 bps
     bandwidth remaining 50% (768 kbps)
    show policy-map interface
    --- previous output omitted ---
    GigabitEthernet0/0
      Service-policy input: QoS_IN
    class-map: Silver (match-any)
          164691299 packets, 23570752398 bytes
          5 minute offered rate 46000 bps, drop rate 0 bps
          Match: access-group name MAINFRAME
            4371992 packets, 2311242335 bytes
            5 minute rate 0 bps
          Match: access-group name KRONOS
            13334297 packets, 3051409140 bytes
            5 minute rate 5000 bps
          Match: access-group name EMAIL
            97652823 packets, 10323856470 bytes
            5 minute rate 10000 bps
          Match: access-group name VOIP-CONTROL
            20782858 packets, 1481676784 bytes
            5 minute rate 0 bps
          Match: access-group name LOGIXWEB
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: access-group name GRINDLOG
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: access-group name CITRIX
            46895 packets, 14669179 bytes
            5 minute rate 0 bps
          Match: access-group name CORP_WEB
            28502414 packets, 6387897396 bytes
            5 minute rate 4000 bps
          QoS Set
            dscp af31
              Packets marked 164691269
    show policy-map interface s0/0/0:0
    Serial0/0/0:0
      Service-policy output: QoS_OUT
    --- previous output omitted ---
        Class-map: Silver (match-any)
          86590227 packets, 12051546524 bytes
          5 minute offered rate 3000 bps, drop rate 0 bps
          Match: access-group name MAINFRAME
            7641084 packets, 2701232492 bytes
            5 minute rate 0 bps
          Match: access-group name KRONOS
            6975052 packets, 1555404656 bytes
            5 minute rate 0 bps
          Match: access-group name EMAIL
            58438150 packets, 5433636586 bytes
            5 minute rate 3000 bps
          Match: access-group name VOIP-CONTROL
            355083 packets, 41252455 bytes
            5 minute rate 0 bps
          Match: access-group name LOGIXWEB
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: access-group name GRINDLOG
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: access-group name CITRIX
            19 packets, 4967 bytes
            5 minute rate 0 bps
          Match: access-group name CORP_WEB
            13180836 packets, 2320015236 bytes
            5 minute rate 0 bps
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/18156/0
          (pkts output/bytes output) 86421413/12004278837
          bandwidth remaining 50% (768 kbps)

    this is my configuration
    DGMGRL> show configuration
    Configuration
    Name: matrix
    Enabled: YES
    Protection Mode: MaxPerformance
    Databases:
    stdby1 - Primary database
    stdby2 - Physical standby database
    stdby3 - Physical standby database
    Fast-Start Failover: DISABLED
    Current status for "matrix":
    SUCCESS
    --- this is my first successful switchover -----
    DGMGRL> switchover to stdby2
    Performing switchover NOW, please wait...
    New primary database "stdby2" is opening...
    Operation requires shutdown of instance "stdby1" on database "stdby1"
    Shutting down instance "stdby1"...
    ORA-01109: database not open
    Database dismounted.
    ORACLE instance shut down.
    Operation requires startup of instance "stdby1" on database "stdby1"
    Starting instance "stdby1"...
    ORACLE instance started.
    Database mounted.
    Switchover succeeded, new primary is "stdby2"
    -------------------this is my second switchover -------------
    DGMGRL> switchover to stdby1
    Performing switchover NOW, please wait...
    New primary database "stdby1" is opening...
    Operation requires shutdown of instance "stdby2" on database "stdby2"
    Shutting down instance "stdby2"...
    ORA-01109: database not open
    Database dismounted.
    ORACLE instance shut down.
    Operation requires startup of instance "stdby2" on database "stdby2"
    Starting instance "stdby2"...
    Unable to connect to database
    ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
    Failed.
    You are no longer connected to ORACLE
    Please connect again.
    Unable to start instance "stdby2"
    You must start instance "stdby2" manually
    Switchover succeeded, new primary is "stdby1"
    DGMGRL>
    Edited by: user6981287 on Jan 7, 2010 12:57 AM
    Edited by: user6981287 on Jan 7, 2010 1:00 AM

  • Crypto Map on Loopback interface or Physical Interface

    Dear All,
    When we try to apply the crypto map on any physical interface or the loopback interface on WS-6506-E, it is showing the error. But the same I could apply on a VLAN interface. Can anyone explain to me what the issue is..?
    6506(config)#interface loopback 3
    6506(config-if)#crypto map XXXX
    ERROR: Crypto Map configuration is not supported on the given interface
    Any hardware limitation?

    This was proven to break CEF in the past and is a bad design choice by default.
    Newer releases do not allow you to configure this.
    If you're curious if it will work for you check releases prior to 15.x.
    M.

  • Can't apply policy route-map on C3750 stack vlan interface

    Hi All.
    I've come up with this problem and i could see some people have had the same issue. I've tried to overlook and check other replies but it didn't help me. So I'm hoping someone could spot the problem. Here are the details:
    2 x WS-C3750G-24T-E in stack
    Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
    switch#sh sdm prefe
    The current template is "desktop IPv4 and IPv6 routing" template.
    The selected template optimizes the resources in
    the switch to support this level of features for
    8 routed interfaces and 1024 VLANs.
      number of unicast mac addresses:                  1.5K
      number of IPv4 IGMP groups + multicast routes:    1K
      number of IPv4 unicast routes:                    2.75K
        number of directly-connected IPv4 hosts:        1.5K
        number of indirect IPv4 routes:                 1.25K
      number of IPv6 multicast groups:                  1.125k
      number of directly-connected IPv6 addresses:      1.5K
      number of indirect IPv6 unicast routes:           1.25K
      number of IPv4 policy based routing aces:         0.25K
      number of IPv4/MAC qos aces:                      0.5K
      number of IPv4/MAC security aces:                 0.5K
      number of IPv6 policy based routing aces:         0.25K
      number of IPv6 qos aces:                          0.5K
      number of IPv6 security aces:                     0.5K
    There are 2 ISPs, G1/0/1 and G2/0/1. After creating a route-map i can apply a policy route-map to Vlan5 and it accepts without any errors. But when you do sh run vlan5 the command is not there, it's not applied.
    Any help will be appreciated.
    Thanks.

    Hi Jon.
    Thanks for your reply. I didn't put those configs as they're basic without use of VRF and WCCP. Also I've checked or tried to find the list of unsupported commands and didn't see them in that list. See config below with some extras:
    track 11 rtr 1 reachability
    track 22 rtr 2 reachability
    ip routing
    no ip dhcp use vrf connected
    interface GigabitEthernet1/0/1
    description ISP1
    no switchport
    ip address 9.9.9.2 255.255.255.252
    no ip proxy-arp
    no ip mroute-cache
    speed 100
    duplex full
    ipv6 address 2B01:4B8:0:3::2/64
    ipv6 ospf 1 area 0
    no mdix auto
    no cdp enable
    interface GigabitEthernet2/0/1
    description ISP2
    no switchport
    ip address 9.9.9.5 255.255.255.252
    ip ospf cost 10000
    speed 1000
    duplex full
    ipv6 address 2B01:4B8:0:7::2/64
    ipv6 enable
    ipv6 ospf cost 10000
    ipv6 ospf 1 area 0
    interface Vlan5
    description Company Ext Subnet
    ip address 9.9.8.1 255.255.255.128
    no ip proxy-arp
    no ip mroute-cache
    ipv6 address 2B01:4B8:1:22::1/64
    ipv6 ospf 1 area 15
    access-list 111 permit tcp any any eq www
    route-map pbr1 permit 10
    match ip address 111
    set interface GigabitEthernet2/0/1 GigabitEthernet1/0/1
    route-map pbr1 permit 20
    set interface GigabitEthernet1/0/1 GigabitEthernet2/0/1
    route-map pbr2 permit 10
    match ip address 111
    set ip next-hop verify-availability 9.9.9.6 1 track 11
    set ip next-hop 9.9.9.1
    route-map pbr2 permit 20
    set ip next-hop verify-availability 9.9.9.1 1 track 22
    set ip next-hop 9.9.9.6
    I've tried to apply both policies pbr1 and pbr2, it allowed to do that without errors but at the end it wasn't there.
    Cheers,

  • Crypto Map on Tunnel interface

    hi guys, when I try to apply a crypto map on a tunnel interface, the debug is (
    crypto map is configured on tunnel interface.  Currently only GDOI crypto map is supported on tunnel interface )
    why can't I apply a simple crypto map on a tunnel interface? anyone knows?
    thanks

    This was proven to break CEF in the past and is a bad design choice by default.
    Newer releases do not allow you to configure this.
    If you're curious if it will work for you check releases prior to 15.x.
    M.

  • CBWFQ: Question about the output of "show policy-map interface" command

    Hi everyone,
    I have a question about the output of the "show policy-map interface" command.
    The following is the output of this command, and the lower part of the output shows
    (total queued/total drops/no-buffer drops) 0/342/0
    If packet drops occur because there are not enough buffers,
    "no-buffer drops" is counted up. But "no-buffer drops" has not been counted up.
    The "no-buffer drops" is 0 (zero) but "total drops" are counted as 342.
    I guess there are other factors besides "no-buffer drops" that add to "total drops".
    But I cannot find any information about these "other factors".
    So I would like to know the "other factors" added to "total drops".
    reserch-3725#sh policy-map interface fastethernet0/1
    FastEthernet0/1
    Service-policy output: shaping
    Class-map: kdpc (match-all)
    146956873 packets, 115209221595 bytes
    5 minute offered rate 156000 bps, drop rate 0 bps
    Match: access-group name YOKOHAMA_to_CHINO
    Traffic Shaping
         Target/Average   Byte   Sustain   Excess    Interval  Increment
           Rate           Limit  bits/int  bits/int  (ms)      (bytes)
        9360000/9360000   58500  234000    234000    25        29250
         Adapt  Queue     Packets    Bytes       Packets   Bytes       Shaping
         Active Depth                Delayed     Delayed   Active
         -      0         146956724  3539850811  2960247   3851843541  no
    Class-map: class-default (match-any)
    552458414 packets, 249687580329 bytes
    5 minute offered rate 242000 bps, drop rate 0 bps
    Match: any
    Traffic Shaping
         Target/Average   Byte   Sustain   Excess    Interval  Increment
           Rate           Limit  bits/int  bits/int  (ms)      (bytes)
        3072000/3072000   19200  76800     76800     25        9600
         Adapt  Queue     Packets    Bytes       Packets   Bytes       Shaping
         Active Depth                Delayed     Delayed   Active
         -      0         552453209  573909865   30358216  2926188156  no
    Service-policy : policy1
    Class-map: dlsw (match-all)
    979578 packets, 264843255 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: access-group name acl-dlsw
    Queueing
    Output Queue: Conversation 137
    Bandwidth 128 (kbps) Max Threshold 64 (packets)
    (pkts matched/bytes matched) 20922/17371500
    (depth/total drops/no-buffer drops) 0/0/0
    Class-map: telnet (match-all)
    29938 packets, 1806058 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: access-group name acl-telnet
    Queueing
    Output Queue: Conversation 138
    Bandwidth 64 (kbps) Max Threshold 64 (packets)
    (pkts matched/bytes matched) 639/38900
    (depth/total drops/no-buffer drops) 0/0/0
    Class-map: class-default (match-any)
    551448911 packets, 249420939729 bytes
    5 minute offered rate 242000 bps, drop rate 0 bps
    Match: any
    Queueing
    Flow Based Fair Queueing
    Maximum Number of Hashed Queues 128
    (total queued/total drops/no-buffer drops) 0/342/0
    Your information would be appreciated.

    Detailed information regarding show policy-map interface:
    http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a008010dd6a.shtml
    http://www.cisco.com/en/US/tech/tk543/tk760/technologies_tech_note09186a0080108e2d.shtml
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_r/qos_s2g.htm#wp1146884
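An added example, not part of the thread or of the Cisco tech notes linked above: a small parser for the `show policy-map interface` output posted in the question. The point it makes explicit is that `total drops` counts every packet the class's queueing mechanism discarded, which includes tail drops when the queue limit (or, for flow-based fair queueing, the congestive discard threshold) is reached and WRED drops, while `no-buffer drops` is only the subset dropped because no buffer was free. The difference is the "other factors" the question asks about. The parser also flags counters that are purely historic (drops on the books but a current drop rate of 0 bps), which is the situation in the posted output. The sample text is the posted output, trimmed to the lines the parser reads; the nested policy is recognised by its `Service-policy : policy1` line rather than by indentation, since pasted output usually loses it.

```python
import re

# Constructed sample: the 'show policy-map interface fastethernet0/1' output posted
# above, trimmed to the lines the parser reads (indentation does not matter to it).
SAMPLE_OUTPUT = """\
FastEthernet0/1
Service-policy output: shaping
Class-map: kdpc (match-all)
146956873 packets, 115209221595 bytes
5 minute offered rate 156000 bps, drop rate 0 bps
Match: access-group name YOKOHAMA_to_CHINO
Class-map: class-default (match-any)
552458414 packets, 249687580329 bytes
5 minute offered rate 242000 bps, drop rate 0 bps
Match: any
Service-policy : policy1
Class-map: dlsw (match-all)
979578 packets, 264843255 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Bandwidth 128 (kbps) Max Threshold 64 (packets)
(depth/total drops/no-buffer drops) 0/0/0
Class-map: telnet (match-all)
29938 packets, 1806058 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Bandwidth 64 (kbps) Max Threshold 64 (packets)
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
551448911 packets, 249420939729 bytes
5 minute offered rate 242000 bps, drop rate 0 bps
Flow Based Fair Queueing
Maximum Number of Hashed Queues 128
(total queued/total drops/no-buffer drops) 0/342/0
"""

IFACE_RE = re.compile(r"^[A-Za-z-]+\d[\d/.:]*$")
POLICY_RE = re.compile(r"^Service-policy\s*(?:input|output)?\s*:\s*(\S+)")
CLASS_RE = re.compile(r"^Class-map:\s*(\S+)\s*\((match-\w+)\)")
PKTS_RE = re.compile(r"^(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
THRESH_RE = re.compile(r"Max Threshold (\d+) \(packets\)")
DROPS_RE = re.compile(r"\((?:depth|total queued)/total drops/no-buffer drops\)\s*(\d+)/(\d+)/(\d+)")


def parse_policy_map(text):
    """Return one record per class-map, tagged with its interface and policy name
    (a nested 'Service-policy : X' line switches the policy for the classes after it)."""
    records, interface, policy, rec = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if IFACE_RE.match(line):
            interface = line
            continue
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        m = CLASS_RE.match(line)
        if m:
            rec = {"interface": interface, "policy": policy, "class": m.group(1),
                   "match": m.group(2), "packets": 0, "bytes": 0, "offered_bps": 0,
                   "drop_rate_bps": 0, "queue_limit": None, "queued": None,
                   "total_drops": None, "no_buffer_drops": None}
            records.append(rec)
            continue
        if rec is None:
            continue
        for regex, keys in ((PKTS_RE, ("packets", "bytes")),
                            (RATE_RE, ("offered_bps", "drop_rate_bps")),
                            (THRESH_RE, ("queue_limit",)),
                            (DROPS_RE, ("queued", "total_drops", "no_buffer_drops"))):
            m = regex.search(line)
            if m:
                rec.update(zip(keys, map(int, m.groups())))
                break
    return records


def explain_drops(records):
    """Split each queueing class's total drops into no-buffer drops and everything
    else (tail drops at the queue limit / fair-queue discard threshold, WRED), and
    flag counters that are purely historic: drops on the books but a 0 bps drop rate."""
    out = []
    for r in records:
        if r["total_drops"] is None:          # shaping-only classes have no queue counters
            continue
        out.append({"policy": r["policy"], "class": r["class"],
                    "total_drops": r["total_drops"],
                    "no_buffer_drops": r["no_buffer_drops"],
                    "other_drops": r["total_drops"] - r["no_buffer_drops"],
                    "historic_only": r["total_drops"] > 0 and r["drop_rate_bps"] == 0})
    return out


if __name__ == "__main__":
    for d in explain_drops(parse_policy_map(SAMPLE_OUTPUT)):
        print(d)
```

Run against the posted output it reports 342 "other" drops and 0 no-buffer drops for class-default under policy1, with the historic flag set because the 5-minute drop rate is 0 bps: the drops happened at some earlier point, and `clear counters` followed by a re-check is the way to find out whether they are still occurring.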

  • Bandwidth monitoring on physical interface or on tunnel interface?

    Hi All,
    I would like to ask you a question. I am using the SolarWinds monitoring tool for bandwidth monitoring.
    I would like to know which interface we should use for monitoring: the physical interface or the tunnel interface.
    I am using a GRE tunnel at each of my remote locations,
    and in some locations when I compare my physical interface graph and tunnel interface graph there is always a huge difference; the tunnel interface always has higher utilization. But for some sites the physical interface and tunnel interface graphs are the same.
    Please do let me know which is best for monitoring.

    Hi,
    Generally it can be possible due to the bandwidth configuration on the tunnel interface, but there is no harm in monitoring both interfaces; it is generally only a benefit for you, as if the tunnel goes down it will raise an alarm for that as well.
    For exact monitoring of the tunnel interface I would suggest you check VPNTTG (VPN Tunnel Traffic Grapher).
    The advantage of VPNTTG over other SNMP-based monitoring software is the following: other (commonly used) software works with static OID numbers, i.e. whenever a tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data gathered on the connection is lost each time. However, VPNTTG works with the VPN peer's IP address and stores the historical monitoring data for each VPN tunnel in a database.
    Hope that helps with your query!
    If helpful, do rate the valuable post.
    Regards
    Ganesh.H

  • Tunnel interface to physical interface

    Hi All,
    I was wondering if it is possible to build a site-to-site VPN connection with one side using a tunnel interface and the other end using a physical interface.
    My plan is to use a 3945 router and build multiple tunnel interfaces on the router to connect 50 clients. By using tunnel interfaces on the router I could leverage the VRF feature to isolate clients, but if I use a tunnel interface on my end I am not certain whether the tunnel will come up if my client is using 1) an ASA, 2) a PIX, or 3) a VPN concentrator, which doesn't support tunnel interfaces.
    Thanks for your help in advance.
    Lou

    Mark Mattix wrote: I did some reading on EIGRP, and is it correct that the EIGRP header and payload (TLVs) are encapsulated in an IP packet addressed to 224.0.0.10? Is this the reason why multicast traffic must first be encapsulated in GRE to travel over the Internet?
    Olivier Pelerin> This is correct.
    When I set up a site-to-site VPN using GRE tunnels and an IPsec config on the interfaces, would this be considered IPsec over GRE or GRE over IPsec? I don't understand the difference.
    Olivier Pelerin> See the diagram below; this explains GRE over IPsec. That's a diagram I did here for a training.
    In the example packet I posted above, is the public address that's routed over the Internet part of the IPsec packet/suite? I guess a better question is, which portions of the packet make up IPsec and which portion is just regular IPv4 addressing?
    Olivier Pelerin> The diagram below should answer that.
    I've been wrong in thinking that GRE and IPsec go hand in hand, when in fact it's possible to use only IPsec and no type of tunnel. If IPsec is set up on the interfaces and the tunnels are configured at both endpoints, what does your information first get encapsulated by, GRE or IPsec? In your example packet format, Olpeleri, it looks like the IP packet is first encapsulated in GRE and then encapsulated by IPsec. Is this correct? If so, when information leaves our LAN and heads to the Internet, does it first go through the tunnel to be encapsulated by GRE and then out the physical link that adds the IPsec encapsulation?
    Olivier Pelerin> Correct. GRE first, then encryption.
    Sorry for all these questions, I'm just trying to learn how this works! Thanks again for the help!
    [red = encrypted]
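An added example, not part of the thread and not Olivier Pelerin's diagram: the Python below builds, byte for byte, the packet the exchange describes. An EIGRP hello is addressed to the link-local multicast group 224.0.0.10, which the Internet will not route, so it is placed inside a GRE packet between two unicast tunnel endpoints (GRE first); then transport-mode ESP is applied to that GRE packet and the returned layout marks which byte ranges ESP encrypts (the "red" part of the diagram) and which stay in the clear for Internet routing. Tunnel mode would instead prepend a second IP header; only transport mode is modelled here. All addresses, the SPI and the EIGRP bytes are constructed, and the cipher, ESP trailer and ICV are deliberately omitted so the structure stays visible. The same 24 bytes of tunnel IP plus GRE header per packet (and the ESP bytes on top) are also why, in the monitoring thread above, physical-interface and tunnel-interface byte counters never agree exactly.

```python
import socket
import struct

# IANA protocol numbers and the GRE protocol type; everything else is constructed.
PROTO_GRE, PROTO_ESP, PROTO_EIGRP = 47, 50, 88
ETHERTYPE_IPV4 = 0x0800
EIGRP_HELLO = b"\x02\x05" + b"\x00" * 18   # constructed 20-byte EIGRP header, opcode 5 = hello


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; a header carrying a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_gre(lan_src: str, tunnel_src: str, tunnel_dst: str, payload: bytes = EIGRP_HELLO) -> bytes:
    """Step one of GRE over IPsec: wrap the EIGRP packet in GRE."""
    # Inner packet: EIGRP goes to 224.0.0.10, a link-local multicast address the
    # Internet will not forward, hence the unicast GRE wrapper around it.
    inner = ipv4_header(lan_src, "224.0.0.10", PROTO_EIGRP, len(payload)) + payload
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)      # no C/K/S bits: 4-byte GRE header
    # Tunnel IP header: unicast between the public tunnel endpoints, protocol 47.
    outer = ipv4_header(tunnel_src, tunnel_dst, PROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


def decode_gre(packet: bytes) -> dict:
    """Parse tunnel IPv4 + GRE + inner IPv4 from a cleartext GRE packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != PROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % proto)
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000 or ptype != ETHERTYPE_IPV4:    # C, K or S set => longer header
        raise ValueError("GRE options not supported by this decoder")
    inner = packet[ihl + 4:]
    _, _, _, _, _, _, iproto, _, isrc, idst = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    return {"outer_src": socket.inet_ntoa(src), "outer_dst": socket.inet_ntoa(dst),
            "outer_proto": proto, "inner_src": socket.inet_ntoa(isrc),
            "inner_dst": socket.inet_ntoa(idst), "inner_proto": iproto}


def esp_transport_wrap(packet: bytes, spi: int, seq: int):
    """Step two: what transport-mode ESP does to the GRE packet. The tunnel IP header
    stays (its protocol becomes 50), an 8-byte ESP header is inserted, and everything
    after it is encrypted. Cipher, padding, trailer and ICV are left out on purpose:
    the payload stays readable and the returned layout only marks what ESP would hide."""
    ihl = (packet[0] & 0x0F) * 4
    outer, protected = bytearray(packet[:ihl]), packet[ihl:]
    esp_hdr = struct.pack("!II", spi, seq)
    outer[9] = PROTO_ESP
    outer[2:4] = struct.pack("!H", ihl + len(esp_hdr) + len(protected))
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", ip_checksum(bytes(outer)))
    layout = [("tunnel IPv4 header, proto 50 (routed on the Internet)", 0, ihl, False),
              ("ESP header: SPI %#x, seq %d" % (spi, seq), ihl, 8, False),
              ("GRE header", ihl + 8, 4, True),
              ("inner IPv4 -> 224.0.0.10 + EIGRP", ihl + 12, len(protected) - 4, True)]
    return bytes(outer) + esp_hdr + protected, layout


if __name__ == "__main__":
    gre_pkt = build_gre("10.1.1.1", "203.0.113.1", "198.51.100.1")
    print(decode_gre(gre_pkt))
    wire, layout = esp_transport_wrap(gre_pkt, spi=0x1000, seq=1)
    for name, off, ln, enc in layout:
        print("%-55s bytes %2d..%2d %s" % (name, off, off + ln - 1, "ENCRYPTED" if enc else "clear"))
```

The decoder refusing the ESP-wrapped packet (protocol 50, not 47) is the practical answer to "which portion is just regular IPv4 addressing": only the tunnel header is visible to the path, and anything that needs to classify the inner traffic, such as the per-class QoS policies discussed earlier on this page, has to see the packet before this step or rely on a ToS value copied into the outer header.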
