QoS Class-maps

Trying to understand the class-default for marking.
I have the concept of: identify traffic with ACLs,
classify traffic for marking with class-maps,
mark traffic with policy-maps.
The policy-map will always have a default class for unaccounted traffic.
What I don't quite understand is that there is no class-map called class-default.
When servicing the "policy" the class-maps are referenced as "class A", "class B", "class class-default".
When looking for the matches on class class-default there is no referenced class-map to go to....
I figured I have to accept this logic: if traffic was not specifically matched by the collection of class-maps in the config, IOS can assume the traffic would have been/is class-default.
I had put a config together to classify certain traffic as CS0, like SNMP. I wanted to force traffic there as well as have all unaccounted traffic classified CS0.
But from what I read, if I don't have SNMP matched in any class-map in the config, then this traffic would find itself in
policy-map XXX
 class class-default
  set ip precedence 0
even though class-default does not exist as a class-map.

Hi,
You want to mark some traffic as CS0 and then count that traffic? But you won't know which traffic had CS0 imposed or was natively IPP 0, like all data traffic not specifically marked.
The class class-default exists; just do a show class-map and you'll see it. It is IOS which creates it.
Doing a show policy-map interface will show you which class-map was matched.
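Added example (not from the thread above) of the marking policy the question describes. SNMP is matched explicitly in its own class so its counters stay separate from everything else, while all unmatched traffic still lands in the IOS-created class-default and is marked CS0 there; that separation is what lets you see which traffic had CS0 imposed versus which was unclassified. The ACL, class-map and policy-map names and the interface are assumptions.

```cisco
! Added example, not the original poster's config. Names and interface are assumptions.
ip access-list extended ACL-SNMP
 permit udp any any eq snmp
 permit udp any any eq snmptrap
 permit udp any eq snmp any
!
class-map match-any CM-SNMP
 match access-group name ACL-SNMP
!
policy-map PM-MARK-IN
 class CM-SNMP
  set dscp cs0
 class class-default
  set dscp cs0
!
interface GigabitEthernet0/1
 service-policy input PM-MARK-IN
!
! class-default needs no class-map statement; IOS creates it:
!   show class-map class-default
!   Class Map match-any class-default (id 0)
!      Match any
!
! Per-class counters (SNMP marked in CM-SNMP, everything else in class-default):
!   show policy-map interface GigabitEthernet0/1 input
```

Both classes end up with the same DSCP, but the policy-map counters from `show policy-map interface` now distinguish the SNMP packets from the unclassified remainder, which a single class-default could not do.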

Similar Messages

  • 3850 QoS class-map match-all?

    I would like to create a QoS marking policy that re-marks packets to CS5 if the inbound traffic is SIP *and* it is marked CS3 when it comes in.  I would have expected the configuration listed below to work.  I only found out when I tried to apply the config that, unlike other IOS devices, "class-map match-all" does not exist in 3850 3.3.x code.  It can only do "class-map match-any". Can anyone suggest a work-around config for 3850 to achieve the same end result?
    ip access-list extended ACL-QOS-SIP
     permit tcp any range 5060 5061 any
     permit tcp any any range 5060 5061
    ip access-list extended ACL-QOS-CS3
     permit ip any any dscp cs3
    class-map match-all CM-QOS-CS5
     match access-group name ACL-QOS-CS3
     match access-group name ACL-QOS-SIP
    policy-map PM-QOS-MARKING
     class CM-QOS-CS5
      set ip dscp cs5
    Any suggestions would be appreciated.

    jlkeys, below is the configuration I ended up using to resolve the issue:
    ip access-list extended ACL-QOS-SIP
     permit tcp any range 5060 5061 any dscp cs3
    class-map match-any CM-QOS-CS5
     match access-group name ACL-QOS-SIP
    policy-map PM-QOS-MARKING
     class CM-QOS-CS5
      set ip dscp cs5

  • QoS Class-Map Matching

    Hello,
    When configuring a class-map, I want to match based on DSCP values.  I see that I can configure the match statement either as "match dscp" or "match ip dscp".  The router accepts either one.  Is there a difference between these two, or do they accomplish the same thing?

    Hi,
    "match dscp" matches both IPv4 and IPv6 traffic while "match ip dscp" matches only IPv4 traffic.
    HTH,
    Nagendra

  • Class-map in IOS XR

    Hi, can anyone explain the "sh class-map list type qos" command on XR platforms? Is this command used to know how many types of class-maps are configured in one router?

    It is a useful command to help clean up unused class-maps:
    RP/0/RSP0/CPU0:A9K-BNG#show class-map list type qos
    Thu Sep 12 14:58:56.383 EDT
    1) ClassMap: class1    Type: qos
        Referenced by 3 Policymaps
    2) ClassMap: class3    Type: qos
        Referenced by 2 Policymaps
    In this example the QoS class-maps class1 and class3, which have index 1 and 2 respectively, are used by 3 and 2 policy-maps respectively. Can't remove them.
    I could technically remove this class-map:
    20) ClassMap: v6    Type: qos
        Referenced by 0 Policymaps
    Not used at all.
    regards
    xander

  • Class Map Statistic Dashlet in Cisco Prime Inf. 2.1

    Dear All,
    I installed the demo version of Cisco Prime Infrastructure 2.1 and I saw that there is a specific dashlet to monitor QoS class maps.
    As we have some policy-maps configured, it could be very interesting.
    After a day spent on Google I didn't find how to configure it. I found that CBQoS must be enabled on the switch/router,
    so I did it by entering the following commands:
    snmp-server ifindex persist
    snmp mib persist cbqos
    But nothing. I also deployed the Cisco monitoring template for class map statistics.
    Do I need another command to be entered, or any other device or appliance from Cisco?
    Thanks a lot
    Marc

    PI 1.2 definitely does not include all the regulatory compliance features of LMS. Reference.
    Even though the document says PI 1.2 will do baseline compliance, I haven't figured out how they expect you to do that.

  • Number of class maps (QOS) supported on 7200 and 7600

    Hi,
    Have a few queries on class maps for QoS; putting them forward for your comments/inputs.
    1. Want to know if there are any limitations on the number of class maps (to be applied inbound/outbound) that can be configured on the 7200 and 7600 routers.
    2. Is there any limitation on the number (of class maps) in general, or will it depend on the sum total of BW configured in the classes? I mean, which one will be the deciding factor, i.e. is the limit with respect to the configured classes, or can the number of classes not go beyond the consolidated bandwidth configured on the interface?
    Kindly share details on the same and if there are any recommendations.
    Thanks in advance!

    From: http://www.cisco.com/en/US/tech/tk543/tk545/technologies_q_and_a_item09186a00800cdfab.shtml
    "Q. How many classes does a Quality of Service (QoS) policy support?
    A. In Cisco IOS versions earlier than 12.2 you could define a maximum of only 256 classes, and you could define up to 256 classes within each policy if the same classes are reused for different policies. If you have two policies, the total number of classes from both policies should not exceed 256. If a policy includes Class-Based Weighted Fair Queueing (CBWFQ) (meaning it contains a bandwidth [or priority] statement within any of the classes), the total number of classes supported is 64.
    In Cisco IOS versions 12.2(12),12.2(12)T, and 12.2(12)S, this limitation of 256 global class-maps was changed, and it is now possible to configure up to 1024 global class-maps and to use 256 class-maps inside the same policy-map."

  • QoS - Create class-map while inside policy-map

    The Cisco training notes for CME claim you can create a non-existent class-map while in the policy-map. Here is what the notes say:
    router(config-pmap)#class class-map-name condition
    ? Optionally you can define a new class-map by entering the condition after the name of the new class map
    Does this work?

    If my memory serves me, it was on a 7206VXR running a 12.3 cut. Also, I do recall that the '?' will not present this as an option but it still works...
    Paresh.

  • Policy map/ class map/ service policy for IOS xr

    Hi,
    I need to create a policy-map and class-map/service-policy to limit the amount of bandwidth that can be used on one interface, both in and out.
    I need the cap for the bandwidth traversing this circuit to be 10 Meg.
    the IOS xr version we are using is 4.3.4
    I was hoping someone could help me out by giving me a configuration example I could follow.
    Thank you.

    for instance like this:
    policy-map police-in
     class class-default
      ! optionally add burst values after the rate
      police rate 10 mbps
    policy-map shape-out-parent
     class class-default
      ! optionally add burst values after the rate
      shape average 10 mbps
      service-policy shape-out-child
    policy-map shape-out-child
     class class-default
      queue-limit 10 packets
    interface GigabitEthernet0/0/0/0
     service-policy input police-in
     service-policy output shape-out-parent
    also have a look at CL 2013/2014 (Orlando/San Francisco) ID 2904 for more QoS details
    and the support forum article "asr9000 quality of service architecture"
    xander

  • Default class map is dropping all Packets

    Hello, I have a Cisco 871 router that used to have access-list based security. Now I am trying the ZBFW for the first time.  I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused, especially with the default class part. Any help is greatly appreciated!!!!
    The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QoS once I get it working.
    Guest VLAN has access to 2 IPs in Data for printing.
    Cisco871#sh run
    Building configuration...
    Current configuration : 8005 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service sequence-numbers
    hostname Cisco871
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    no logging console
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    clock summer-time PST recurring
    crypto pki trustpoint TP-self-signed-4004039535
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4004039535
    revocation-check none
    rsakeypair TP-self-signed-4004039535
    crypto pki certificate chain TP-self-signed-4004039535
    certificate self-signed 01
      3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
      32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
      33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
      B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
      147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
      41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
      F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
      551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
      03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
      0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
      092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
      D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
      8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
      E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
      3543BD68 A4B2692D 05CBF6DC C93C8142
                quit
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.0.0.1 10.0.0.5
    ip dhcp excluded-address 172.16.15.1 172.16.15.5
    ip dhcp excluded-address 172.16.15.14
    ip dhcp excluded-address 172.16.17.1 172.16.17.5
    ip dhcp excluded-address 192.168.19.1 192.168.19.5
    ip dhcp pool MyNetNative
       import all
       network 10.0.0.0 255.255.255.248
       default-router 10.0.0.1
       domain-name MyNetNet.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       lease 0 2
    ip dhcp pool MyNetData
       import all
       network 172.16.15.0 255.255.255.240
       dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       default-router 172.16.15.1
       domain-name MyDomain.org
    ip dhcp pool MyNetVoice
       import all
       network 172.16.17.0 255.255.255.240
       dns-server 172.16.15.14
       default-router 172.16.17.1
       domain-name MyDomain.org
    ip dhcp pool MyNetGuest
       import all
       network 192.168.19.0 255.255.255.240
       default-router 192.168.19.1
       domain-name MyNetGuest.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
    ip domain name MyDomain.org
    ip name-server 172.16.15.14
    ip name-server 4.2.2.4
    ip inspect log drop-pkt
    multilink bundle-name authenticated
    parameter-map type inspect TCP_PARAM
    parameter-map type inspect global
    username MyAdmin privilege 15 secret 5 MyPassword
    archive
    log config
      hidekeys
    class-map type inspect match-all MyNetGuest-access-list
    match access-group 110
    class-map type inspect match-any Base-protocols
    match protocol http
    match protocol https
    match protocol ftp
    match protocol ssh
    match protocol dns
    match protocol ntp
    match protocol ica
    match protocol pptp
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all MyNetGuest-Class
    match class-map MyNetGuest-access-list
    match class-map Base-protocols
    class-map type inspect match-all MyNetNet-access-list
    match access-group 100
    class-map type inspect match-any Voice-protocols
    match protocol h323
    match protocol skinny
    match protocol sip
    class-map type inspect match-any Extended-protocols
    match protocol pop3
    match protocol pop3s
    match protocol imap
    match protocol imaps
    match protocol smtp
    class-map type inspect match-all MyNetNet-Class
    match class-map MyNetNet-access-list
    match class-map Voice-protocols
    match class-map Extended-protocols
    match class-map Base-protocols
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    class type inspect MyNetGuest-access-list
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetGuest-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone
    class class-default
      pass
    zone security MyNetNet-zone
    zone security MyNetGuest-zone
    zone security MyNetWAN-zone
    zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
    service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
    service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    interface FastEthernet0
    description Cisco-2849-Switch
    switchport mode trunk
    speed 100
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    description SBS-Server
    switchport access vlan 10
    spanning-tree portfast
    interface FastEthernet4
    description WAN
    no ip address
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    zone-member security MyNetWAN-zone
    ip tcp adjust-mss 1452
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    description MyNetNative
    ip address 10.0.0.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    ip tcp adjust-mss 1452
    interface Vlan10
    description MyNetData
    ip address 172.16.15.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan20
    description MyNetVoice
    ip address 172.16.17.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan69
    description MyNetGuest
    ip address 192.168.19.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetGuest-zone
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    access-list 100 remark MyNetnet
    access-list 100 permit ip 10.0.0.0 0.0.0.7 any
    access-list 100 permit ip 172.16.15.0 0.0.0.31 any
    access-list 100 permit ip 172.16.17.0 0.0.0.15 any
    access-list 110 remark MyNetGuest
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
    access-list 110 permit ip 192.168.19.0 0.0.0.15 any
    control-plane
    banner login ^CC
    You know if you should be here or not.
             if not please leave
    NOW
    ^C
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp server 172.16.15.14
    webvpn cef
    end
    Cisco871#sh zone security
    zone self
      Description: System defined zone
    zone MyNetNet-zone
      Member Interfaces:
        Vlan1
        Vlan10
        Vlan20
    zone MyNetGuest-zone
      Member Interfaces:
        Vlan69
    zone MyNetWAN-zone
      Member Interfaces:
        FastEthernet4
    Cisco871#sh zone-pair security
    Zone-pair name MyNetNet->MyNetGuest
        Source-Zone MyNetNet-zone  Destination-Zone MyNetGuest-zone
        service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
    Zone-pair name MyNetNet->MyNetWAN
        Source-Zone MyNetNet-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetWAN
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetNet
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetNet-zone
        service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
    Cisco871#sh int faste4
    FastEthernet4 is up, line protocol is up
      Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
      Description: WAN
      Internet address is 10.38.177.98/25
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:34:50, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 2000 bits/sec, 3 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         593096 packets input, 73090812 bytes
         Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog
         0 input packets with dribble condition detected
         9940 packets output, 1016025 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out
    Zone-pair: MyNetNet->MyNetWAN
      Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
        Class-map: MyNetNet-Class (match-all)
          Match: class-map match-all MyNetNet-access-list
            Match: access-group 100
          Match: class-map match-any Voice-protocols
            Match: protocol h323
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol skinny
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol sip
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Extended-protocols
            Match: protocol pop3
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pop3s
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imap
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imaps
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol smtp
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Base-protocols
            Match: protocol http
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol https
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ftp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ssh
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol dns
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ntp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ica
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pptp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol icmp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol tcp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol udp
              0 packets, 0 bytes
              30 second rate 0 bps
          Inspect
            Session creations since subsystem startup or last reset 0
            Current session counts (estab/half-open/terminating) [0:0:0]
            Maxever session counts (estab/half-open/terminating) [0:0:0]
            Last session created never
            Last statistic reset never
            Last session creation rate 0
            Maxever session creation rate 0
            Last half-open session total 0
        Class-map: class-default (match-any)
          Match: any
          Drop (default action)
            5196 packets, 256211 bytes
    Cisco871#sh log
    Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering disabled)
    No Active Message Discriminator.
    No Inactive Message Discriminator.
        Console logging: disabled
        Monitor logging: level debugging, 0 messages logged, xml disabled,
                         filtering disabled
        Buffer logging:  level debugging, 1745 messages logged, xml disabled,
                         filtering disabled
        Logging Exception size (4096 bytes)
        Count and timestamp logging messages: disabled
        Persistent logging: disabled
    No active filter modules.
    ESM: 0 messages dropped
        Trap logging: level informational, 1785 message lines logged
    Log Buffer (4096 bytes):
    001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to  policy match failure
    001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to  policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
    001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to  policy match failure
    001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to  policy match failure

    Hello Charlie,
    I would recommend you investigate a little bit more how the ZBFW feature works.
    Now I am going to help you on this one at least, then I will give you a few links you could use to study.
    We are going to study traffic from MyNetNet-zone to the MyNetWAN-zone.
    First the zone-pair:
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
     service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    So let's go to the policy-map:
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
     class type inspect MyNetNet-Class
      inspect
     class class-default
    Finally to the class-map:
    class-map type inspect match-all MyNetNet-Class
     match class-map MyNetNet-access-list
     match class-map Voice-protocols
     match class-map Extended-protocols
     match class-map Base-protocols
    That keyword MATCH-ALL is the one causing the issues!!
    Why?
    Because you are telling the ZBFW to inspect traffic only if it matches all of those class-maps, so a packet will need to match the base protocols and the extended protocols, and as you know that is not possible (just one protocol).
    So here are the links:
    http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
    https://supportforums.cisco.com/thread/2138873
    http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
    You have some work to do.
    Please remember to rate all the helpful posts.
    Julio
    CCSP
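    Added example (not part of Julio's reply or Charlie's posted config) showing the class-map nesting the reply points at. The three protocol class-maps are mutually exclusive for any single packet, so they must be OR-ed inside a match-any wrapper; only that wrapper is then AND-ed with the source-subnet ACL in a match-all class. This is the same pattern the posted config already uses for MyNetGuest-Class. Existing class-map and policy-map names are taken from the posted config; the wrapper name MyNetNet-protocols is an assumption. The class-default of an inspect policy drops by default, so the counters in `show policy-map type inspect zone-pair` are the check that traffic has moved out of class-default.

    ```cisco
    ! Added example, not from the thread. MyNetNet-protocols is an assumed name;
    ! the other names come from the posted running-config.
    !
    ! Broken (as posted): match-all over three protocol classes a packet can
    ! never satisfy at once, so nothing matches and class-default drops it all.
    !
    ! Step 1: OR the protocol classes in a match-any wrapper.
    class-map type inspect match-any MyNetNet-protocols
     match class-map Voice-protocols
     match class-map Extended-protocols
     match class-map Base-protocols
    !
    ! Step 2: AND the source-subnet ACL with the wrapper only.
    ! Remove the old per-protocol matches first, otherwise they stay in the class.
    class-map type inspect match-all MyNetNet-Class
     no match class-map Voice-protocols
     no match class-map Extended-protocols
     no match class-map Base-protocols
     match class-map MyNetNet-access-list
     match class-map MyNetNet-protocols
    !
    ! The policy-map itself is unchanged apart from logging the drops explicitly.
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
     class type inspect MyNetNet-Class
      inspect
     class class-default
      drop log
    !
    ! Verify: sessions should now be created under MyNetNet-Class and the
    ! class-default drop counter should stop climbing.
    !   show policy-map type inspect zone-pair MyNetNet->MyNetWAN
    ```

    The same rewrite applies to MyNetNet-zone_to_MyNetGuest-zone_policy, which references the same class. Keep in mind that Base-protocols already contains `match protocol tcp` and `match protocol udp`, so the wrapper effectively admits any TCP or UDP flow from the inside subnets; tighten that list if the intent is to allow only the named applications.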

  • Class-Map and Policy-Map Configuration in CM Confusion

    Hi,
    I'm implementing a green field WAAS deployment for a customer. We currently have a Proof-of-Concept up and running.
    I've got some questions regarding custom class-map and policy-map configuration in the CM. I'd like to nail-down the custom class-map and policy-map configuration (and understanding) in the PoC before cutting over the PoC branches to the production WAAS environment.
    Assuming a typical WAAS Deployment using WCCP for off-path interception, branch to DC.
     ==> 61 in LAN (BRANCH ROUTER) <== 62 in WAN        (WAN CLOUD)        ==> 61 in WAN (DC ROUTER) <== 62 in LAN
    We are using two distinct device groups, BRANCH and DATA CENTER.
    If the customer has traffic that we need to classify in order to provide TFO only optimisation, should the single class-map include the traffic in both directions? Ie., (assume the SERVER is 10.1.1.1 TCP Port 443). Should the class-map be configured as:
    Class-Map
    Line 1: DST IP 10.1.1.1 DST Port 443
    Line 2: SRC IP 10.1.1.1 SRC Port 443
    Or in this case is only the DST line required? And in which Device Group should the custom policy be applied? Or should it be applied to both Device Groups? If it should be applied to both Device Groups, then would it make more sense to have the policy-map in the Branch DG configured to match the DST traffic, and on the Data Center DG have a different class-map match the SRC traffic?
    My confusion is how to classify the traffic (SRC or DST or Both - Separate classes for each or different lines within the same class-map), and where to apply the appropriate policy (both Device Groups, just Branch, just DC) and why...
    I tried to apply a custom policy and the impact in the PoC was that the TCP Summary report stopped reporting the individual traffic classes and showed 'other traffic' only. Can anyone explain why this may have occurred?
    I hope this makes sense.

  • How to get OIDs of indexes for class-map ?

    I have a policy-map configured on a Cisco router with some class-maps inside. I need to draw a graph of traffic passing through these classes. To make the graphs I use Cacti, which uses SNMP queries to draw the graphs (object name cbQosObjectsIndex).
    How do I get the OIDs of the class-map indexes?
    I tried to do this by following query:
    #snmpwalk -c community_string -v 2c 192.168.0.252 1.3.6.1.4.1.9.9.166.1.5.1.1.1
    but the answer was:
    iso.3.6.1.4.1.9.9.166.1.5.1.1.1 = No Such Object available on this agent at this OID
    The information i need is contained at the OID 1.3.6.1.4.1.9.9.166.1.15.1.1.7:
    # snmpwalk -c community_string -v 2c 192.168.0.252 1.3.6.1.4.1.9.9.166.1.15.1.1.7
    iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.1277 = Gauge32: 0
    iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.13363 = Gauge32: 0
    iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.13383 = Gauge32: 0
    iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.13435 = Gauge32: 734000
    iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.13481 = Gauge32: 233000

    Because 1.3.6.1.4.1.9.9.166.1.5.1.1.1 is marked "non-accessible" according to http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=cbQosObjectsIndex
    You'll need to obtain the indices as explained in this blog post:
    http://pierky.wordpress.com/2009/04/09/cisco-class-based-qos-snmp-mib-and-statistics-monitor-for-nms/
    Joe wrote a very illustrative post on the subject of snmptables: https://supportforums.cisco.com/message/3051004#3051004
    And if your IOS supports it, you would want to configure the following to keep the indices from changing after every reboot or OIR:
    "snmp mib persist cbqos"

  • IPv6 class-map or IOS problem

    Hello, sorry because of my bad English at first,
    I have a problem with my IPv6 ACL, IPv6 Class-map or IOS I'm not sure so I'm asking you.
    I have one 1721 router with one Ethernet and one FastEthernet interface, on Fa interface is 3 subinterfaces, and Eth interface is connected to 10 Mbps link to another 1721 router. I'm working on QoS for VoIPv6. My softphone emulator address is FEC2::1/64.
    This is my configuration:
    class-map match-any v6
       match access-group name v6
      policy-map v6
       class v6
        set ip dscp ef
    ipv6 access-list v6 permit FEC2::/64 any
    Question is, why is output of command show policy-map interface Fa0/0 showing that not a single one packet of IPv6 is not beeing marked:
    R1#sho policy-map interface fa0
      FastEthernet0
       Service-policy input: v6
         Class-map: v6 (match-any)
           0 packets, 0 bytes
           5 minute offered rate 0 bps, drop rate 0 bps
           Match: access-group name v6
             0 packets, 0 bytes
             5 minute rate 0 bps
           QoS Set
            ip dscp ef
               Packets marked 0
         Class-map: class-default (match-any)
           92 packets, 9134 bytes
           5 minute offered rate 0 bps, drop rate 0 bps
           Match: any
    This exact configuration, with IPv4 is working fine. My IOS version is c1700-y-mz.122-11.T11.bin
    If IOS version is too old, can you tell my what version will work so I can purchase it?
    Thanks

    If you are thinking of IPv6 prefix I tried everything. From /128 for single host to /64, nothing works.

  • Match-any or Match All For Class-map On Nexus?

    I have an access-list MANAGEMENT
      permit udp any eq snmp any
      permit udp any any eq snmp
      permit tcp any any eq telnet
      permit tcp any eq telnet any
      permit tcp any any eq 22
      permit tcp any eq 22 any
    My question is: does it matter if I use a match-any or match-all? I want to match anything in the access-list to classify the traffic correctly.
    class-map type qos match-any MANAGEMENT
      match access-group name MANAGEMENT
    Or
    class-map type qos match-all MANAGEMENT
      match access-group name MANAGEMENT
    I understand a match-any is an or and a match-all is an and function. Does this apply to an access-list for a class-map?
    Thanks

    It applies to match statements within the class map. In your case, you're only using one match statement, so there will be no difference between match-all and match-any, no matter how many entries are in the ACL. If your class map had two different ACLs in two different match statements, then the and/or logic of match-all and match-any would come into play.
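    The evaluation order the reply describes, modelled in Python as an added example (not Nexus code): the or-logic between ACL entries lives inside the access-group match, and the class-map mode only combines whole match statements. The ACL is the MANAGEMENT list from the question with "any" written as None; the sample packets are constructed.

```python
"""Model of how a class-map combines its match statements. Added example,
not Nexus code: the ACL is the MANAGEMENT list from the question, and the
packets are constructed. The ACL wildcards ("any") are written as None."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Entry = Tuple[str, Optional[int], Optional[int]]   # (proto, src port, dst port)


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int


# ip access-list MANAGEMENT from the post: six permit entries, no explicit deny.
MANAGEMENT: List[Entry] = [
    ("udp", 161, None), ("udp", None, 161),     # snmp, either direction
    ("tcp", None, 23), ("tcp", 23, None),       # telnet, either direction
    ("tcp", None, 22), ("tcp", 22, None),       # ssh, either direction
]


def acl_matches(acl: List[Entry], pkt: Packet) -> bool:
    """'match access-group' is true when ANY entry hits (first match wins), so the
    or-logic between ACL entries is inside the ACL, not in the class-map mode."""
    return any(proto == pkt.proto and sp in (None, pkt.sport) and dp in (None, pkt.dport)
               for proto, sp, dp in acl)


def class_map(mode: str, *matches: Callable[[Packet], bool]) -> Callable[[Packet], bool]:
    """match-any ORs the class-map's match statements; match-all ANDs them."""
    combine = any if mode == "match-any" else all
    return lambda pkt: combine(m(pkt) for m in matches)


SAMPLE = [Packet("udp", 40001, 161), Packet("tcp", 22, 40002),
          Packet("tcp", 40003, 443), Packet("udp", 40004, 53)]   # constructed packets


def one_match_statement_is_mode_independent() -> bool:
    """The poster's case: a single 'match access-group name MANAGEMENT' line."""
    acl = lambda p: acl_matches(MANAGEMENT, p)
    return all(class_map("match-any", acl)(p) == class_map("match-all", acl)(p) for p in SAMPLE)


def two_match_statements_diverge() -> Tuple[int, int]:
    """Two ACLs in two match lines: match-any is the union, match-all the intersection."""
    snmp = lambda p: acl_matches(MANAGEMENT[:2], p)
    ssh = lambda p: acl_matches(MANAGEMENT[4:], p)
    hits_any = sum(class_map("match-any", snmp, ssh)(p) for p in SAMPLE)
    hits_all = sum(class_map("match-all", snmp, ssh)(p) for p in SAMPLE)
    return hits_any, hits_all   # (2, 0): no packet is both SNMP and SSH
```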

  • Total drops for class-map class-default

    Hi,
    I have a gigabit ethernet interface on a 2951 configured with 4x sub interfaces providing connectivity to our four WAN sites. Each sub interface services a 100mb connection to another site.
    I have configured a QoS policy and attached to each sub interface with the primary function of limiting each sub interface to 100mbs. I am now seeing drops (total drops) on the class default and not sure why. I would not expect to see any drops on this interface as it never even reaches 15mb (15%) capacity.
    Any ideas?
            Class-map: class-default (match-any)
              175934881 packets, 95319007968 bytes
              5 minute offered rate 23000 bps, drop rate 0000 bps
              Match: any
              queue limit 64 packets
              (queue depth/total drops/no-buffer drops) 0/340/0
              (pkts output/bytes output) 314212026/180287074028
    policy-map PM-Branch-QoS
     class CM-OAM
      set dscp af11
     class CM-Network
      set dscp cs6
     class CM-VC
      bandwidth percent 5
     class CM-Citrix
      set dscp af21
     class CM-CAPWAP
      set dscp af22
    policy-map PM-WAN
     class class-default
      shape peak 100000000
      service-policy PM-Branch-QoS

    Disclaimer
    The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.
    Liability Disclaimer
    In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.
    Posting
    I would not expect to see any drops on this interface as it never even reaches 15mb (15%) capacity.
    Your expectations might be incorrect.  Often percentage of bandwidth capacity measurements are misunderstood.
    Let's assume your ingress is 100 Mbps.  Let's also assume you're measuring over a five minute period.  Lastly, assume the ingress transmits at 100% for 1 minute and then stops for 4 minutes.  Bandwidth utilization across the 1 minute would be 100% and 0% for the other 4 minutes, but it would be 20% for the 5 minutes.
    But if the 100 Mbps was sent at 100% for each 12 seconds, and not sent for each 48 seconds, 5 minute utilization would still be 20% but unlike the prior 1 minute stats of 100% and 0%, each minute would now also be 20%.
    So these first two examples show how bandwidth utilization doesn't reveal what's happening within the measured time period.
    Since ingress was the same bandwidth as egress, in the above, there would be no queuing.
    If ingress is gig, though, suppose gig ingress arrives for 6 seconds and stops for a remaining 4 minutes and 54 seconds.  This too would measure as 20% usage across 5 minutes, but since it will take 60 seconds to transmit the same traffic at 100 Mbps, packets will need to be queued.  If queuing buffers are insufficient to hold all the packets, some will be dropped.
    The above is a long way of saying, if your ingress rate exceeds your egress rate, there can be a need to queue packets, and if queuing is insufficient, packets will be dropped, this even if utilization is "low".  Most likely, you have occasional "bursts" if ingress bandwidth exceeds the egress bandwidth.
    From your actual stats, the drop rate percentage is so low, you might not need to concern yourself with the few drops you're seeing.  If it is a concern, you might be able to reduce the drop rate by increasing egress buffering, but doing so also increases egress queuing delay.
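    The reply's thought experiment run as a small simulation, added here as an example and not taken from the poster's router: a 5-minute window, a 100 Mbps egress and the 64-packet queue limit from the counters above. Two bursts that both average 20% utilisation are fed through a tail-drop FIFO; only the gigabit burst produces drops.

```python
"""Burst-versus-average model for the class-default drops above. Added example, not
the poster's router: the numbers are the reply's thought experiment (100 Mbps egress,
a 5-minute window, and the 64-packet queue limit shown in the counters)."""
from dataclasses import dataclass


@dataclass
class QueueStats:
    util_pct: float   # offered load over the whole window, what a 5-minute counter reports
    max_depth: int    # deepest the egress queue got during the burst
    drops: int        # tail drops once depth reached the queue limit


def simulate(ingress_bps: float, egress_bps: float, burst_s: float, window_s: float,
             queue_limit: int = 64, pkt_bytes: int = 1500, step_s: float = 0.001) -> QueueStats:
    """One ingress burst of burst_s seconds into a tail-drop FIFO drained at egress_bps."""
    pkt_bits = pkt_bytes * 8
    arrive_credit = depart_credit = 0.0          # fractional packets carried between steps
    depth = max_depth = drops = 0
    for i in range(int(round(window_s / step_s))):
        t = i * step_s
        if t >= burst_s and depth == 0:
            break                                # burst over and queue drained: nothing left to do
        if t < burst_s:
            arrive_credit += ingress_bps * step_s / pkt_bits
        depart_credit += egress_bps * step_s / pkt_bits
        while arrive_credit >= 1.0:              # enqueue arrivals, tail-dropping at the limit
            arrive_credit -= 1.0
            if depth < queue_limit:
                depth += 1
            else:
                drops += 1
        max_depth = max(max_depth, depth)
        while depart_credit >= 1.0 and depth > 0:   # then transmit at line rate
            depart_credit -= 1.0
            depth -= 1
        if depth == 0:
            depart_credit = min(depart_credit, 1.0)  # an idle link cannot bank transmit credit
    offered_bits = min(burst_s, window_s) * ingress_bps
    return QueueStats(100.0 * offered_bits / (egress_bps * window_s), max_depth, drops)


if __name__ == "__main__":
    # Both cases report 20% five-minute utilisation; only the second one drops packets.
    print(simulate(100e6, 100e6, burst_s=60, window_s=300))   # ingress == egress: no queueing
    print(simulate(1e9, 100e6, burst_s=6, window_s=300))      # gig burst into 100 Mbps: drops
```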

  • Policer with IPv6 class-map on Catalyst 3750

    Hi,
    I've the following problem.
    It's my goal to ratelimit incoming IPv6 traffic dependent on the destination IP address range.
    On a Catalyst 3750 (Image: c3750-ipservicesk9-mz.122-55.SE1.bin) I've set up the configuration as follows:
    mls qos
    ipv6 access-list DESTINATION-RANGE-A
     permit ipv6 any 2007::/16
    ipv6 access-list DESTINATION-RANGE-B
     permit ipv6 any 2B03::/16
    class-map match-all A
     match access-group name DESTINATION-RANGE-A
    class-map match-all B
     match access-group name DESTINATION-RANGE-B
    policy-map RL-POLICY
     class A
      police 2000000 8000 exceed-action drop
     class B
      police 6000000 8000 exceed-action drop
    interface GigabitEthernet1/0/7
     switchport access vlan 90
     load-interval 30
     service-policy input RL-POLICY
    The last CLI command, which should bind the policy to the specific interface, leads to the following error message:
    QoS: class(A) IPv6 class not supported on interface GigabitEthernet1/0/7
    Are hardware/software limitations the reason for this behavior or is there any misconfiguration?
    Thanks in advance for your help!
    Regards,
    Jens
