Redirection class overlap on policy-map

Hello.
I was asked to implement some rules and one of them is overlapping the other, I think because it is shorter and it is using the regular expression .*
Regarding the configuration below, I always get redirected to http://SITE1 instead of http://SITE2 when I type www.AAA/fr/pages/AAA/index.php, because the class REDIRECT_NM_LORO_PMUR_CLASS always wins even though it is at the bottom of the policy-map.
Is there some way to order the classes in a policy-map so that they act as an access-list does (from the top to the bottom, stopping the lookup when a match is found)? In other words, make the class REDIRECT_PMUR_RAPPORTS_CLASS be evaluated before REDIRECT_NM_LORO_PMUR_CLASS, which is more generic.
Config example:
rserver redirect REDIRECT_PMUR
  webhost-redirection http://SITE1 301
  inservice
rserver redirect REDIRECT_PMUR_RAPPORTS
  webhost-redirection http://SITE2 301
  inservice
rserver redirect REDIRECT_PMUR_RESULTATS
  webhost-redirection http://SITE3 301
  inservice
serverfarm redirect REDIRECT_NM_LORO_PMUR_FARM
  rserver REDIRECT_PMUR
    inservice
serverfarm redirect REDIRECT_PMUR_RAPPORTS_FARM
  rserver REDIRECT_PMUR_RAPPORTS
    inservice
serverfarm redirect REDIRECT_PMUR_RESULTATS_FARM
  rserver REDIRECT_PMUR_RESULTATS
    inservice
class-map type http loadbalance match-any REDIRECT_NM_LORO_PMUR_CLASS
  4 match http url /fr/pages.*
class-map type http loadbalance match-any REDIRECT_PMUR_RAPPORTS_CLASS
  3 match http url www.AAA/fr/pages/AAA/index.php
class-map type http loadbalance match-any REDIRECT_PMUR_RESULTATS_CLASS
  3 match http url www.BBB/fr/pages/BBB/index.php
policy-map type loadbalance first-match POLICY_REDIRECT_NM_LORO_CAT2_FARM
  class REDIRECT_PMUR_RESULTATS_CLASS
    serverfarm REDIRECT_PMUR_RESULTATS_FARM
  class REDIRECT_PMUR_RAPPORTS_CLASS
    serverfarm REDIRECT_PMUR_RAPPORTS_FARM
  class REDIRECT_NM_LORO_PMUR_CLASS
    serverfarm REDIRECT_NM_LORO_PMUR_FARM
  class class-default
    serverfarm NM_LoRo_CAT2_FARM
Thank you very much,
Miquel

Hi Miquel,
This is what seems to be happening. Your class-map condition is based on the URL and not on the Host header value, so ACE is not even considering www.AAA or www.BBB. It is only looking at /fr/pages/xxxxxxxx, which only matches the 3rd class map, and that's why you get that match and hence the corresponding redirection.
Can you try using class map condition based on Host ?
switch/Admin(config-cmap-http-lb)# 2 match http header Host header-value ?
Please try and let me know how it goes.
You can also test by removing that /fr/pages/.* condition and see whether it matches or not.
Regards,
Kanwal
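To make the two posts above concrete, here is a small Python model, added here and not part of the thread or of Cisco's ACE software, that walks a "policy-map type loadbalance first-match" top-down, comparing a "match http url" expression only against the request path and a "match http header Host" expression only against the Host header value. The ORIGINAL list reproduces Miquel's three class-maps; the CORRECTED list is my reading of Kanwal's suggestion (a match-all class combining a Host-header match with a path match), not configuration from the thread. Treating each expression as a regular expression that must cover its whole subject (Python re.fullmatch) is also an assumption about the ACE regex engine; the serverfarm and class names are the ones from the posted config.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Model of ACE "class-map type http loadbalance" evaluation and a
# "policy-map type loadbalance first-match" walk. Assumption (not from the
# thread): every match expression is an anchored regular expression that
# must cover its whole subject (re.fullmatch).


@dataclass(frozen=True)
class Match:
    kind: str       # "url": compared against the request path only
                    # "host": compared against the Host header value only
    pattern: str


@dataclass(frozen=True)
class ClassMap:
    name: str
    matches: Tuple[Match, ...]
    match_all: bool = False     # False models match-any, True models match-all

    def hits(self, host: str, path: str) -> bool:
        results = []
        for m in self.matches:
            subject = path if m.kind == "url" else host
            results.append(re.fullmatch(m.pattern, subject) is not None)
        return all(results) if self.match_all else any(results)


def first_match(policy: List[Tuple[ClassMap, str]], host: str, path: str,
                default: str) -> str:
    """Walk the policy top-down; return the serverfarm of the first class that
    hits, or the class-default farm when none does."""
    for cmap, farm in policy:
        if cmap.hits(host, path):
            return farm
    return default


DEFAULT_FARM = "NM_LoRo_CAT2_FARM"       # class-default from the thread

# Miquel's original class-maps: the host name is embedded in a
# "match http url" expression, which is only ever compared with the path,
# so the first two classes can never hit.
ORIGINAL = [
    (ClassMap("REDIRECT_PMUR_RESULTATS_CLASS",
              (Match("url", "www.BBB/fr/pages/BBB/index.php"),)),
     "REDIRECT_PMUR_RESULTATS_FARM"),
    (ClassMap("REDIRECT_PMUR_RAPPORTS_CLASS",
              (Match("url", "www.AAA/fr/pages/AAA/index.php"),)),
     "REDIRECT_PMUR_RAPPORTS_FARM"),
    (ClassMap("REDIRECT_NM_LORO_PMUR_CLASS",
              (Match("url", "/fr/pages.*"),)),
     "REDIRECT_NM_LORO_PMUR_FARM"),
]

# Corrected form (my reading of Kanwal's suggestion, not config from the
# thread): host goes into a Host-header match, the path stays in the url
# match, and the class is match-all so both must hold. Dots are escaped
# because the Host header is client-supplied.
CORRECTED = [
    (ClassMap("REDIRECT_PMUR_RESULTATS_CLASS",
              (Match("host", r"www\.BBB"),
               Match("url", r"/fr/pages/BBB/index\.php")), match_all=True),
     "REDIRECT_PMUR_RESULTATS_FARM"),
    (ClassMap("REDIRECT_PMUR_RAPPORTS_CLASS",
              (Match("host", r"www\.AAA"),
               Match("url", r"/fr/pages/AAA/index\.php")), match_all=True),
     "REDIRECT_PMUR_RAPPORTS_FARM"),
    (ClassMap("REDIRECT_NM_LORO_PMUR_CLASS",
              (Match("url", "/fr/pages.*"),)),
     "REDIRECT_NM_LORO_PMUR_FARM"),
]


def route(policy: List[Tuple[ClassMap, str]], host: str, path: str) -> str:
    return first_match(policy, host, path, DEFAULT_FARM)


if __name__ == "__main__":
    # Constructed sample requests (Host header, request path).
    samples = [("www.AAA", "/fr/pages/AAA/index.php"),
               ("www.BBB", "/fr/pages/BBB/index.php"),
               ("www.AAA", "/fr/pages/other"),
               ("wwwXAAA", "/fr/pages/AAA/index.php"),
               ("www.CCC", "/index.php")]
    for host, path in samples:
        print(f"{host}{path}: original -> {route(ORIGINAL, host, path)}, "
              f"corrected -> {route(CORRECTED, host, path)}")
```

Running it shows why the posted config sends www.AAA/fr/pages/AAA/index.php to SITE1: the two host-qualified url expressions can never match a path, so the request falls through to the generic /fr/pages.* class. It also shows that the policy-map already is first-match, top-down, as Miquel asked for; the problem is the match condition, not the order. The escaped dots in the Host patterns matter because the Host header is chosen by the client: with a plain "www.AAA" the pattern would also accept a name such as wwwXAAA.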

Similar Messages

  • Map-class frame-relay , policy map

Does a service-policy output have to be applied to an interface for QoS to work?
Here is the config, but there is nothing applied to the serial interface...
    Thanks for your help
    policy-map 256/128KVoice
    class 256/128KVoice
    priority 112
    class class-default
    fair-queue
    map-class frame-relay 256/128KVoice
    frame-relay cir 128000
    frame-relay bc 1280
    frame-relay be 600
    frame-relay mincir 128000
    no frame-relay adaptive-shaping
    frame-relay fair-queue
    frame-relay fragment 150
    frame-relay ip rtp priority 16384 16380 210
    interface Serial0/0
    bandwidth 1544
    ip address xxx.xxx.xxx.xxx 255.255.255.255
    ip route-cache flow
    no fair-queue
    service-module t1 timeslots 1-24

    Hello,
Will QoS work this way, where a class is put on the WAN interface where it should be a service policy?
    router#sh run interface Se0/0/0.1
    Building  configuration...
    Current configuration : 239 bytes
    interface  Serial0/0/0.1 point-to-point
    bandwidth 2048
    ip address XXXX
    ip nat outside
    frame-relay  interface-dlci 555
      class COS-OUT-S0/0/0.1   
    end
    COS-OUT-S0/0/0.1 is defined as policy map  with class of voice and video.
When checking on the WAN interface with #sh policy-map interface Se0/0/0.1, I can see the output of service policy input/output with the policy map, the respective classes and packet match entries. Is QoS working with this configuration?
    Appreciate any input on this.
    Regards,
    Brajesh.

  • Policy map/ class map/ service policy for IOS xr

    Hi,
    I need to create a policy map and class map/service policy to limit the amount of bandwidth that can be used on one interface both in and out.
I need the cap for the bandwidth to traverse this circuit to be 10 Meg.
    the IOS xr version we are using is 4.3.4
    I was hoping someone could help me out by giving me a configuration example I could follow.
    Thank you.

    for instance like this:
policy-map police-in
 class class-default
  police rate 10 mbps <optionally set burst>
 !
!
policy-map shape-out-child
 class class-default
  queue-limit 10 packets
 !
!
policy-map shape-out-parent
 class class-default
  shape average 10 mbps <optional burst config>
  service-policy shape-out-child
 !
!
interface GigabitEthernet0/0/0/0
 service-policy input police-in
 service-policy output shape-out-parent
!
    also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
    and the support forum article of "asr9000 quality of service architecture"
    xander

  • Class-Map and Policy-Map Configuration in CM Confusion

    Hi,
    I'm implementing a green field WAAS deployment for a customer. We currently have a Proof-of-Concept up and running.
    I've got some questions regarding custom class-map and policy-map configuration in the CM. I'd like to nail-down the custom class-map and policy-map configuration (and understanding) in the PoC before cutting over the PoC branches to the production WAAS environment.
    Assuming a typical WAAS Deployment using WCCP for off-path interception, branch to DC.
     ==> 61 in LAN (BRANCH ROUTER) <== 62 in WAN        (WAN CLOUD)        ==> 61 in WAN (DC ROUTER) <== 62 in LAN
    We are using two distinct device groups, BRANCH and DATA CENTER.
    If the customer has traffic that we need to classify in order to provide TFO only optimisation, should the single class-map include the traffic in both directions? Ie., (assume the SERVER is 10.1.1.1 TCP Port 443). Should the class-map be configured as:
    Class-Map
    Line 1: DST IP 10.1.1.1 DST Port 443
    Line 2: SRC IP 10.1.1.1 SRC Port 443
    Or in this case is only the DST line required? And in which Device Group should the custom policy be applied? Or should it be applied to both Device Groups? If it should be applied to both Device Groups, then would it make more sense to have the policy-map in the Branch DG configured to match the DST traffic, and on the Data Center DG have a different class-map match the SRC traffic?
    My confusion is how to classify the traffic (SRC or DST or Both - Separate classes for each or different lines within the same class-map), and where to apply the appropriate policy (both Device Groups, just Branch, just DC) and why...
    I tried to apply a custom policy and the impact in the PoC was that the TCP Summary report stopped reporting the individual traffic classes showed 'other traffic' only. Can anyone explain why this may have occurred?
    I hope this makes sense.

  • Class-map/policy-map

    @all...
Can I apply a class-map in both inbound and outbound directions, or is it restricted to outbound only? Whereas for a policy-map, I understand it can be applied either inbound or outbound...
Correct me if I am wrong.
    ta
    hanu

     According to this link http://www.pingafrica.org/node/135 I configured my Cisco IOS (tm) C1700 Software (C1700-Y-M), Version 12.3(17a), router to filter HTML traffic. It works perfectly.
     Could you tell me how to configure it so that it does not filter traffic for specific IP addresses, e.g. administrators and other privileged users in my network?
    Thanks a lot

  • Can you add one L3-class to two different policy maps ?

    Hi Experts;
The requirement is to have requests from outside as well as from inside (a server in a different VLAN) to our Production Servers. At present all requests are coming from the inside VLAN via policy-map multi-match L3_XYZ. See the example below:
    policy-map multi-match L3_XYZ
    class L3_PROD
       loadbalance vip inservice
       loadbalance policy L7_PROD
       loadbalance vip icmp-reply active
    policy-map multi-match L3_OUTSIDE
    class L3_PROD
       loadbalance vip inservice
       loadbalance policy L7_PROD
       loadbalance vip icmp-reply active
    Many thanks
    Regards

    Hi Hidayat
Yes, a class map alone doesn't have any deep meaning and can be reused in many policy maps. Actually policy maps can be reused too, so in your particular example you can put the same policy map on 2 different interfaces. (Sometimes it's a good idea, if the requirements are the same for traffic coming from both interfaces; if the requirements are different, it's better to create a new one, but the class-map can definitely be reused.)

  • QoS - Create class-map while inside policy-map

The Cisco training notes for CME claim you can create a non-existent class-map while in the policy-map. Here is what the notes say:
    router(config-pmap)#class class-map-name condition
    ? Optionally you can define a new class-map by entering the condition after the name of the new class map
Does this work?

    If my memory serves me, it was on a 7206VXR running a 12.3 cut. Also, I do recall that the '?' will not present this as an option but it still works...
    Paresh.

  • Policy-map issue on 7507

    I have a 7507 that has policy maps for matching voice for QoS. A show access-list shows that traffic is being matched. A show interface shows that packets are being dropped. The end result is though, that latency is high and call quality is suffering. A show queueing on the interface shows that no packets are being dropped. Any suggestions?

    class-map match-all 2505PlanoRd
    match access-group name PlanoRd2505-voice
    policy-map 2505PlanoRd
    class 2505PlanoRd
    priority 192
    class class-default
    fair-queue
    interface Serial5/0/0/5:0
    bandwidth 1536
    ip address xx.xx.xx.xx 255.255.255.252
    no ip redirects
    no ip unreachables
    load-interval 30
    service-policy output 2505PlanoRd
    ip access-list extended PlanoRd2505-voice
    permit ip any any dscp ef
    permit ip any any dscp cs6
    permit ip any host xx.xx.xx.xx
    Core-1#sh access-list PlanoRd2505-voice
    Extended IP access list PlanoRd2505-voice
    10 permit ip any any dscp ef (124045 matches)
    20 permit ip any any dscp cs6 (9779 matches)
    30 permit ip any host xx.xx.xx.xx (93010 matches)
    Core-1#sh queueing int s5/0/0/5:0
    Interface Serial5/0/0/5:0 queueing strategy: VIP-based fair queueing
    Serial5/0/0/5:0 queue size 0
    pkts output 0, wfq drops 0, nobuffer drops 0
    WFQ: aggregate queue limit 384 max available buffers 384
    Priority Class: limit 48 qsize 0 pkts output 0 drops 0
    Non-Priority Class: limit 336 qsize 0 pkts output 0 drops 0
    available bandwidth 1344
    Class 0: weight 8750 limit 336 qsize 0 pkts output 0 drops 0
    Core-1#sh int s5/0/0/5:0
    Serial5/0/0/5:0 is up, line protocol is up
    Hardware is cyBus CT3
    Internet address is xx.xx.xx.xx
    MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
    reliability 255/255, txload 72/255, rxload 12/255
    Encapsulation HDLC, crc 16, loopback not set
    Keepalive set (10 sec)
    Last input 00:00:00, output 00:00:00, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/32 (size/max/drops/flushes); Total output drops: 510996
    Queueing strategy: Class-based queueing
    Output queue: 0/40 (size/max)
    30 second input rate 77000 bits/sec, 57 packets/sec
    30 second output rate 439000 bits/sec, 78 packets/sec
    80041948 packets input, 17598546217 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 9 giants, 0 throttles
    696964 input errors, 38821 CRC, 302664 frame, 92 overrun, 1 ignored, 355377 abort
    113990388 packets output, 96683334345 bytes, 0 underruns
    0 output errors, 0 collisions, 10 interface resets
    0 output buffer failures, 3437585 output buffers swapped out
    10 carrier transitions no alarm present
    Timeslot(s) Used: 1-24, Transmitter delay is 0 flags
    non-inverted data
    This is standard VoIp transport selection based on dscp.

  • Policy-map multi-match

    Hi Guys,
    I need explanation on multi-match policy on ACE. How does it work ?
    Lets take this example-
    policy-map multi-match CLIENT-VIPS
      class VIP1-80
        loadbalance vip inservice
        loadbalance policy VIP1-POLICY
    policy-map type loadbalance first-match VIP1-POLICY
      class class-default
        serverfarm SERVERFARM1
    class-map match-all VIP1-80
      2 match virtual-address 192.168.1.200 tcp eq http
This will work for sure. I am looking for the functional difference if I make the policy CLIENT_VIPS first-match; what difference will there be in this case? Will it not just match class VIP1-80 and redirect the request to the serverfarm?
Or is this something where multiple classes can be called under CLIENT_VIPS, like inspection?
    Thanks
    Ajay

    HI Ajay,
    Say if you have 2 class-maps on different ports 80 & 443
    policy-map multi-match CLIENT-VIPS
      class VIP1-80
        loadbalance vip inservice
        loadbalance policy VIP1-POLICY1
      class VIP1-443
        loadbalance vip inservice
        loadbalance policy VIP1-POLICY2
    class-map match-all VIP1-80
      2 match virtual-address 192.168.1.200 tcp eq http
    class-map match-all VIP1-443
      2 match virtual-address 192.168.1.200 tcp eq https
    Regards,
    Siva

  • DMVPN per tunnel QOS. show policy-map multipoint not working

    Hi All,
I have a DMVPN hub which is an 1841 with image c1841-advsecurityk9-mz.151-4.M1.bin.
I have been using DMVPN and it's awesome, but now I am trying to get the QoS sorted out and having issues.
    I have configured the interface like so.
    interface Tunnel1
    ip address 10.255.255.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication xxx
    ip nhrp map multicast dynamic
    ip nhrp map group ADSL1 service-policy output ADSL1
    ip nhrp network-id 1
    ip nhrp redirect
    ip tcp adjust-mss 1360
    no ip split-horizon
    ip ospf 1 area 0
    tunnel source Loopback0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel path-mtu-discovery
    tunnel protection ipsec profile VPN
    end
    policy-map ADSL1
    class class-default
      shape average 1000000
      service-policy Classes
    policy-map Classes
    class Silver
      bandwidth percent 25
      fair-queue
    class Gold
      bandwidth percent 50
      fair-queue
    class Scavanger
      bandwidth percent 5
    class class-default
      fair-queue
    The output of show dmvpn detail shows it has applied the QOS rule.
    NG-SR-WE-RT-2#show dmvpn detail
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================
    Interface Tunnel1 is up/up, Addr. is 10.255.255.1, VRF ""
       Tunnel Src./Dest. addr: 10.32.0.100/MGRE, Tunnel VRF ""
       Protocol/Transport: "multi-GRE/IP", Protect "VPN"
       Interface State Control: Disabled
    Type:Hub, Total NBMA Peers (v4/v6): 1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
        1  x.x.x.x    10.255.255.2    UP    1d18h    D    10.255.255.2/32
    NHRP group: ADSL1
    Output QoS service-policy applied: ADSL1
But my router cannot run show policy-map multipoint... it doesn't come up with tab completion, but I can write it in by hand. Even when I write it in by hand it outputs blank.
I cut the ADSL1 shape down to 512k and it didn't take effect, so I don't think the QoS is working at all.
    Is my feature set too low?
    Cheers,
    Simon

    Ray,
There could be multiple reasons for it not to function. The config on the hub seems just fine; we'd need to inspect the spokes and check (most likely in debugs) whether the correct group is being sent from the spoke.
Also the coexistence of other service-policies etc.
The feature is quite simple (at some level of simplification): the spoke says it is in group X when registering, and the hub assigns this NHRP mapping a service-policy.
    M.

  • Policy MAP Issue on ASA

Hi, I have configured the following policy map to restrict 12.203 to 5 Mb of bandwidth.
The issue is that I don't receive any hits when I apply it on the outside interface like this:
service-policy PM-RATELIMIT interface outside
But when I add permit ip any any to the ACL, then I receive hits.
Otherwise this map works fine on the inside interface, but I want to apply it on the outside.
The config is as follows:
    access-list vlan10_rate_limit extended permit ip host 192.168.12.203 any
    class-map CM-RATELIMIT
    match access-list vlan10_rate_limit
    policy-map PM-RATELIMIT
    class CM-RATELIMIT
      police input 5000000

The ACL that you have configured is sourcing from the internal host to any on the outside, so you would need to apply it on the inside interface.
    If you would like to limit the return traffic towards that host, then you would need to configure ACL with source any and destination the NATed ip address of that internal host.

  • 1 policy-map for more than 1 physical interface

    Hi,
The situation I want to achieve is that 2 physical interfaces (here 2 TP GigabitEthernet ports of a 3750) are limited together by one 'service-policy'/'policy-map'.
In the example below I have 2 ports on one switch, and the traffic coming in on both ports in total (traffic port #1 + traffic port #2) should be limited by the 'policy-map 5MBits'.
    Right now I have configured a 3750 with:
    class-map match-all EveryMAC
    match access-group name everythingL2
    policy-map 5MBits
    class EveryMAC
    police 5000000 32768 exceed-action drop
    policy-map TEST
    class EveryMAC
    set dscp default
    mac access-list extended everythingL2
    permit any any
    interface GigabitEthernet1/0/1
    description port #1
    switchport access vlan 123
    switchport mode access
    speed 10
    duplex auto
    interface GigabitEthernet1/0/2
    description port #2
    switchport access vlan 123
    switchport mode access
    speed 10
    duplex auto
    interface Vlan123
    service-policy input TEST
    And at the 'other side' a 2950 works with the following config:
    class-map match-all EveryMAC
    match access-group name everythingL2
    policy-map 5MBits
    class EveryMAC
    police 5000000 32768 exceed-action drop
    mac access-list extended everythingL2
    permit any any
    interface FastEthernet0/1
    description port #A
    switchport access vlan 123
    switchport mode access
    speed 10
    duplex auto
    As far as I can see this seems to work. But it would be nice if someone can confirm this or provide an other suggestion.
    thanks in advance
    Mark

The only thing I can think of is, instead of using a MAC ACL, you could just use the default class:
    Policy Map Test
    class class-default
    police 56000 8000 exceed-action drop
    Class Map match-any class-default (id 0)
    Match any
You would be saving a MAC ACL ;-).

  • Radius accounting for QoS pppoe policy-map

    Hi folks
I have a RADIUS server pushing an AVPAIR ip:sub-qos-policy-out to a virtual template for clients connected to a BRAS through PPPoE.
The AVPAIR is correctly applied to each and every PPPoE session, but the following link http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbbbrs1c.html indicates that I should be able to push back to the RADIUS server some traffic info per class-map/policy-map. This would allow some quota stuff and getting some info about traffic used per customer.
From what I have been able to configure, I'm not getting any of these stats back to the RADIUS server.
The debug radius accounting:
    *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E):Orig. component type = PPPoE
    *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E): Acct-session-id pre-pended with Nas Port = 0/0/3/0
    *Mar 12 05:29:00.419: RADIUS(0000000E): Config NAS IP: 0.0.0.0
    *Mar 12 05:29:00.419: RADIUS(0000000E): sending
    *Mar 12 05:29:00.419: RADIUS/ENCODE: Best Local IP-Address 192.168.38.133 for Radius-Server 192.168.38.131
    *Mar 12 05:29:00.419: RADIUS(0000000E): Send Accounting-Request to 192.168.38.131:1813 id 1646/55, len 299
    *Mar 12 05:29:00.419: RADIUS:  authenticator ED 94 CF EE BD 73 30 7E - 93 07 A4 C3 50 A6 03 DE
    *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Id     [44]  18  "0/0/3/0_00000005"
    *Mar 12 05:29:00.419: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    *Mar 12 05:29:00.419: RADIUS:  Framed-IP-Address   [8]   6   10.10.10.2
    *Mar 12 05:29:00.419: RADIUS:  User-Name           [1]   9   "olivier"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  35
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-tx-speed=10000000"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-rx-speed=10000000"
    *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Time   [46]  6   2582
    *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Octets   [42]  6   7232
    *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Octets  [43]  6   7232
    *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Packets  [47]  6   517
    *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Packets [48]  6   517
    *Mar 12 05:29:00.419: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    *Mar 12 05:29:00.419: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  15
    *Mar 12 05:29:00.419: RADIUS:   cisco-nas-port     [2]   9   "0/0/3/0"
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port            [5]   6   50331648
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Id         [87]  9   "0/0/3/0"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  41
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=aabb.cc00.6430"
    *Mar 12 05:29:00.419: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar 12 05:29:00.419: RADIUS:  NAS-IP-Address      [4]   6   192.168.38.133
    *Mar 12 05:29:00.419: RADIUS:  Ascend-Session-Svr-K[151] 10
    *Mar 12 05:29:00.419: RADIUS:   37 39 38 32 45 41 38 30          [ 7982EA80]
    *Mar 12 05:29:00.419: RADIUS:  Acct-Delay-Time     [41]  6   0
    *Mar 12 05:29:00.419: RADIUS(0000000E): Started 5 sec timeout
    *Mar 12 05:29:00.419: RADIUS: Received from id 1646/55 192.168.38.131:1813, Accounting-response, len 20
    *Mar 12 05:29:00.419: RADIUS:  authenticator A7 0E 79 40 C5 B5 CF DC - 09 46 27 48 52 BE 01 7D
    What I get in the freeradius log :
    Tue Mar 11 22:30:04 2014
            Acct-Session-Id = "0/0/3/0_00000005"
            Framed-Protocol = PPP
            Framed-IP-Address = 10.10.10.2
            User-Name = "olivier"
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Cisco-AVPair = "nas-tx-speed=10000000"
            Cisco-AVPair = "nas-rx-speed=10000000"
            Acct-Session-Time = 2646
            Acct-Input-Octets = 7428
            Acct-Output-Octets = 7428
            Acct-Input-Packets = 531
            Acct-Output-Packets = 531
            Acct-Authentic = RADIUS
            Acct-Status-Type = Interim-Update
            NAS-Port-Type = Virtual
            Cisco-NAS-Port = "0/0/3/0"
            NAS-Port = 50331648
            NAS-Port-Id = "0/0/3/0"
            Cisco-AVPair = "client-mac-address=aabb.cc00.6430"
            Service-Type = Framed-User
            NAS-IP-Address = 192.168.38.133
            X-Ascend-Session-Svr-Key = "7982EA80"
            Acct-Delay-Time = 0
            Acct-Unique-Session-Id = "523eac6ae326a778"
            Timestamp = 1394602204
            Request-Authenticator = Verified
    user config in the users file on the freeradius server :
    olivier Cleartext-Password := "olivier"
            Service-Type = Framed-User,
            Cisco-AVPair += "ip:addr-pool=pppoepool",
            Cisco-AVpair += "ip:sub-qos-policy-out=TEST"
    I see that the policy map name is pulled correctly from the radius server and applied to the session :
    #sh policy-map session uid 14
     SSS session identifier 14 -
      Service-policy output: TEST
        Class-map: TEST (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          police:
              cir 8000 bps, bc 1500 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            conformed 0 bps, exceed 0 bps
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
    Any input very welcome

The Cisco server is working fine. When you use non-standard or non-RFC requests from your NAS to the AAA server, for instance, you have to configure your server accordingly to instruct it how to handle this kind of request.
This is typically done with something called a "dictionary", which should be included in your RADIUS server. The server typically decodes all RFC 2865 VSAs (or should), but when a new NAS model is introduced into the network, you can modify it to add any VSAs not appearing in the dictionary, which is your case.
As an example, imagine you want to change the attribute cisco-vsa-port-string to tagged-string; your dictionary will look something similar to:
And finally you will have to modify it with a text editor or XML editor and change type="tagged-string", supposing your device complies with RFC 2868. Probably the AAA server will have to be restarted for these changes to be taken into account.
Also, since this applies to all devices for this vendor, you've got one more option, which is to define your own dictionary for a specific vendor, or even, if you wish, for a specific NAS or group of NASes.
    In NavisRadius you could associate a dictionary to a
    device adding a client-class:
    # Client-IP Client-Secret Client-Class
    10.0.0.1 secret taos-old
    And then specifying the dictionary later in client_properties for this device:
    # This file contains information about client classes # and is used to set per-client specific information.
    # TAOS Devices in OLD mode with RFC conflicts
    taos-old
    Client-Dictionary=max_dictionary
    # Other devices now, etc.
    Hope it helps

  • [Trend Micro Ios content filtering] parameter-type command under policy map not available

    Hi, all:
    I'm trying to configure TrendMicro IOS content filtering. I have this working on a separate box, running 15.1.
    On this particular testbed, I have a 2900 running:
    System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T1.bin"
    And the following licensing:
    Technology Package License Information for Module:'c2900'
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot 
    ipbase        ipbasek9      Permanent      ipbasek9
    security      securityk9    Permanent      securityk9
    uc            uck9          Permanent      uck9
    data          datak9        Permanent      datak9
    Configuration register is 0x2102
    CUBE_GOLD_MEX#show ip trm subscription status
           Package Name:  Security & Productivity (Trial)
                 Status:  Active
    Status Update Time:  18:02:51 CST Mon Jul 23 2012
        Expiration-Date:  Mon Aug 20 02:00:00 2012
        Last Req Status:  Processed response successfully
    Last Req Sent Time:  18:02:51 CST Mon Jul 23 2012
    CUBE_GOLD_MEX#
    Also, I have the following config lines on it:
    ip host trps.trendmicro.com 216.104.8.100
    ip name-server 4.2.2.2
    ip cef
    multilink bundle-name authenticated
    parameter-map type urlfpolicy trend tm-pmap
    allow-mode on
    [snip]
    parameter-map type trend-global trend-glob-map
    class-map type inspect match-all http-imap
    match protocol http
    class-map type urlfilter trend match-any drop-category
    match url category Abortion
    match url category Activist-Groups
    match url category Adult-Mature-Content
    match url reputation ADWARE
    match url reputation DIALER
    match url reputation DISEASE-VECTOR
    match url reputation HACKING
    match url reputation PASSWORD-CRACKING-APPLICATIONS
    match url reputation PHISHING
    match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
    match url reputation SPYWARE
    match url reputation VIRUS-ACCOMPLICE
    policy-map type inspect urlfilter trend-policy
    class type urlfilter trend drop-category
    I have not been able to get to the good part of configuring the ZBF.
    I've looked over several configuration examples and can't figure out what I'm doing wrong, since I'm not able to see the command 'parameter-map' under the 'policy-map urlfiltering'
    XXXXXX(config)#policy-map type inspect urlfilter trend-policy
    XXXXXX(config-pmap)#?
    Policy-map configuration commands:
      class        policy criteria
      description  Policy-Map description
      exit         Exit from policy-map configuration mode
      no           Negate or set default values of a command
    XXXXXX(config-pmap)#
    I thought it might be an issue with version 15.2.3, but according to configuration guides, commands are the same.
    Can anyone provide some assistance?
    TIA.
    c.

    Hi Carlos,
I am having the same problem. I have seen a few different configuration examples and they all show adding the "parameter type urlfpolicy trend parm-map-name" command, but it doesn't exist, at least in 15.2(3)T1, and I see it listed in the IOS documentation for 15.2. Maybe they forgot it :-)
    I guess I will open a TAC case as I do not want to downgrade...
    I will keep you posted if I find the answer.
    Regards,
    Troy

  • Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

    Hi,
    I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
    I have 3 web servers behind a router.
    Public interface: 3 public ip adresses
    Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
    I would to know the best way to redirect http traffic to the right server.
    My idea is to map a public address to a private address, via NAT, but I'm not sure for the configuration.  I could also redirect via Policy-map and filter by url content.
    So if you have some advise for this case, it would be really appreciated.
    Thank you.
    Chris.

    Hello Christophe,
As I understand it, you want first that if somebody goes to A.local.com from the internet, then he will be redirected to 192.168.1.10 in your internal network.
That means you need a static mapping between your public IP address and your local IP address.
For this example, your local interface is Fa0/0.1, and I don't know your public interface because it is not mentioned in your diagram. I will suppose S0/0 for the public interface.
That is the config for Web Server1. You can do the same with the remaining servers:
    interface fa0/0.1 
    ip nat inside
    interface serial0/0
     ip nat outside
    ip nat inside source static 192.168.1.10 172.1.2.3 
    static mapping from local to public. 
    I suppose you have done the dns mapping in your network and the ISP have done the same in his network. 
ip route 172.1.2.3 255.255.255.255 Serial0/0
or
ip route 0.0.0.0 0.0.0.0 Serial0/0
    After these step for each web server, you will get the mapping. 
    Now you can restrict access to this ip only to http or https protocol on your isp and after on your local network 
    like
ip access-list extended ACL_WebServer1
 permit tcp any host 192.168.1.10 eq www
 permit tcp any host 192.168.1.10 eq 443
 deny ip any host 192.168.1.10
exit
interface fa0/0.1
 ip access-group ACL_WebServer1 out
    no shut
    exit
    That is the first step. 
    Second step : you want to filter traffic by url, that means layer 5 to 7 filtering. 
    I am not sure that it is possible using cisco router with (ZBF + Regex).
    Check the first step and let us know ! 
    Please rate and mark as correct if it is the case. 
    Regards,
