Service policy direction

Similar Messages

• Error while applying the Service Policy

  Hi,
  I am getting the below error while applying the service policy to the Interface.
  I have set the mpls exp 4 as well as want to limit the bandwidth to 1Mbps
  PE#sh policy-map setexp-GBoIP
    Policy Map setexp-GBoIP
      Class GBoIP-traffic
        set mpls experimental imposition 4
       police cir 1024000 bc 32000
         conform-action transmit
         exceed-action drop
  PE(config-if)#int vlan 2007
  PE(config-if)#service-policy input setexp-GBoIP
  QoS-ERROR: Addition/Modification made to policymap setexp-GBoIP and class GBoIP-traffic is not valid, command is rejected
  As well as I have created new clas--map with priority and Bandwidth and applied in output direction, I got the belwo error while applying the Service policy in
  PE(config-if)#service-policy out TEST
  bandwidth command is not supported in output direction for this interface
  PE(config-if)#service-policy output TEST
  priority command is not supported in output direction for this interface
  Any idea why so ?
  Thanks in Advance.
  Regards,
  Nilesh

  Check the current value of IGW_AWARDS_S sequence and make sure the MINVALUE in the patch (i.e. 10000) is not greater than the current one.
  OERR: ORA 4007 MINVALUE cannot be made to exceed the current value (Doc ID 19824.1)
  You may also log a SR.
  Thanks,
  Hussein

• Fundamental ACL & Service Policy related questions

  Hi All,
  apologies in advance for seemingly stupid questions but I was forced to ask them as I have ALWAYS had great difficulty in using debug on Cisco platforms. Nothing ever shows up when I set up debug despite configuring "logging console" and setting the level to 7 etc. I have no clue why that is and if it's because all debugging messages go to the debug log instead of being prnted on the console, or what it is...I just don't get it. When I'm saying logging console...please print it on the console! Anyway, that rant aside...
  I have a VERY simple topology like so
                                                                                      A few servers in this VLAN
  ISP <---> 3560G (Physical Routed Port) <--> SVI (VLAN)
                                                                                      ASA5520 <--> Internal VLAN
  With regards to ACLs and their direction, when an ACL is applied to a physical port (or in cases where QoS is enabled and a service-policy) is applied to either a routed physical port on the 3560, saying that the policy is applied in the "in" direction (or 'input' in case of service-policy) does that mean 'inbound' in either direction? As in IF that routed port is my direct connection to the ISP, and I set up "ip access-group myacl in" (or service-policy input myPolicymap) ...will that be applicable if the traffic enters that port from the ISP side OR from the internal network side, or "IN" for it is always JUST the ISP side because it's assuming that all traffic generated from inside the network going out to the Internet is implcitly allowed UNLESS an ACL somewhere in the network restricts that?
  then, in case of an SVI...I believe just like the physical routed port, I can ONLY implement an "Inbound" ACL on this as well. So when I implement either a Heirarchical policy-map or just an access-group "in", then what is "IN" ...traffic entering this VLAN from the internal network and those public servers going out to the Internet AND Traffic entering this VLAN from the ISP/Internet via the physical routed Port OR is it JUST the latter, or is it just the former?
  Now Lastly, when I have the physical ports to which the ASA and each of those physical servers are connected to sitting on the public VLAN, if I apply port-based ACLs or service-policies to them, then again, what direction is the "IN" ACL applied? Both? i.e. traffic coming into it from the public servers and the Internal network through the ASA, and the Internet OR just the traffic coming into it from the Internet, but the traffic going out from the servers to the Internet is not subjected to this ACL or service-policy
  Again, very sorry for a dumb question but I'm seeing bizzare things in my network so was just wondering before I decide on what kind of security I want to plan/design
  Thanks in advance

  The mystical difference between debug output going to the console versus showing up in syslog is "logging debug-trace".  On goes to syslog, "no logging debug-trace" goes to console.  I've been bit by this one myself.
  ACLs on physical ports have directionality like the cable plug: "in" is from the cable entering into the switch or firewall, "out" is leaving the device to run along the cable to somewhere else.  On Catalyst switches port ACLs are inbound (receiving packets) only.  Obviously, on directly connected devices, one devices out is the other devices in.
  ACLs on SVI's depend on whether your are running a base image or services image; services images can do IPv4 and IPv6 in both directions.  However, port ACL's trump routed ACL's; if both exist, the port ACL is the only one applied.  I think if a directly connected port has no port ACL, no ACL is applied at all; routed ACL's on SVI's only apply to transitions between VLANs inside the switch, not to traffic entering physical ports.
  -- Jim Leinweber, WI State Lab of Hygiene

• Command "service-policy input policy-name permit-any" will not work

  Hi all,
  have a SG500 with latest Firmware, but this command will not work.
  service-policy input QoS_01 permit-any
  i get this error message:
  % Wrong number of parameters or invalid range, size or characters entered
  without the option "permit-any or deny-any" the command is successfully.
  What is the reason?
  It is important, directly to specify this options. Otherwise to lose the access to the switch.
  Regards
  Stefan

  Hi Tom,
  i have a ACL / ACE and create a QoS "policy table" put the "policy class map" (with class mappings) in it.
  And now i will bind this QoS policy to a Ethernet port.
  cli tutorial example say:
  Use the service-policy Interface Configuration (Ethernet, Port-channel) mode command to bind a policy map to a port/port-channel. Use the no form of this command to detach a policy map from an interface.
  This command is only available in QoS advanced mode.
  Syntax
  service-policy input policy-map-name default-action [permit-any | deny-any]
  no service-policy input
  Example:
  witchxxxxxx(config-if)# service-policy input policy1 permit-any
  A cisco support open a ticket for me.
  -Stefan

• Prevalence between service policy and rate limit

  Hi,
  I have a question, on the wan interface on my router I have configured two QoS configuration: one is based on rate-limit pointing to a an specified traffic but also I have a configuration with a service policy that include the same traffic with a restriction of bandwidth . I do not know what policy has prevalence if the service policy or the rate limit.
  Regards.

  Hi Rajan ,
  Thanks for teh reply.
  I'm but confused with your answer....
  We have SRM 5 implemented at our place and I see that service carts  created in the system using the link "ORDER" when converted to PO's in Sourcing create Purchase orders with HIERARCHY structure i.e. 1 header and 1 item(with the actual service line) but when they are replicated to ECC,we have done an enheancement to create LIMIT PO's for service orders.
  Hence I wanted to know when do we need to create SERVICE HIRERACHY based PO's in SRM and when we need to create LIMIT PO's directly in SRM?
  Also I understand that in SRM,for limit PO's,when the PO item is deleted in PROCESS PO trasnctions,the items are not returned back to sourcing.We dont want this to happen for all types of PO's(both material and Service).We want that when a PO item is deleted,the item should return back to sourcing.
  But other then above functionality,what are the advantages of creating SERVICE based HIERARHCY PO's v/s LIMIT PO's in SRM?
  Please advise.
  Any inputs from Experts on this forum will be appreciated.
  Thanks in advance.

• Service-policy output statement interface vs interface .500 point-to-point

  We are running AutoQoS but have recently migrated our WAN service that puts our IP connectivity to a sub-interface (interface serial0/1:0.500 point-to-point and a frame-relay interface-DLCI). In our prior WAN configuration we bound the IP address directly to the interface s0/1:0.
  After the migration, the auto qos statement service-policy output AutQoS is still on the interface serial 0/1:0 . Should this service-policy statement be moved down to the serial 0/1:0.500 point-to-point in order to be effective? We have been experiencing QoS problems but I understand it could be many different places, but I wanted to start here.
  Thanks
  ryan

  as a rule those are applied in a frame relay policy map.
  Create the LLC policy
  Create the Frame Relay Policy map (and refer to the LLC policy map in the Frame Relay Config)
  Apply the Frame Relay Policy Map to the subinterface (to the DLCI).

• 5520 IPS Service policy config assistance

  I have a 5520 running 7.2(4) (Routed, single context) with an SSM20 running 6.1(1)E2.
  I am struggling a bit with the SSM setup on my 5520. I have created 2 service policies, one applied to a DMZ interface and configured as "in-line". The other applied to the inside interface and configured "promiscuous" (until I get it tuned).
  It appears there is no way (on 7.2) to direct each service policy to its own virtual sensor on the SSM20. For this reason I am struggling a bit in trying to determine which Service Policy is sending the traffic that triggers a particular event. Is there anything in the SSM event log that identifies which Service Policy sent the traffic to the virtual sensor?
  Thanks in advance!
  David

  The ASA does not tell the SSM which policy sent the packet, so the SSM can not report which policy sent it. Only whether to monitor it promiscuous or inline (and in the case of 8.0 which context it came from and which virtual sensor to use).
  Other things that might help.
  Look at the addresses of the alerts.
  If the source address is a DMZ address, then likely the DMZ policy.
  If the source address is a Inside address, then likely the Inside policy.
  If the source address is a Outside address, then look at the destination address.
  If the destination is a DMZ address, then likely the DMZ policy.
  If the desintation is a Inside address, then likely the Inside policy.
  Why?
  In the case of TCP, the SYN packet will determine which policy will affect the rest of the packets.
  And it is the first ips policy that matches which will determine the type of monitoring.
  So a SYN packet coming FROM the DMZ TO the Internet will first be checked by the DMZ policy. So if the DMZ policy matches, then it will be inline monitored (by the DMZ policy).
  Similarly a SYN packet coming FROM the DMZ TO the Inside will first be checked by the DMZ policy then it will the be checked by the Inside policy. If the DMZ policy matches then the SYN and remaining packets for the connection will be inline monitored. If the DMZ policy matches, then the Inside policy will still be checked, but it is the DMZ policy that will determine promiscuous or inline because it is the first policy matched. If the DMZ policy does NOT match the SYN packet, but the Inside policy does, then the connnection will be Promiscuously monitored by the Inside policy.
  In reverse, however, a SYN packet FROM the Inside TO the DMZ will be firt matched against the Inside policy.
  The inside policy matching first would cause the connection to be monitored Promiscuously. The DMZ policy woudl be checked, as well but with the Inside policy matching first it will cause the promisuous monitoring.
  Only if the Inside policy is NOT matched would the a DMZ policy match cause Inline monitoring.
  At least this is is how I think it worked back in 7.2. The above is how it does work in 8.0 when we tested with virtual sensors, and so I assume it worked that way back in 7.2 as well.
  In your alerts above. The first alert has "Actions droppedPacket+deniedFlow+tcpOneWayResetSent " the Deny/Drop actions can only work in Inline mode, so it must have come from the DMZ policy.
  The second alert has "Actions denyPacketRequestedNotPerformed+denyFlowRequestedNotPerformed " and the "NotPerformed" for the Deny/Drop actions generally only happens with Promiscuous mode. So it must have been from the Inside policy.

• Service policy counters not working..

  I have a service policy on a 6509 interface so I can see what the packets per second of a video stream coming out of a DVR (digital video recorder) is. This DVR has 16 security cameras attached and I'm concerned that when someone views all 16 cameras the video stream is going to be huge.
  So I create a service policy to match an access list for all IP from the DVR. But no counters increment unless I add in some other match statement. I added in a match protocol telnet and the service policy counters started to work. I removed the match on telnet and the counters stopped. Telnet has nothing to do with the DVR. Here is the config of the class map, policy map and show commands: (By the way video is streaming through this interface continually during this excercise)
  MATCHING ACCESS LIST ONLY:
  class-map match-any DVR
  match access-group 130
  policy-map DVR-test
  class DVR
  ROC-6509-DU-A#sh access-list 130
  Extended IP access list 130
  10 permit ip host 164.72.2.125 any
  ROC-6509-DU-A#sh policy-map int
  GigabitEthernet2/5
  Service-policy output: DVR-test
  Class-map: DVR (match-any)
  0 packets, 0 bytes
  30 second offered rate 0 bps
  Match: access-group 130
  0 packets, 0 bytes
  30 second rate 0 bps
  Class-map: class-default (match-any)
  0 packets, 0 bytes
  30 second offered rate 0 bps, drop rate 0 bps
  Match: any
  ADDING IN TELNET:
  class-map match-any DVR
  match access-group 130
  match protocol telnet
  policy-map DVR-test
  class DVR
  ROC-6509-DU-A#sh policy-map int
  GigabitEthernet2/5
  Service-policy output: DVR-test
  Class-map: DVR (match-any)
  524025 packets, 70724866 bytes
  30 second offered rate 3991000 bps
  Match: access-group 130
  523896 packets, 70689220 bytes
  30 second rate 3991000 bps
  Match: protocol telnet
  129 packets, 35646 bytes
  30 second rate 0 bps
  Class-map: class-default (match-any)
  18696 packets, 11180265 bytes
  30 second offered rate 129000 bps, drop rate 0 bps
  Match: any
  If I remove the 'match protocol telnet' and clear the counters, no longer do the counters for the access-list 130 increment - put back in match telnet and they start to increment.
  This is a Sup720 with IOS 12.2(18)SXE3
  Is this a bug or do I not have my class map or policy map correct?

  The hardware ASICs do not support collecting the individual policer information.
  Try:
  http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/1216ea1/3550scg/swqos.htm#xtocid1990743

• Why doesn't "show service-policy url-summary" work?

  Does any one know -- At Cisco Live this year -- this command was shown as an Option to see the number of
  hits on L7 class maps urls.
  It's not an option for me:  Running A3 (2.5)
  Thanks,
  From A2 documentation  (maybe this command was dropped from A3 -- but that would be unfortunate)
  To display the statistics for all policy maps or a specific policy map that is currently in service, use the show service-policy command. This command also allows you to display statistics for a specific class map in a policy or the hit counts for match HTTP URL statements in a Layer 7 HTTP policy map. If you do not enter an option with this command, the ACE displays all enabled policy statistics.
  show service-policy [policy_name [class-map class_name]] [detail | summary | url-summary] [|] [>]
  Syntax Description
  policy_name
  (Optional) Identifier of an existing policy map that is currently in service (applied to an interface) as an unquoted text string with a maximum of 64 alphanumeric characters. If you do not enter the name of an existing policy map, the ACE displays information and statistics for all policy maps.
  class-map class_name
  (Optional) Displays the statistics for the specified class map associated with the policy.
  detail
  (Optional) Displays a more detailed listing of policy map or class map statistics and status information.
  summary
  (Optional) Displays a summary of policy map or class map statistics and status information.
  url-summary
  (Optional) Displays the number of times that a connection is established based on a match HTTP URL statement for a class map in a Layer 7 HTTP policy map.
  The URL hit counter is per match statement per load-balancing Layer 7 policy. If you are using the same combination of Layer 7 policy and class maps with URL match statements in different VIPs, the count is combined. If the ACE configuration exceeds 64K URL and load-balancing policy combinations, this counter displays NA.

  Hi Dan,
  The url-summary has only been added to the ACE module code at this time.  The A2 code train is only for the module, while the A3 train is only for the appliance.  The good news is that later this year, we will have a new software coming out (A4) that will be the exact same image that can be loaded on either the module or the appliance, hence all functionality will be the same for both (except the acceleration and optimization that only the appliance will support.
  Hope this helps,
  Sean

• Policy map/ class map/ service policy for IOS xr

  Hi,
  I need to create a policy map and class map/service policy to limit the amount of bandwidth that can be used on one interface both in and out.
  I need the cap for the bandwidth to traverse this circuit to ne 10 Meg.
  the IOS xr version we are using is 4.3.4
  I was hoping someone could help me out by giving me a configuration example I could follow.
  Thank you.

  for instance like this:
  policy-map police-in
  class class-default
  police rate 10 mpbs <optionally set burst>
  policy-map shape-out-parent
  class class-default
  shape 10 mpbs <optional burst config>
  service-policy shape-out-child
  policy-map shape-out-child
  class class-default
  queue-limit 10 packets
  int g 0/0/0/0
  service-policy police-in in
  service-policy shape-out-parent out
  also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
  and the support forum article of "asr9000 quality of service architecture"
  xander

• Can't apply service-policy to atm int?

  Attempted to apply service-policy output MPLS-EGRESS to ATM Int:
  class-map match-any GOLD
  match mpls experimental topmost 5
  match ip precedence 5
  class-map match-any BRONZE
  match mpls experimental topmost 3
  match ip precedence 3
  class-map match-any SILVER
  match mpls experimental topmost 4
  match ip precedence 4
  policy-map MPLS-EGRESS
  class GOLD
  priority percent 5
  set mpls experimental topmost 5
  class SILVER
  bandwidth percent 10
  random-detect
  set mpls experimental topmost 4
  class BRONZE
  bandwidth percent 20
  random-detect
  set mpls experimental topmost 3
  class class-default
  set mpls experimental topmost 0
  fair-queue
  random-detect
  interface ATM4/0.102 point-to-point
  description TRUNK LINK TO PE_B
  bandwidth 16000
  ip address xxx.xxx.xxx.xxx 255.255.255.252
  no ip redirects
  no ip proxy-arp
  ip ospf message-digest-key xxx
  no snmp trap link-status
  mpls ip
  pvc PE_B 10/102
  tx-ring-limit 3
  oam-pvc manage
  encapsulation aal5snap
  service-policy output MPLS-EGRESS
  And it *appears* to apply without error, but logs show:
  Jul 28 09:34:32.550 aest: %SCHED-3-SEMLOCKED: Virtual Exec attempted to lock a semaphore, already locked by itself -Traceback= 0x61317864 0x62658A88 0x620F0A4C 0x60DD3668 0x60DD5648 0x6135ABD8 0x61379744 0x62644508 0x626444EC
  Jul 28 09:34:33.870 aest: I/f ATM4/0.102 VC 10/102 class GOLD requested bandwidth 0 (kbps), available only 0 (kbps)
  And ATM4/0.102 does not include the service-policy output MPLS-EGRESS when I do a show run nor when I do a sho policy-map interface?

  Resolved my own issue - I needed:
  vbr-nrt 32000 16000
  under the atm sub int...

• Web service VS Direct DB access

  Hi,
  I am completely new to data warehouse.
  Recently, i need to build a data warehouse that get data from one of the transaction databases for data analysis.
  I am struggling whether i should get the required data by web service or directly access the database. Could anyone advise please? Thanks.
  Regards,
  Shirley

  Hi Hua Min,
  Thanks for your reply.
  I am sorry that i haven't make my question clear. Let me describe more detail here.
  In my data warehouse project, data is extracted from a system (e.g. SystemA) that containing all the transactions information to the database of my data warehouse for further data analysis.  I am thinking of two ways to access the required data from
  SystemA. 1) SystemA provides some web services for required data retrieval or 2) Create a read-only database access role in the database of SystemA for my ETL tool to connect to SystemA's DB directly to grab the required data. Both ways should work but I am
  not sure which way is a better way. Thanks.
  Regards,
  Shirley

• Service Policy won't attach to interface - NO error

  Hi,
  Am doing some simple CE VoIP QoS for a IPSEC/GRE Customer. I try to ATTACH the policy to the tunnel outbound and the command is accepted without any error but nothing appears in the config.
  Here's the base config:
  class-map match-all IPSEC-VPN
  match access-group name IKE_ACL
  class-map match-all ROUTING
  match ip dscp cs6
  class-map match-all NETWORK-MANAGEMENT
  match ip dscp cs2
  class-map match-any VOICE-SIGNAL
  match protocol rtp
  match ip precedence 3
  match ip dscp cs3
  match ip dscp af31
  match ip dscp af32
  class-map match-any VOICE-BEARER
  match ip precedence 5
  match ip dscp ef
  match ip dscp cs5
  policy-map SHAPE-ADSL-UPLINK
  class class-default
  bandwidth remaining percent 50
  random-detect
  random-detect ecn
  policy-map VoIP-QoS
  class VOICE-BEARER
  priority percent 34
  class VOICE-SIGNAL
  bandwidth percent 5
  class ROUTING
  bandwidth percent 2
  class NETWORK-MANAGEMENT
  bandwidth percent 2
  class IPSEC-VPN
  bandwidth percent 2
  class class-default
  (config)# int t203
  (config-if)#service-policy output SHAPE-ADSL-UPLINK
  NOTHING appears in the config and sh policy-map int t100 shows an unapplied policy.
  Using:
  c836-k9o3s8y6-mz.123-8.T5
  Another bug?
  Thx

  Policy should read (nested):
  policy-map SHAPE-ADSL-UPLINK
  class class-default
  bandwidth remaining percent 50
  random-detect
  random-detect ecn
  service-policy VoIP-QoS

• Service-policy output not working in Cisco 3560 switch

  We got some Cisco catalyst 3560 that we want to control the bandwidth
  on the ports. Can this be done, and how do i do it?
  Ive got 3550s that can do policy-map with the interface command;
  service-policy output(and input) <policyname>
  But 3560 only seems to handle service-policy input.
  If i try to configure output, it says the following:
  SW(config-if)#service-policy output 4mbit-out
  police command is not supported for this interface
  Configuration failed!
  Warning: Assigning a policy map to the output side of an interface not
  supported
  Any workarounds or new ways to accomplish bandwith-control on a 3560 ?
  regards,
  Rajib

  The 3560 & 3750 (& 2960) don't support egress policy-maps. They do however support queueing so it is possible to achieve similar results by applying an ingress policer to your user ports to classify (& police?) the traffic, at the egress port you can then queue the traffic based on it's DSCP or CoS value that it was classified with (same as 3550).
  It is also possible to restrict the bandwidth in use at an egress port with the interface command 'srr-queue bandwidth limit <10-90>' where 10-90 represents a percentage of the links bandwidth. For example if you want to restrict a 100Mbps port to 10Mbps you would use the command 'srr-queue bandwidth limit 10'
  HTH
  Andy

• OWSM user name token service policy for a proxy service at OSB

  Hi Friends,
  I am facing an issue while trying for the OWSM user name token service policy Authentication for a proxy service at OSB. I am using the PS4 SOA suite with AIA foundation pack. very first I am login into the EM console and choose the domain<soaosb_domain> form web logic domain I moved to security->security provide configuration. Inside the security provide configuration we have to key store section and I expand that and we have a configure button inside the keys tore. I click that button and it open a new page. In that page I got the Java key store (JKS) as the default key store and in the access Attributes I keep the default key store path and fill password and confirm password fields. Then in Identity certificates I fill the signature key and Encryption key with key Alias as 'orakey' and same password which I am mentioned at access Attributes. I got the message like the key store is created successfully. Then I restarted the server and again I am login into the EM console and choose the domain<soaosb_domain> form web logic domain I moved to security. In security I choose the credentials. In credentials we have create key. In the create key I add the key as hari-key and provide the hari as a user and his password.
  While trying to test the proxy service i am getting the [OSB Security - OWSM: 387253] Failed to initialize OWSM Credential Manager. Please validate the Key store Configuration.
  can anyone please look at this and suggest me how can I proceed for this.
  Thanks
  Hari

  anyone please respond to the above request.
  Thanks
  Hari