Cisco Switching/Routing :: Policing Traffic On 4510?
Nov 21, 2012
I have two servers on one subnet that each need to replicate to a single server on another subnet. They also need to replicate to each other. This replication is unidirectional so I will refer to the 2 server subnet as the source subnet and the single server subnet as the destination subnet. In order to keep this replication running without killing the MPLS links on either end, we are trying to use a policy-map that limits bandwidth from the source subnet.The Problem:We have created a policy that polices traffic during specific times of day and limits the bandwidth as prescribed, however, bandwidth is also being limited between the 2 servers on the source subnet which is not needed or desired.Class 512K set dscp ef police 1024000 bps 1024000 byte conform-action transmit exceed-action dropClass Map match-any 512K (id 4) Match access-group name DAGExtended IP access list DAG 10 permit ip host 10.20.0.3 host 10.20.0.10 time-range DAG-REP (active) (22793 matches) 20 permit ip host 10.20.0.4 host 10.20.0.10 time-range DAG-REP (active) (14156 matches)The service policy is applied on the input side of the 2 interfaces on which our devices are connected.As you can see, the access list identifies the interesting traffic as traffic from two specific hosts to one specific host. The problem we are having is that bandwidth is also being throttled between the two source hosts even though it is not defined to do so.What can I do to limit traffic from the two source devices to the single destination device without limiting bandwidth between the two source devices?
View 1 Replies
ADVERTISEMENT
Apr 24, 2012
I am looking to find a command or counter to tell me if a cisco switch port on a 4510 was ever up and passed traffic. I want to shutdown all unused switchports on our access switches. But before I do that I need to make sure device is just not off or the person is away on vacation. If I do sh int interface, is there a counter I can reference.
View 4 Replies
View Related
Mar 22, 2012
I have configured Span port on our 4510. We have an application 5view server to monitor trafic connected to G9/17 Since we have changed the network connection from physical Giga port and add a Port-channel instead, we don't see any more trafic from the new Port-channel to G9/17
We have the configuration below on our 4510 :
monitor session 1 source interface Gi4/6
monitor session 1 source interface Po20
monitor session 1 filter vlan 311 - 312 , 375
monitor session 1 destination interface Gi9/17
From the commands show, we don't see the trafic duplication from the source to the destination port :
Port Source
4510-5567#sh int po20
Port-channel20 is up, line protocol is up (connected)
Hardware is EtherChannel, address is 0016.9de2.a818 (bia 0016.9de2.a818)
[Code].....
View 2 Replies
View Related
Mar 10, 2011
We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
View 1 Replies
View Related
May 29, 2012
Any way of policing traffic on the Nexus 3k platform? I can't find a reference to say policing/shaping is supported.
View 5 Replies
View Related
Jun 6, 2012
I would like to apply policing on a C3750 interface, for all traffic matching 10.0.0.0 / 8, except for sub net 10.0.0.0 / 24. I plan to apply the following configuration, with an ACL that denies 10.0.0.0 / 24 then accept 10.0.0.0 / 8. I am quite sure of the answer but need a confirmation about the following configuration correct ? (10.0.0.0 / 24 will be not blocked, and no policing will be apply on it?)
ip access-list extended TEST
deny tcp 10.0.0.0 0.0.0.255 any eq 5000
permit tcp any 10.0.0.0 0.255.255.255 any eq 5000
[code]....
View 2 Replies
View Related
Feb 25, 2012
I want to take 100Mb incoming from a service provider and police it off into several VRFs for customers.One of these VRFs will be 30M.I further need to traffic shape this (30Mb) out to 40 x 0.75Mbps (burstable to 30M) customers.
I am using an ASR1001.
View 2 Replies
View Related
Jan 17, 2012
I have a customer who requires to identify and police traffic on egress on a 3560 trunk link. I cannot use ingress classifications because we do not know what route the traffic will take yet. The egress interface connects to multipoint wireless equipment with 4 different bandwidth point to point links. So the ingress traffic may be routed via any one of 4 point to point wireless links connected to the single egress interface. Am I correct in assuming we cannot mark on the egress direction then put the traffic in a SRR shaped egress queue based on the marking ? So we would only have the option to egress queue based on markings applied or trusted on the inbound direction ? I had thought of some kind of policy map/aggregate policer configuration based on the exit VLAN but it seems we can only apply this type of config inbound. From reading the 3560 configuration guides it seems the 3560 cannot deploy the kind of requirements this customer needs. Perhaps they should have deployed some kind of Metro switch ?
View 1 Replies
View Related
Dec 11, 2012
dont seem to be able to get policing working inbound on a port 3750X v 15.0(2)
Config is below:
ip access-list extended SMB
permit tcp host 192.168.1.14 host 172.16.1.30
permit tcp host 192.168.1.14 host 172.16.1.31
[Code]....
View 6 Replies
View Related
Jan 3, 2012
Trying to control capacity utilization for guest users connecting to a 2960 switch. No problem for IPv4 users, but IPv6 is giving me fits. What I've found out by trial and error so far implies that there is just enough IPv6 smarts in a WS-C2960-24TT-L running c2960-lanbasek9-mz.150-1.SE to make it impossible to control IPv6 traffic. Blocking IPv6 would be sufficient short term, but MAC filtering on type 0x86DD does not appear to work either. Here are the results I've gotten so far:
What "works":
* Protocol ipv6 or an IPv6 ACL in a class map.
* Using a class map referencing ipv6 protocol or an ipv6 ACL in a policy map.
* IPv4 inbound filters and policing.
* Blocking of IPv4 traffic by a MAC ACL blocking type 0x0800 (IPv4) - note that the docs explicitly state that MAC filters do NOT filter IP traffic, except for on this box on this release they do.
What does not work:
* Applying a policy map referencing a class map referencing protocol ipv6 or an IPv6 ACL to an interface. The service policy is accepted by the parser, but is not inserted into the running configuration.
* "class-default" in a policy map only matches IPv4 traffic, not all other traffic.
* Blocking of IPv6 traffic by a MAC ACL blocking type 0X86DD. No problem applying the access-group to the interface, it just doesn't do anything.
I am aware that this box is not supposed to support IPv6 other than for multicast, but as implemented, this is a hole an abuser could drive a MAC truck through.
My questions:
Is this situation unique to this particular 2960 switch or SW release (I also tried 12.2(58)SE2) or does it afflict all 2960's running LANbase?
Assuming the answers to the first two question are negative, what is the minimum requirement to get working IPv6 policing in an edge switch?
View 0 Replies
View Related
Nov 27, 2011
I am configuring a 3560 to provide internet access for our customers and I need to make sure they don't use more bandwidth than they have contracted for.I see that the 3560 supports the rate-limit command, but was told that I should use traffic shaping and policing along with access lists to manage the bandwidth.Is there a reason that I should avoid using the rate-limit command - it looks much simpler.
View 10 Replies
View Related
May 5, 2013
I am trying to configure traffic policing on a 7609 with ES20 line card - however it doesn't appear to be working. The customer is randomly getting DoS attacked, and the policy doesn't appear to be dropping any exceed/violate traffic.This is an egress policy on a sub-interface.
View 5 Replies
View Related
Feb 8, 2011
I have lots of PPPoE users that get Virtual Access interfaces created upon login based on a virtual template. I need to traffic shape them. I know how to get it to work on an individual basis, because the policing within a service policy works fine. As soon as i change it to shaping it leaves things wide open.I really dont care how it gets done, I just need to be able to specify a speed to be traffic shaped and apply that to a virtual template. I need to limit speeds on the download and upload, i understand that the upload i will use the policing, but the download i need it to smooth out the flow and be traffic shaped, not policed.
Here is my Policies and classes:
***
policy-map CHILD class class-default bandwidth 1650policy-map PARENT class class-default shape average 1650000 service-policy CHILD****
Here is my Virtual Template:
****
interface Virtual-Template8 description pppoe-auth-FTTH ip unnumbered FastEthernet0/0 ip access-group subs-in-FTTH in ip mtu 1493 timeout absolute 6120 0 peer default ip address pool FTTH-POOL ppp authentication pap pppoe-auth ppp authorization pppoe-auth ppp timeout idle 84600 service-policy output PARENT
[code]....
The results i am getting is unrestrcited throughput, i am seeing about 40mb of throughput when the target is to limit to 1.65MB. As you can see from the output the PARENT class is seeing 279116 packets, but the shaper only saw 59. In all the examples i see on the internet these two numbers should be the same. Why is the shaper not acting on all the traffic crossing that class/policy?
Hardware/IOS:
Cisco IOS Software, 7200 Software (C7200-IK9SU2-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
View 11 Replies
View Related
Oct 31, 2011
I am having issues working on my QOS between 4510 and 3550 switch connecting on layer 3 through a service provider. I have class maps and policy map setup on both sides and then policy map attached to interfaces however i dont see any traffic matching in policy map on 3550 switch, i do see some traffic matching on 4510 but the speed with which its increasing has my doubts about it. When i make voip calls ( VOIP switches are sitting behind 3550 and are mainly 3550 pwr 24 port switches with phone ports configured for auto qos voip cisco-phone and trusting cos) i rarely see the RTP matching in class under policy map.
View 5 Replies
View Related
Apr 11, 2013
I am currently running 12.2 (53) and am looking to move up to the 15+ train. Are there any pre-reqs prior to the upgrade that any one is aware of?Unfortunately I have no "lab environment" to test it in. I have production switches with minimal impact to the campus and if done late night I could have it restored back before open of business the following morning. My FW is up to the latest version and I have found nothing in the release notes specifically stating that there would require any stepped upgrades up to v15 and higher.
View 6 Replies
View Related
Jun 11, 2013
We have an issue where switches are failing weekly in a switch closet. In the past month we have gone through several 3750G switches and a couple 4510s. The power supplies have eventually made a popping noise and had to be replaced. on the 4510s we've tried two chassis and gone through several power supplies.The switches have been behind UPS systems so should be receiving conditioned power.Could load from the PoE devices really be causing this? I wouldn't think it's power since they are behind a UPS.
View 5 Replies
View Related
Jul 10, 2012
This has been happening repeatedly time to time! we just replace the part! But now it has come to trouble us again.It happening only in one module like 6 to 10 ports wont work.
we run IOS cat4500e-universalk9.SPA.03.02.00.SG.150-2.SG.bin will there be any bug in it?
View 10 Replies
View Related
Jul 23, 2012
We have multiple switches(Cisco 4510, 4507R, 3560's) within our network. I've been looking over the port settings between them and noticed that not all ports that are connected directly from switch to switch are trunked the same. Some are desirable on one switch and forced truck on the other switch.
View 5 Replies
View Related
Sep 4, 2011
I am using Cisco 4510 Switch with Default LAN Base image. Now I have purchased 10G Upgrade license. The part number for Upgrade license is WS-C4500-10G-LIC. I have received a CD from Cisco (named as 'Includes License and Warranty'). Any License upgradation is required for this license? Or this is only a paper License.
I could not find out any .lic file on the CD. Also there is no paper with PAK.
View 3 Replies
View Related
May 3, 2012
I just upgraded all of our switches on campus to Version 15.0(2)SG4 after about a month of testing. On two switches so far, we are seeing that clients can not connect, and the switch isnt detecting a link. I dont see anything out of the ordinary in int status, port-security, or errors on the interface. Plugging in a different computer does nothing. Only thing that works, is a shut, no shut of the interface. After that, its connected.
View 7 Replies
View Related
Apr 4, 2013
I have a Catalyst 4510 that is running IOS version 15.X that has a bug and Cisco recommends upgrading the IOS. Are there additional steps required to perform an IOS upgrade due to licencing Cisco put in place?
View 5 Replies
View Related
Oct 27, 2010
I am planning to enable MAC address filtering (one port on 4510 & another 3560). I want to allow only that MAC address to communicate via that port with the rest of the network and internet.
4510 has PC connected and 3560 had polycom connected. [code]
View 5 Replies
View Related
Mar 2, 2013
I have cisco 2960 and Catlyst 4510 switches now we are planning to implement IPV6.
i have the fallowing IOS on my switches.
C2960-lanbasek9-mz.122-50.se5
Cat4500e-entservicesk9-mz.122-54.sg1.bin
The above ios will support for IPV6 or I have to purchase new IOS, which version will support.
View 1 Replies
View Related
Feb 21, 2013
I got a 6509 version 12.1(22)E2 that I am replacing with a 4510E version 3.40SG with Supervisor Engine 7-E. The 6509 is configured with 20 channel-group for dual fiver connection to ten 3550 switches with trunking enabled with isl encapsulation. The 6509 is the VTP server to each of the 3550 switch clients. There are 40 Microsoft Servers attached ot the Gig RJ45 port modules.
I have attached the 4510 to the 6509 with dual fiber connection configured as a channel group with trunking enabled. I am configuring the 4510 the same as the 6509 except I have to use trunking with dot1q encapsulation because isl is not supported on the 4510. I no longer want to use VTP with the 4510 and have set the it as transparent mode. Each of the 3550 switches are changed from isl trunking encapsulation to dot1q and VTP mode is changed to transparent when they are moved from the 6509 to the 4510.
I want to move the switches over a few at a time and not all at once. The first 4 switches attached with no problems and ran with no problems for the user access to the servers still on the 6509 for a week. Then I found out DHCP was not working for the devices attached to the switches on the 4510. I moved one of our domain controllers form the 6509 to the 4510 to fix the DHVP problem. I have now added 2 more switches with users that use an application on a server still on the 6509 and they are getting disconnect errors after logging into it and using it. Other applications on different server also on the 6509 are having no problems. I moved the switches back to the 6509 to get the users up during business hours. I now plan on moving the server for the application that was failing to the 4510 in hopes that it will fix the problem.
Is there something I can do to speed up the connection between the 6509 and the 4510 so I can continue this transition without having to move the servers to the 4510 as I move the users?
View 1 Replies
View Related
Sep 26, 2012
I need to convert configuration from CatOS on 4006 to IOS on 4510. I am unable to find the conversion tool.
View 5 Replies
View Related
Nov 30, 2011
We are facing issue related to STP.I am getting MAC FLAP error on Cisco 4510 switch. The effect on network is intermittent Pkt drops in the network. When I checked the specific Ip address I am getting the same with two different. [code] Vlan is created on CORE switch and assign priority 0 than CORE switch should be the Root. but instead Root port is becoming the port where server is connected. Server at last connected to CORE switch via HP switch via other Vlan to CORE switch and creating a loop as shown in Diag. [code] The Priority of Vlan 102 is changed and Root port has been changed due to that. The Bridge ID is the same as CORE switch.
View 7 Replies
View Related
Mar 10, 2013
I am planning on deploying a 2960 switch and will need to uplink it to a 4510 switch. There are 2 TenGig Ports available and I was thinking of uplinking one of them to the 1Gb SFP port on the 2960. Would this work?
View 4 Replies
View Related
May 1, 2012
I just upgrade a license on a cat 4510. The license installed but the EULA was not accepted and it will not upgrade to the new feature set.
View 1 Replies
View Related
Mar 17, 2013
We are getting below errors on our Cisco 4500 Switche PS after Power Down activity.
Switch1
------------------ show power detail ------------------
Power Fan Inline
Supply Model No Type Status Sensor Status
------ ---------------- --------- ----------- ------- -------
PS1 PWR-C45-4200ACV AC 4200W good good good
PS1-1 off
PS1-2 220V good
PS2 PWR-C45-4200ACV AC 4200W err-disable good good
PS2-1 220V good
PS2-2 220V good
*** Power Supplies of different type have been detected***
00:01:02: %C4K_CHASSIS-3-MIXINPOWERDETECTED: Power supplies in the chassis are of different types (AC/DC) or wattage(code)
View 1 Replies
View Related
Oct 23, 2012
I'm having some trouble with a 4510 Switch Line Card. I need some recomendations for troubleshooting it.We have some PoE phones connected to the card number 3. When those phones were restarted, they did not go up again. In order to discard wiring issues, we connected the phone directly to the card 3, and the phone did not go up. If the phone is connected to a different card, it goes up correctly.
Additionally, to restore the service, these phones were migrated to other cards, but when we disconnect the equipment, ports in line card 3 remain in an up / up state (and nothing is connected to those ports!!), and only reflect the actual state after restarting the port.What steps could I do in order to troubleshoot this issue?. What should I look for, or how do I discriminate the problem? Might it be a hardware issue, a PoE issue?
View 3 Replies
View Related
Apr 2, 2012
My internet link is connected on Internet Router & below downwards Cisco ASA 5520 is connected.ASA is connected with core switch cisco 4510 on downwards. our web based mail [URL] is hosted outside.
Lets suppose ISP pool is 4.4.4.0/28.suppose owa server is Static natted on ASA with 4.4.4.4. my machine traffic is going to internet with same ISP with PAT on Cisco ASA & internet is working on my machine. if i want to access {URL} or ip base for mail access, its not working & also it is not pinging. i suppose to ASA is blocking for returning traffic.
is there any way to traffic will go via same Firewall & comeback on same firewall port?
View 1 Replies
View Related
Feb 17, 2013
I've got a Cisco 4510 which shows a system uptime in excess of 56 years. [code]
View 11 Replies
View Related
Apr 23, 2013
Are you only able to have two sessions for port mirroring on a Cisco 4510?
View 1 Replies
View Related
