Cisco WAN :: 2951 - Using CCP To Create Service To Be Used In Zone Policy

Jan 16, 2012

Configuring a Cisco 2951 router using Cisco Configuration Professional. I have created a zone-based firewall on the router and have created a zone policy for network traffic between two LANs or two zones. I need to create a rule for new traffic that should allow a custom user-defined service to flow between the two zones associated with the two LANs.

The problem is: how do I create a custom service that I can use for the new traffic rule? I created a network service object as shown in the screenshot below. However, when I am adding the new rule, this service object does not appear under the user-defined services in the protocols tree box, as shown in the screenshot below.
What is the proper way to create a custom user-defined service? I was not able to create it using a class map, by the way, because again I did not find the service object group under the user-defined services when creating a class map.



Cisco Application :: ACE 20 Service-policy Out Of Service / Still Able To Connect To VIP

Feb 28, 2012

We have a situation where services are stopped on the real servers. The probes fail and we confirm the services are not running on the server. We cannot access the ports from the ACE directly. We can still, however, access the VIP on the TCP port (L4 VIP class-map). So we can still telnet to the VIP on the port from the client side of the network. This is on ACE 20 modules deployed in routed mode. The software version is A2(3.3).
Tried removing the multi-match and loadbalance policies as well as the class-map and re-applying them, then re-applying the service policy to the interface. Same behavior. This is a problem at another level, as some services are being monitored by GSS via TCP keep-alive and this obviously causes a problem, as the service then never goes off-line.


Cisco Firewall :: 2951 Zone Based Firewall

Feb 16, 2011

I am configuring ZFW on a Cisco 2951 router. The router has the following interfaces: Port-channel 1 and subinterfaces 1.5, 1.10, 1.15 and 1.20, which have been added to the zone called IN-OUT. All the subinterfaces correspond to an internal VLAN. The router is connected to an MPLS network and has a BGP peer on interface MPPP. Over the MPLS network, an encrypted DMVPN tunnel to HQ has been built (tunnel 0). EIGRP is the routing protocol running over the tunnel. Traffic coming in from HQ has to be firewalled on this router (don't ask me why!!). As a result, I am configuring ZFW on this router.
1. The router itself does not need to be protected, only the servers in the remote offices. That being said, I am not planning to create any self zone on this router. I don't want to break BGP, therefore the MPPP interface will NOT belong to any zone. Is this the correct way to do it?
2. The tunnel 0 interface will belong to the OUT-IN zone that will protect all incoming traffic into this site from HQ. So when writing class-maps for the traffic coming INTO this site, do I need to write any class-maps for EIGRP or ESP? My guess is no, since that traffic will not be coming into the site, but rather just terminating on the router.


Cisco Routers :: SR520 Not Criterion In Zone-based Policy Firewall Class-maps

Jan 16, 2012

I'm trying to configure a zone-based firewall on an SR520 and am confused about the 'not' criterion. The zone design guide says (my stress): Class-maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort the traffic based on the criteria listed here. These criteria are specified using the match.
where my intention is to let only LAN hosts with IPs in the range to out through the firewall. There may be an easier way of doing this, which I'd be pleased to hear about. But, even if there is, I'd also be interested to know what I'm doing wrong in the above.


Cisco Firewall :: 2911 - Control Link In Zone-Based Policy High Availability

Jun 26, 2012

I have set up a zone-based policy firewall with HA on two 2911 routers as per the Cisco security configuration guide, for an active/passive LAN-LAN cluster. All works as expected, but there is one problem I find: when the control link between the two devices fails, they go into an active/active state, as each member assumes it is the last surviving member. The ARP entries for the virtual IPs on the neighboring devices point to the device that last claimed the active role (usually the standby device). This works in a way, just sessions don't get synced anymore (the control link is the same as the data link). Now when the link comes back up, preemption works and the active, former standby device goes back to standby. But the ARP entries on the neighboring devices still point to the standby device and nothing goes (also sessions established during the active/active state are lost due to resync with the now active member).
This is a single point of failure and what I need is a way to mitigate that. Under:

application redundancy
group 1
control <interface> protocol 1

only one control interface is allowed. Other manufacturers with similar functionality provide for the possibility of a backup control link, for example the internal LAN interface or a dedicated backup link.
How would I go about that? Maybe use a port-channel for the control/data link (but I'm out of interfaces)?


Cisco Switching/Routing :: Cannot Remove Embedded Service Engine Interface In 2951

Mar 5, 2012

I have removed an embedded service engine module from a 2951 router; after rebooting the router, the service engine interface still appears. Is there any command I can use to completely remove it?


Cisco Firewall :: 1811 / Zone-Based Policy Firewall Configuration

May 16, 2011

I have two 1811s connected in a lab using an IPsec VPN tunnel (using a switch to simulate an internet connection between them). I am trying to configure one of the routers as a ZBPF just to allow a remote Windows login (DC on the firewalled side, workstations on the other side). I'm trying to verify that the ZBPF is working, but it doesn't seem to stop anything. I had match icmp added to the class-map, but took it out to test if ICMP would fail. It didn't. Basically, I don't think the firewall is working at all. Any thoughts on how I can configure this so that the policies will work between zone-pairs?

Here's a quick drawing:

Here are the configurations:

Local router:
hostname sdc-1811-LocalLab
no aaa new-model
resource policy



Cisco AAA/Identity/Nac :: ACS 5.2 - Can't Delete Service Policy

Oct 23, 2011

We are evaluating Cisco ACS 5.2 and I cannot delete a service policy that was created. The message we receive is "the item that you are trying to delete is being referenced by other items". I am new to ACS, but I did go through each tab in the manager multiple times.


Cisco WAN :: 870 Applied ATM Service-policy Output

Nov 30, 2011

I encountered this problem with a Cisco 870 ATM interface. I applied service-policy output; it's accepted, but when you do a show run interface, it's not there.


Diagnostic Policy Service Cannot Start

Apr 8, 2011

I am using Windows 7 32-bit, and my network usually works fine, and my internet has been working fine up until recently. However, about a month ago (maybe more) I noticed a problem that kept cutting me off occasionally and said the Diagnostic Policy Service was not started; I troubleshot it and it was fine. Much more recently this has been happening more frequently and troubleshooting doesn't solve the problem. I can get online for 10-15 mins, then I am cut off again. Restarting the computer often fixes it, but not always. I went to Services and found the Diagnostic Policy Service is not running; I press start and receive this error message.

The Diagnostic Policy Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs. I am quite sure my loss of internet is due to this, as this is a network-related service and what the troubleshooter always finds to be the problem. Other computers/devices in the house connect to the internet fine with no loss of connection, so it has nothing to do with that. I have tried various fixes like uninstalling network adapter drivers and checking permissions in the registry, but it has not worked.


Cisco :: Possible To Have Service Policy On Layer 2 Uplinks To Routers

Jan 10, 2013

I have the following scenario: a pair of Cisco 887VA routers acting as Layer 3 for voice/data VLANs with a pair of 2960 LAN Base switches acting as cores and possibly 2960 LAN Lites hanging off them as access switches. Our service provider has provided an example config where the class-maps match based on DSCP values for the QoS policy applied to the DSL circuits. We can obviously trust the attached phones, but I want to be able to mark data traffic on my core switches based on destination IP/port to allow application definition. My major question is: can I have a service policy on my Layer 2 uplinks to the routers where the linked classes setting DSCP values are based on class-maps matching the contents of IP access lists, while at the same time not remarking the EF-marked packets from the phones?


Cisco AAA/Identity/Nac :: ACS 5.3 Cannot Work With Two Service Policy Rules

Feb 21, 2013

I have an issue with an ACS v5.3 appliance. I have an ACS v5.3 to authenticate wireless users, together with a Cisco WLC. One profile is for corporate users and the second profile is for guests. The corporate users should authenticate with Active Directory and the guests with the WLC. Guest users should authenticate with the ACS local database. I have configured two service selection policies that match the RADIUS protocol. The first rule is for users in Active Directory and the second is for users in the local database of ACS. When I try to authenticate users with Active Directory it is OK, but when I try to authenticate users with the local database (guest portal) the ACS tries to find the internal user in Active Directory, because it matches the first rule, and the second profile cannot authenticate. When I change the order, first the rule for internal users and second the rule for users in Active Directory, the internal users can authenticate into ACS, but the users in Active Directory cannot authenticate. I think my ACS only authenticates the first RADIUS rule to Active Directory, not two RADIUS rules at the same time. Or maybe there is an issue in the OS of the ACS. Authentication done separately is OK.


Cisco WAN :: 7609-S Service Policy Output Command Not Supported?

Sep 26, 2012

I am facing an issue while configuring the service-policy output command on a Cisco 7609-S router with the c7600s72033-adventerprisek9-mz.122-33.SRE2.bin IOS. However, on a router of the same series with the c7600s72033-adventerprisek9-mz.122-33.SRC6.bin IOS, service-policy output is supported. Both have the WS-SUP720-3BXL supervisor.


Cisco Switching/Routing :: 3640 Can't Apply Service-policy?

Mar 21, 2013

I got this 3640 and am trying to apply a service-policy (output and input), but it seems like I am doing something wrong, because it only applies the output policy. Here is the config. I already tried to configure the service-policy inside fa0/0, but it is not shown at all; it only shows the output, as if I never applied it.


Cisco WAN :: 2801 Removes Service-policy Output From Tunnel

Jun 6, 2011

I run a 2801 with 124-24.T3 and I have the following problem: the router is connected to the internet over PPPoE and the ISP breaks this link once per day, so I get:
Jun  7 19:31:56.639 MSK: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
Jun  7 19:31:56.663 MSK: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
and I also have a tunnel interface whose endpoint is accessible over the internet,
so I get:
Jun  7 19:31:56.679 MSK: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel1 68844500 - looped chain attempting to stack
Jun  7 19:31:57.635 MSK: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
Jun  7 19:31:59.199 MSK: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
This is not a problem; the problem is that when the interface goes down the router removes the service-policy output from it, so I receive a message like this every day from rancid:
ip ospf cost 1
ip ospf mtu-ignore
tunnel source Loopback1
tunnel destination
-  service-policy output tunnel_mpr_gre 
and I have to restore the policy manually.


Cisco WAN :: 887VA ADSL - Service Policy Brings Down Link?

Aug 7, 2012

I have installed an 887VA on the end of an ADSL connection. The provider has specified EF 150 on the link. The router is configured using a virtual template.
If the virtual template has a service policy applied, we don't have connectivity to their main site, although the CD and PPP lights are lit. As soon as the service policy is removed, we have connectivity.
We've had three sites with the same problem. Two of the sites don't have QoS specified on the link but had the same problem if the service policy was applied.
Hardware - CISCO887VA-SEC-K9
Software - 15.1(4)M4
=== config snippets
class-map match-all Voice
 match access-group 10
policy-map Dscp
 class Voice
  priority 150
 class class-default
interface ATM0
 bandwidth 1143
 bandwidth receive 12334



Cisco Firewall :: ASA5510 / Create NAT Policy For Two DSL Connections?

Sep 20, 2012

How do I configure our ASA to NAT our two internet connections? At the moment the first works fine.
ISP1 --- NAT ---\
                 ASA5510 --- LAN
ISP2 --- NAT ---/


Cisco Switching/Routing :: Cat 2960 - Map / Service-Policy Input Is Not Working

Nov 10, 2011

I have some trouble with a policy-map on my 2960 or 3560 switches with LAN Base 12.2(53)SE2. I want to use that feature to catch video traffic from webcams in laptops which can't send DSCP values out of the box. This is my test config to check if the function is working (catch all traffic from my workstation for testing):
access-list 101 permit ip any any
class-map match-all CL_TEST

1. I can't see any counters with the command "sh policy-map interface FastEthernet 0/1". Cisco says that this command is not possible. But how can I see if the policy is working correctly?
2. When I did the configuration I couldn't see any packets with DSCP af41 on the outgoing interface of the switch with "sh mls qos int gi0/1 statistic", as I expected. After reloading the switch I see the packets with af41. Okay for that moment. But after that I changed something in the policy-map, only "set ip dscp ef" for a second test.

Generating some traffic, I see only packets with af41, as before I changed the policy-map. No traffic with ef on the outgoing interface.


Cisco WAN :: 1941 / Cannot Apply Service Policy On Multiple Serial Ports

Jul 18, 2011

I've run across a strange issue that I've not encountered before, and after the things I've tried I am beginning to think it's a limitation of the router itself. What I have are 3 Cisco 1941 routers that are all endpoints for a customer's MPLS network. STL is the headquarters and both remote offices have a link back to this router. Each of the remote locations only has 1 serial interface. It is a flat network with few routes and a small ShoreTel VoIP system running across it. Each router is running C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2).
QoS is configured as follows on each router:
class-map match-any AutoQoS-VoIP-Remark
match ip dscp ef
match ip dscp cs3
match ip dscp af31
class-map match-any AutoQoS-VoIP-Control-UnTrust
match access-group name AutoQoS-VoIP-Control
class-map match-any AutoQoS-VoIP-RTP-UnTrust

If I try to apply the policy map to serial0/0/0, I get the following error: 
% policy map utoQos-Policy-Untrust not configured
I've tried to create a different policy map with the same settings and get the same error. We thought that when it was first set up each interface belonged to the same network, so we separated things out (hence the .252 mask). I'm not sure what else to try and I'm hoping it's something painfully simple that I'm missing.


Cisco Firewall :: ASA5510 Delete Default Service Policy Rules?

Jan 7, 2013

We have a problem with some websites being blocked every now and then. Everyone inside can access this external website for weeks, and then suddenly it's not available for a few hours, and then it comes back. All without me making any changes to the firewall, an ASA5510. The external website, which has nothing to do with us, can be accessed from anywhere outside our network, for example on my iPhone through Verizon.
We have not set up any rules about blocking websites; all I found was the Default Service Policy. After backing up and then deleting the rule, we are able to access all sites.


Cisco Switching/Routing :: WS6724-SFP / Flapping Interfaces With Service Policy

Jun 2, 2013

I just configured a C6K VSS with Sup2T, 15.1SY IOS software and a WS6724-SFP module with the following CoS config:
auto qos default 
table-map cos-discard-class-map
map from  0 to 0
map from  1 to 8
map from  2 to 16

After applying the service policy to one interface of the WS6724-SFP module, the policy is deployed to all interfaces of the module. So far that should be OK, but after a short time all interfaces of the module begin to go down and up and down and up ... flapping.


Cisco Firewall :: Negative Counters In ASA 5510 (show Service-policy)

Feb 7, 2012

In my Cisco ASA 5510 on release 8.2, I have a strange behavior in the output of the "show service-policy" command. The issue is that I created a class-map to limit traffic on one of the ASA interfaces and applied it in a service policy. This is the configuration:
access-list ACL-Limitada extended permit ip host srv-proxy any
access-list ACL-Limitada extended permit ip any host srv-proxy
access-list ACL-Limitada extended permit tcp any eq ftp-data
access-list ACL-Limitada extended permit tcp any eq ftp
access-list ACL-Limitada extended permit tcp any eq ftp-data
access-list ACL-Limitada extended permit tcp any eq ftp



Cisco Switching/Routing :: 3750 - Use MLS QoS Trust DSCP With Service-policy?

Dec 24, 2012

I would like to know whether it is possible to use mls qos trust dscp together with service-policy in IOS version 12.2(25)SEE2. This specific version does not allow configuring it like below.
Cat3750(config-if)#do sh run int f1/0/1
Building configuration...


Cisco Switching/Routing :: 3750 Service Policy Output Not Supported

Jan 26, 2009

I have a 3750 switch (c3750-ipbasek9-mz.122-46.SE.bin) where I want to add a bandwidth limit per interface, doing the following:
ip access-list extended customer_A
permit ip any any 
class-map match-all BW_10Mbps

When I try to apply the "service-policy output 10 Mbps" to the interface, it says the service-policy output is not supported on the switch. Is this a software-related issue?

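The two Catalyst threads above (the 2960 marking policy that shows no counters and the 3750 that refuses service-policy output) share the same two platform facts: on the 2960/3560/3750 family, classification and marking happen on ingress with a policy-map, and egress rate limiting is done with SRR per-port commands because an output service-policy is not accepted. The following is an added example written for this page, not configuration taken from either poster or from Cisco's documentation; the subnet, port range, policer rate and interface names are assumptions.

```cisco
! Added example (not from the threads above): Catalyst 2960/3560/3750 QoS.
! Ingress: classify by ACL and mark DSCP. Egress: limit the port with SRR,
! since "service-policy output" is not supported on these platforms.
! Subnet, ports, rates and interface names are assumptions.
!
! Nothing in a policy-map takes effect unless QoS is globally enabled.
mls qos
!
! Assumed laptop/webcam subnet sending UDP in the usual RTP port range.
ip access-list extended ACL-WEBCAM
 remark assumed laptop subnet; webcams cannot mark DSCP themselves
 permit udp 10.10.20.0 0.0.0.255 any range 16384 32767
!
class-map match-all CL-WEBCAM
 match access-group name ACL-WEBCAM
!
policy-map PM-MARK-IN
 class CL-WEBCAM
  set dscp af41
  ! assumed ceiling: 4 Mbit/s, 8 KB burst, excess dropped
  police 4000000 8000 exceed-action drop
 class class-default
  set dscp 0
!
interface FastEthernet0/1
 description laptop with webcam (assumed access port)
 service-policy input PM-MARK-IN
!
! Egress limit: SRR can cap a port to 10-90 percent of its line rate.
! On a 100 Mbit/s port, "limit 10" is the 10 Mbit/s the 3750 poster wanted.
interface FastEthernet0/24
 description customer_A (assumed)
 srr-queue bandwidth limit 10
```

Checks worth doing after applying this: `show mls qos interface FastEthernet0/1 statistics` shows per-DSCP ingress and egress packet counts (this is the counter view that `show policy-map interface` does not provide on these switches), and `show mls qos interface FastEthernet0/1 policers` confirms the policer is attached. If a policy-map that is already attached is edited, remove and re-apply the `service-policy input` on the interface before trusting the counters, and confirm `show mls qos` reports QoS as enabled.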

Cisco Switching/Routing :: Service Policy Input Not Working 6509 VSS

Jan 6, 2013

interface Vlan24
description Internal Wireless Internet
ip address 10.x.0.1


So, I am trying to limit the bandwidth used by this vlan. The service-policy output statement works, the service-policy input statement does not. My test is to get on that vlan and go to My download speeds are about 3.5Mb/s, my upload speeds are about 20Mb/s.
it has something to do with this:
sh mls qos ip
QoS Summary [IPv4]:  (* - shared aggregates, Mod - switch module Sid - Switch Id)
Int  Sid Mod Dir  Class-map DSCP  Agg  Trust Fl   AgForward-By   AgPoliced-By



Cisco AAA/Identity/Nac :: Assign QoS Service Policy Via RADIUS To Catalyst 45k / 3750?

May 4, 2011

Is there a way to assign a QoS service policy via RADIUS to a Catalyst 4500/3750 switchport?
In detail, we would like to assign this policy
policy-map SET_EF
 class class-default
  set dscp ef
to an interface. All traffic should be marked with a defined DSCP value.
This works fine when doing it statically with
interface FastEthernet2/1
 service-policy input SET_EF
but we would need to assign such a policy via RADIUS during the 802.1X authentication. Different users should get different policies. We use Cisco ACS 5.2 as RADIUS server and there actually is a field for that in the Authorization Profile Common Tasks configuration. In detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to a NAS.
We also found two other attributes, "sub-qos-policy-in" and "ip:sub-qos-polcy-in", for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k [URL]
Unfortunately this seems not to work on Catalyst 45k and 37k.
In the ACS logs we can see that these attributes are attached to the RADIUS reply, but unfortunately they are ignored by the switch.
It is interesting that when entering "show aaa attributes" on the Catalyst 45k these attributes are displayed, so to my understanding the switch should understand these attributes (?)
4503-E#sh aaa attributes
        AAA ATTRIBUTE LIST:
        Type=1     Name=disc-cause-ext                 Format=Enum
        Type=2     Name=Acct-Status-Type               Format=Enum



Cisco Routers :: SRP541W Unable To Create IPSEC Policy To ANY (

Feb 26, 2012

Unfortunately, it does not appear as if the SRP500 series will allow you to create an ipsec policy where the local or remote traffic selection is It wants a specific network. I have a scenario where I want to send all traffic over the vpn tunnel.
Is there a workaround to this or a special way to input "ANY" as the remote network?


Cisco WAN :: Unable To Configure Service Policy Output Command In 2921 Router

Apr 25, 2011

I am not able to configure the service-policy output command on a Cisco 2921 router. While configuring I am getting the error below. The same config is working fine on a Cisco 3845 router. I am suspecting a problem with the license in the IOS.


Cisco Firewall :: ASA 5510 / Blocking / Shunning Hosts With Service Policy Rules?

Dec 20, 2012

I have an ASA 5510 deployed and we are getting a ton of port scanning traffic (who isn't these days) and ping traffic. The threat scanning thresholds seem a bit too high and I was wondering if there is a way to use a Service Policy Rule to perform a shun/block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.
In other words, if I do nothing, I know the ACL is protecting the resources, but it is still replying to the client connection. I want the end result to be the same as a "shun", where the connection is dropped and no reply is sent. How do I employ Service Policy Rules to thwart port scanning and/or IP spoofing?

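Automatic shunning of scanners on the ASA is not a Modular Policy Framework (service-policy) feature; it is done with threat detection, and the scanning thresholds the poster finds too high are exactly the knobs it exposes. The following is an added example written for this page, not configuration from the poster or from Cisco's documentation; the rates, the shun duration and the exempted monitoring host (203.0.113.10, a documentation-range address) are assumptions.

```cisco
! Added example (not from the thread above): ASA threat detection tuned to
! shun port scanners, plus unicast RPF against spoofed sources.
! All numeric thresholds and the exempt host are assumptions.
!
! Basic threat detection is on by default; stated here so the dependency
! of scanning-threat detection on it is explicit.
threat-detection basic-threat
!
! Lower the bar for classifying a source as a scanner: measured over a
! 600-second interval, 5 events/s average or 10 events/s burst (assumed).
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
!
! Shun sources classified as scanners for one hour, but never the assumed
! monitoring host, which legitimately probes many ports.
threat-detection scanning-threat shun except ip-address 203.0.113.10 255.255.255.255
threat-detection scanning-threat shun duration 3600
!
! Optional per-host statistics, useful for "show threat-detection statistics
! host" while tuning; costs memory on a 5510, so disable it afterwards.
threat-detection statistics host
!
! Anti-spoofing: drop packets arriving on outside whose source address would
! be routed back out a different interface (unicast reverse-path check).
ip verify reverse-path interface outside
```

Verification: `show threat-detection scanning-threat` lists the sources currently classified as attackers, `show threat-detection shun` and `show shun` show what is actually being dropped, and `clear threat-detection shun` (optionally with a host address) releases a shun early. One caveat on the "it is still replying" concern: an interface ACL deny on the ASA silently drops the packet by default, with no TCP RST or ICMP unreachable, unless `service resetinbound` has been configured; a shunned host gets the same silence but without the ASA evaluating each packet against the ACL.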

Cisco Firewall :: 2901 / ZBFW - DMZ-Zone To In-Zone Access

Jun 9, 2012

I have a Cisco 2901 which terminates a Class C address pool. I have split the Class C address pool into 3 subnets and 2 zones, and created a non-addressable pool (private pool):
dmz-zone: x.x.x.0 TO x.x.x.127 (x.x.x.0/25)
in-zone: x.x.x.128 TO x.x.x.159 (x.x.x.128/27) & x.x.x.160 TO x.x.x.191 (x.x.x.160/27)
private-zone: 192.168.x.0 TO 192.168.x.255 (192.168.x.0/24)
I have configured private-zone NAT to use the address pool x.x.x.161 TO x.x.x.189 within the in-zone.
Within the:
dmz-zone - are servers for DNS, syslog, SIP and HTTP/HTTPS
in-zone - is an SMTP mail server which is behind a VPN gateway/NAT, TomCat (application server) and a PostgreSQL server
private-zone - is where all standard users are operating from, and they can access the SIP and HTTP/HTTPS servers within the dmz-zone
My problem is that I cannot seem to configure the ZBFW to allow the dmz-zone HTTP/HTTPS server to redirect to the in-zone TomCat server.
I do not want to make the TomCat server generally visible and am instead using the Apache proxy/ajp13 to connect from the dmz-zone server to the in-zone server. However, I cannot seem to get anything (including ICMP) to work from dmz-zone to in-zone.
I have Policy:

POLICY-DMZ-IN (dmz-zone to in-zone) which has:
any any udp/tcp inspect
any any icmp inspect
unmatched traffic DROP/LOG
But I still cannot get anything from dmz-zone to in-zone...Could the POLICY-DMZ-IN be being overridden by other dmz-zone to out-zone policies?

NOTE: I have routing rules for each of various sub-nets and all out-zone to dmz-zone, out-zone to in-zone and private-zone to out-zone, in-zone and dmz-zone routing works ok, so it appears problem is with ZBFW not routing table.

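The zone-based firewall threads on this page (the 2951 custom service in CCP, the 2951 zone design with the MPLS/DMVPN uplink, the 1811 lab that does not block anything, and this 2901 DMZ-to-inside case) all come down to the same CLI skeleton: a user-defined service expressed as an object-group, an inspect class-map that matches it through an ACL, a policy-map attached to a zone-pair, and interfaces placed in zones. The following is an added example written for this page, not configuration from any of the posters or from Cisco's documentation; the interface names, zone names, the RFC 5737 addresses (192.0.2.0/24 standing in for the poster's x.x.x.0/24) and the "custom application" ports TCP 8443 and UDP 5060 are assumptions.

```cisco
! Added example (not from any thread above): IOS zone-based firewall allowing
! only a user-defined service, plus ICMP, from a DMZ zone to an inside zone.
! Interface names, zone names, addresses and ports are all assumptions.
!
! 1. The user-defined service as a service object-group.
object-group service SVC-CUSTOM-APP
 tcp eq 8443
 udp eq 5060
!
object-group network NET-DMZ
 192.0.2.0 255.255.255.128
object-group network NET-IN
 192.0.2.128 255.255.255.224
!
! 2. An object-group ACL naming who may use the service and towards whom.
ip access-list extended ACL-DMZ-TO-IN-APP
 permit object-group SVC-CUSTOM-APP object-group NET-DMZ object-group NET-IN
!
! 3. Inspect class-maps. The match-any class lists the L4 protocols the
!    inspect engine should track; the match-all class ANDs it with the ACL.
class-map type inspect match-any CM-L4-PROTOS
 match protocol tcp
 match protocol udp
class-map type inspect match-all CM-DMZ-TO-IN-APP
 match class-map CM-L4-PROTOS
 match access-group name ACL-DMZ-TO-IN-APP
class-map type inspect match-all CM-ICMP
 match protocol icmp
!
! 4. Inspect policy: stateful inspection for the app and ICMP, drop+log rest.
policy-map type inspect PM-DMZ-TO-IN
 class type inspect CM-DMZ-TO-IN-APP
  inspect
 class type inspect CM-ICMP
  inspect
 class class-default
  drop log
!
! 5. Zones, interface membership, and the zone-pair carrying the policy.
zone security dmz-zone
zone security in-zone
!
interface GigabitEthernet0/1
 description DMZ (assumed)
 zone-member security dmz-zone
interface GigabitEthernet0/2
 description Inside (assumed)
 zone-member security in-zone
!
zone-pair security ZP-DMZ-TO-IN source dmz-zone destination in-zone
 service-policy type inspect PM-DMZ-TO-IN
```

Checks that resolve most of the questions above: `show zone security` lists which interfaces are members of each zone (an interface that is in no zone cannot exchange traffic with an interface that is in one, which is a common reason a policy appears either to block everything or to block nothing), `show zone-pair security` confirms the policy is attached in the intended direction, and `show policy-map type inspect zone-pair ZP-DMZ-TO-IN sessions` shows the sessions being inspected. The return direction of an inspected session is allowed automatically, so no in-zone to dmz-zone policy is needed for the replies. Traffic terminating on the router itself (BGP, EIGRP, ESP for the DMVPN tunnel) belongs to the self zone, which is permitted by default as long as no zone-pair involving self is configured, so it needs no class-map of its own.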

Cisco Firewall :: How To Create Mixed Service Ports On ASA 8.4(2)

May 14, 2013

How do I create mixed service ports on ASA 8.4(2)? I need to create a service group which has ICMP, TCP ports and also different UDP ports. Normally you would create different service groups based on TCP/UDP/TCP-UDP/ICMP/protocol and add them to a new nested service group. But I want to create a new service group where you can define everything without the need for different service groups and nesting them into a new one.

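Since ASA 8.3, a service object-group declared without a protocol keyword takes `service-object` entries of any protocol, which is the single mixed group asked for above. The following is an added example written for this page, not configuration from the poster or from Cisco's documentation; the ports, the ICMP types, the ESP entry and the 192.0.2.0/25 network are assumptions.

```cisco
! Added example (not from the thread above): one ASA 8.3+/8.4 service
! object-group mixing TCP, UDP, ICMP and a raw IP protocol, then used in an
! ACL without nesting. Ports, networks and interface name are assumptions.
!
object-group network NET-DMZ-WEB
 network-object 192.0.2.0 255.255.255.128
!
! Declared with no protocol keyword, so each line carries its own protocol.
object-group service SVC-MIXED
 service-object tcp destination eq https
 service-object tcp destination eq 8443
 service-object udp destination eq domain
 service-object udp destination range 16384 32767
 service-object icmp echo
 service-object icmp echo-reply
 service-object esp
!
! The mixed group sits where the protocol keyword would otherwise go,
! followed by source and destination.
access-list ACL-OUTSIDE-IN extended permit object-group SVC-MIXED any object-group NET-DMZ-WEB
access-group ACL-OUTSIDE-IN in interface outside
```

`show access-list ACL-OUTSIDE-IN` expands the group into one ACE per service-object, which is the quickest way to confirm every protocol landed as intended. One caveat: a protocol-less group of this kind cannot be used in the old position after `tcp` or `udp` in an ACE (that slot still expects a TCP/UDP port-object group), so existing `object-group service NAME tcp` groups with `port-object` entries keep their separate form.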

Broadband :: Create Another Network On One TWC Internet Service?

Feb 3, 2013

I fought with trying to hang two old BEFSR41 routers on an incoming TWC cable internet. I have a couple of streams going out and one coming in... and I think there are some collisions going on that cause little urps in the streams. I thought I could put them on two different subnets. Ha. No luck at all so far. The scheme they gave me used a fixed IP and a subnet of now I think I understand why TWC assigned a subnet of 255....252 - so I could only use ONE router. Their little toy is still routing, mine does its thing.. that's it. In order to add another router and a totally different group of PCs on the same bandwidth... I'd have to get into their box and change the subnet scheme to something more open.. 255.....248, or maybe back down to 255...255.0 I guess..


Cisco Switching/Routing :: 7604 WS-X6724-SFP - Can Apply Service Policy To Dot1q Main Port

Jul 9, 2012

Example config

int g2/24
service-policy output test
int g2/24.10
encap dot1q 10
ip address
service-policy output test

