Cisco WAN :: 6509 - Policy Map QoS
Dec 19, 2010
I have the following policy maps on my 6509:
policy-map Customer
 class QoS-voice
  shape average 2000000
 class class-default
  fair-queue
When I apply it to an interface (int vlan1005), I get:
Router (config-if)#service-policy output Customer
shape average command is not supported for this interface
Configuration failed!
This also happens with priority, bandwidth, etc. How can I configure QoS on this 6509 then?
Jan 6, 2013
interface Vlan24
 description Internal Wireless Internet
 ip address 10.x.0.1 255.255.254.0
[Code]....
So, I am trying to limit the bandwidth used by this vlan. The service-policy output statement works, the service-policy input statement does not. My test is to get on that vlan and go to speedtest.net. My download speeds are about 3.5Mb/s, my upload speeds are about 20Mb/s.
It has something to do with this:
sh mls qos ip
QoS Summary [IPv4]: (* - shared aggregates, Mod - switch module Sid - Switch Id)
Int Sid Mod Dir Class-map DSCP Agg Trust Fl AgForward-By AgPoliced-By
[Code].....
Feb 26, 2012
If client gateway = 192.168.64.9 then next-hop = 192.168.64.8 else use default-route 0.0.0.0
I know it's possible to do a route-map match ip-address ACL list. But is it possible to match on gateway?
Some info about hardware and config:
6509-E in VSS (IOS 12.2(17r)SX5) with VS-S720-10G supervisor.
All routes are static, IP for 192.168.64.9 is on SVI vlan.
May 29, 2012
We have a Catalyst 6509 switch, and we hope to use policy-based routing to redirect HTTP traffic to my proxy server. Where can I find a configuration example?
Mar 6, 2012
I need to setup my 6509 with PBR going to two different Firewalls. The 6509 has vlans and multiple serial interfaces. What/where do I install the policy-maps? I want to direct one of the vlans to one firewall and the other vlans and wan subnets to the other firewall.
Nov 21, 2011
I currently have a couple of 6509 chassis (router/switches) with the following hardware blades:
x3 48 ports
x1 NAM
x2 Sup720
Running 12.2(18)SXF3
I am keeping the four Sup720 modules and have purchased new versions of the other blades, including two new 6509-E chassis. Can I take my stand-by Sup720 out of the production machine and insert it into the new chassis?
Nov 29, 2011
We're evaluating the Cisco SM 4.2. After adding my ASA 5520, the policies are discovered from the device except the RA VPN policies. I tried to trigger the discovery process manually and I got this error message:
Please verify the device "IP address", "hostname", "domain name" and "port number" are correct, there is network connectivity between the CS Manager server and the device, and the device is configured to accept https connections, the device is running, and then retry this operation.
I don't understand this, because the other policies were retrieved just fine.
Aug 30, 2011
Sample config for ASA 8.4 L2L VPN using Policy NAT? We could have multiple VPN tunnels terminated on the central ASA and our customer's LAN subnets could be interfering. Basically I need to build something like this [URL] but the problem is that I have ASAs running 8.4
Apr 5, 2012
I tried to configure policy-map under Cisco Catalyst WS-C3560V2-24TS (c3560-ipservicesk9-mz.122-50.SE5.bin).
Dec 14, 2011
I set up a full mesh LAN-to-LAN VPN for a client with 4 sites. Each site has an ASA 5505 running 8.2(5). Site-to-site VoIP traffic runs in the VPN tunnels, as well as traffic to/from a file-server located at the main site. There are two back-up servers, one at the main site and one at a remote site. The main site has 2 bonded T1s and the other three sites have a single T1. How should I go about setting up my QoS?
My top requirement is that VoIP traffic will never be pushed out of the way for data traffic. My secondary consideration is to give more preference to file-server traffic than to web traffic and to make back-up traffic the least important. I'm currently researching to see if the VoIP provider is DSCP marking EF on the VoIP traffic, but I am going to assume they are for now. I know the IP of the file-server and back-up servers.
Jul 6, 2011
I am doing a policy NAT on the following scenario.
access-list policy_nat extended permit ip host 10.0.0.1 host 192.168.1.1
static (inside,outempresa) 170.66.53.1 access-list policy_nat
I understand that when host A 10.0.0.1 wants to connect to host B 192.168.1.1, it's going to be translated to 170.66.53.1. When host 192.168.1.1 wants to connect to 10.0.0.1, the same entry will change the destination when the packet hits the ASA from 170.66.53.1 to 10.0.0.1. Is that correct?
Feb 1, 2012
Why doesn't my 857 adv security have the class-map and policy-map commands? Now I want to use traffic shaping on this, but when I use the command class-map, it doesn't have it. [code]
Feb 27, 2011
How can I configure policy-based NAT to allow ICMP-only traffic on ASA OS 8.4.1 or 8.3? On 8.3 it was very simple:
global (outside) 1 interface
access-list outside_nat_outbound extended permit icmp any any
nat (outside) 1 access-list outside_nat_outbound
May 26, 2013
I have an L2L tunnel I need to convert from 8.2 to 8.6 and need to understand the static policy NAT conversion. I have single hosts that require a 1-1 NAT to addresses given to me by the vendor that reside on my firewall. Other works I have /24s that I static NAT my inside host to so that the vendor can access the host for support.
Example: server 10.11.103.44 (real server on my inside network)
5.5.98.0/24 - Defined for local traffic via L2L tunnel
object-group network Carebridge_Local
 description Mckesson Local network list
 network-object 5.5.98.0 255.255.255.0
[code]......
How would I accomplish the same in Ver. 8.6?
Jun 24, 2012
How to migrate the following VPN (site-to-site) config from ASA 8.2 to ASA v8.3?
ASA 8.2
Aug 22, 2011
I have a weird issue with a QOS policy that I have implemented. Details are below.
This is basically the policy I have created. It is running on a Cisco 877 router (running Advanced IP Services 12.4). The internet connection is an Internode ADSL service.
class-map match-any VOIP
 match access-group name VOICE-OUT
!
!
[Code]....
Oct 16, 2012
I want to set up a VPN tunnel from a Cisco VPN Client in the internet over a fritzbox to the Cisco 876 (Version 15.1(4)M3) so that the VPN tunnel terminates at the Cisco 876. For that reason I used the command "crypto map mymap" on the int fastethernet 1. When I try to connect, the VPN Client opens the window for username and password but then ends with the message "not connected". When I do "debug crypto isakmp" the Cisco 876 shows the message: "phase 2 SA policy not acceptable!". [code]
Feb 21, 2012
I am trying to convert a QoS policy on a 6500 from CAT to IOS as below.
1- Getting an error when I try to apply it on the interface.
2- How can I apply both in one policy map? The IOS converter puts them into two policy maps.
CAT
set qos policer aggregate Limit_WSUS rate 4000 policed-dscp erate 4000 drop burst 1000 eburst 1000
set qos policer aggregate Limit_SCCM rate 4000 policed-dscp erate 4000 drop burst 1000 eburst 1000
clear qos acl all
#WSUS
set qos acl ip WSUS dscp 0 aggregate Limit_WSUS ip host 172.16.9.3 any
set qos acl ip WSUS dscp 0 aggregate Limit_SCCM ip host 172.16.10.5 any
[code]....
Jul 17, 2012
I am prepping new ASA 5525-X's for a client that has multiple S2S VPN's. On some of the VPN connections, I need to do a policy nat to translate some of their subnets to a single IP address before it goes over the S2S VPN. However, when I try to use a subnet, I keep getting the following error:
Subnet cannot be used as mapped source in dynamic nat policy.
This works fine on their old ASAs, which are running 8.2 code. I figured out I can use a network range, but cannot go over 65535 (or whatever it is) addresses in that range. This is very annoying when they have multiple networks they want to allow over the S2S VPN. Is there any way around this, or am I stuck creating a network range for each subnet?
Dec 15, 2010
I have the following very simple policy configured on a Cisco 1841.
policy-map Shape-2Mb
 class class-default
  shape average 2000000
interface FastEthernet0/1
[code]....
I'd just like some clarification on the best ways to monitor this. Looking at the 'sh policy-map int fa0/1' I get this:
FastEthernet0/1
  Service-policy output: Shape-2Mb
    Class-map: class-default (match-any)
[code]...
Some of the sections don't make much sense to me. What is the output of that command?
Apr 11, 2011
I have devices on Inside interface of ASA that need to get to Internet to get ntp. Hence I want to set up dynamic pat (interface overload) which 8.3 style would be
-object network obj_NTP-DEV
-host 192.168.1.250
-nat (INSIDE,INTERNET) dynamic interface
But I need to limit NAT to only Internet-destined traffic on the NTP port, not all ports for traffic from 192.168.1.250. I'm not using this NAT setup to control outbound access. I also have incoming RA VPN tunnels to the box, and traffic from these sources needs to be able to get to 192.168.1.250; the above simple setup would break that access, as all traffic involving 192.168.1.250 would get NAT'd.
Reading the doco, I've sent myself round in loops trying to figure out how you are meant to do such a "Dynamic Policy NAT (overload)" (call it what you will) config in 8.3.
Feb 18, 2011
Dell 3000 xl os 149GB. I set up a home office to try to transfer files to my new one. Once I found out you can't do it. There was a group policy in place. How do I get rid of it? It's interfering with a lot of stuff, including my firewall. Had to buy another.
Nov 1, 2011
I keep getting this on a site-to-site VPN tunnel that I have established to one of our remote offices. EVERYTHING works fine except for the phones. Every time they try to connect I get a flood of the below error:
3 Nov 01 2011 16:06:38 IKE Initiator unable to find policy: Intf DS3, Src: 10.90.4.6, Dst: 10.10.20.20
10.90.4.0 is our phones vlan
10.10.20.0 is the remote site network
.20 is one of the IP phones located there
Tried running it through packet tracer and get this...
I'm not sure where the problem is, as I said ALL domain traffic is flowing back and forth with no issues.
Mar 18, 2013
I have setup a basic PBR config to route Http and Https out of a different interface (fa0/0/0) but for some reason http traffic is still going out of the Gi0/1 interface.
Config attached minus the crypto stuff and the publics have been changed.
Oct 23, 2011
We are evaluating Cisco ACS 5.2 and I cannot delete a service policy that was created. The message we receive is "the item that you are trying to delete is being referenced by other items". I am new to ACS, but I did go through each tab in the manager multiple times.
Aug 21, 2012
Last night I had a crack at setting up PBR on my company's Cisco 1811. Joy, I thought, it's actually working. Alas I was wrong, the addresses were getting translated to our ADSL's external IP address but routed over our EFM. What I want to achieve is to send all HTTP(S) traffic from our workstations over the ADSL (FastEthernet1) whilst all other traffic and VPN goes out over our Bonded ADSL (FastEthernet0). There is also a minor failover in place for traffic routed to the ADSL in the route-map PBR_VLAN1. The servers are on IPs 200, 202, 204 and 240.
Anyway, I have re-written the configuration and xxx'd and x.a/b/c'd all the IP addresses I want to keep secret. Need to make sure that the PBR is correct, and will do what I want it to? I have a very small time-frame to get this correct and I don't want to fudge the bucket so to speak.
Jan 3, 2013
I've done a similar solution before where I put bandwidth inherit on the Dialer interface of the CPE and it inherited the ATM interface speed (the upload sync rate) and prevented the CPE from maxing out and hitting hardware queuing in the DSLAM. I can't seem to find a way to do this downstream from our ASR1K to the customer though.
Platform is ASR1001 with IOS 3.7.2 or 15.2(4)S
Problem description: We have many xDSL users (ADSL2+ and VDSL2). They all sync at different speeds depending on how far they are from the DSLAM.
Example:
Customer A might be connected at 40000kbps/10000kbps (VDSL2)
Customer B might be connected at 5000kbps/600kbps (ADSL)
When they connect and the PPPoE session comes up, the bandwidth on the Virtual Access Interface is equal to the customer's downstream sync rate, so Customer A's virtual access interface, Virtual-Access 2.13, will say 40000kbps, and Customer B's virtual access interface, Virtual-Access 2.39, will say 5000kbps. Using RADIUS, we apply a sub-qos-policy-out to the PPPoE session. I want to shape the customer to 80% of their sync rate so that we do not hit interface congestion in the DSL network, which makes VoIP perform poorly. I cannot use an absolute value for the shape, because the sync rate varies for each customer. The problem I have is that at present the policy-map is using the interface bandwidth of Gi0/0/1 (1Gbit) instead of the bandwidth of the Virtual Access Interface. Therefore the customer is being limited to 800Mbit, which means the QoS policy will never take effect.
RADIUS Config Below:
cisco-avpair += ip:sub-qos-policy-out=QOS-POLICY-OUT-PARENT-DSL
Class Maps
class-map match-any QOS-CLASS-VOIP-RTP-DSL
 match protocol rtp audio
 match access-group name QOS-VOIP-RTP
class-map match-any QOS-CLASS-VIDEO-RTP-DSL
[code].....
Mar 18, 2013
I'm trying to set up a QoS policy on an ASA 5515. I read several pages, but my questions are: how do I set up the real BW, or is it not necessary to do this?
Aug 3, 2011
I'm having this error on the 7609, but for other policies it's working.
Code...
May 15, 2013
Recently we have purchased a few SRP541W for our small branch office VPN sites. While working with the config I have discovered that when trying to create an IPsec VPN policy, I am limited to only one "remote network" entry. This is typically not how VPN tunnels are built. We generally put the following remote networks in the tunnel. How do I open a BUG ticket with Cisco and ask that they change the code?
May 7, 2013
On our public wi-fi network we have an acceptable use policy page that users must accept in order to access the internet. However I would like to exclude a few devices from having to do this. We have a couple of Kindle devices from a vendor that they configured to automatically connect to the internet for updates twice a day. But they cannot accept the policy so they are blocked.
Apr 12, 2011
How can I configure policy NAT on ASA5510? I would like to do the following:
9.1.1.9 NAT to 10.1.1.9
If source IP = 1.1.1.1
then NAT to = 10.2.2.9
the rest NAT to = 10.1.1.9
The issue is I want 1.1.1.1 NAT to 10.2.2.9 when accessing www.example.com. The rest NAT to current NAT.