Cisco WAN :: ASR1002 - Show Policy Map Interface With Nested Class-Maps
Jul 18, 2011
I have a requirement to provide stats on a per-department, per-destination basis between sites. If I take Voice as an example I have 5 child classes referring to the 5 departments each matching EF and a particular access-list that matches the department's subnet. I tie these 5 child classes into a parent Voice class-map.
Now when I issue a "show policy-map interface" command I see stats for the parent class-map only whereas I would expect to see a breakdown for each of the child classes which is what is required.
I am doing this on an ASR1002 running 3.2.2.
Sep 6, 2012
I'm having a (from google-fu) seemingly unique issue with load balancing. So for background, I am running the ACE 4710 device in "on a stick" mode, so I am using NAT and all that good stuff. I am also utilizing class maps and host header matching so I can save on IP space. [code]
Basically, as soon as I add that ACL_CLASS_beta.mainsite.com class map, all I get back from the ACE is RST packets and it comes back with an L7 LB Policy Miss.
It SEEMS like it should work, but it doesn't seem to like matching on those source addresses at all.
Jul 15, 2012
I'm trying to wrap my head around bandwidth guarantee for nested maps. I tried adding a new class to two of my policy-maps today, and got this error:
3945E-1(config-pmap-c)#bandwidth 3000
Insufficient bandwidth 3000 kbps for the bandwidth guarantee
I'm not sure how it knows that with the nested maps and how it's computed. I have a 100mb WAN connection going to 19 branches. I have a class-map that identifies traffic to the individual branch and within that class, a policy-map is applied to prioritize voice over video etc.
Here's the QoS setup:
class-map Branch1-Policy
match access-group branch-1-acl
*
*
[code]....
I was adding the Video-Conf class to both Traffic-6calls and Traffic-10calls when I got the above error. How would that percentage be calculated? I know by default I can only reserve up to 75% of interface bandwidth. The platform is 3945E running 15.1(3).
Jan 16, 2012
I'm trying to configure a zone-based firewall on an SR520 and am confused about the 'not' criterion. The 'zone-design-guide' says (my stress): Class-maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort the traffic based on these criteria listed here. These criteria are specified using the match.where my intention is to let only LAN hosts with IPs in the range 192.168.1.1 to 192.168.1.7 out through the firewall. There may be an easier way of doing this which I'd be pleased to hear about. But, even if there is, I'd also be interested to know what I'm doing wrong in the above.
Aug 21, 2012
I'm currently looking at doing some re-design work for a platform we manage on the ACE. I want to be able to run a single VIP and only do a sticky session based around specific URLs, not all. I've got the following configuration to apply a sticky session to a URL. [code] Notice, under the Policy-map type loadbalance http first-match WEB-POLICY-L7 I have two class statements, one that matches the URL L7 policy and applies a sticky farm and the second class falls into the default. Am I right in saying with this configuration, any http traffic hitting the VIP 192.168.1.1 that does NOT match /urltobedefined.co.uk/test sticky sessions are NOT applied. But traffic hitting 192.168.1.1 that does match /urltobedefined.co.uk/test will apply the sticky policy?
Mar 26, 2013
I recently got myself a Cisco SR520 router with some basic firewall functions built in. This is going to be used for my home broadband, so no need to be really super secure, as it would be for some business. I managed to configure it, however there are a few things on the firewall side which I don't understand.
This router had some default configuration in its flash when I bought it. There are class maps.... how it works or how to add/edit rules. Also, do I need to use class maps, or can they be replaced by ACLs to a certain extent? How to add/edit class map rules to allow a certain port (e.g. 3333). Please see below part of the default config:
class-map type inspect match-any SDM-Voice-permit
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
[Code]...
Feb 1, 2012
Why doesn't my 857 adv security have the class-map and policy map commands? Now I want to use traffic shaping on this, but when I use the class-map command it doesn't have it. [code]
Mar 13, 2013
I have configured a VLAN interface on a 3750 switch. There is approx. 4Mb active traffic flowing through the interface, but when I do a "show interface vlan (vlanid)" the output shows zero bits in and zero bits out. It's a typical L3 config with one IP on the VLAN interface acting as the gateway for the VLAN devices. Is this normal behaviour? And if so, is there any way to get the traffic in/out stats? The end PC/devices are connected to this switch via an L2 trunk and I don't have access to the L2 switch on which the actual devices connect, so I can't get the real-time stats of those interfaces.
Mar 11, 2012
We have an ASR1002 with asr1000rp1-adventerprisek9.03.05.01.S.152-1.S1.bin software. I couldn't find any documentation on how to attach an L2 interface, in my case a subinterface with a single dot1q vlan, to a BDI interface. I'm able to create a bridge-domain interface but it's down down. The command bridge-domain on the subinterface url...
Jun 30, 2010
How to configure SSH on an ASR 1002 and apply it to the Management Interface?
Apr 16, 2013
I have an ASR1002 router and I need my loopback interface to be accessible from the internet. The ISP address space I have is:
46.xx.x.64 255.255.255.192
interface TenGigabitEthernet0/2/0.301
description -=ISP=-
encapsulation dot1Q 301
ip address 46.xx.x.66 255.255.255.248
[code]...
packets transmitted 9, received 0, packet loss 100 %, time 8063 ms
Feb 13, 2012
I have a 1t3/e3 card in a new 2951. When I started the router, I found no interface corresponding to this module when I do "show ip interface brief".
Feb 7, 2012
In my Cisco ASA 5510 in release 8.2, I have a strange behavior in the output of the "show service-policy" command. The issue is that I created a class-map to limit traffic on one of the ASA interfaces and I applied it in a service policy. This is the configuration:
access-list ACL-Limitada extended permit ip host srv-proxy any
access-list ACL-Limitada extended permit ip any host srv-proxy
access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp-data
access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp-data
access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp
[code]...
Mar 28, 2013
We use Cacti to get interface statistics of an ASR1002 router (version 03.04.02.S.151-3.S2). A new GRE tunnel has been created, but unfortunately we are not able to get the basic interface average during the day. What is surprising is the fact that the graphs are built at night only.
It seems as soon as we exceed some level of bandwidth (~ 700-800k) the tool does not get the information. The OIDs I try to get are ifHCInOctets (.1.3.6.1.2.1.31.1.1.1.6) and ifHCOutOctets (.1.3.6.1.2.1.31.1.1.1.10) and some other interface statistics for both 64 and 32 bits. [code]
View Related
Sep 6, 2012
Class and policy maps are defined properly, but when I apply the policy-map on the interface, it throws the error "'set' command is not supported in a 2nd level policymap".
Class/Policy map configuration given below ....
class-map match-any cm_traffic_control
match access-group name acl_traffic_control
class-map match-any BE
match access-group name be
[Code] ....
Nov 15, 2012
When I try to apply an ACL to a port on my SGE2010P, I get the following error: Can't bind acl/policy-map to an interface when the security suite is enabled in a per-port mode. I don't see an option where I can set the security suite mode.
Aug 30, 2010
I've got a Cisco 877 router connected to an ADSL link. I'm using the show dsl interface atm just to have a look at its performance. I've tried to search on the Cisco website on how to interpret the output but a blog gave me more info [URL]. My question now is, what readings do I consider? Is it on the left (ATU-R) or on the right (ATU-C)?
877ROUTER#sh dsl int atm0
                  ATU-R (DS)    ATU-C (US)
Modem Status:     Showtime (DMTDSL_SHOWTIME)
DSL Mode:         ITU G.992.1 (G.DMT)
ITU STD NUM:      0x01          0x01
Vendor ID:        'ALCB'        'ALCB'
Vendor Specific:  0x0000        0x0000
Vendor Country:   0x00          0x0F
Capacity Used:    31%           85%
Noise Margin:     34.0 dB       10.0 dB
Output Power:     16.0 dBm      12.0 dBm
Attenuation:      10.0 dB       6.0 dB
Defect Status:    None          None
Last Fail Code:   None
Selftest Result:  0x00
Subfunction:      0x15
Interrupts:       1453 (2
[code]....
Oct 8, 2009
I have an issue with my Cisco 2801. The logs show me that the interface FE0/0 comes up sometimes but never shows the down state. I receive my internet service on this interface but never lost the connection, just this log information:
Oct 7 18:39:32.412: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
Oct 7 18:39:41.448: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
Oct 7 21:57:20.775: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
Oct 8 02:29:31.350: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
Oct 8 02:55:12.362: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
[code].....
The IOS version that is running is
flash:c2801-adventerprisek9-mz.124-24.T1.bin
Jul 15, 2012
I'm trying to troubleshoot one of our sites today and can't seem to issue the show dsl interface command on a 1841 router. Is the same command used for SHDSL, or am I running with an IOS bug?
#sh dsl?
% Unrecognized command
#sh ver
Cisco IOS Software, 1841 Software (C1841-BROADBAND-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Technical Support: {URL}
Compiled Wed 13-Aug-08 15:42 by prod_rel_team
#sh inv
NAME: "chassis", DESCR: "1841 chassis"
PID: CISCO1841 , VID: V05 , SN: FHK13212639
NAME: "WIC/HWIC 0", DESCR: "WAN Interface Card - ATM (With multi line G.SHDSL module)"
PID: WIC-1SHDSL-V3 , VID: V02 , SN: FOC132041KD
Jul 24, 2012
I'm unable to apply a policing limit in a switchport of the CISCO861 router. This is my configuration:
interface FastEthernet0
service-policy input wired-input
service-policy output wired-output
end
Aug 29, 2011
I have configured a QoS policy and I am trying to apply the policy to a VLAN interface which is physically connected to a switch module port of a 3845 Router. When I try to apply, the message "configuration failed" appears.
May 1, 2013
I have a 3560G that I cannot apply a policy route-map to one of the VLAN interfaces. I am running up to date software, c3560-ipservicesk9-mz.150-2.SE2 and it accepts the command, but does not show it in the sh run of the interface. I updated to this code as I had seen previously someone said it needed to be version 15 before you could apply route-maps to VLAN interfaces.
Feb 24, 2013
I have encountered a problem on my Cisco 805 model.
When I use the command "show ip interface brief" the status shows "up" but the protocol is "down" on my serial interface.
The link between my two sites is down after this happened.
Mar 4, 2011
Is it possible to establish PBR rules that set the ip next-hop to point directly to the inside interface of the ASA5550? Or, do I need to direct this PBR traffic first to a directly connected router interface and then default route to the ASA? At a high level, here's what we have:
ISP 1 - with /21 IP Prefix
No BGP Routing
3845 Edge Router - Default Route to ISP 1
PIX535 Firewalls (HA) - Default Route to Edge Router
LAN Core/Distribution - Default Route to PIX535 Inside Interface
All applications/services use this egress path for PAT/NAT/DMZ/VPN/Etc.
Here's what we are adding:
ISP 2 - with /24 IP Prefix
No BGP Routing
3925E Edge Router - Default Route to ISP 2
ASA5550 Firewalls (HA) - Default Route to Edge Router
Same connectivity to LAN Core/Distribution
Goals:
Maintain ISP 1 for now
Migrate only end user Internet traffic to ISP 2
No disruptions to applications/services using current DefGW to PIX535
Question: how to best use PBR to selectively direct traffic to the ASA inside interface?
Apr 23, 2012
I'm trying to add an outbound policy on a Layer 3 interface on a 6500. This will be used to prioritize voice traffic. The environment contains 2 sites with 2 6500's each with VSS and a metro Ethernet link between them. I seem to be having problems prioritizing the voice across this link.
Mar 23, 2012
I read the User Guide section on Internet Access Policy for the Linksys E3000 but I could not find this menu to create a policy from the web interface. I have the latest firmware version (1.0.04 Build 6).
Dec 20, 2012
We are running ACS 4.0, so understandably we are looking at upgrading to a Cisco supportable version of ACS. The limitation of our current version of ACS does not support nested AD groups. The latest version of ACS (I think it is 5.4) will?
Jan 16, 2012
I'm troubleshooting a 3750 switch stack problem where computers are showing input and CRC errors. I'd like to be able to execute a "show interface" command that will show me only the line showing the switch port and the line showing the input errors, but so far I can't figure out a way of combining those two parameters.
If I do "show interface | include Ethernet[0-9]" I get all the lines showing the port numbers:
GigabitEthernet1/0/1 is up, line protocol is up (connected)
GigabitEthernet1/0/2 is up, line protocol is up (connected)
GigabitEthernet1/0/3 is up, line protocol is up (connected)
[Code].....
Nov 5, 2012
C1921, running version 15.1(4)M2, with licence for "IP base" feature set only. Trying to pass multicast via a PPTP VPN from a Windows XP machine to work around a non multicast-aware WAN link.
1. With the IP Base feature set I am able to create a plain PPTP VPN without any encryption; the Windows XP machine can bring it up and unicast data passes through it OK in both directions.
2. But when trying to send multicast, only one-way traffic is observed:
i. Windows XP host on far end of PPTP VPN and a local PC both running old Microsoft tool "MPING.EXE", sending and listening for traffic on the group 225.100.101.102
i. The distant host receives and echoes back the packets received from the local machine + sending its own (confirmed with Wireshark running at the far end)
ii. But the local machine directly connected to the C1921 router does not hear any packets from the far end; Wireshark shows only the ones it is sending.
3. Group status ("show ip igmp membership") as far as the C1921 is concerned shows both ends (192.168.50.10 (local end) and 192.168.50.201 (distant end via the PPTP VPN)) joined to the group [code]
4. But "show ip mroute" for that group shows an error; for the source on the far end of the PPTP VPN (having the IP address 192.168.50.201), the source interface is incorrectly shown as GigabitEthernet0/0 (should be Virtual-Access2.1 for that PPTP VPN) and the outgoing interface is shown as Virtual-Access2.1 [code]
5. I have tried adding static mroutes and messing about with parameters for the virtual-template interface for the PPTP VPN, but the problem remains. And if I put another local PC onto a different Ethernet port of the router, the multicast traffic does flow both ways - so the issue is solely with the PPTP VPN. After a week of head-scratching I am getting more and more convinced that it's a bug... but wonder if it is already-known, has a workaround, or a fix in newer firmware?
May 17, 2012
I'm dealing with a 4506 switch that when I try to apply "sh auth sess int xx" I get "Invalid Input Detected" ... Is there any way that I can get the authenticated session over a port even if I can't apply "sh auth sess int"?
May 8, 2012
Is there any way of showing the currently assigned ip address for an interface configured to use DHCP on an ASA 5505?
Aug 22, 2012
I'm probably overlooking something very simple but is there a command to show the uptime of a router interface in days, hours, minutes?
Mar 5, 2013
I have a really weird thing happening on a 6509 device with one of my customers. The device has a SUP 2 (MSFC2) with version 12.2.18SXF17B.
Any VLAN interface, once administratively down or simply down, shows in the "show interface status" output as VLAN, while it is supposed to show "Routed". However, once the port is up it shows "routed" like it should.