I am trying to configure traffic policing on a 7609 with ES20 line card - however it doesn't appear to be working. The customer is randomly getting DoS attacked, and the policy doesn't appear to be dropping any exceed/violate traffic.This is an egress policy on a sub-interface.
View 5 RepliesWe are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
View 1 Replies View RelatedI cannot eliminate the lines vty in my Cisco 7609 router when I write show users, I obtain the following thing: [code]
View 2 Replies View RelatedI want to take 100Mb incoming from a service provider and police it off into several VRFs for customers.One of these VRFs will be 30M.I further need to traffic shape this (30Mb) out to 40 x 0.75Mbps (burstable to 30M) customers.
I am using an ASR1001.
I have two servers on one subnet that each need to replicate to a single server on another subnet. They also need to replicate to each other. This replication is unidirectional so I will refer to the 2 server subnet as the source subnet and the single server subnet as the destination subnet. In order to keep this replication running without killing the MPLS links on either end, we are trying to use a policy-map that limits bandwidth from the source subnet.The Problem:We have created a policy that polices traffic during specific times of day and limits the bandwidth as prescribed, however, bandwidth is also being limited between the 2 servers on the source subnet which is not needed or desired.Class 512K set dscp ef police 1024000 bps 1024000 byte conform-action transmit exceed-action dropClass Map match-any 512K (id 4) Match access-group name DAGExtended IP access list DAG 10 permit ip host 10.20.0.3 host 10.20.0.10 time-range DAG-REP (active) (22793 matches) 20 permit ip host 10.20.0.4 host 10.20.0.10 time-range DAG-REP (active) (14156 matches)The service policy is applied on the input side of the 2 interfaces on which our devices are connected.As you can see, the access list identifies the interesting traffic as traffic from two specific hosts to one specific host. The problem we are having is that bandwidth is also being throttled between the two source hosts even though it is not defined to do so.What can I do to limit traffic from the two source devices to the single destination device without limiting bandwidth between the two source devices?
View 1 Replies View RelatedI have lots of PPPoE users that get Virtual Access interfaces created upon login based on a virtual template. I need to traffic shape them. I know how to get it to work on an individual basis, because the policing within a service policy works fine. As soon as i change it to shaping it leaves things wide open.I really dont care how it gets done, I just need to be able to specify a speed to be traffic shaped and apply that to a virtual template. I need to limit speeds on the download and upload, i understand that the upload i will use the policing, but the download i need it to smooth out the flow and be traffic shaped, not policed.
Here is my Policies and classes:
***
policy-map CHILD class class-default bandwidth 1650policy-map PARENT class class-default shape average 1650000 service-policy CHILD****
Here is my Virtual Template:
****
interface Virtual-Template8 description pppoe-auth-FTTH ip unnumbered FastEthernet0/0 ip access-group subs-in-FTTH in ip mtu 1493 timeout absolute 6120 0 peer default ip address pool FTTH-POOL ppp authentication pap pppoe-auth ppp authorization pppoe-auth ppp timeout idle 84600 service-policy output PARENT
[code]....
The results i am getting is unrestrcited throughput, i am seeing about 40mb of throughput when the target is to limit to 1.65MB. As you can see from the output the PARENT class is seeing 279116 packets, but the shaper only saw 59. In all the examples i see on the internet these two numbers should be the same. Why is the shaper not acting on all the traffic crossing that class/policy?
Hardware/IOS:
Cisco IOS Software, 7200 Software (C7200-IK9SU2-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
I have a cisco 7609 running IOS version c7600rsp72043-advipservicesk9-mz.122-33.SRE0a.bin with the following modules..
sh mod
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
3 20 7600 ES+ 7600-ES+20G3CXL
[Code]....
The circuit has been tested as clean , so for the moment we have to assume that it is not a circuit issue We also have another idential 7600 in another POP with similar config that does not display the same problem
The top device of my network is cisco router 7609. There are two part subnet of my network, each part use same device type, same running-configs and same network topple: sw6506(to campus)--->sw3560(to buildings)<--->linksys sr324(to offices). IP addresses for manager vlan is 192.168.1.0/24.Suppose we name two part subnet as A and B. the problem is from 7609 I can telnet to every device of part A quickly, but when telnet to each sw3560 of part B,it responses very slowly. And only sw3560 of part B are response slowly, other devices of part B are ok.If I telnet to linksys sr324 first, then from linksys sr324 telnet to the current sw3560, it's ok.I try to capture packets of manage vlan, but there seems no strange things in it.No users of part B report problems, it seems the network is running well. Compare two sw6506s, the only diffirent thing is, there are "overrun" count at each interface in use of part B's sw6506. Each interface traffic is far less than it's capability, but it's "overun" count still increasing at working hours everyday.
View 1 Replies View RelatedI have FWSM v4.0 installed on Cisco 7609 router and when I want to configure FWSM services on it, VLAN traffic is not passing through the FWSM or not Reaching upto fwsm
View 1 Replies View RelatedIm looking for MIB for monitoring 6500 line card from availability prespective;
View 1 Replies View RelatedI see differrent voltage in line card ws-6704. Iam afraid of something went wrong with my 6500 switch. two 6500 switch is redundant.
View 3 Replies View Related[code]...
Primary clock is CSC 1 Board State is Waiting to retry download after persistent failures (RTRY WAIT) Insertion time: 00:00:16 (13:54:07 ago)
Im wondering if the Adaptive Security Services Module has some of the same function as a ASA 5500.Can we configure a IPSec VPN tunnel, SSL VPN tunnel or IPS on a C6500 with ASA-SM or do we need a specific line card for those tasks?
View 1 Replies View RelatedI am pursuing a case of Cisco 7600 where the customer has asked me to highlight the major difference between teh new ES20 line cards and the SIP 400 cards
View 0 Replies View RelatedWe bought a Cisco line card WS-X4648-RJ45-E for Cisco 4507 R-E. Later on I found that this module is not working with the chassis becuase supervisor engine 4 we are using. Supervisor Engine 6 is required for WS-X4648-RJ45-E. Now I want to go for WS-X4548-RJ45. Is it possible to return the line card? Is there any possible way to exchange?
View 6 Replies View RelatedI urgently want to replace a faulty line card WS-X6748-SFP with a new one. The switch concern is a 5609-V-E operating in Virtual Switching System mode.How long do you suggest the down time will be?
View 1 Replies View RelatedCisco Catalyst 6509 Chassis.We have moved a line card from slot 8 to slot 6, but config remains for the line card in slot 8 and nothing is seen in slot 6.
We are running on IOS Verison 12.2 (33SXH2A) i.e. VSS.Blade model number is WS-X6748.
when replacing a line card on a 6500, i gather there is no config stored on the card, its all held on the sup, so when i put in another card the config will be the same?
View 2 Replies View RelatedI have 4506 chassis whose sup engine is WS-X45-SUP6L-E and recently brought line card WS-X4648-RJ45E. When i inserted very same line card on chassis is not support.
View 3 Replies View Relateddirect me to a document detailing the order that line cards are supposed to boot in a 6500? I'm noticing random boot sequences in some of my chassis,?Note: We currently run Sup720 3CXL for the most part.
View 6 Replies View RelatedThe WS-X68xx series line card has a fabric of 40Gbps and a 16 Port 10GE has a 4:1 oversubscription rate. The WS-X6908-10G has a fabric speed of 80Gbps and has a 1:1 oversubscription rate.
If I mixed the 68xx and 69xx series line card, do I get 80Gbps for the 6900x and 40gbps for the 68xx line card? Or would the 69xx series line card be downgraded to 40Gbps?
From my understanding, the 68xx series has a DFC card and thus the fabric speed operates independently.
We currently have a WS-C6506 chassis with a line-card WS-X6408A-GBIC. Currently we need to replace the chassis by a Ws-6504-E and also the line-card. My question is: What must buy line-card and meets the same specifications of WS-X6408A-GBIC?.
View 4 Replies View RelatedWe are planning to replace a few line cards in the existing 6509-E chassis. The sup installed is a VS-S720-10G-3C but the line cards are legacy. As a result we are not able to enable the VSS functionality. We are looking to replace the existing line cards with the following:
1. 1 x WS-X6716-10G-3C
2. 1 x WS-X6724-SFP
3. 4 x WS-X6724-GE-TX
What are the requirements in terms of IOS and Roman.
The current IOS is: Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI2a, RELEASE SOFTWARE (fc2)
And the ROM Version is: ROM: System Bootstrap, Version 12.2(17r)SX7, RELEASE SOFTWARE (fc1)
Do I need an upgrade?
Is it possible to use a 10GE interface on a sup720 and an interface from a 671610GE line card and create a port channel. I haven't found specific documentation on CCO stating you can. I have found the QOS queuing is differnet between the sup and line card.
View 1 Replies View RelatedCisco announced EOL for ws-x6148A-GE-45AF line card and proposed WS-X6148E-GE-45AT. However this card seems not to be supported by the SUP2T-10G supervisor. Which alternative card should I take for this EOL line card, or can I use the proposed line card (use extra daughter card DFC4)?
I'm looking for an alternative line card for the 650x-E chassis with Supervisor 2T iso 6148-GE-45AF
On a number of 6500 chassis it appears that linecard 3 did exist at somepoint, but was removed.Problem is that when issuing the 'show int desc' or 'show ip int brie' the ports for the still appear, and indeed same with 'show run' and 'show conf'.
View 1 Replies View RelatedI need to pull a WS-X4712-SFP+E line card from an online 4507 chassis, can this be done, or does it need to be offline?
View 2 Replies View RelatedI've 4500 Core Switch with 4507R chassis, Sup V-10GE(WS-X4516-10GE) along with 2 WS-X4306-GB line Cards, but now I require a line card for 14 more fiber up links and I cannot go with 3 of 4306 as there are only 2 slots left. I've checked and found that E series line cards does not work with Sup V Engine.
As per the link below, I found that "WS-X4448-GB-SFP" is compatible..
[ URL]
I am writing with regard to a high memory utilization that we have on a pair of line card WS-X6748-GE-TX and WS-X6724-SFP for a VSS 6500. I am enclosing a little part of the "show tech"of this VSS 6500 where is possible to see the high memory utilization of the line cards 1/1, 1/2, 2/1, and 2/2, in despite of having some ports in state connected. In addition of this, the IOS installed on VSS 6500 is s72033-ipservicesk9_wan-vz.122-33.SXI6.bin for checking if there are some bugs affecting the behaviour of the Switch for this case.
System Resources
PFC operating mode: PFC3C
Supervisor redundancy mode: administratively sso, operationally sso
Switching resources: Sw/Mod Part number Series CEF mode
1/1 WS-X6748-GE-TX CEF720 CEF
1/2 WS-X6724-SFP CEF720 CEF
[code]....
ES20+ QoS. As I understand for these cards QoS is MQC; i.e. similar to that of normal WAN cards
1- If i have 7600 with ES+ card only then I dont need to configure global command "mls qos" and the concept of trust boundries "mls qos trust dscp" will not exist , correct ?
2- For below output, why "show mls qos queuing" is giving an O/P similar to that of WS-X6xxx LAN modules.Also why it is WRR when scheduling is not configured.I expected that command will not work with this module as it is similar to WAN modules.
Does Nexus 7K support Multiple VDCs sharing ports on a single line card. One of our cisco parnter engineers stated that cisco doenst recommend using same line card for multiple VDCs.The second VDC (Non-Default VDC) will be used four our Outside, and DMZ Segment, and to phyiscally segregate our Firewall from our Internal/Inside Core Switch without using a physical DMZ Switch.I know Cisco used the Nexus in this way in their PCI DSS 2.0 Compliance Document. Module is N7K-M148GT-11L
Mod Ports Module-Type Model Status
--- ----- -------------------------------- ------------------ ------------
1 48 10/100/1000 Mbps Ethernet XL Mod N7K-M148GT-11L
Mod Ports Module-Type Model Status
--- ----- -------------------------------- ------------------ ------------
1 48 10/100/1000 Mbps Ethernet XL Mod N7K-M148GT-11L
We have configured ASA 5510. We have configure Ethernet 0/0 ( Outside ) connected with ADSL line and Ethernet 0/1 ( Inside ) Local LAN. we have configured NAT and all the traffic is passing through outside interface. Now we have connected ethernet 0/3 ( leasedline ) interface with static public IP. Now we want to allow SMTP traffic to pass through from this interface.
How to configure it if we want our local lan SMTP traffic sending through new leased line ( Static Public IP ).
Cisco 2500 series access servers show line usage with the "show line" command:
View 2 Replies View Related