I configuring QoS policing in a Cisco 2911 in a 128K/256/512 link, but when I apply the configuration in interface I receive the error below:
Configured Percent results in out of range kbps.Allowed range is 8-2000000. The present CIR value is 6.
Current configuration : 191 bytes
!
interface GigabitEthernet0/1
description ***V-SAT***
bandwidth 128
[Code].....
I am trying to configure Crypto PKI in ciscio 2911, Once i configured the root certificate for the router , i can see the validity date wrongly but the same certificate is fine in the other devices . [code]e when i am trying to configure the local certificate.
View 1 Replies View RelatedI had purchased a HWIC-8A in an effort to provide terminal server capabilities into multiple routers. I had found a document that I thought would take me through the configuration but it doesn't appear that the command syntax is the same on the 2911's as it is in the document. Does any know how I would need to get this configured on the 2911 router?
Here is the document I was referencing
[URL]
I have configured Priority Queueing in my Cisco 2911 Router. I have set queue list high, medium, normal and Low. But when I put show interface gi0/2, it is showing the queueing strategy is priority queueing but it is not showing the (size/max/drops) values.
View 1 Replies View RelatedI am trying to configure a shdsl port on a 2911 router for CO mode of operation.The dsl-group auto command does not seem to change the port to operate in CO mode and the link will not come up to a remote router that has a card installed operating in CPE mode.The configuration I have applied for the shdsl controller is.
controller SHDSL 0/1/0
dsl-group auto
!
!
Do I need to use a HWIC-4SHDSL card for the CO mode operation?
I have a 2911 router where I was configuring the device to allow remote desktops connections. Everything is working properly, but for some reason my ACL has disappeared.
View 5 Replies View RelatedPurchased a 2911 router for a customer, and I'm sure I'm missing a module here.
Teleco installed T1 and left connection to smart jack. Router only has 2-3 copper ports.
Can I get away with configuring the blackbox with RJ45 to the copper port on the router ethernet or do I need to purchase a HWIC ?
I have a Cisco 2911 router and a Cisco RV 120W router and i would like to establish a VPN tunnel between theese two. I have defined the settings on the Cisco RV 120W router and i just want the Cisco 2911 to follow those. setting up a connection with Cisco IOS.
View 1 Replies View RelatedWe have built some policers to apply to vlan SVIs on our 7613 so that we can rate limit input and output traffic. We followed the Cisco formula and got this.
policy-map vlan-shape-3meg
class class-default
police cir 3000000 bc 562500 be 1125000 conform-action transmit exceed-action drop violate-action drop
There have been some complaints about this not actually meeting the limit. When I do a show policy-map interface xxx I get this. Based on that it looks like the Be value is being change to match the Bc value.
On a separate note, I noticed that every policer we built with the cisco formula actually ends up with a Tc greater than the max Tc of .125 seconds. It seems odd that a recommended formula would end up creating values outside the maximum allowed limits by the software.
I'm not a QoS expert so if any of this seems like basic stuff it's just because I'm a little slow on QoS.
Vlan2
Service-policy input: temp-remove
class-map: class-default (match-any)
Match: any
police :
[code]....
One other thing...in order to apply policers input and output on an SVI does mls qos vlan-based have to be configured on the trunks tagged with the corresponding Vlan?
We are looking to implement a bandwidth policy for our Internet link. What i would like to know is if we use a policing policy, will the exceeded dropped packets be resubmitted from the source? Will the dropped packets be resubmitted? Are there any differences besides this when using either policing or shaping policies? Is one better than the other?
CISCO ASA 5510 IOS 8.2
I know most QoS capabilities aren't available in multiple context mode, but I need to do some really simple policing on one of my contexts. I just want to apply a hard 20Mbps cap on an interface. I've seen a few places that suggest that basic policing is possible in multiple context mode, but apparently not by the normal commands.
View 5 Replies View RelatedI'm working on QoS policing configuration on an ASA 5505.The ASA is situated behind a cable modem which provides an SLA of 3.2Mbps out.I've configured a QOS policy to place VoIP and other essential traffic (RDP/Citrix/PCoIP) into a priority queue, whilst policing default class to 3.2Mbps to police out to the cable modem.I can see on the outside interface graphs that this is rating the output traffic down to 3.2Mbps as expected, but noticing at certain points of high output traffic drops down to 1.6Mbps. I can't see anything obvious in syslog or any other areas to look, so looking for any pointers as to why the speed is suddenly dropping down. Likewise if I rate the output to 2Mbps, it will suddenly drop down to 1Mbps at high output rates.the ASA is running on 8.0(5) and I enclose a copy of the sample QoS config below and attached a sanitized run config, as well as screenshot taken of the outside interface Bit Rates plus service-policy.
access-list VoIP-Traffic-OUT extended permit tcp 172.16.6.0 255.255.255.0 host 68.98.217.252 eq h323
access-list VoIP-Traffic-OUT extended permit udp 172.16.6.0 255.255.255.0 host 68.98.217.252 object-group rtp
access-list VoIP-Traffic-OUT extended permit tcp 172.16.6.0 255.255.255.0 host 68.98.217.252 eq 2000
access-list VMs-Traffic-Out extended permit tcp 172.16.6.0 255.255.255.0 192.168.168.0 255.255.255.0 eq 3389
access-list VMs-Traffic-Out extended permit tcp 172.16.6.0 255.255.255.0 192.168.168.0 255.255.255.0 eq citrix-ica
access-list VMs-Traffic-Out extended permit tcp 172.16.6.0 255.255.255.0 192.168.168.0 255.255.255.0 eq 4172
[code]....
I want to take 100Mb incoming from a service provider and police it off into several VRFs for customers.One of these VRFs will be 30M.I further need to traffic shape this (30Mb) out to 40 x 0.75Mbps (burstable to 30M) customers.
I am using an ASR1001.
I'm working in my lab trying to do proof of concept for traffic policing on the ASA 5510 running 8.0(4). I have two laptops running Ubuntu one on the outside and one on the inside. Both laptops have 100Mbps interfaces. My tests consists of downloading a file from one laptop using HTTP. Without any QoS I can see speeds close to 100Mbps which I would expect. On a side note, try using XP and you won't come close to those speeds. Anyhow, I implement policing using the config below and expect to see the max rate on the laptops during the transfer max out close to the CIR. However, I see speeds much higher on the laptops.
When I set the CIR to 10000 bps with bc at 1500 bytes I get speeds that range from 300Kbps to 700Kbps. I would expect to see speeds max out at the CIR which would be 10Kbps.I'm having a hard time understanding why my numbers don't match.
Any way of policing traffic on the Nexus 3k platform? I can't find a reference to say policing/shaping is supported.
View 5 Replies View RelatedI have two servers on one subnet that each need to replicate to a single server on another subnet. They also need to replicate to each other. This replication is unidirectional so I will refer to the 2 server subnet as the source subnet and the single server subnet as the destination subnet. In order to keep this replication running without killing the MPLS links on either end, we are trying to use a policy-map that limits bandwidth from the source subnet.The Problem:We have created a policy that polices traffic during specific times of day and limits the bandwidth as prescribed, however, bandwidth is also being limited between the 2 servers on the source subnet which is not needed or desired.Class 512K set dscp ef police 1024000 bps 1024000 byte conform-action transmit exceed-action dropClass Map match-any 512K (id 4) Match access-group name DAGExtended IP access list DAG 10 permit ip host 10.20.0.3 host 10.20.0.10 time-range DAG-REP (active) (22793 matches) 20 permit ip host 10.20.0.4 host 10.20.0.10 time-range DAG-REP (active) (14156 matches)The service policy is applied on the input side of the 2 interfaces on which our devices are connected.As you can see, the access list identifies the interesting traffic as traffic from two specific hosts to one specific host. The problem we are having is that bandwidth is also being throttled between the two source hosts even though it is not defined to do so.What can I do to limit traffic from the two source devices to the single destination device without limiting bandwidth between the two source devices?
View 1 Replies View RelatedI would like to apply policing on a C3750 interface, for all traffic matching 10.0.0.0 / 8, except for sub net 10.0.0.0 / 24. I plan to apply the following configuration, with an ACL that denies 10.0.0.0 / 24 then accept 10.0.0.0 / 8. I am quite sure of the answer but need a confirmation about the following configuration correct ? (10.0.0.0 / 24 will be not blocked, and no policing will be apply on it?)
ip access-list extended TEST
deny tcp 10.0.0.0 0.0.0.255 any eq 5000
permit tcp any 10.0.0.0 0.255.255.255 any eq 5000
[code]....
I have a customer who requires to identify and police traffic on egress on a 3560 trunk link. I cannot use ingress classifications because we do not know what route the traffic will take yet. The egress interface connects to multipoint wireless equipment with 4 different bandwidth point to point links. So the ingress traffic may be routed via any one of 4 point to point wireless links connected to the single egress interface. Am I correct in assuming we cannot mark on the egress direction then put the traffic in a SRR shaped egress queue based on the marking ? So we would only have the option to egress queue based on markings applied or trusted on the inbound direction ? I had thought of some kind of policy map/aggregate policer configuration based on the exit VLAN but it seems we can only apply this type of config inbound. From reading the 3560 configuration guides it seems the 3560 cannot deploy the kind of requirements this customer needs. Perhaps they should have deployed some kind of Metro switch ?
View 1 Replies View RelatedI am trying to configure traffic policing on a 7609 with ES20 line card - however it doesn't appear to be working. The customer is randomly getting DoS attacked, and the policy doesn't appear to be dropping any exceed/violate traffic.This is an egress policy on a sub-interface.
View 5 Replies View Relateddont seem to be able to get policing working inbound on a port 3750X v 15.0(2)
Config is below:
ip access-list extended SMB
permit tcp host 192.168.1.14 host 172.16.1.30
permit tcp host 192.168.1.14 host 172.16.1.31
[Code]....
Trying to control capacity utilization for guest users connecting to a 2960 switch. No problem for IPv4 users, but IPv6 is giving me fits. What I've found out by trial and error so far implies that there is just enough IPv6 smarts in a WS-C2960-24TT-L running c2960-lanbasek9-mz.150-1.SE to make it impossible to control IPv6 traffic. Blocking IPv6 would be sufficient short term, but MAC filtering on type 0x86DD does not appear to work either. Here are the results I've gotten so far:
What "works":
* Protocol ipv6 or an IPv6 ACL in a class map.
* Using a class map referencing ipv6 protocol or an ipv6 ACL in a policy map.
* IPv4 inbound filters and policing.
* Blocking of IPv4 traffic by a MAC ACL blocking type 0x0800 (IPv4) - note that the docs explicitly state that MAC filters do NOT filter IP traffic, except for on this box on this release they do.
What does not work:
* Applying a policy map referencing a class map referencing protocol ipv6 or an IPv6 ACL to an interface. The service policy is accepted by the parser, but is not inserted into the running configuration.
* "class-default" in a policy map only matches IPv4 traffic, not all other traffic.
* Blocking of IPv6 traffic by a MAC ACL blocking type 0X86DD. No problem applying the access-group to the interface, it just doesn't do anything.
I am aware that this box is not supposed to support IPv6 other than for multicast, but as implemented, this is a hole an abuser could drive a MAC truck through.
My questions:
Is this situation unique to this particular 2960 switch or SW release (I also tried 12.2(58)SE2) or does it afflict all 2960's running LANbase?
Assuming the answers to the first two question are negative, what is the minimum requirement to get working IPv6 policing in an edge switch?
I have lots of PPPoE users that get Virtual Access interfaces created upon login based on a virtual template. I need to traffic shape them. I know how to get it to work on an individual basis, because the policing within a service policy works fine. As soon as i change it to shaping it leaves things wide open.I really dont care how it gets done, I just need to be able to specify a speed to be traffic shaped and apply that to a virtual template. I need to limit speeds on the download and upload, i understand that the upload i will use the policing, but the download i need it to smooth out the flow and be traffic shaped, not policed.
Here is my Policies and classes:
***
policy-map CHILD class class-default bandwidth 1650policy-map PARENT class class-default shape average 1650000 service-policy CHILD****
Here is my Virtual Template:
****
interface Virtual-Template8 description pppoe-auth-FTTH ip unnumbered FastEthernet0/0 ip access-group subs-in-FTTH in ip mtu 1493 timeout absolute 6120 0 peer default ip address pool FTTH-POOL ppp authentication pap pppoe-auth ppp authorization pppoe-auth ppp timeout idle 84600 service-policy output PARENT
[code]....
The results i am getting is unrestrcited throughput, i am seeing about 40mb of throughput when the target is to limit to 1.65MB. As you can see from the output the PARENT class is seeing 279116 packets, but the shaper only saw 59. In all the examples i see on the internet these two numbers should be the same. Why is the shaper not acting on all the traffic crossing that class/policy?
Hardware/IOS:
Cisco IOS Software, 7200 Software (C7200-IK9SU2-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
I'm trying to configure policing and/or shaping on a setup of 2 x ASA 5505 Sec Plus. The units are placed in office A and office B and each have a ISP connection to the internet and a leased line with a capacity of 4/4 Mbit/s for interoffice communication.
On each ASA there's four subnets. VLAN 200 is used to connect the offices through the leased line.
Subnets:
Outside = 2
Data = 10
Voice = 100
Linknet = 200
I've read a lot of articles and posts about shaping and policing on the ASA but still can't get it to work like I wan't to. I'm trying to limit all traffic besides IP-telephony traffic to 3 Mbit/s and thus reserving 900 Kbit/s for voice traffic. I tried setting a service-policy on the linknet interface on each ASA and set Traffic match to Any traffic and QoS settings for both input and output.
I can see traffic passing the policy when I run the "show service-policy police" command but it never seems to be high enough to be policed which is strange since the ASDM monitoring shows that I'm pushing 3900 kbit/s. I file transfers verifies that policing does'nt work.
I am configuring a 3560 to provide internet access for our customers and I need to make sure they don't use more bandwidth than they have contracted for.I see that the 3560 supports the rate-limit command, but was told that I should use traffic shaping and policing along with access lists to manage the bandwidth.Is there a reason that I should avoid using the rate-limit command - it looks much simpler.
View 10 Replies View RelatedI am having one router CISCO2911/K9 (Cisco 2911 w/3 GE,4 EHWIC,2 DSP,1 SM,256MB CF,512MB DRAM,IPB). But now my management asking me to upgrade this router as CISCO2911-SEC/K9.
What will be the BOM for this up gradation.
We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
View 1 Replies View RelatedI am looking at this doc to use an ASA + 2911 to do Policy Based Routing with multiple ISPs.From the linked doc, under the PBR scenario, what should the IP addresses be for the routers connection to the ISPs? It isnt labeled.
View 4 Replies View RelatedWhat specific commands are needed to configure qos on a router?
Two sites:
Cisco 2911 (site 1 ) Cisco 2911 (Site 2)
Data Vlan
Management Vlan
I want to configure QOS on Site 1 where the Data Vlan traffic is always marked higher than the management Vlan coming from Site 1.
I have one router 2911 with the following image c2900-universalk9-mz.SPA.151-4.M4.bin I have two IPS on this routers and I tried to configure the IP SLA on this and I`m not able to do it and I don´t know why. I can configure almost everything but not the IP SLA command.this is the config:
track 10 ip sla 1 reachability
delay down 10 up 1
!
track 20 ip sla 2 reachability
delay down 10 up 1
!
[code]....
What I need to do in this case? or why cannot configure the IP SLA?
I have a cisco 2911 router that is located in my head office LAN and I use this router to connect to my branch networks. I want to configure IP SLA Monitor on this router to track my WAN Links but it does not support the command IP SLA Monitor. My IOS VERSION is c2900-universalk9-mz.SPA.151-2.T1.bin. how I can configure IP SLA on my router.
View 4 Replies View RelatedI have a router Cisco 2911 with two possible Wan interfaces out and a backup configuration using IP SLA. When the Primary Interface goes down the traffic is automatically rerouted through the Backup Interface, but the problem I have is that when the traffic is going through the Backup Interface (because the Primary is down) if the Backup Interface also goes down, if the Primary goes up, the traffic is not automatically rerouted to the Primary Interface. And it looks to me like it keeps trying to goes out the Backup Interface and cannot see that the Primary is down. I guess that the pings are going out the backup Interface and as it is down the router doen't receive any anwer to the ping and doesn't change to the Primary.
The main configuration related to the IP SLA is this:
!
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0
description backup Interface
ip address 175.xx.xx.10 255.255.255.252
ip nat outside
[Code]....
We have 2911 with HWIC-4ESW. System image file is "flash0:c2900-universalk9-mz.SPA.152-1.T1.bin"_2911#sh inv NAME: "CISCO2911/K9 chassis", DESCR: "CISCO2911/K9 chassis" PID: CISCO2911/K9 , VID: V05 , SN: FGL16011005
[Code]....
The problem was that HWIC-4ESW no longer pass traffic although showing that the interfaces are up rebooting the router solved the problem. What IOS is more stable and not subject to this problem?
Recently i attempted to build a LAN 2 LAN VPN tunnel from an Asa to a 2911 running zone based firewall. This was a standard IPSec psk tunnel nothing fancy. I got the tunnel to establish but i could only get traffic to encap on the Asa side and decap on the 2911 side. I couldn't get return traffic.I followed this doc here for classic IPSec in the last example. URL
And I am sure the Asa is right I built a ton of those but I am new to zfw. I did not see anything about a NAT exempt rule. But since everything uses real IPs instead of NAT I wasnt sure and I could not find any info. Do I need to do NAT exempt? If so do you use a route map on the end of you NAT overload config line like in the past?
Also I have a zone-pair to "self" and I was not sure if I needed anything there to be able to ping the inside interface of the 2911 when the tunnel is up from the remote end.
