11-27-2023 07:53 AM - last edited on 11-29-2023 09:57 AM by Translator
Hello, I have the configuration below on an old Router IOS 12.x and I want to migrate it to an IOS 17.x, but the drop action at the end is not accepted as a command on this IOS. I have seen that I can use the
police cir 8000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
command, but I am not sure if there is another way to do it or if this way will work as expected and if the values I am using here are the right ones.
class-map match-all DROP
match any
class-map match-all ISAKMP
match protocol isakmp
class-map match-all IPSEC
match protocol ipsec
...
!
policy-map NBAR2
class ISAKMP
class IPSEC
class protocolos
class DROP
drop
!
11-27-2023 08:39 AM
Can you post the error you are getting while applying the config on the device? What device is this?
Check the guide below:
11-27-2023 08:45 AM - last edited on 11-29-2023 09:59 AM by Translator
drop does not exist...
R1(config-pmap-c)#class DROP
R1(config-pmap-c)#drop
^
% Invalid input detected at '^' marker.
11-27-2023 08:39 AM - last edited on 11-29-2023 10:01 AM by Translator
Don't have a real platform with that IOS to try your config snippet on, but on CML running an IOSv
Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.9(3)M6, RELEASE SOFTWARE (fc1)
got:
inserthostname-here#conf t
Enter configuration commands, one per line. End with CNTL/Z.
inserthostname-here(config)#class-map match-all DROP
inserthostname-here(config-cmap)# match any
inserthostname-here(config-cmap)#class-map match-all ISAKMP
inserthostname-here(config-cmap)# match protocol isakmp
^
% Invalid input detected at '^' marker.
inserthostname-here(config-cmap)#class-map match-all IPSEC
inserthostname-here(config-cmap)# match protocol ipsec
inserthostname-here(config-cmap)#policy-map NBAR2
inserthostname-here(config-pmap)# class ISAKMP
inserthostname-here(config-pmap-c)# class IPSEC
inserthostname-here(config-pmap-c)# class protocolos
class map protocolos not configured
inserthostname-here(config-pmap)# class DROP
inserthostname-here(config-pmap-c)# drop
inserthostname-here(config-pmap-c)#end
inserthostname-here#sh run | beg -map
class-map match-all DROP
match any
class-map match-all ISAKMP
class-map match-all IPSEC
match protocol ipsec
!
policy-map NBAR2
class ISAKMP
class IPSEC
class DROP
drop
BTW, as it appears you wish to drop all unrecognized traffic, you might try replacing class DROP with (built-in) class-default.
i.e.:
class-map match-all DROP
match any
class-map match-all ISAKMP
match protocol isakmp
class-map match-all IPSEC
match protocol ipsec
...
!
policy-map NBAR2
class ISAKMP
class IPSEC
class protocolos
class class-default
drop
11-27-2023 08:45 AM - last edited on 11-29-2023 10:05 AM by Translator
drop does not exist...
R1(config-pmap-c)#class class-default
R1(config-pmap-c)#drop
^
% Invalid input detected at '^' marker.
11-27-2023 09:15 AM - last edited on 11-29-2023 10:04 AM by Translator
Well, that's not totally unexpected. Class-default being different was a long shot (although it has been different in the past).
As @balaji.bandi asked, what's the specific device? Specific IOS might be useful to know too.
What does "?" mark show for command options under policy map class?
Could you list "?" options for that
11-27-2023 09:33 AM - last edited on 11-29-2023 10:07 AM by Translator
It is a CAT 8300 version 17.9.3a but it has the same behavior as the C7200 version 15.2(4)S4:
R1(config-pmap-c)#class class-default
R1(config-pmap-c)#?
Policy-map class configuration commands:
bandwidth Bandwidth
exit Exit from QoS class action configuration mode
fair-queue Enable Flow-based Fair Queuing in this Class
netflow-sampler NetFlow action
no Negate or set default values of a command
police Police
priority Strict Scheduling Priority for this Class
queue-limit Queue Max Threshold for Tail Drop
random-detect Enable Random Early Detection as drop policy
service-policy Configure QoS Service Policy
set Set QoS values
shape Traffic Shaping
R1(config-pmap-c)#
11-27-2023 09:55 AM
Specific IOS variant and/or feature licenses being used? (In the past, I've been surprised by lack of some features in IOS images like Voice or Service Provider.)
11-27-2023 10:33 AM
Hi friend,
add one class under the policy, then check; don't use multi.
try this and update me
MHM
11-27-2023 11:34 AM - last edited on 11-29-2023 10:08 AM by Translator
I do not know if this is what you want. I deleted the policy and then I started to create it again:
R1(config-pmap-c)#policy-map NBAR2
R1(config-pmap)#class DROP
R1(config-pmap-c)#?
Policy-map class configuration commands:
bandwidth Bandwidth
exit Exit from QoS class action configuration mode
fair-queue Enable Flow-based Fair Queuing in this Class
netflow-sampler NetFlow action
no Negate or set default values of a command
police Police
priority Strict Scheduling Priority for this Class
queue-limit Queue Max Threshold for Tail Drop
random-detect Enable Random Early Detection as drop policy
service-policy Configure QoS Service Policy
set Set QoS values
shape Traffic Shaping
R1(config-pmap-c)#
11-27-2023 11:38 AM - edited 11-27-2023 11:39 AM
Then select police.
Then add low or none rate and violation drop.
MHM
11-27-2023 11:42 AM - last edited on 11-29-2023 10:14 AM by Translator
I do not have the low or none rate option
R1(config-pmap-c)#police ?
<8000-2000000000> Target Bit Rate (bIts per second) (postfix k, m, g
optional; decimal point allo
cir Committed information rate
rate Specify police rate, PCR for hierarchical policies or SCR
for single-level ATM 4.0 policer policies
R1(config-pmap-c)#police ra
R1(config-pmap-c)#police rate ?
<1-2000000000> Rate value (postfix k, m, g optional; decimal point allowed)
percent % of interface bandwidth for rate
11-27-2023 11:58 AM
Police 8000 then select violation or exceed.
MHM
11-27-2023 12:02 PM
Ok, great. Just a question, is there any reason to use 8000 or it's just because that is the lowest rate?
I will test it tomorrow on my customer's router, and as soon as I check it I will let you know the result.
11-27-2023 12:15 PM
Your Q @Joseph W. Doherty can answer you.
He is king of QoS.
The difference between cir and rate, and more, the king of QoS can help you with.
Thanks
MHM
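Added example, not part of any post in this thread: a Python check for the failure mode the IOSv paste above shows, where rejected lines simply go missing from the resulting policy. The function names, the `drop_classes` default and the sample text are assumptions made for illustration; the sample is constructed from the thread's config.

```python
# Constructed sample: the thread's policy after a paste that lost two lines.
SAMPLE = """\
class-map match-all DROP
 match any
class-map match-all ISAKMP
class-map match-all IPSEC
 match protocol ipsec
policy-map NBAR2
 class ISAKMP
 class IPSEC
 class protocolos
 class DROP
"""

def parse(config):
    """Return ({class-map: [match lines]}, {policy: {class: [action lines]}})."""
    class_maps, policies = {}, {}
    policy = body = None
    for raw in filter(str.strip, config.splitlines()):
        words = raw.split()
        if words[0] == "class-map":
            policy, body = None, class_maps.setdefault(words[-1], [])
        elif words[0] == "policy-map":
            policy, body = policies.setdefault(words[-1], {}), None
        elif not raw[0].isspace():      # "!" or another top-level command
            policy = body = None
        elif words[0] == "class" and policy is not None:
            body = policy.setdefault(words[-1], [])
        elif body is not None:
            body.append(" ".join(words))
    return class_maps, policies

def drops_everything(actions):
    """True for a bare 'drop' or a policer whose three actions are all drop."""
    joined = " ".join(actions)          # actions may be split over several lines
    return "drop" in actions or (any(a.startswith("police ") for a in actions)
        and all(f"{k}-action drop" in joined for k in ("conform", "exceed", "violate")))

def audit(config, drop_classes=("DROP", "class-default")):
    # drop_classes: classes assumed to be meant as drop-all (hypothetical default)
    class_maps, policies = parse(config)
    findings = [f"class-map {n}: no match statement"
                for n, m in class_maps.items() if not m]
    for pname, classes in policies.items():
        for cname, actions in classes.items():
            if cname != "class-default" and cname not in class_maps:
                findings.append(f"policy-map {pname}: class {cname} is not defined")
            if cname in drop_classes and not drops_everything(actions):
                findings.append(f"policy-map {pname}: class {cname} does not drop all traffic")
    return findings
```

Running `audit()` over the migrated running configuration lists every class that lost its match or its drop action; an empty list means the drop-all class still has an action that discards all three policer outcomes.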