
policy-map drop

cesarvelandia51
Level 1

Hello, I have the configuration below on an old Router IOS 12.x and I want to migrate it to an IOS 17.x, but the drop action at the end is not accepted as a command on this IOS. I have seen that I can use the

police cir 8000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop

command, but I am not sure if there is another way to do it, or if this way will work as expected and if the values I am using here are the right ones.

class-map match-all DROP
  match any
class-map match-all ISAKMP
  match protocol isakmp
class-map match-all IPSEC
  match protocol ipsec
...
!
policy-map NBAR2
  class ISAKMP
  class IPSEC
  class protocolos
  class DROP
    drop
!

 


Accepted Solutions

Police 8000 then select violation or exceed.

MHM


balaji.bandi
Hall of Fame

Can you post the error you are getting while applying the config on the device? What device is this?

Check the guide below:

https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/qos/b-quality-of-service/m_qos-class-lac.html

BB


drop does not exist...

R1(config-pmap-c)#class DROP
R1(config-pmap-c)#drop
^
% Invalid input detected at '^' marker.

 

 

Joseph W. Doherty
Hall of Fame

Don't have a real platform with that IOS to try your config snippet on, but on CML running an IOSv

Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.9(3)M6, RELEASE SOFTWARE (fc1)

got:

inserthostname-here#conf t
Enter configuration commands, one per line. End with CNTL/Z.
inserthostname-here(config)#class-map match-all DROP
inserthostname-here(config-cmap)# match any
inserthostname-here(config-cmap)#class-map match-all ISAKMP
inserthostname-here(config-cmap)# match protocol isakmp
^
% Invalid input detected at '^' marker.

inserthostname-here(config-cmap)#class-map match-all IPSEC
inserthostname-here(config-cmap)# match protocol ipsec
inserthostname-here(config-cmap)#policy-map NBAR2
inserthostname-here(config-pmap)# class ISAKMP
inserthostname-here(config-pmap-c)# class IPSEC
inserthostname-here(config-pmap-c)# class protocolos
class map protocolos not configured
inserthostname-here(config-pmap)# class DROP
inserthostname-here(config-pmap-c)# drop
inserthostname-here(config-pmap-c)#end

inserthostname-here#sh run | beg -map
class-map match-all DROP
match any
class-map match-all ISAKMP
class-map match-all IPSEC
match protocol ipsec
!
policy-map NBAR2
class ISAKMP
class IPSEC
class DROP
drop

BTW, as it appears you wish to drop all unrecognized traffic, you might try replacing class DROP with (built-in) class-default.

i.e.:

class-map match-all DROP
  match any
class-map match-all ISAKMP
  match protocol isakmp
class-map match-all IPSEC
  match protocol ipsec
...
!
policy-map NBAR2
  class ISAKMP
  class IPSEC
  class protocolos
  class class-default
    drop

 

drop does not exist...

R1(config-pmap-c)#class class-default
R1(config-pmap-c)#drop
^
% Invalid input detected at '^' marker.

 

Well, that's not totally unexpected.  Class-default being different was a long shot (although it has been different in the past).

As @balaji.bandi asked, what's the specific device?  Specific IOS might be useful to know too.

What does "?" mark show for command options under policy map class?

Could you list "?" options for that 

It is a CAT 8300 version 17.9.3a but it has the same behavior as the C7200 version 15.2(4)S4:

R1(config-pmap-c)#class class-default
R1(config-pmap-c)#?
Policy-map class configuration commands:
bandwidth Bandwidth
exit Exit from QoS class action configuration mode
fair-queue Enable Flow-based Fair Queuing in this Class
netflow-sampler NetFlow action
no Negate or set default values of a command
police Police
priority Strict Scheduling Priority for this Class
queue-limit Queue Max Threshold for Tail Drop
random-detect Enable Random Early Detection as drop policy
service-policy Configure QoS Service Policy
set Set QoS values
shape Traffic Shaping
R1(config-pmap-c)#

 

Specific IOS variant and/or feature licenses being used?  (In the past, I've been surprised by lack of some features in IOS images like Voice or Service Provider.)

Hi friend,

Add one class under the policy, then check; don't use multi.
Try this and update me.
MHM  

I do not know if this is what you want. I deleted the policy and then I started to create it again:

R1(config-pmap-c)#policy-map NBAR2


R1(config-pmap)#class DROP
R1(config-pmap-c)#?
Policy-map class configuration commands:
bandwidth Bandwidth
exit Exit from QoS class action configuration mode
fair-queue Enable Flow-based Fair Queuing in this Class
netflow-sampler NetFlow action
no Negate or set default values of a command
police Police
priority Strict Scheduling Priority for this Class
queue-limit Queue Max Threshold for Tail Drop
random-detect Enable Random Early Detection as drop policy
service-policy Configure QoS Service Policy
set Set QoS values
shape Traffic Shaping

R1(config-pmap-c)#

 

Then select police.

Then add low or none rate and violation drop.

MHM

I do not have the low or none rate option

R1(config-pmap-c)#police ?
<8000-2000000000> Target Bit Rate (bIts per second) (postfix k, m, g
optional; decimal point allo
cir Committed information rate
rate Specify police rate, PCR for hierarchical policies or SCR
for single-level ATM 4.0 policer policies

R1(config-pmap-c)#police ra
R1(config-pmap-c)#police rate ?
<1-2000000000> Rate value (postfix k, m, g optional; decimal point allowed)
percent % of interface bandwidth for rate

Police 8000 then select violation or exceed.

MHM

Ok, great. Just a question, is there any reason to use 8000 or is it just because that is the lowest rate?
I will test it tomorrow on my customer's router and as soon as I check it I will let you know the result.

Your Q @Joseph W. Doherty can answer you.

He is king of QoS.

The difference between cir and rate and more the king of QoS can help you.

Thanks 

MHM
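
Added example, not part of the thread and not Cisco code: a Python check for the migration discussed above, flagging a policy-map whose final catch-all class no longer discards its traffic (for instance because the `drop` line was rejected on paste) and rewriting bare `drop` to the policer line quoted in the question. The function names, the sample config and the rule that a policer counts as a drop only when its conform and exceed actions are both drop (with no conform-action drop, conforming traffic is still forwarded) are assumptions of this sketch.

```python
import re

# Replacement line quoted from the thread; its rate and burst values are the poster's.
POLICE_DROP_ALL = ("police cir 8000 bc 1500 be 1500 "
                   "conform-action drop exceed-action drop violate-action drop")

def parse_policy_maps(config):
    """Map policy name -> [(class name, [action lines])]. Assumes indented show-run text."""
    policies, classes, actions = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            classes, actions = policies.setdefault(line.split()[-1], []), None
        elif classes is not None and line.startswith("class "):
            actions = []
            classes.append((line.split()[-1], actions))
        elif not line or line == "!" or not raw[0].isspace():
            classes, actions = None, None  # left the policy-map block
        elif actions is not None:
            actions.append(line)
    return policies

def drops_everything(actions):
    """True for a bare `drop`, or a policer whose conform and exceed actions
    (and violate, if given) are all drop. Anything else forwards some traffic."""
    if "drop" in actions:
        return True
    verdicts = dict(re.findall(r"(conform|exceed|violate)-action\s+(\S+)",
                               " ".join(actions)))
    return verdicts.keys() >= {"conform", "exceed"} and set(verdicts.values()) == {"drop"}

def audit(config, catch_all=("DROP", "class-default")):
    """List (policy, class) pairs where the final catch-all class is fail-open."""
    return [(name, classes[-1][0])
            for name, classes in parse_policy_maps(config).items()
            if classes and classes[-1][0] in catch_all
            and not drops_everything(classes[-1][1])]

def migrate(config):
    """Rewrite indented bare `drop` action lines to the policer form."""
    return re.sub(r"(?m)^([ \t]+)drop[ \t]*$", r"\1" + POLICE_DROP_ALL, config)

# Constructed sample based on the policy in the question.
OLD = "policy-map NBAR2\n  class ISAKMP\n  class IPSEC\n  class DROP\n    drop\n!\n"
# Same policy after pasting into an image that rejects `drop`: the class has no action.
REJECTED = OLD.replace("    drop\n", "")

if __name__ == "__main__":
    print("rejected paste:", audit(REJECTED))
    print("after migrate :", audit(migrate(OLD)))
```

Run it against the saved running-config after the change; an empty list means the catch-all class still discards everything it matches.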
