11-27-2023 07:53 AM - last edited on 11-29-2023 09:57 AM by Translator
Hello, I have the configuration below on an old Router IOS 12.x and I want to migrate it to an IOS 17.x, but the drop action at the end is not accepted as a command on this IOS. I have seen that I can use the
police cir 8000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
command, but I am not sure if there is another way to do it or if this way will be working as expected and if the values I am using here are the right ones.
class-map match-all DROP
 match any
class-map match-all ISAKMP
 match protocol isakmp
class-map match-all IPSEC
 match protocol ipsec
...
!
policy-map NBAR2
 class ISAKMP
 class IPSEC
 class protocolos
 class DROP
  drop
!
11-27-2023 12:21 PM
Read the above document which was suggested (anyone read it?)
11-27-2023 03:06 PM - last edited on 11-29-2023 10:16 AM by Translator
"(anyone read it?)"
I did, and their example shows drop being used for a policy map class action.
Issue, though, command not present.
I asked about licensing of features because in the (distant) past I have seen some QoS features missing in some IOS feature sets.
BTW, I did use Cisco feature navigator, and did see feature differences per license for that platform and IOS train, but didn't notice one specific to a policy map class drop command.
11-27-2023 03:54 PM
It's the lowest rate, so it won't fully accomplish your goals.
I assume you don't have a Cisco support contract? They would be the best source to quickly explain why this command isn't present when documentation like @balaji.bandi's reference shows it being used.
11-28-2023 06:49 AM - edited 11-28-2023 06:50 AM
Hello, I tested this solution on my customer's Router and it worked well. They tested some kind of things that they needed to drop and everything was ok. Thank you very much for your help!!!
11-28-2023 07:25 AM
The "solution" does allow 8k not to be dropped?
11-28-2023 08:26 AM
Glad that was working - as asked, is that working on Cat8K?
11-28-2023 08:38 AM
Yes, it is working on the CAT8K, if you want I can share the show version and show license as well.
My customer made a test with SSH and that connection was dropped as expected and the ISAKMP, IPSEC and other services were not affected.
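Added example, not part of any post in this thread: a Python model of the police line from the first post as a single-rate, three-colour policer in the style of RFC 2697 (an assumed metering model, not the platform's exact implementation). It shows that the colour a packet receives depends on rate and burst, while the action configured in the thread is drop for every colour; the packet trace and the RATE_LIMIT contrast profile are constructed.

```python
# CIR/Bc/Be and the three actions come from the police line in the thread.
CIR_BPS, BC_BYTES, BE_BYTES = 8000, 1500, 1500
THREAD_ACTIONS = {"conform": "drop", "exceed": "drop", "violate": "drop"}
# Constructed contrast (not from the thread): an ordinary rate limiter.
RATE_LIMIT = {"conform": "transmit", "exceed": "drop", "violate": "drop"}


def police(packets, actions, cir_bps=CIR_BPS, bc=BC_BYTES, be=BE_BYTES):
    """packets: (arrival_time_s, size_bytes) tuples sorted by time.
    Returns one (colour, action) pair per packet."""
    tc, te = float(bc), float(be)   # both buckets start full
    last = 0.0
    results = []
    for t, size in packets:
        # Refill at CIR (bits/s -> bytes); whatever overflows the
        # committed bucket spills into the excess bucket.
        tokens = (t - last) * cir_bps / 8
        last = t
        spill = max(0.0, tc + tokens - bc)
        tc = min(bc, tc + tokens)
        te = min(be, te + spill)
        if size <= tc:
            colour, tc = "conform", tc - size
        elif size <= te:
            colour, te = "exceed", te - size
        else:
            colour = "violate"
        results.append((colour, actions[colour]))
    return results


def forwarded(results):
    """Number of packets whose action lets them through."""
    return sum(1 for _, action in results if action == "transmit")


# Constructed trace: a burst of four 1000-byte packets, then one after 2 s.
TRACE = [(0.0, 1000), (0.001, 1000), (0.002, 1000), (0.003, 1000), (2.0, 1000)]

if __name__ == "__main__":
    for name, acts in (("thread", THREAD_ACTIONS), ("rate-limit", RATE_LIMIT)):
        res = police(TRACE, acts)
        print(name, [f"{c}->{a}" for c, a in res], "forwarded:", forwarded(res))
```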