Monitoring Policy Management
This section shows how to set a statistics baseline and use the show command to view your policy configuration and monitor policy statistics.
Setting a Statistics Baseline
You can set a baseline for policy statistics by using the baseline interface command and the frame-relay policy, ip policy, ipv6 policy, l2tp policy, mpls policy, and vlan policy commands. If you do not enable baselining, show command output fields for baseline counters display the contents of the regular statistics counters.
When you set baseline statistics, you can retrieve statistics beginning at the time when the baselining is set.
To enable a baseline for the statistics for the attachment of the policy list named routeForXYZCorp with statistics enabled to the ingress of an interface, use the following commands:
host1(config)#interface atm 12/0.1
host1(config-subif)#ip policy input routeForXYZCorp statistics enabled baseline enabled
To show baseline counters, run the show ip interface command with the delta keyword:
host1#show ip interface atm 12/0.1 delta
atm12/0.1 is up, line protocol is up
Network Protocols: IP
Internet address is 200.200.1.1/255.255.255.0
Broadcast address is 255.255.255.255
Operational MTU = 9180 Administrative MTU = 0
Operational speed = 155520000 Administrative speed = 0
Discontinuity Time = 1251181
Router advertisement = disabled
Administrative debounce-time = disabled
Operational debounce-time = disabled
Access routing = disabled
Multipath mode = hashed
In Received Packets 5, Bytes 540
In Policed Packets 0, Bytes 0
In Error Packets 0
In Invalid Source Address Packets 0
In Discarded Packets 0
Out Forwarded Packets 5, Bytes 540
Out Scheduler Drops Packets 0, Bytes 0
Out Policed Packets 5, Bytes 540
Out Discarded Packets 0
IP Policy input routeForXYZCorp
classifier-group *
filter
5 Packets 540 Bytes dropped
Policy Management show Commands
Use the following show commands to display statistics for policy lists:
- show classifier-list
- show frame-relay subinterface
- show gre-tunnel
- show interfaces
- show ip interface
- show ipv6 interface
- show l2tp tunnel
- show mpls interface
- show policy-list
- show rate-limit-profile
- show secure policy-list
- show vlan subinterface
You can use the output filtering feature of the show command to include or exclude lines of output based on a text string you specify. See JUNOSe System Basics Configuration Guide, Chapter 2, Command-Line Interface for details.
frame-relay policy
ip policy
ipv6 policy
mpls policy
l2tp policy
vlan policy
- Use to assign a policy list to an interface and enable or disable the recording of routing statistics for bytes and packets affected by the policy.
- If you enable statistics, you can enable or disable baselining of the statistics. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline when baseline-relative statistics are retrieved. Unlike other baseline statistics, policy baseline statistics are not stored in nonvolatile storage (NVS).
- Baselining must also be enabled on the interface with the appropriate baseline interface command.
- If you issue the baseline interface command for an interface without first enabling policy statistics baselining on that interface, a warning message indicates:
Policy baseline statistics are not enabled
host1(config-if)#ip policy secondary-input my-policy statistics enabled baseline enabled
show classifier-list
- Use to display CLACL configurations.
- Field descriptions—Fields displayed vary depending on the type and configuration of the CLACL:
- Reference count—Number of times the CLACL is referenced by policies
- Entry count—Number of entries in the classifier list
- Classifier-List—Name of the classifier list
- Entry—Entry number of the classifier list rule
- Color—Packet color to match
- Protocol—Protocol type
- Not Protocol—If true, matches any protocol except the preceding protocol; if false, matches the preceding protocol
- Source IP Address—Number of the network or host from which the packet is sent
- Source IP WildCardMask—Mask that indicates addresses to be matched when specific bits are set
- Not Source Ip Address—If true, matches any source IP address and mask except the preceding source IP address and mask; if false, matches the preceding source IP address and mask
- Destination IP Address—Number of the network or host from which the packet is sent
- Destination IP WildCardMask—Mask that indicates addresses to be matched when specific bits are set
- Not Destination Ip Address—If true, matches any destination IP address and mask except the preceding destination IP address and mask; if false, matches the preceding destination IP address and mask
- Traffic Class—Name of the traffic class to match
- User Packet Class—User packet value to match
- DS Field—DS field value to match
- TOS Byte—ToS value to match
- Precedence—Precedence value to match
- User Priority bits—User priority bits value to match
- Traffic Class Field—Traffic class field value to match
- EXP Bits—MPLS EXP bit value to match
- EXP Mask—Mask applied to EXP bits before matching
- DE Bit—Frame Relay DE bit value to match
- Destination Route Class—Route class used to classify packets based on the packet's destination address
- Source Route Class—Route class used to classify packets based on the packet's source address
- Local—If true, matches packets destined to a local interface; if false, matches packets that are traversing the router
host1#show classifier-list
Classifier Control List Table
---------- ------- ---- -----
GRE Tunnel greClass.1
VLAN lowLatencyLowDrop.1
VLAN excellentEffort.1
VLAN bestEffort.1
VLAN lowLatency.1
IP wstFd.1 source-route-class 44 destination-route-class 55 3 any any
IP XYZCorpPermit.1 local true color green ip any any
IP routeForXYZCorp.1 color red tcp any any
IP XYZCorpIcmpEchoRequests.1 ip any any
IP XYZCorpPrecedence.1 tcp any any tos 5
IP XYZCorpPrecedence67.1 udp any any
IPv6 IPv6Precedence.1 color yellow
IPv6 IPv6Precedence67.1
L2TP l2tpclass.1 color green user-packet-class 8
MPLS mplsClass.1 user-packet-class 10 exp-bits 3 exp-mask 7
Frame relay frMatchDeSet.7 user-packet-class 8 de-bit 0
host1#show classifier-list detailed
Classifier Control List Table
---------- ------- ---- -----
IP Classifier Control List XYZCorpPermit
Reference count: 1
Entry count: 1
Classifier-List XYZCorpPermit Entry 1
Color: green
Protocol: ip
Not Protocol: false
Source IP Address: 0.0.0.0
Source IP WildcardMask: 255.255.255.255
Not Source Ip Address: false
Destination IP Address: 0.0.0.0
Destination IP WildcardMask:255.255.255.255
Not Destination Ip Address: false
GRE Tunnel Classifier Control List greClass
Reference count: 0
Entry count: 2
Classifier-List greClass Entry 1
User Packet Class: 8
DS Field: 3
Classifier-List greClass Entry 2
Color: yellow
VLAN Classifier Control List bestEffort
Reference count: 0
Entry count: 1
Classifier-List bestEffort Entry 1
Color: red
User Packet Class: 15
User Priority bits: 7
IPv6 Classifier Control List IPv6Classifier
Reference count: 0
Entry count: 1
Classifier-List IPv6Classifier Entry 1
User Packet Class: 3
Traffic Class Field: 200
L2TP Classifier Control List l2tpclass
Reference count: 0
Entry count: 1
Classifier-List l2tpclass Entry 1
Color: green
User Packet Class: 8
MPLS Classifier Control List mplsClass
Reference count: 0
Entry count: 1
Classifier-List mplsClass Entry 1
User Packet Class: 10
EXP Bits: 3
EXP Mask: 7
Frame relay Classifier Control List frMatchDeSet
Reference count: 2
Entry count: 1
Classifier-List frMatchDeSet Entry 7
Traffic Class: toBoston
User Packet Class: 8
DE Bit: 0
show frame-relay subinterface
- Use to display information about a subinterface's Frame Relay policy lists.
- Field descriptions related to policy lists
- Frame Relay policy—Type and name of the VLAN policy
- mark-de—DE bit value
- color—Color applied to packet flow for queuing: green, yellow, or red
- classifier-group—Name of the classifier control list used by the policy
- filter—Filter policy action
- forward—Forward policy action
- traffic class—Traffic class in the policy list
- user-packet-class—User packet class in the policy list
host1#show frame-relay subinterface
Frame relay sub-interface SERIAL5/0:1/1.1, status is up
Number of sub-interface down transitions is 0
Time since last status change 03:04:59
No baseline has been set
In bytes: 660 Out bytes: 660
In frames: 5 Out frames: 5
In errors: 0 Out errors: 0
In discards: 0 Out discards: 0
In unknown protos: 0
Frame relay policy output frOutputPolicy
classifier-group frGroupA entry 1
5 packets, 640 bytes
mark-de 1
Frame relay sub-interface SERIAL5/1:1/1.1, status is up
Number of sub-interface down transitions is 0
Time since last status change 03:05:09
No baseline has been set
In bytes: 660 Out bytes: 660
In frames: 5 Out frames: 5
In errors: 0 Out errors: 0
In discards: 0 Out discards: 0
In unknown protos: 0
Frame relay policy input frInputPolicy
classifier-group frMatchDeSet entry 1
5 packets, 660 bytes
color red
show gre tunnel
- Use to display information about GRE tunnels.
- Use the state keyword to display tunnels that are in a specific state: disabled, down, enabled, not-present, or up.
- Use the ip keyword to display tunnels associated with an IP address.
- To display information about a specific tunnel, include the name of the tunnel.
- To display information about tunnels on a specific virtual router, include the name of the virtual router.
- Field descriptions related to policies
- GRE tunnel policy input—Policy for outbound traffic
- GRE tunnel policy output—Policy for inbound traffic
- traffic-class—Name of traffic class
- classifier-group—Name of classifier group
- entry—Identifier for the entry in the classifier group
- packets—Number of packets
- bytes—Number of bytes
- mark—ToS byte setting for the classifier control list
- mask—Mask value corresponding to the ToS
host1#show gre tunnel detail tunnelGre50
GRE tunnel tunnelGre50 is Down
Tunnel operational configuration
Tunnel mtu is '10240'
Tunnel source address is '0.0.0.0'
Tunnel destination address is '0.0.0.0'
Tunnel transport virtual router is source
Tunnel checksum option is disabled
Tunnel sequence number option is disabled
Tunnel up/down trap is enabled
Tunnel-server location is 6/0
Tunnel administrative state is Up
Statistics packets octets discards errors
Data rx 0 0 0 0
Data tx 0 0 0 0
GRE tunnel policy input routeGre25
classifier-group gre6 entry 1
0 packets, 0 bytes
traffic-class best-effort
mark 4 mask 255
GRE tunnel policy output routeGre35
classifier-group gre14 entry 1
0 packets, 0 bytes
traffic-class best-effort
mark 4 mask 255
show interfaces
- Use to display information about a subinterface and its VLAN policy lists.
- You can specify the following keywords:
- delta—Specifies that baselined statistics are to be shown
- brief—Displays the operational status of all configured interfaces
- Subinterface number—Location of the subinterface that carries the VLAN traffic
- Administrative status—Operational state that you configured for this interface: up or down
- VLAN ID—Domain number of the VLAN
- In Bytes—Number of bytes received on the VLAN subinterface
- In Packets—Sum of all unicast, broadcast, and multicast packets received on the VLAN or S-VLAN subinterface
- In Errors—Value is always 0 (zero)
- In Discards—Value is always 0 (zero)
- Out Bytes—Number of bytes sent on the VLAN or stacked VLAN (S-VLAN) subinterface
- Out Packets—Number of packets sent on the VLAN or S-VLAN subinterface
- Out Errors—Value is always 0 (zero)
- Out Discards—Value is always 0 (zero)
- VLAN policy—Type and name of the VLAN policy
host1#show interfaces fastEthernet 1/0.1
FastEthernet1/0.1 is Up, Administrative status is Up
VLAN ID: 100
In: Bytes 4156, Packets 30
Errors 0, Discards 0
Out: Bytes 6406, Packets 45
Errors 0, Discards 0
VLAN policy input vlanPol1
classifier-group vlan20 entry 1
5 packets, 730 bytes
filter
show ip interface
- Use to display information about an IP interface (including policy list statistics).
- Field descriptions related to policy management only
- Network Protocols—Protocols configured on the interface
- Internet address—IP address of the interface
- Broadcast address—Broadcast address used by the interface
- Operational MTU—Operational maximum transmission unit (MTU) for packets sent on this interface
- Administrative MTU—Administrative maximum transmission unit for packets sent on this interface
- Operational speed—Speed known to the IP layer in bits per second; equal to the administrative speed if configured, otherwise inherited from the lower layer
- Administrative speed—Configured speed known to the IP layer in bits per second
- Discontinuity Time—Time since the counters on the interface became invalid—for example, when the line module was reset
- Router Advertisement—When enabled by the ip irdp command, the router advertises its presence via the ICMP Router Discovery Protocol (IRDP)
- Administrative debounce-time—Administrative time delay that an interface must remain in a new state before the routing protocols react to the state change
- Operational debounce-time—Time delay that an interface must remain in a new state before the routing protocols react to the state change
- Access routing—When enabled, an access route is installed to the host on the other end of the interface
- In Received Packets—Packets received on the interface; indicates whether packets are unicast or multicast
- In Received Bytes—Bytes received on the interface; indicates whether bytes are unicast or multicast
- In Policed Packets—Packets policed on the interface; discarded because they exceeded a traffic contract to their destination
- In Policed Bytes—Bytes policed on the interface; discarded because they exceeded a traffic contract to their destination
- In Error Packets—Packets determined to be in error at the interface
- In Invalid Source Address Packets—Packets determined to have originated from an invalid source address
- Out Forwarded Packets—Packets forwarded from the interface; indicates whether packets are unicast or multicast
- Out Forwarded Bytes—Bytes forwarded from the interface; indicates whether bytes are unicast or multicast
- Out Scheduler Drops Packets—Packets dropped by the out scheduler; indicates whether packets are committed, conformed, or exceeded
- Out Scheduler Drops Bytes—Bytes dropped by the out scheduler; indicates whether bytes are committed, conformed, or exceeded
- Policy—Indicates which policy is attached and whether it is on the input or output of the interface
- classifier-group—Name of a CLACL attached to the interface and number of entry
- filter—Number of packets and bytes dropped because of the CLACL
- color—Explicit color applied to packet flow for queuing; green, yellow, or red:
- Packets transmitted—Number of packets sent to the next-hop address
- Bytes transmitted—Number of bytes sent to the next-hop address
- forward—Number of packets and bytes forwarded because of the CLACL
- rate-limit-profile—Name of the rate-limit profile
- committed—Number of packets and bytes within the committed rate limit
- conformed—Number of packets and bytes exceeding the committed rate limit but within the peak rate
- exceeded—Number of packets and bytes exceeding the peak rate
- action—Action performed on the packets matched by the rules in the rate-limit profile
host1#show ip interface serial 2/1:28/24.1
serial2/1:28/24.1 is up, line protocol is up
Network Protocols: IP
Internet address is 172.24.1.101/255.255.255.0
Broadcast address is 255.255.255.255
Operational MTU = 1600 Administrative MTU = 0
Operational speed = 155520000 Administrative speed = 0
Discontinuity Time = 14695
Router advertisement = disabled
Administrative debounce-time = disabled
Operational debounce-time = disabled
Access routing = disabled
In Received Packets 15, Bytes 3135
In Policed Packets 0, Bytes 0
In Error Packets 0
In Invalid Source Address Packets 0
Out Forwarded Packets 0, Bytes 0
Out Scheduler Drops Packets 0, Bytes 0
IP Policy input pl28241
Classifier-group clacl28241X01 entry 1
0 packets, 0 bytes
filter
Classifier-group clacl28241X02 entry 1
1 packets, 202 bytes
filter
Classifier-group clacl28241X03 entry 1
1 packets, 203 bytes
filter
Classifier-group clacl28241X04 entry 1
1 packets, 204 bytes
filter
Classifier-group clacl28241X05 entry 1
1 packets, 205 bytes
filter
host1#show ip interface serial 2/1:2/1.101
serial2/1:2/1.101 is up, line protocol is up
Network Protocols: IP
Internet address is 192.1.2.101/255.255.255.0
Broadcast address is 255.255.255.255
Operational MTU = 1600 Administrative MTU = 0
Router advertisement = disabled
Administrative debounce-time = disabled
Operational debounce-time = disabled
Access routing = disabled
In Received Packets 464, Bytes 686788
In Policed Packets 0, Bytes 0
In Error Packets 0
In Invalid Source Address Packets 0
Out Forwarded Packets 350, Bytes 256728
Out Scheduler Drops Packets 0, Bytes 0
Policy input pl02001
classifier-group clacl02001 entry 1
1 packets, 1596 bytes
next-hop 192.2.2.201
classifier-group clacl02001 entry 2
rate-limit-profile rlp02001
committed: 1 packets, 1596 bytes action: drop
conformed: 2 packets, 1016 bytes action: drop
exceeded: 89 packets, 140956 bytes action: drop
classifier-group clacl02002 entry 1
98 packets, 144716 bytes
next-hop 192.2.2.201
classifier-group clacl02002 entry 2
rate-limit-profile rlp02002
committed: 98 packets, 144716 bytes action: drop
conformed: 0 packets, 0 bytes action: drop
exceeded: 0 packets, 0 bytes action: drop
classifier-group clacl02003 entry 1
15 packets, 20340 bytes
next-hop 192.2.2.201
classifier-group clacl02004 entry 1
20 packets, 25440 bytes
next-hop 192.2.2.201
classifier-group clacl02005 entry 1
20 packets, 30440 bytes
next-hop 192.2.2.201
If you have enabled policy statistics and baselining, consider the difference in standard and baselined statistics. First display standard policy statistics:
host1#show ip interface atm 9/1.1
Policy output 2egress
classifier-group claclWst10 entry 1
98 packets, 12544 bytes
forward
Now display baselined statistics:
host1#show ip interface atm 9/1.1 delta
Policy output 2egress
classifier-group claclWst10 entry 1
10 packets, 1280 bytes
forward
show ipv6 interface
- Use to display detailed or summary information, including policy and classifier information, for a particular IPv6 interface or for all interfaces.
- The default for the show ipv6 interface command is all interface types and all interfaces.
- Use the brief or detail keywords with the show ipv6 interface command to display different levels of information.
- Field descriptions
- Description—Optional description for the interface or address specified
- Network Protocols—Network protocols configured on this interface
- Link local address—Local IPv6 address of this interface
- Internet address—External address of this interface
- Operational MTU—Value of the MTU
- Administrative MTU—Value of the MTU if it has been administratively overridden using the configuration
- Operational speed—Speed of the interface
- Administrative speed—Value of the speed if it has been administratively overridden using the configuration
- Creation type—Method by which the interface was created (static or dynamic)
- ND reachable time—Amount of time (in milliseconds) that the neighbor is expected to remain reachable
- ND duplicate address detection attempts—Number of times that the router attempts to determine a duplicate address
- ND neighbor solicitation retransmission interval—Interval in which the router retransmits neighbor solicitations
- ND proxy—Indicates whether the router will reply to solicitations on behalf of a known neighbor
- ND RA source link layer—Indicates whether the RA includes the link layer
- ND RA interval—Interval (in seconds) of the neighbor discovery router advertisement
- ND RA lifetime—Lifetime (in seconds) of the neighbor discovery router advertisement
- ND RA managed flag—State of the neighbor discovery router advertisement managed flag
- ND RA other config flag—State of the neighbor discovery router advertisement other config flag
- ND RA advertising prefixes—Configured advertisement prefixes for neighbor discovery router advertisement
- In Received Packets, Bytes—Total number of packets and bytes received on this interface
- Unicast Packets, Bytes—Unicast packets and bytes received on the IPv6 interface; link-local received multicast packets (non-multicast-routed frames) are counted as unicast packets
- Multicast Packets, Bytes—Multicast packets and bytes received on the IPv6 interface, which are then multicast-routed and counted as multicast packets
- In Policed Packets—Packets that were received and dropped because of rate limits
- In Invalid Source Address Packets—Packets received with invalid source address (for example, spoofed packets)
- In Error Packets—Number of packets received with errors
- In Discarded Packets—Packets received that were discarded for reasons other than rate limits, errors, and invalid source address
- Unicast Packets, Bytes—Unicast packets and bytes that were sent from this interface
- Multicast Routed Packets, Bytes—Multicast packets and bytes that were sent from this interface
- Out Scheduler Dropped Packets, Bytes—Number of outbound packets and bytes dropped by the scheduler
- Out Policed Packets, Bytes—Number of outbound packets and bytes dropped because of rate limits
- Out Discarded Packets—Number of outbound packets that were discarded for reasons other than those dropped by the scheduler and those dropped because of rate limits
- rate-limit-profile—Name of the profile
- classifier-group entry—Entry index
- Committed—Number of packets and bytes that conform to the committed access rate
- Conformed—Number of packets and bytes that exceed the committed access rate but conform to the peak access rate
- Exceeded—Number of packets and bytes that exceed the peak access rate
- Queue length—Number of bytes in the queue
- Dropped committed packets, bytes—Total number of committed packets and bytes dropped by this interface
- Dropped conformed packets, bytes—Total number of conformed packets and bytes dropped by this interface
- Dropped exceeded packets, bytes—Total number of exceeded packets and bytes dropped by this interface
host1#show ipv6 interface FastEthernet 9/0.6
FastEthernet9/0.6 line protocol VlanSub is up, ipv6 is up
Description: IPv6 interface in Virtual Router Hop6
Network Protocols: IPv6
Link local address: fe80::90:1a00:740:31cd
Internet address: 2001:db8:1::/48
Operational MTU 1500 Administrative MTU 0
Operational speed 100000000 Administrative speed 0
Creation type Static
ND reachable time is 3600000 milliseconds
ND duplicate address detection attempts is 100
ND neighbor solicitation retransmission interval is 1000 milliseconds
ND proxy is enabled
ND RA source link layer is advertised
ND RA interval is 200 seconds, lifetime is 1800 seconds
ND RA managed flag is disabled, other config flag is disabled
ND RA advertising prefixes configured on interface
In Received Packets 0, Bytes 0
Unicast Packets 0, Bytes 0
Multicast Packets 0, Bytes 0
In Total Dropped Packets 0, Bytes 0
In Policed Packets 0
In Invalid Source Address Packets 0
In Error Packets 0
In Discarded Packets 0
Out Forwarded Packets 8, Bytes 768
Unicast Packets 8, Bytes 768
Multicast Routed Packets 0, Bytes 0
Out Total Dropped Packets 5, Bytes 0
Out Scheduler Dropped Packets 0, Bytes 0
Out Policed Packets 0
Out Discarded Packets 5
IPv6 policy input ipv6InPol25
rate-limit-profile Rlp2Mb classifier-group clgA entry 1
Committed: 0 packets, 0 bytes
Conformed: 0 packets, 0 bytes
Exceeded: 0 packets, 0 bytes
rate-limit-profile Rlp8Mb
Committed: 0 packets, 0 bytes
Conformed: 0 packets, 0 bytes
Exceeded: 0 packets, 0 bytes
IPv6 policy output ipv6PolOut2
rate-limit-profile RlpOutA classifier-group clgB entry 1
Committed: 0 packets, 0 bytes
Conformed: 0 packets, 0 bytes
Exceeded: 0 packets, 0 bytes
rate-limit-profile RlpOutB
Committed: 0 packets, 0 bytes
Conformed: 0 packets, 0 bytes
Exceeded: 0 packets, 0 bytes
IPv6 policy local-input ipv6PolLocIn5
rate-limit-profile Rlp1Mb classifier-group clgC entry 1
Committed: 0 packets, 0 bytes
Conformed: 0 packets, 0 bytes
Exceeded: 0 packets, 0 bytes
rate-limit-profile Rlp5Mb
Committed: 0 packets, 0 bytes
Conformed: 0 packets, 0 bytes
Exceeded: 0 packets, 0 bytes
queue 0: traffic class best-effort, bound to ipv6 FastEthernet9/0.6
Queue length 0 bytes
Forwarded packets 0, bytes 0
Dropped committed packets 0, bytes 0
Dropped conformed packets 0, bytes 0
Dropped exceeded packets 0, bytes 0
show mpls l2transport interface
- Use to display status and configuration information about MPLS Layer 2 interfaces.
- When the keyword l2transport is specified, only Layer 2 circuits for the specified interface are displayed.
- Field descriptions
- Interface—Specifier and status of each interface
- base-LSP/remote-addr—Identifies either the tunnel that is selected to forward the traffic or the address of the router at the other end
- group-id—Group ID number for the interface
- vc-id—VC ID number for the interface
- mtu—Maximum transmission unit for the interface
- state/in/out-label—Status of the Layer 2-over-MPLS connection or the incoming/outgoing VC label
- Mpls Statistics
- pkts—Number of packets received or sent
- hcPkts—Number of high-capacity (64-bit) packets received or sent
- octets—Number of octets received or sent
- hcOctets—Number of high-capacity (64-bit) octets received or sent
- errors—Number of packets that are dropped for some reason at receipt or before being sent
- discardPkts—Number of packets that are discarded due to lack of buffer space at receipt or before being sent
- Queue length—Number of bytes in queue
- Forwarded packets, bytes—Total number of packets and bytes forwarded by this interface
- Dropped committed packets, bytes—Total number of committed packets and bytes dropped by this interface
- Dropped conformed packets, bytes—Total number of conformed packets and bytes dropped by this interface
- Dropped exceeded packets, bytes—Total number of exceeded packets and bytes dropped by this interface
- MPLS policy—Type (input, output) and name of policy
- classifier-group—Name of a CLACL attached to the interface and number of entry
- rate-limit-profile—Name of profile
- Committed—Number of packets and bytes conforming to the committed access rate
- Conformed—Number of packets and bytes that exceed the committed access rate but conform to the peak access rate
- Exceeded—Number of packets and bytes exceeding the peak access rate
host1#show mpls l2transport interface
FastEthernet9/0.1
routed to 222.9.1.3 on base LSP tun mpls:lsp-de090100-24-37
group-id 2 vc-id 900001 mtu 1500
State UP
In Label 48 on stack
0 pkts, 0 hcPkts, 0 octets
0 hcOctets, 0 errors, 0 discardPkts
Out Label 49 on tun mpls:lsp-de090100-24-37
0 pkts, 0 hcPkts, 0 octets
0 hcOctets, 0 errors, 0 discardPkts
queue 0: traffic class best-effort, bound to atm-vc ATM1/0.1
Queue length 0 bytes
Forwarded packets 0, bytes 0
Dropped committed packets 0, bytes 0
Dropped conformed packets 0, bytes 0
Dropped exceeded packets 0, bytes 0
MPLS policy input mplsInputPolicy
classifier-group claclWst50 entry 1
0 packets, 0 bytes
rate-limit-profile rlp
committed: 0 packets, 0 bytes, action: transmit
conformed: 0 packets, 0 bytes, action: transmit
exceeded: 0 packets, 0 bytes, action drop
MPLS policy output mplsOutputPolicy
classifier-group claclWst75 entry 1
0 packets, 0 bytes
rate-limit-profile rlp
committed: 0 packets, 0 bytes, action: transmit
conformed: 0 packets, 0 bytes, action: transmit
exceeded: 0 packets, 0 bytes, action: drop
show policy-list
- Use to display information about policy lists.
- Field descriptions—Fields displayed vary depending on the type of policy and the rules assigned to the policy:
- Policy—Name of the policy list.
- Administrative state—For SNMP use; goes to enable when the policy list is created. Users modifying the policy list commands via telnet see the state as disabled. Modifications of a policy are not applied to an interface until the administrative state is disabled and enabled.
- Reference count—Number of attachments to interfaces or profiles.
- Referenced by interface(s)—List of interfaces to which policy is attached; indicates whether the attachment is at input or output of interface.
- Referenced by profile(s)—List of profiles to which policy is attached; indicates whether the attachment is at input, secondary-input, or output of interface created by the profile.
- Classifier control list—Name of the classifier control list containing policy rules and the precedence assigned to the classifier control list.
- Statistics—Enabled, disabled.
- Rule types are:
- filter—Filter policy action
- forward—Forward policy action
- next-interface—Next-interface policy action
- next-hop—Next-hop policy action
- rate-limit-profile—Rate-limit-profile policy action
- color—Color of a packet; green, yellow, or red
- traffic-class—Traffic class in a policy list
- log—Log policy action
- mark tos—ToS byte in the IP header to a specified value
- mark DS field—DS field value in the IP header to a specified value
- mark TC precedence—Traffic class value in the IPv6 header to a specified value
- mark EXP—Value assigned to EXP bits action
- mark user priority—Value assigned to 802.1p VLAN user priority bit
- mark DE—DE bit action
host1#show policy-list
Policy Table
------ -----
IP Policy routeForABCCorp
Administrative state: enable
Reference count: 0
Classifier control list: ipCLACL10, precedence 75
forward
Virtual-router: default
List:
next-hop 192.0.2.12, order 10, rule 2 (active)
next-hop 192.0.100.109, order 20, rule 3 (reachable)
next-hop 192.120.17.5, order 30, rule 4 (reachable)
interface ip3/1, order 40, rule 5
mark tos 125
rate-limit-profile ipRLP25
Classifier control list: ipCLACL20, precedence 125
filter
IPv6 Policy routeForIPv6
Administrative state: enable
Reference count: 0
Classifier control list: ipv6tc67, precedence 75
color red
mark tc-precedence 7
Frame relay Policy frOutputPolicy
Administrative state: enable
Reference count: 0
Classifier control list: frMatchDeSet, precedence 100
mark-de 1
Frame relay Policy frInputPolicy
Administrative state: enable
Reference count: 0
Classifier control list: frMatchDeSet, precedence 100
color red
GRE Tunnel Policy routeGre50
Administrative state: enable
Reference count: 0
Classifier control list: gre8, precedence 150
color red
mark dsfield 20
filter
L2TP Policy routeForl2tp
Administrative state: enable
Reference count: 0
Classifier control list: *, precedence 100
color red
rate-limit-profile l2tpRLP20
MPLS Policy routeForMpls
Administrative state: enable
Reference count: 0
Classifier control list: *, precedence 200
mark-exp 2 mask 7
rate-limit-profile mplsRLP5
VLAN Policy routeForVlan
Administrative state: enable
Reference count: 0
Classifier control list: lowLatencyLowDrop, precedence 100
traffic-class lowLatencyLowDrop
color green
mark-user-priority 7
Classifier control list: lowLatency, precedence 100
traffic-class lowLatency (suspended)
Classifier control list: excellentEffort, precedence 100
traffic-class excellentEffort
Classifier control list: bestEffort, precedence 100
traffic-class bestEffort
show rate-limit-profile
- Rate-Limit-Profile—Name of the rate-limit profile
- Profile Type—One-rate or two-rate profile
- Reference Count—Number of policy lists that reference this rate-limit profile
- Committed rate—Target rate for the traffic, in bits per second
- Committed burst—Amount of bandwidth allocated to accommodate bursty traffic, in bytes
- Excess burst—Amount of bandwidth allocated to accommodate a packet in progress when the rate is in excess of the burst
- Peak rate—Amount of bandwidth allocated to accommodate traffic flow in excess of the committed rate, in bits per second
- Peak burst—Amount of bandwidth allocated to accommodate bursty traffic in excess of the peak rate, in bytes
- Mask—Value of mask applied to ToS byte in IP packet header
- Committed rate action—Policy action (drop, transmit, or mark) taken when traffic flow does not exceed the committed rate
- Conformed rate action—Policy action (drop, transmit, or mark) taken when traffic flow exceeds the committed rate but remains below the peak rate
- Exceeded rate action—Policy action (drop, transmit, or mark) taken when traffic flow exceeds the peak rate
host1#show rate-limit-profile
Rate Limit Profile Table
---- ----- ------- -----
IP Rate-Limit-Profile: rlp
Profile Type: one-rate
Reference count: 0
Committed rate: 0
Committed burst: 8192
Excess burst: 0
Mask: 255
Committed rate action: transmit
Conformed rate action: transmit
Exceeded rate action: drop
IP Rate-Limit-Profile: rlp
Profile Type: two-rate
Reference count: 0
Committed rate: 0
Committed burst: 8192
Peak rate: 0
Peak burst: 8192
Mask: 255
Committed rate action: transmit
Conformed rate action: transmit
Exceeded rate action: drop
L2TP Rate-Limit-Profile: L2tpRlp
Profile Type: two-rate
Reference count: 0
Committed rate: 0
Committed burst: 8192
Peak rate: 0
Peak burst: 8192
Committed rate action: transmit
Conformed rate action: transmit
Exceeded rate action: drop
show secure policy-list
- Use to display information about secure policy lists, which are used for packet mirroring.
- You must have CLI access level 13 or above to use this command; the level can be modified by an administrator.
- Field descriptions
- Policy—Type (IP or L2TP) and name of the policy list
- Administrative state—Set to enable when the policy list is created.
- Reference count—Number of attachments to interfaces or profiles
- Classifier control list—Name of the classifier control list, which is always *; (contains mirror policy rule and has precedence value to determine order within policy)
- precedence—Precedence assigned to the classifier control list
- mirror—Mirror action
- analyzer-ip-address—IP address of analyzer device
- analyzer-virtual-router—Virtual router where the analyzer interface is configured
- analyzer-udp-port—UDP port used to communicate with analyzer device
- mirror-id—Unique identifier of the mirrored session
- session-id—Unique identifier of the user session
NOTE: A status of unreachable after the session-id indicates that the analyzer interface is either not in analyzer mode or that it is in a down state.
- Referenced by interface(s)—Interfaces to which policy is attached; indicates whether the attachment is at secure input or secure output of interface; also indicates the virtual router at which the interface attachment exists
- Referenced by profile(s)—Not currently supported; always null
- statistics—Not currently supported; always disabled
host1#show secure policy-list
Policy Table
------ -----
Secure IP Policy secureIpPolicy
Administrative state: enable
Reference count: 2
Classifier control list: *, precedence 100
mirror analyzer-ip-address 192.168.1.1 analyzer-virtual-router default analyzer-udp-port 3000 mirror-id 6789 session-id 6543
Referenced by interface(s):
ATM5/0.1 secure-input policy, statistics disabled, virtual-router default
ATM5/0.1 secure-output policy, statistics disabled, virtual-router default
Referenced by profile(s):
No profile references
L2TP Secure Policy secureL2tpPolicy
Administrative state: enable
Reference count: 2
Classifier control list: *, precedence 100
mirror analyzer-ip-address 192.168.2.1 analyzer-virtual-router default analyzer-udp-port 3000 mirror-id 6789 session-id 6543 (unreachable)
Referenced by interface(s):
TUNNEL l2tp:1/msn.pwh.com/1 secure-input policy, statistics disabled
TUNNEL l2tp:1/msn.pwh.com/1 secure-output policy, statistics disabled
Referenced by profile(s):
No profile references
show vlan subinterface
- Subinterface number—Location of the subinterface that carries the VLAN traffic
- VLAN ID—Domain number of the VLAN
- VLAN policy—Type and name of the VLAN policy
- filter—Number of packets and bytes that have been policed by the policy
host1#show vlan subinterface fastEthernet 1/0.1
VLAN ID is 100
VLAN policy input vlanPol1
classifier-group claclVlanBos entry 1
5 packets, 730 bytes
filter