
DROP command not available on IOS Ly3/4 Policy-Map

Unanswered Question
Oct 29th, 2014

Hello

 

I am running IOS c7200-adventerprisek9-mz.152-4.S3 on GNS3. I am trying to block the Tor protocol using a Ly3/4 policy-map, but when I enter the policy-map configuration, there is no Drop option available.

Any idea why the policy-map configuration on this IOS does not have the DROP command available? If the drop command is not supported with this IOS, then what IOS should I use that has the Tor protocol in its NBAR library and can block it?

 

 

Thanks

Jody Lemoine Thu, 10/30/2014 - 06:55

Are you sure you're using "policy-map type inspect" when defining your policy map? Different policy map types have different options, depending on what they're designed for and you may be using the wrong one.

Imran Ahmad Thu, 10/30/2014 - 07:25

I'm talking about a normal Ly3/4 policy-map, not any type / Ly7 policy-maps.

Jody Lemoine Thu, 10/30/2014 - 08:12

Okay, so your configuration looks something like this?

policy-map PM_Test
 class CM_Test
  drop

And it isn't taking the drop command? That should be supported in the indicated IOS image.

As for blocking TOR with NBAR, you need NBAR2 for TOR protocol support and I don't think that's supported on the 7200.

Imran Ahmad Thu, 10/30/2014 - 08:54

It is supported on 7200. But my question is not answered: why is the DROP command not available?

Jody Lemoine Thu, 10/30/2014 - 08:59

I just tested it against a 7200 with 15.1.4M7 and the drop command is definitely available. I can't see it being removed in 15.2.4. Can you post the relevant configuration of your class and policy maps?

Imran Ahmad Thu, 10/30/2014 - 09:16

It is available on 15.x-M, but it is not available with the 15.x-S series.

Jody Lemoine Thu, 10/30/2014 - 09:35

Is there a particular reason you need the S series rather than M? If not, it sounds like moving to the M train is the fix.

Imran Ahmad Thu, 10/30/2014 - 09:48

Actually, I'm trying to test blocking Tor.

The M series does not have support for Tor; that is why I'm using the S series.

Jody Lemoine Thu, 10/30/2014 - 09:51

That makes sense. What options do you have available in the policy map for this class? If we can't drop it, perhaps we can police it down to nothing.
