Troubleshooting Avc With Dns-As - Cisco Catalyst 4500 Series Software Configuration Manual

Troubleshooting AVC with DNS-AS

Troubleshooting AVC with DNS-AS
Problem
There are no entries in the binding table The binding table may be empty because of one or both of these reasons:
Unsuccessful DNS snooping or packet
logging.
The DNS server does not return correct
values
The QoS policy you applied to the port
is removed.
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
45-24
Possible Causes and Solutions
Metadata is not maintained in DNS server—complete task
•
Metadata Streams, page 45-7
The entry is not maintained in the trusted domain list—complete task
•
an Entry in the Trusted Domain List, page 45-10
To ensure DNS snooping and packet logging, you must attach the policy map
(containing the relevant class maps that will determine traffic class) to the
interface—See the example in the
section.
Verify that the correct DNS-AS metadata is maintained in the DNS system
Using Linux dig:
•
dig TXT +short www.example.org [dns-server-ip]
"CISCO-CLS=app-name:example|app-class:TD|business:YES|app-id:CU/28
202"
Using Windows nslookup:
•
C:\Windows\system32>NSLookup.exe -q=TXT
[dns-server-ip]
www.example.org text =
"CISCO-CLS=app-name:example|app-class:TD|business:YES|app-id:CU/28
202"
When the DNS-AS client recognises an application, along with saving the "A"
record response in the binding table, the system utilises the TCAM to save the IP
address of the application. A single application can in effect have multiple IP
addresses, each utilising additional space in the TCAM. When the TCAM is
exhausted, QoS policies cease to be applied.
To avoid the problem, monitor TCAM utilisation on a regular basis. Enter the
show platform tcam utilisation command in privilege EXEC mode, to display
information about TCAM availability.
Chapter 45 Configuring AVC with DNS-AS
Configuring QoS for AVC with DNS-AS
www.example.org
Generating
Making