RE: Config mistake or version issue or bug - Who can prove the

From: Geert Nijs (geert.nijs@simac.be)
Date: Sat Nov 13 2004 - 05:41:15 GMT-3

Have you enabled CEF ??

isn't CEF necessary for the "match protocol" to work ?? (match protocol
uses NBAR, and NBAR needs CEF, no ?)

Regards,
Geert

-----Oorspronkelijk bericht-----
Van: nobody@groupstudy.com [mailto:nobody@groupstudy.com] Namens Kian
Wah Lai
Verzonden: zaterdag 13 november 2004 5:27
Aan: ccie2be
CC: Brian McGahan; Group Study
Onderwerp: Re: Config mistake or version issue or bug - Who can prove
the truth?

i have the same problem as well.

policy-map A
 class class-default
   set fr-de
then applying to a serial link, link protocol will always be down

if i use
policy-map A
 class ICMP (assume it's created)
   set fr-de
the link would have no problem.

no idea what went wrong.

Regards,
Kian Wah
3 routers and one PIX rental at SGD2/hr
http://rack.sgcug.org/
Singapore Cisco User Group

ccie2be wrote:

>What happens if you change the policy-map action from drop to set
>fr-de. That's what I couldn't get to work.
>
>Is this maybe a problem with the set fr-de command rather than the mat
>prot icmp command?
>
>Tim
>----- Original Message -----
>From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
>To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
<ccielab@groupstudy.com>
>Sent: Friday, November 12, 2004 6:49 PM
>Subject: RE: Config mistake or version issue or bug - Who can prove the
>truth?
>
>
>Tim,
>
>Works fine for me:
>
>R1#
>class-map match-all ICMP
> match protocol icmp
>!
> policy-map QOS
> class ICMP
> drop
>!
>interface Ethernet0/0
> ip address 124.0.0.1 255.0.0.0
>!
>interface Serial0/1
> ip address 13.0.0.1 255.0.0.0
> service-policy output QOS
>
>R1#ping 13.0.0.3
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 13.0.0.3, timeout is 2 seconds: !!!!!
>Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms
>R1#
>Rack2AS>4
>[Resuming connection 4 to r4 ... ]
>..
>R4#ping 13.0.0.1
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 13.0.0.1, timeout is 2 seconds: !!!!!
>Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
>R4#ping 13.0.0.3
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 13.0.0.3, timeout is 2 seconds: .....
>Success rate is 0 percent (0/5)
>R4#
>Rack2AS>1
>[Resuming connection 1 to r1 ... ]
>
>R1#show policy-map int s0/1
> Serial0/1
>
> Service-policy output: QOS
>
> Class-map: ICMP (match-all)
> 10 packets, 1040 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: protocol icmp
> drop
>
> Class-map: class-default (match-any)
> 51 packets, 3452 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: any
>
>
>The locally originated traffic on R1 is not affected but transit
>traffic is.
>
>
>HTH,
>
>Brian McGahan, CCIE #8593
>bmcgahan@internetworkexpert.com
>
>Internetwork Expert, Inc.
>http://www.InternetworkExpert.com
>Toll Free: 877-224-8987 x 705
>Outside US: 775-826-4344 x 705
>24/7 Support: http://forum.internetworkexpert.com
>Live Chat: http://www.internetworkexpert.com/chat/
>
>
>
>
>>-----Original Message-----
>>From: ccie2be [mailto:ccie2be@nyc.rr.com]
>>Sent: Friday, November 12, 2004 5:39 PM
>>To: Brian McGahan; Group Study
>>Subject: Re: Config mistake or version issue or bug - Who can prove
>>
>>
>the
>
>
>>truth?
>>
>>Brian,
>>
>>After seeing your post I got all excited - maybe you hit on the
>>
>>
>problem,
>
>
>>but
>>alas no. :-(
>>
>>match prot icmp just doesn't work.
>>
>>r1#sh policy-map int s0/0
>>
>> Serial0/0
>>
>> Service-policy output: PING
>>
>> Class-map: PING (match-all)
>> 0 packets, 0 bytes
>> 5 minute offered rate 0 bps, drop rate 0 bps
>> Match: protocol icmp
>> QoS Set
>> fr-de
>> Packets marked 0
>>
>> Class-map: class-default (match-any)
>> 144 packets, 9976 bytes
>> 5 minute offered rate 0 bps, drop rate 0 bps
>> Match: any
>>
>>
>>I tried applying the srevice on the physcial interface and the p2p
>>subinterface which connects to R2 via dlci 102 and 201 on the R2 side.

>>r2#sh fram pvc 201
>>
>>PVC Statistics for interface Serial0/0 (Frame Relay DTE)
>>
>>DLCI = 201, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE =
>>Serial0/0.201
>>
>> input pkts 192 output pkts 201 in bytes 21790
>> out bytes 23285 dropped pkts 0 in pkts dropped 0
>> out pkts dropped 0 out bytes dropped 0
>> in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
>> out BECN pkts 0 in DE pkts 0 out DE pkts 0
>> out bcast pkts 181 out bcast bytes 21205
>> 5 minute input rate 0 bits/sec, 0 packets/sec
>> 5 minute output rate 0 bits/sec, 0 packets/sec
>> pvc create time 00:23:27, last time pvc status changed 00:21:57
>>
>>When I change it to match access-group 100, where acl 100 permits
>>
>>
>icmp,
>
>
>>then
>>it works.
>>
>>Go configure!!!
>>
>>BTW, match prot icmp doesn't work when I ping from R1 (where the MQC
>>
>>
>is
>
>
>>configured) or from a different router. So, I'm out of ideas. Have
>>
>>
>you
>
>
>>got
>>anymore?
>>
>>Tim
>>
>>----- Original Message -----
>>From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
>>To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
>>
>>
><ccielab@groupstudy.com>
>
>
>>Sent: Friday, November 12, 2004 5:51 PM
>>Subject: RE: Config mistake or version issue or bug - Who can prove
>>
>>
>the
>
>
>>truth?
>>
>>
>>Try it as transit traffic, not locally originated traffic.
>>
>>Brian McGahan, CCIE #8593
>>bmcgahan@internetworkexpert.com
>>
>>Internetwork Expert, Inc.
>>http://www.InternetworkExpert.com
>>Toll Free: 877-224-8987 x 705
>>Outside US: 775-826-4344 x 705
>>24/7 Support: http://forum.internetworkexpert.com
>>Live Chat: http://www.internetworkexpert.com/chat/
>>
>>
>>
>>
>>>-----Original Message-----
>>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
>>>
>>>
>>Of
>>
>>
>>>ccie2be
>>>Sent: Friday, November 12, 2004 2:48 PM
>>>To: Group Study
>>>Subject: Config mistake or version issue or bug - Who can prove the
>>>
>>>
>>truth?
>>
>>
>>>Here's a challenge for all you ccie wannabe's and current ccie's.
>>>
>>>MQC was used to set the DE bit on ping traffic with the following
>>>
>>>
>>class-
>>
>>
>>>map:
>>>
>>>class-map PING
>>> match prot icmp
>>>
>>>policy-map PING
>>> set fr-de
>>>
>>>int s0/0
>>>service-policy out PING
>>>
>>>It didn't work. So begins the troubleshooting.
>>>
>>>Maybe, the service policy has to be within a map-class like this:
>>>
>>>map-class fram PING
>>>service-policy PING
>>>
>>>int s0/0
>>>fram class PING
>>>
>>>Nope, this doesn't work either. What could be wrong?
>>>
>>>How about if the class-map is applied on a p2p sub?
>>>
>>>Nope, doesn't work.
>>>
>>>Could it NBAR? Let's see.
>>>
>>>1st, create the acl like this
>>>
>>>access-list 100 perm icmp any any
>>>
>>>Now, change the class-map to look like this:
>>>
>>>class-map PING
>>> match access-group 100
>>>
>>>And, test again.
>>>
>>>Hurrah !!! It works.
>>>
>>>Who knows why?
>>>
>>>Here's the output of show ver:
>>>
>>>r1#sh ver
>>>Cisco Internetwork Operating System Software
>>>IOS (tm) 3600 Software (C3640-JK9O3S-M), Version 12.3(9), RELEASE
>>>
>>>
>>SOFTWARE
>>
>>
>>>(fc2)
>>>
>>>Copyright (c) 1986-2004 by cisco Systems, Inc.
>>>Compiled Fri 14-May-04 13:16 by dchih
>>>Image text-base: 0x60008B00, data-base: 0x620DE000
>>>
>>>ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE
>>>SOFTWARE (f
>>>c1)
>>>
>>>r1 uptime is 5 hours, 58 minutes
>>>System returned to ROM by power-on
>>>System image file is "flash:c3640-jk9o3s-mz.123-9.bin"
>>>
>>>Tim
>>>
>>>
>>>
>>>
>_______________________________________________________________________
>
>
>>>Subscription information may be found at:
>>>http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html

This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:43 GMT-3