RE: CBWFQ and logging

From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Sun Oct 01 2006 - 15:29:58 ART


Hi Dave.

I disagree; please look at Joe's original post. :)
Please try this on the routers:

R6(config)#ip access-list extended 101
R6(config-ext-nacl)#permit tcp any any eq ftp log
R6(config-ext-nacl)#class-map foo
R6(config-cmap)#match access-group 101
access-lists with 'log' keyword are not supported

Notice that in my reply to Joe, I'm telling him that I do not think there is
a way to do packet logging using MQC. So the only way we have is to use
show policy-map interface and observe the values in the output.

Sorry, I know that my English sucks, so I apologize if I caused confusion here.

Thanks!!
Victor.-

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Schulz, Dave
Sent: Wednesday, September 27, 2006 12:10 a.m.
To: Victor Cappuccio; Joe Clyde; ccielab@groupstudy.com
Subject: RE: CBWFQ and logging

Victor -

You may want to just log the packets based on your access-lists by
adding the log keyword. HTH

Dave Schulz,
Email: dschulz@dpsciences.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Victor Cappuccio
Sent: Tuesday, September 26, 2006 9:27 PM
To: 'Joe Clyde'; ccielab@groupstudy.com
Subject: RE: CBWFQ and logging

Hi Joe,

I would highly appreciate knowing if you find a way to log packets that
match a class map, but for now just this:

R5#show policy-map int e0/0
 Ethernet0/0

  Service-policy output: p2p

    Class-map: p2p (match-all)
      0 packets, 0 bytes <------
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol kazaa2
      Match: protocol fasttrack
      Match: protocol gnutella
      Match: protocol napster
      drop

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

--> Here you can see how many packets have been dropped by the router, in
number of bytes and number of packets.

I just labbed this out, but matching another class of traffic (ICMP):

R2(config)#access-list 123 permit icmp any any
R2(config)#class-map ICMP
R2(config-cmap)#ma access-gr 123
R2(config-cmap)#exit
R2(config)#policy-map ICMP
R2(config-pmap)#class ICMP
R2(config-pmap-c)#drop
R2(config-pmap-c)#exit
R2(config-pmap)#int f0/0
R2(config-if)#do ping 155.1.2.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.2.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2(config-if)#service-policy output ICMP
R2(config-if)#do ping 155.1.2.7 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 155.1.2.7, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
R2(config-if)#do show policy int f0/0
 FastEthernet0/0

  Service-policy output: ICMP

    Class-map: ICMP (match-all)
      2 packets, 228 bytes <<<------ see denied 2 ICMP Echos to that IP Add
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 123
      drop

    Class-map: class-default (match-any)
      5 packets, 360 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

R2(config-if)#! The only problem with this "Type of Log" is that it is subject
R2(config-if)#! to the clear counters
R2(config-if)#do clear count
Clear "show interface" counters on all interfaces [confirm]
R2(config-if)#
R2(config-if)#
*Mar 2 13:27:34.591: %CLEAR-5-COUNTERS: Clear counter on all interfaces by console
R2(config-if)#do ping 155.1.2.7 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 155.1.2.7, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)
R2(config-if)#do show policy int f0/0
 FastEthernet0/0

  Service-policy output: ICMP

    Class-map: ICMP (match-all)
      1 packets, 114 bytes <--- Because the previous clear count
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 123
      drop

    Class-map: class-default (match-any)
      3 packets, 514 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R2(config-if)#

Regards,
Victor.-
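Since the class-map counters are the only record of what the drop action matched, and `clear counters` wipes them, one defender-side approach is to poll `show policy-map interface` on a schedule, diff successive samples, and treat a counter that went backwards as a reset rather than silently losing the drops. The following Python is an added example; it is not code from this thread or from Cisco. The two sample polls are constructed from the output Victor pasted above (before and after his `clear counters`), and the regexes assume that layout: an interface line, a `Service-policy` line, a `Class-map` line, a `packets, bytes` line and a bare `drop` action line.

```python
import re

# Constructed sample: two successive polls of "show policy-map interface",
# modelled on the output in the thread. POLL_2 was taken after
# "clear counters", so the counters went backwards.
POLL_1 = """\
 FastEthernet0/0

  Service-policy output: ICMP

    Class-map: ICMP (match-all)
      2 packets, 228 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 123
      drop

    Class-map: class-default (match-any)
      5 packets, 360 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

POLL_2 = """\
 FastEthernet0/0

  Service-policy output: ICMP

    Class-map: ICMP (match-all)
      1 packets, 114 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 123
      drop

    Class-map: class-default (match-any)
      3 packets, 514 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
"""

# Assumed line shapes (from the pasted output): interface names sit at one
# space of indent, everything else deeper.
IFACE_RE = re.compile(r"^ (\S+)\s*$")
POLICY_RE = re.compile(r"^\s+Service-policy (input|output): (\S+)")
CLASS_RE = re.compile(r"^\s+Class-map: (\S+) \((match-all|match-any)\)")
COUNT_RE = re.compile(r"^\s+(\d+) packets, (\d+) bytes")


def parse_policy_map(text):
    """Map (interface, direction, policy, class) -> packets/bytes and drop action."""
    result = {}
    iface = direction = policy = key = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = POLICY_RE.match(line)
        if m:
            direction, policy = m.group(1), m.group(2)
            continue
        m = CLASS_RE.match(line)
        if m:
            key = (iface, direction, policy, m.group(1))
            result[key] = {"packets": None, "bytes": None, "drop": False}
            continue
        m = COUNT_RE.match(line)
        if m and key is not None and result[key]["packets"] is None:
            # Only the first "N packets, N bytes" line belongs to the class counter.
            result[key]["packets"] = int(m.group(1))
            result[key]["bytes"] = int(m.group(2))
            continue
        if key is not None and line.strip() == "drop":
            result[key]["drop"] = True
    return result


def counter_delta(prev, curr):
    """Per-class traffic seen between two polls.

    A packet or byte counter lower than the previous poll means the counters
    were cleared; the current value is then reported as a lower bound and the
    sample is flagged, since whatever matched before the clear is gone."""
    deltas = {}
    for key, now in curr.items():
        before = prev.get(key)
        reset = before is not None and (
            now["packets"] < before["packets"] or now["bytes"] < before["bytes"])
        if before is None or reset:
            deltas[key] = {"packets": now["packets"], "bytes": now["bytes"], "reset": reset}
        else:
            deltas[key] = {"packets": now["packets"] - before["packets"],
                           "bytes": now["bytes"] - before["bytes"], "reset": False}
    return deltas


def dropped_traffic(parsed):
    """Only classes whose action is 'drop' answer 'what did the policy block?'."""
    return {k: v for k, v in parsed.items() if v["drop"]}


if __name__ == "__main__":
    first, second = parse_policy_map(POLL_1), parse_policy_map(POLL_2)
    for key, d in counter_delta(first, second).items():
        if key in dropped_traffic(second):
            flag = " (counters were cleared; lower bound)" if d["reset"] else ""
            print(f"{key[0]} {key[1]} policy {key[2]} class {key[3]}: "
                  f"dropped {d['packets']} packets / {d['bytes']} bytes{flag}")
```

Polling this way gives an approximate, per-class count of blocked traffic with a visible marker whenever the baseline was lost, which is the most a counter-based record can offer compared with per-packet ACL logging.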

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Joe Clyde
Sent: Tuesday, September 26, 2006 05:06 p.m.
To: ccielab@groupstudy.com
Subject: CBWFQ and logging

Is there a way to log the traffic that you drop through a service
policy? When I try to match, under the class-map, on an access list with
the "log" statement I get an error...
r2(config)#ip access-list extended 101
r2(config-ext-nacl)#permit tcp any any eq ftp log
r2(config)#class-map foo
r2(config-cmap)#match access-group 101
****access-lists with 'log' keyword are not supported****

Here is an example config (unrelated to the above access list)...can you
log the dropped traffic and if so, how? It seems like you can't use an
access list, so are there options under the class-map, policy-map, or
service-policy?

EG.

class-map match-all p2p
  match protocol kazaa2
  match protocol fasttrack
  match protocol gnutella
  match protocol napster

policy-map p2p
  class p2p
   drop

interface FastEthernet0/0
 description to-->r1
 ip address 150.50.12.2 255.255.255.0
 duplex auto
 speed auto
 service-policy output p2p



This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:03 ART