Re: No hit counts for Access-list. from Iwan Hoogendoorn on 2009-10-26 (Ccielab archives 10/2009)

From: Iwan Hoogendoorn <iwan_at_ipexpert.com>
Date: Mon, 26 Oct 2009 13:31:00 +0100

Mike,

If you want to count ping packets you should create an ACL that
matches ICMP and not IP.

-- 
Regards,
Iwan Hoogendoorn
CCIE #13084 (R&S / Security / SP)
Sr. Support Engineer  IPexpert, Inc.
URL: http://www.IPexpert.com
On Mon, Oct 26, 2009 at 11:41 AM, mike arnold <haynessmith70_at_gmail.com> wrote:
> Hi,
>
> Am classifying traffic on Core 6500 for a  customer A by Extended
> access-list.access-list 101 permit 10.10.10.1 0.0.0.7 host
> 10.30.30.1 ,Subnet configured on DS switch facing to customer A. Am calling
> this access-list in class-map for classification of traffic and am doing
> policing for traffic at 4MBps,at egreess interface on core facing to ISP
> router. The connection to ISP is back to back VRF.i have created a virtual
> interface on core for each customer and a layer 2 trunk is connected to ISP
> router.
>
> When i do a extended ping vrf for customer B from DS with source IP of
> access-list configured i dont see any hit counts on access-list.
>
> Secnario:
>
> A---DS----CORE---ISP/PE--P----PE---B
>
> CORE Configs
>
> The configs are on Core.
>
> Extended IP access list 101
> 10 permit ip 10.10.10.0 0.0.0.7 host 10.30.30.1
>
> CORE#sh class-map test
> Class Map match-all test (id 1)
> Match access-group 101
> Class Map match-any class-default (id 0)
> Match any
>
> CORE #sh policy-map 4MB
> Policy Map 4MB
> Class test
> police cir 4000000 bc 125000 be 125000
> conform-action transmit
> exceed-action transmit
> violate-action drop
>
> CORE #sh run int vlan X
> Building configuration...
> Current configuration : 202 bytes
> !
> interface Vlan X
> description connected to ISP for A
> ip vrf forwarding A
> ip address 10.X.X.X 255.255.255.254
> ip flow ingress
> service-policy output 4MB
> end
>
> DIST#sh run int gig3/1
> Building configuration...
> Current configuration : 174 bytes
> !
> interface GigabitEthernet3/1
> description Connected to link customer A
> ip vrf forwarding A
> ip address 10.10.10.1 255.255.255.248
>
> Thanks
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>
-- 
Regards,
Iwan Hoogendoorn
CCIE #13084 (R&S / Security / SP)
Sr. Support Engineer  IPexpert, Inc.
URL: http://www.IPexpert.com
Blogs and organic groups at http://www.ccie.net

Received on Mon Oct 26 2009 - 13:31:00 ART

This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:00 ART