RE: No hit counts for Access-list.

From: Ryan West <rwest_at_zyedge.com>
Date: Mon, 26 Oct 2009 09:29:38 -0400

Rick,

You should get ACL hits for class-map hits, although the behavior may be different on a 6500.

        Class-map: xo-out (match-any)
          35652148 packets, 7992116020 bytes
          5 minute offered rate 10000 bps, drop rate 0 bps
          Match: access-group name xo-out
            35652157 packets, 7992116755 bytes
            5 minute rate 10000 bps

Extended IP access list xo-out
    10 permit ip host x.x.x.x any (71305108 matches)
    20 permit ip any host x.x.x.x (88200420 matches)

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Rick Mur
Sent: Monday, October 26, 2009 9:23 AM
To: Iwan Hoogendoorn
Cc: mike arnold; Cisco certification
Subject: Re: No hit counts for Access-list.

Try putting the ACL on the interface instead of in the class-map. I don't
know if you see ACL hits if it's used within a class-map.

If you issue the 'show policy-map interface' you should see traffic being
matched by that class. Which is another way of seeing if the traffic really
hits your QoS policy.

And an ACL that matches IP traffic also matches ICMP traffic, so no need for
changing that :-)

--
Regards,
Rick Mur
CCIE2 #21946 (R&S / Service Provider)
Sr. Support Engineer  IPexpert, Inc.
URL: http://www.IPexpert.com

On Mon, Oct 26, 2009 at 1:31 PM, Iwan Hoogendoorn <iwan_at_ipexpert.com> wrote:
> Mike,
>
> If you want to count ping packets you should create an ACL that
> matches ICMP and not IP.
>
> --
> Regards,
>
> Iwan Hoogendoorn
> CCIE #13084 (R&S / Security / SP)
> Sr. Support Engineer   IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> On Mon, Oct 26, 2009 at 11:41 AM, mike arnold <haynessmith70_at_gmail.com>
> wrote:
> > Hi,
> >
> > I am classifying traffic on the Core 6500 for customer A by extended
> > access-list: access-list 101 permit 10.10.10.1 0.0.0.7 host
> > 10.30.30.1, subnet configured on the DS switch facing customer A. I am
> > calling this access-list in a class-map for classification of traffic and
> > am doing policing for traffic at 4MBps at the egress interface on the core
> > facing the ISP router. The connection to the ISP is back-to-back VRF. I
> > have created a virtual interface on the core for each customer, and a
> > layer 2 trunk is connected to the ISP router.
> >
> > When I do an extended ping vrf for customer B from DS with the source IP of
> > the access-list configured, I don't see any hit counts on the access-list.
> >
> > Scenario:
> >
> > A---DS----CORE---ISP/PE--P----PE---B
> >
> > CORE Configs
> >
> > The configs are on Core.
> >
> > Extended IP access list 101
> > 10 permit ip 10.10.10.0 0.0.0.7 host 10.30.30.1
> >
> > CORE#sh class-map test
> > Class Map match-all test (id 1)
> > Match access-group 101
> > Class Map match-any class-default (id 0)
> > Match any
> >
> > CORE #sh policy-map 4MB
> > Policy Map 4MB
> > Class test
> > police cir 4000000 bc 125000 be 125000
> > conform-action transmit
> > exceed-action transmit
> > violate-action drop
> >
> > CORE #sh run int vlan X
> > Building configuration...
> > Current configuration : 202 bytes
> > !
> > interface Vlan X
> > description connected to ISP for A
> > ip vrf forwarding A
> > ip address 10.X.X.X 255.255.255.254
> > ip flow ingress
> > service-policy output 4MB
> > end
> >
> > DIST#sh run int gig3/1
> > Building configuration...
> > Current configuration : 174 bytes
> > !
> > interface GigabitEthernet3/1
> > description Connected to link customer A
> > ip vrf forwarding A
> > ip address 10.10.10.1 255.255.255.248
> >
> > Thanks
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
Received on Mon Oct 26 2009 - 09:29:38 ART
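
An added example, not part of the thread: a minimal Python model of how an IOS extended ACL entry with a wildcard mask is evaluated, run against access-list 101 from the original post. It shows that a `permit ip` entry matches an ICMP echo from 10.10.10.1 to 10.30.30.1; the function names are hypothetical, and ports and other ACE options are not modelled.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means "don't care", a 0 bit must match."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A W' and return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return ("0.0.0.0", "255.255.255.255")
    if first == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (first, tokens.pop(0))

def parse_ace(line):
    """Parse '[seq] permit|deny <proto> <src> <dst>' (ports/options not modelled)."""
    tokens = line.split()
    if tokens[0].isdigit():
        tokens.pop(0)  # drop the sequence number shown by 'show access-lists'
    action, proto = tokens.pop(0), tokens.pop(0)
    return {"action": action, "proto": proto,
            "src": _parse_addr(tokens), "dst": _parse_addr(tokens)}

def evaluate(acl_lines, proto, src, dst):
    """Return the action of the first matching entry, else the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        # The 'ip' keyword matches every IP protocol, ICMP included.
        if (ace["proto"] in ("ip", proto)
                and wildcard_match(src, *ace["src"])
                and wildcard_match(dst, *ace["dst"])):
            return ace["action"]
    return "deny"

# Entry copied from the 'show access-lists' output in the original post.
ACL_101 = ["10 permit ip 10.10.10.0 0.0.0.7 host 10.30.30.1"]

if __name__ == "__main__":
    print(evaluate(ACL_101, "icmp", "10.10.10.1", "10.30.30.1"))
    print(evaluate(ACL_101, "icmp", "10.10.10.9", "10.30.30.1"))
```
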