Hi Experts,
Thanks to all for contributing to solving my problem.
Robert, I have seen that the hit counts in the policy-map are many but the hit
counts on the ACL are none, but I want to be more sure about my configs, so that
is the reason I posted it.
Marcin, you are correct, the 6500 is using hardware to process the packets, but can you
link me to any detailed document for the 6500 on PFC, DFC, and MSFC, and how they
work for different traffic?
I tried the log command before, but it gives me an error that the class-map will
not work properly if the ACL is configured with log.
Thanks
On Mon, Oct 26, 2009 at 5:43 PM, Marcin Zgola <MZgola_at_netrixllc.com> wrote:
> When the 6500 uses hardware to process packets you will not see any matches.
> Matches are only shown in software.
>
> To force software packet switching you can add a log statement at the end
> of each line of your ACL.
>
> I am pretty sure this is the case.
>
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Robert Steeneken
> Sent: Monday, October 26, 2009 8:35 AM
> To: Ryan West
> Cc: Rick Mur; Iwan Hoogendoorn; mike arnold; Cisco certification
> Subject: Re: No hit counts for Access-list.
>
> Just checked my 6500, which has had a service-policy for two years now, and the
> ACL hits are very, very low, while the show service policy interface shows
> a lot of packets per second.
>
> On Mon, Oct 26, 2009 at 2:29 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
> > Rick,
> >
> > You should get ACL hits for class-map hits, although the behavior may be
> > different on a 6500.
> >
> > Class-map: xo-out (match-any)
> > 35652148 packets, 7992116020 bytes
> > 5 minute offered rate 10000 bps, drop rate 0 bps
> > Match: access-group name xo-out
> > 35652157 packets, 7992116755 bytes
> > 5 minute rate 10000 bps
> >
> > Extended IP access list xo-out
> > 10 permit ip host x.x.x.x any (71305108 matches)
> > 20 permit ip any host x.x.x.x (88200420 matches)
> >
> > -ryan
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Rick Mur
> > Sent: Monday, October 26, 2009 9:23 AM
> > To: Iwan Hoogendoorn
> > Cc: mike arnold; Cisco certification
> > Subject: Re: No hit counts for Access-list.
> >
> > Try putting the ACL on the interface instead of in the class-map. I don't
> > know if you see ACL hits if it's used within a class-map.
> >
> > If you issue the 'show policy-map interface' you should see traffic being
> > matched by that class, which is another way of seeing if the traffic really
> > hits your QoS policy.
> >
> > And an ACL that matches IP traffic also matches ICMP traffic, so no need for
> > changing that :-)
> >
> > --
> >
> > Regards,
> >
> > Rick Mur
> > CCIE2 #21946 (R&S / Service Provider)
> > Sr. Support Engineer IPexpert, Inc.
> > URL: http://www.IPexpert.com <http://www.ipexpert.com/>
> >
> >
> > On Mon, Oct 26, 2009 at 1:31 PM, Iwan Hoogendoorn <iwan_at_ipexpert.com>
> > wrote:
> >
> > > Mike,
> > >
> > > If you want to count ping packets you should create an ACL that
> > > matches ICMP and not IP.
> > >
> > > --
> > > Regards,
> > >
> > > Iwan Hoogendoorn
> > > CCIE #13084 (R&S / Security / SP)
> > > Sr. Support Engineer IPexpert, Inc.
> > > URL: http://www.IPexpert.com <http://www.ipexpert.com/>
> > >
> > > On Mon, Oct 26, 2009 at 11:41 AM, mike arnold <haynessmith70_at_gmail.com>
> > > wrote:
> > > > Hi,
> > > >
> > > > I am classifying traffic on the Core 6500 for customer A by extended
> > > > access-list: access-list 101 permit 10.10.10.1 0.0.0.7 host
> > > > 10.30.30.1. The subnet is configured on the DS switch facing customer A.
> > > > I am calling this access-list in a class-map for classification of
> > > > traffic and am policing traffic at 4MBps at the egress interface on the
> > > > core facing the ISP router. The connection to the ISP is back-to-back VRF.
> > > > I have created a virtual interface on the core for each customer and a
> > > > layer 2 trunk is connected to the ISP router.
> > > >
> > > > When I do an extended ping vrf for customer B from the DS with the source
> > > > IP of the access-list configured, I don't see any hit counts on the
> > > > access-list.
> > > >
> > > > Scenario:
> > > >
> > > > A---DS----CORE---ISP/PE--P----PE---B
> > > >
> > > > CORE Configs
> > > >
> > > > The configs are on Core.
> > > >
> > > > Extended IP access list 101
> > > > 10 permit ip 10.10.10.0 0.0.0.7 host 10.30.30.1
> > > >
> > > > CORE#sh class-map test
> > > > Class Map match-all test (id 1)
> > > > Match access-group 101
> > > > Class Map match-any class-default (id 0)
> > > > Match any
> > > >
> > > > CORE #sh policy-map 4MB
> > > > Policy Map 4MB
> > > > Class test
> > > > police cir 4000000 bc 125000 be 125000
> > > > conform-action transmit
> > > > exceed-action transmit
> > > > violate-action drop
> > > >
> > > > CORE #sh run int vlan X
> > > > Building configuration...
> > > > Current configuration : 202 bytes
> > > > !
> > > > interface Vlan X
> > > > description connected to ISP for A
> > > > ip vrf forwarding A
> > > > ip address 10.X.X.X 255.255.255.254
> > > > ip flow ingress
> > > > service-policy output 4MB
> > > > end
> > > >
> > > > DIST#sh run int gig3/1
> > > > Building configuration...
> > > > Current configuration : 174 bytes
> > > > !
> > > > interface GigabitEthernet3/1
> > > > description Connected to link customer A
> > > > ip vrf forwarding A
> > > > ip address 10.10.10.1 255.255.255.248
> > > >
> > > > Thanks
> > > >
> > > >
> > > > Blogs and organic groups at http://www.ccie.net
> > > >
> > > >
> _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
Received on Mon Oct 26 2009 - 22:56:25 ART
This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:01 ART