Re: No hit counts for Access-list.

From: Lala Lander <sshafi_at_gmail.com>
Date: Mon, 26 Oct 2009 12:13:51 -0700

This is a classic misconception and a must interview question from my side
:-)

Will permit IP match ICMP traffic? 95% of engineers answer no!

ICMP rides over IP (Protocol 1) and hence will be matched by permit ip.

Mike, your issue is 6500 hardware: it processes everything in hardware and
hence you see very few or no ACL hits. Try adding the log keyword and the world
will change ;-)

On Mon, Oct 26, 2009 at 5:31 AM, Iwan Hoogendoorn <iwan_at_ipexpert.com> wrote:

> Mike,
>
> If you want to count ping packets you should create an ACL that
> matches ICMP and not IP.
>
> --
> Regards,
>
> Iwan Hoogendoorn
> CCIE #13084 (R&S / Security / SP)
> Sr. Support Engineer IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> On Mon, Oct 26, 2009 at 11:41 AM, mike arnold <haynessmith70_at_gmail.com>
> wrote:
> > Hi,
> >
> > I am classifying traffic on the Core 6500 for customer A by extended
> > access-list: access-list 101 permit 10.10.10.1 0.0.0.7 host 10.30.30.1,
> > a subnet configured on the DS switch facing customer A. I am calling
> > this access-list in a class-map for classification of traffic and am
> > policing traffic at 4MBps at the egress interface on the core facing the
> > ISP router. The connection to the ISP is back-to-back VRF. I have created
> > a virtual interface on the core for each customer and a layer 2 trunk is
> > connected to the ISP router.
> >
> > When I do an extended ping vrf for customer B from the DS with the source
> > IP configured in the access-list, I don't see any hit counts on the
> > access-list.
> >
> > Scenario:
> >
> > A---DS----CORE---ISP/PE--P----PE---B
> >
> > CORE Configs
> >
> > The configs are on Core.
> >
> > Extended IP access list 101
> > 10 permit ip 10.10.10.0 0.0.0.7 host 10.30.30.1
> >
> > CORE#sh class-map test
> > Class Map match-all test (id 1)
> > Match access-group 101
> > Class Map match-any class-default (id 0)
> > Match any
> >
> > CORE #sh policy-map 4MB
> > Policy Map 4MB
> > Class test
> > police cir 4000000 bc 125000 be 125000
> > conform-action transmit
> > exceed-action transmit
> > violate-action drop
> >
> > CORE #sh run int vlan X
> > Building configuration...
> > Current configuration : 202 bytes
> > !
> > interface Vlan X
> > description connected to ISP for A
> > ip vrf forwarding A
> > ip address 10.X.X.X 255.255.255.254
> > ip flow ingress
> > service-policy output 4MB
> > end
> >
> > DIST#sh run int gig3/1
> > Building configuration...
> > Current configuration : 174 bytes
> > !
> > interface GigabitEthernet3/1
> > description Connected to link customer A
> > ip vrf forwarding A
> > ip address 10.10.10.1 255.255.255.248
> >
> > Thanks
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

Received on Mon Oct 26 2009 - 12:13:51 ART
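The matching rule Lala describes, as an added example that is not part of the thread: a small Python evaluator for extended-ACL entries (Cisco wildcard masks, `host`, `any`, first-match with implicit deny) showing that `permit ip` matches an ICMP packet (protocol 1) and a TCP packet alike, while an ICMP-only entry matches only protocol 1. The ACL lines and packet addresses are constructed from the thread; hit-counter behaviour on hardware-switched platforms is outside what this simulates.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# "ip" means any IP protocol, so it covers ICMP (1), TCP (6), UDP (17), ...
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}
MASK32 = 0xFFFFFFFF

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None == any IP protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int

def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]; return (net, wildcard, next_i)."""
    if tokens[i] == "any":
        return 0, MASK32, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1])), i + 2

def parse_ace(line):
    """Parse one ACE such as '10 permit ip 10.10.10.0 0.0.0.7 host 10.30.30.1' (sequence number optional)."""
    tokens = line.split()
    if tokens[0].isdigit():
        tokens = tokens[1:]
    action, proto = tokens[0], PROTO_NUM[tokens[1]]
    src_net, src_wild, i = _parse_addr(tokens, 2)
    dst_net, dst_wild, _ = _parse_addr(tokens, i)
    return Ace(action, proto, src_net, src_wild, dst_net, dst_wild)

def _wild_match(addr, net, wild):
    # Cisco wildcard semantics: a 1 bit means "don't care"; only the 0 bits are compared.
    return ((addr ^ net) & ~wild & MASK32) == 0

def evaluate(acl, proto, src, dst):
    """Return the action of the first matching ACE, or 'deny' from the implicit deny at the end."""
    src_i, dst_i = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acl:
        if ace.proto is not None and ace.proto != proto:
            continue  # protocol-specific entry, and this packet is a different protocol
        if _wild_match(src_i, ace.src_net, ace.src_wild) and _wild_match(dst_i, ace.dst_net, ace.dst_wild):
            return ace.action
    return "deny"

# Constructed from the thread: the ACL as shown on the core, and an ICMP-only variant for comparison.
ACL_101 = [parse_ace("10 permit ip 10.10.10.0 0.0.0.7 host 10.30.30.1")]
ACL_ICMP_ONLY = [parse_ace("permit icmp 10.10.10.0 0.0.0.7 host 10.30.30.1")]
```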

This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:01 ART