[c-nsp] ACL's on policy-map - No hits?
Luan Nguyen
luan at netcraftsmen.net
Fri Oct 17 08:31:32 EDT 2008
Yeah, that's QOS limitation on those switches:" The display for the show
policy-map interface user EXEC command shows zeros for the counters
associated with class-map match criteria. There is no workaround.
(CSCec08205)"
http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/releas
e/12.2_37_se/release/notes/OL12616.html
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of mb at adv.gcomm.com.au
Sent: Thursday, October 16, 2008 8:38 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ACL's on policy-map - No hits?
Hi,
We have the following policy-map setup on 2960's and 3750's for
customer facing ports:
class-map match-any LAN_MANAGEMENT
match access-group name LAN_MANAGEMENT
class-map match-any SERVER_MANAGEMENT
match access-group name SERVER_MANAGEMENT
policy-map ACCESS_PORT
class LAN_MANAGEMENT
set ip dscp af31
class SERVER_MANAGEMENT
set ip dscp af31
class class-default
set ip dscp default
police 10000000 16000 exceed-action policed-dscp-transmit
ip access-list extended LAN_MANAGEMENT
remark telnet traffic
permit tcp any any eq telnet
permit tcp any eq telnet any
remark ssh traffic
permit tcp any any eq 22
permit tcp any eq 22 any
remark snmp traffic
permit udp any any eq snmp
permit udp any eq snmp any
permit udp any any eq snmptrap
permit udp any eq snmptrap any
ip access-list extended SERVER_MANAGEMENT
remark RDP traffic
permit tcp any any eq 3389
permit tcp any eq 3389 any
interface FastEthernet0/1
switchport access vlan 191
switchport mode access
switchport port-security maximum 10
switchport port-security
switchport port-security aging time 10
storm-control broadcast level 20.00
storm-control action trap
spanning-tree portfast
spanning-tree guard root
service-policy input ACCESS_PORT
We see the policer is working(Formatting will prob. be terrible -
Apologies!):
#show mls qos interface fastEthernet 0/1 statistics FastEthernet0/1
(All statistics are in packets)
dscp: incoming -------------------------------
0 - 4 : 477175 0 0 0
0 5 - 9 : 0 0 0 0
0 10 - 14 : 0 0 0 0
0 15 - 19 : 0 0 0
0 0 20 - 24 : 0 0 0
0 0 25 - 29 : 0 0 0
0 0 30 - 34 : 0 0 0
0 0 35 - 39 : 0 0
0 0 0 40 - 44 : 0 0
0 0 0 45 - 49 : 0 0
0 0 0 50 - 54 : 0
0 0 0 0 55 - 59 : 0
0 0 0 0 60 - 64 : 0
0 0 0 dscp: outgoing
-------------------------------
0 - 4 : 932319 0 0 0
0 5 - 9 : 0 0 0 0
0 10 - 14 : 0 0 0 0
0 15 - 19 : 0 0 0
0 0 20 - 24 : 0 0 0
0 0 25 - 29 : 0 0 0
0 0 30 - 34 : 0 0 0
0 0 35 - 39 : 0 0
0 0 0 40 - 44 : 0 0
0 0 0 45 - 49 : 0 0
0 0 0 50 - 54 : 0
0 0 0 0 55 - 59 : 0
0 0 0 0 60 - 64 : 0
0 0 0 cos: incoming
-------------------------------
0 - 4 : 477191 0 0 0
0 5 - 7 : 0 0 0 cos: outgoing
-------------------------------
0 - 4 : 932333 0 0 0
0 5 - 7 : 0 0 0 Policer:
Inprofile: 29413 OutofProfile: 19101
But, when performing RDP/SSH etc to/from server connected to port,
ACL's show no hits?
#sh access-lists Extended IP access list LAN_MANAGEMENT
10 permit tcp any any eq telnet
20 permit tcp any eq telnet any
30 permit tcp any any eq 22
40 permit tcp any eq 22 any
50 permit udp any any eq snmp
60 permit udp any eq snmp any
70 permit udp any any eq snmptrap
80 permit udp any eq snmptrap any
Extended IP access list SERVER_MANAGEMENT
10 permit tcp any any eq 3389
20 permit tcp any eq 3389 any
Is this to be expected?
-------------------------------------------------------------------------
This e-mail was sent via Data FX Online WebMail http://www.datafx.com.au/
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list