[c-nsp] ACL's on policy-map - No hits?

Luan Nguyen luan at netcraftsmen.net
Fri Oct 17 08:31:32 EDT 2008


Yeah, that's a QoS limitation on those switches: "The display for the show
policy-map interface user EXEC command shows zeros for the counters
associated with class-map match criteria.  There is no workaround.
(CSCec08205)"
http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_37_se/release/notes/OL12616.html


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of mb at adv.gcomm.com.au
Sent: Thursday, October 16, 2008 8:38 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ACL's on policy-map - No hits?

Hi,

We have the following policy-map setup on 2960's and 3750's for 
customer facing ports:

class-map match-any LAN_MANAGEMENT
match access-group name LAN_MANAGEMENT
class-map match-any SERVER_MANAGEMENT
match access-group name SERVER_MANAGEMENT

policy-map ACCESS_PORT
class LAN_MANAGEMENT
  set ip dscp af31
class SERVER_MANAGEMENT
  set ip dscp af31
class class-default
  set ip dscp default
  police 10000000 16000 exceed-action policed-dscp-transmit

ip access-list extended LAN_MANAGEMENT
remark telnet traffic
permit tcp any any eq telnet
permit tcp any eq telnet any
remark ssh traffic
permit tcp any any eq 22
permit tcp any eq 22 any
remark snmp traffic
permit udp any any eq snmp
permit udp any eq snmp any
permit udp any any eq snmptrap
permit udp any eq snmptrap any
ip access-list extended SERVER_MANAGEMENT
remark RDP traffic
permit tcp any any eq 3389
permit tcp any eq 3389 any

interface FastEthernet0/1
switchport access vlan 191
switchport mode access
switchport port-security maximum 10
switchport port-security
switchport port-security aging time 10
storm-control broadcast level 20.00
storm-control action trap
spanning-tree portfast
spanning-tree guard root
service-policy input ACCESS_PORT

We see the policer is working (formatting will prob. be terrible -
apologies!):

#show mls qos interface fastEthernet 0/1 statistics
FastEthernet0/1 (All statistics are in packets)

  dscp: incoming  -------------------------------

  0 -  4 :      477175            0            0            0            0
  5 -  9 :           0            0            0            0            0
 10 - 14 :           0            0            0            0            0
 15 - 19 :           0            0            0            0            0
 20 - 24 :           0            0            0            0            0
 25 - 29 :           0            0            0            0            0
 30 - 34 :           0            0            0            0            0
 35 - 39 :           0            0            0            0            0
 40 - 44 :           0            0            0            0            0
 45 - 49 :           0            0            0            0            0
 50 - 54 :           0            0            0            0            0
 55 - 59 :           0            0            0            0            0
 60 - 64 :           0            0            0            0
  dscp: outgoing -------------------------------

  0 -  4 :      932319            0            0            0            0
  5 -  9 :           0            0            0            0            0
 10 - 14 :           0            0            0            0            0
 15 - 19 :           0            0            0            0            0
 20 - 24 :           0            0            0            0            0
 25 - 29 :           0            0            0            0            0
 30 - 34 :           0            0            0            0            0
 35 - 39 :           0            0            0            0            0
 40 - 44 :           0            0            0            0            0
 45 - 49 :           0            0            0            0            0
 50 - 54 :           0            0            0            0            0
 55 - 59 :           0            0            0            0            0
 60 - 64 :           0            0            0            0
  cos: incoming  -------------------------------

  0 -  4 :      477191            0            0            0            0
  5 -  7 :           0            0            0
  cos: outgoing -------------------------------

  0 -  4 :      932333            0            0            0            0
  5 -  7 :           0            0            0
  Policer: Inprofile:        29413 OutofProfile:        19101


But when performing RDP/SSH etc. to/from a server connected to the port,
the ACLs show no hits?

#sh access-lists
Extended IP access list LAN_MANAGEMENT
    10 permit tcp any any eq telnet
    20 permit tcp any eq telnet any
    30 permit tcp any any eq 22
    40 permit tcp any eq 22 any
    50 permit udp any any eq snmp
    60 permit udp any eq snmp any
    70 permit udp any any eq snmptrap
    80 permit udp any eq snmptrap any
Extended IP access list SERVER_MANAGEMENT
    10 permit tcp any any eq 3389
    20 permit tcp any eq 3389 any


Is this to be expected?
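Since the class-map ACL counters on these platforms stay at zero (CSCec08205), the DSCP and policer counters from show mls qos interface statistics are what actually show whether the management classes are matching and marking traffic. As an added example, not from the thread, this Python parser reads that output (a constructed sample; af31 = DSCP 26 is assumed as the code point to look for) and pulls out that evidence per direction:

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "show mls qos interface ... statistics"
# output quoted in the thread; values are invented and only a few rows shown.
SAMPLE = """\
  dscp: incoming  -------------------------------
  0 -  4 :      477175            0            0            0            0
 25 - 29 :           0           12            0            0            0
  dscp: outgoing -------------------------------
  0 -  4 :      932319            0            0            0            0
 25 - 29 :           0            0            0            0            0
  cos: incoming  -------------------------------
  0 -  4 :      477191            0            0            0            0
  Policer: Inprofile:        29413 OutofProfile:        19101
"""

SECTION_RE = re.compile(r"^\s*(dscp|cos):\s*(incoming|outgoing)")
ROW_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*:\s*([\d\s]+)$")
POLICER_RE = re.compile(r"Inprofile:\s*(\d+)\s+OutofProfile:\s*(\d+)")
AF31 = 26  # DSCP code point the policy-map sets on the two management classes


def parse_stats(text):
    """Return {'dscp incoming': {code point: packets}, ..., 'policer': (in, out)}."""
    stats = defaultdict(dict)
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = f"{m.group(1)} {m.group(2)}"
            continue
        m = POLICER_RE.search(line)
        if m:
            stats["policer"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = ROW_RE.match(line)
        if m and section:
            start = int(m.group(1))  # row label "25 - 29" gives the first code point
            for offset, count in enumerate(m.group(3).split()):
                stats[section][start + offset] = int(count)
    return dict(stats)


def marking_evidence(stats, dscp=AF31):
    """Packets seen with the marked DSCP per direction, plus policer hits: with the
    ACL counters pinned at zero (CSCec08205) these show whether marking happens."""
    return {"in": stats.get("dscp incoming", {}).get(dscp, 0),
            "out": stats.get("dscp outgoing", {}).get(dscp, 0),
            "policer": stats.get("policer", (0, 0))}
```

Run it against the real output of the command (pasted whole, blank lines and all) to compare the af31 bucket before and after a test session instead of looking at the ACL counters.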


