[c-nsp] Question configure QoS on ES20 Card, Cisco 7609

Nam Nguyen nhnam81 at gmail.com
Wed Oct 2 23:13:04 EDT 2013


Dear all!

At the end of ACL 161, I have defined permit ip any any:
access-list 161 deny   ip any 1.53.0.0 0.0.255.255
access-list 161 deny   ip any 1.52.0.0 0.0.255.255
access-list 161 deny   ip any 1.54.0.0 0.0.255.255
access-list 161 deny   ip any 1.55.0.0 0.0.255.255
access-list 161 permit ip any any

I think it's ok but I couldn't see the counter.

Please help me

Thanks
Nam



On Thu, Sep 26, 2013 at 7:28 PM, Nam Nguyen <nhnam81 at gmail.com> wrote:

> Hi!
>
> At the end of the ACL I have defined permit ip any any:
> - I need to block some traffic and permit the rest
>
> Nam Nguyen
>
> > On 26-09-2013, at 19:02, Tony <td_miles at yahoo.com> wrote:
> >
> > Hi,
> >
> > The error message seems to be fairly clear: you can't have DENY
> > statements in the ACL.
> >
> > As to why you are not seeing anything in your counters: you only have
> > DENY statements, and the end of every ACL is an implicit "deny ip any any".
> > This means that your ACLs will not match anything at all, so nothing will
> > go into your class.
> >
> > What are you trying to achieve?
> >
> >
> > regards,
> > Tony.
> >
> >
> >
> >
> >
> > ----- Original Message -----
> > From: Nam Nguyen <nhnam81 at gmail.com>
> > To: cisco-nsp at puck.nether.net
> > Cc:
> > Sent: Thursday, 26 September 2013 8:21 PM
> > Subject: [c-nsp] Question configure QoS on ES20 Card, Cisco 7609
> >
> > Hi all!
> >
> > I have some problems when configuring QoS on a Cisco ES20 card:
> >
> > - When I applied the policy-map on a sub-interface (egress), I see the error
> > message: "%G_QOS_CLASSIFY-DFC2-3-QOS_CONFIG:
> > error detected: Can not support deny ace in ACL (161)"
> >
> > - When I applied the policy-map on a sub-interface (ingress), it's okay but I
> > can't see the counter. Below is an example:
> >
> > class-map match-all UP
> >   match access-group 161
> > class-map match-all DOWN
> >   match access-group 160
> > class-map match-any MATCH_ALL
> >   match access-group 100
> >
> > policy-map 3M (This policy-map: I can see the counter when I issue show
> > policy-map interface)
> >   class MATCH_ALL
> >     police cir 3000000 bc 300000 be 300000
> >      conform-action transmit
> >      exceed-action drop
> >      violate-action drop
> >
> > policy-map ABC (This policy-map applies to ingress OK but I cannot see the
> > counter when I issue show policy-map interface)
> >   class UP
> >     police cir 1000000 bc 100000 be 100000
> >      conform-action transmit
> >      exceed-action drop
> >      violate-action drop
> >   class MATCH_ALL
> >     police cir 20000000 bc 2000000 be 2000000
> >      conform-action transmit
> >      exceed-action drop
> >      violate-action drop
> >
> > Extended IP access list 100 (class MATCH_ALL)
> >     10 permit ip any any
> >
> > Extended IP access list 160 (class DOWN)
> >     10 deny ip 1.53.0.0 0.0.255.255 any
> >     20 deny ip 1.52.0.0 0.0.255.255 any
> >     30 deny ip 1.54.0.0 0.0.255.255 any
> >     40 deny ip 1.55.0.0 0.0.255.255 any
> > ...
> >
> > Extended IP access list 161 (class UP)
> >     10 deny ip any 1.53.0.0 0.0.255.255
> >     20 deny ip any 1.52.0.0 0.0.255.255
> >     30 deny ip any 1.54.0.0 0.0.255.255
> >     40 deny ip any 1.55.0.0 0.0.255.255
> >     50 deny ip any 101.53.0.0 0.0.63.255
> > ...
> >
> > Result show policy-map interface
> >
> > 7609#sh policy-map int Po1.XYZ
> > Port-channel1.2304332
> >
> >   Service-policy input: ABC
> >
> >     Class-map: UP (match-all)
> >       0 packets, 0 bytes
> >       5 minute offered rate 0000 bps, drop rate 0000 bps
> >       Match: access-group 161
> >       police:
> >           cir 10000000 bps, bc 1000000 bytes, be 1000000 bytes
> >         conformed 0 packets, 0 bytes; actions:
> >           transmit
> >         exceeded 0 packets, 0 bytes; actions:
> >           drop
> >         violated 0 packets, 0 bytes; actions:
> >           drop
> >         conformed 0000 bps, exceed 0000 bps, violate 0000 bps
> >
> >     Class-map: MATCH_ALL (match-any)
> >       0 packets, 0 bytes
> >       5 minute offered rate 0000 bps, drop rate 0000 bps
> >       Match: access-group 100
> >       police:
> >           cir 100000000 bps, bc 10000000 bytes, be 10000000 bytes
> >         conformed 0 packets, 0 bytes; actions:
> >           transmit
> >         exceeded 0 packets, 0 bytes; actions:
> >           drop
> >         violated 0 packets, 0 bytes; actions:
> >           drop
> >         conformed 0000 bps, exceed 0000 bps, violate 0000 bps
> >
> >     Class-map: class-default (match-any)
> >       0 packets, 0 bytes
> >       5 minute offered rate 0000 bps, drop rate 0000 bps
> >       Match: any
> >
> > My 7609 uses version: Cisco IOS Software, c7600s72033_rp Software
> > (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRE5
> >
> > I have searched the ES20 configuration guide
> > (http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/baldcfg_external_docbase_0900e4b18075015d_4container_external_docbase_0900e4b180aab0c7.html)
> > and see something:
> >
> > Restrictions and Usage Guidelines
> >
> > When configuring the Layer 3 and Layer 4 ACLs on Cisco 7600 Series ES20
> > line cards, follow these restrictions and usage guidelines:
> >
> > • L3 and L4 ACLs are supported only in ingress.
> >
> > • You cannot simultaneously apply L2 ACL or L3/L4 ACLs on an EVC. You can
> > either apply a L2 ACL, or a L3/L4 ACL within an EVC.
> >
> > • L3 and L4 ACLs are not supported on EVCs in port-channels.
> >
> > • IPv6 ACLs are not supported.
> >
> > • Per ACE counters are not supported.
> >
> > • You can apply a maximum of 4000 unique ACLs.
> >
> > • You can configure a maximum of 8000 ACEs in a ES20 line card.
> >
> > • In L3 or L4 ACLs, if you apply the ACL name or number without actually
> > creating the ACL, all the packets are permitted. However, in L2 ACLs, if
> > you apply the ACL name, the packets are dropped.
> >
> > • For eq and neq L4 operators, a maximum of 10 ports are used to relay the
> > parameters. However, you can apply the ACLs only on the first port.
> >
> > • Though the ACEs contain many rules based on which network traffic is
> > filtered, only the criteria listed in Table 2-24
> > (http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/baldcfg_external_docbase_0900e4b18075015d_4container_external_docbase_0900e4b180aab0c7.html#wp1584674)
> > are supported.
> >
> >
> > I see that L3/L4 ACLs are supported in ingress and per-ACE counters
> > are not supported.
> >
> >
> > Please help me!
> >
> >
> > Nam
>



-- 
Nam Nguyen
0983810783
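As an added illustration of Tony's point (my own code, not from the thread or from Cisco), this Python model evaluates the thread's ACL 161 the way IOS does, first match wins with an implicit trailing deny, and counts how many constructed sample flows a "match access-group" class-map would classify without and with the final permit; has_deny_ace mirrors the ES20 egress restriction quoted above. The flow addresses and function names are assumptions of mine.

```python
import ipaddress
# Constructed from ACL 161 in the thread, without and with the trailing permit.
ACL_161_DENY_ONLY = """
access-list 161 deny   ip any 1.53.0.0 0.0.255.255
access-list 161 deny   ip any 1.52.0.0 0.0.255.255
access-list 161 deny   ip any 1.54.0.0 0.0.255.255
access-list 161 deny   ip any 1.55.0.0 0.0.255.255
"""
ACL_161_FIXED = ACL_161_DENY_ONLY + "access-list 161 permit ip any any\n"
# Constructed sample flows (src, dst): two toward blocked ranges, two elsewhere.
FLOWS = [("10.0.0.1", "1.53.10.10"), ("10.0.0.1", "8.8.8.8"),
         ("192.0.2.5", "1.55.1.1"), ("192.0.2.5", "203.0.113.7")]

def _parse_addr(tokens, i):
    """Parse 'any' or 'ADDR WILDCARD' at tokens[i]; return ((net, wildcard), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    net, wild = (int(ipaddress.IPv4Address(x)) for x in tokens[i:i + 2])
    return (net, wild), i + 2

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst) ACEs."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        aces.append((t[2], src, dst))
    return aces

def _matches(spec, ip):
    net, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & ~wild) == (net & ~wild)

def acl_action(aces, src_ip, dst_ip):
    """First matching ACE wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for action, src, dst in aces:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return action
    return "deny"

def class_map_counter(aces, flows):
    """Packets a 'match access-group' class-map would count: only a permit classifies."""
    return sum(1 for s, d in flows if acl_action(aces, s, d) == "permit")

def has_deny_ace(aces):
    """Mirrors the ES20 egress error in the thread: a deny ACE in a QoS ACL is rejected."""
    return any(action == "deny" for action, _, _ in aces)
```

With the deny-only ACL the class counter stays at zero, exactly as in the "show policy-map interface" output above; with the trailing permit, only flows not destined to the denied ranges enter class UP.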

