[c-nsp] Question configure QoS on ES20 Card, Cisco 7609

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu Oct 3 02:58:47 EDT 2013


Nam,

as Tony already said, "deny" clauses are not supported in QoS
classification ACLs on this linecard. So you need to change your qos
semantic. 

Assuming deny was supported, your current qos policy semantic looks like
if( destination is not in (1.52.x.x, etc.) ) then
  police to 1 mbps
else
  police to 2 mbps

if that is the case, you can change the config to

access-list foo permit ip any 1.53.0.0 0.0.255.255
access-list foo permit ip any 1.52.0.0 0.0.255.255
access-list foo permit ip any 1.54.0.0 0.0.255.255
access-list foo permit ip any 1.55.0.0 0.0.255.255
!
class-map FOO
 match access-group foo
!
policy-map BAR
 class FOO
     police cir 2000000 bc 100000 be 100000
      conform-action transmit
      exceed-action drop
      violate-action drop
 class class-default
     police cir 1000000 bc 100000 be 100000
      conform-action transmit
      exceed-action drop
      violate-action drop

If the policy is more complex, it could get trickier..


	oli



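As an added illustration (not part of the thread, nor Cisco's own code), a small Python model of the rewrite Oli describes: it parses Nam's deny-list ACL, evaluates it with first-match semantics including the implicit deny Tony mentions, emits the permit-only ACL, and checks that swapping the policer rates between the class and class-default preserves the intended per-destination rate. The sample source address 10.0.0.1, the helper names and the 1 Mbps / 2 Mbps rates follow Oli's simplified sketch and are assumptions.

```python
import ipaddress
# Constructed sample: Nam's ACL 161 as posted (a deny list, then permit ip any any).
ORIGINAL_ACL = """\
access-list 161 deny   ip any 1.53.0.0 0.0.255.255
access-list 161 deny   ip any 1.52.0.0 0.0.255.255
access-list 161 deny   ip any 1.54.0.0 0.0.255.255
access-list 161 deny   ip any 1.55.0.0 0.0.255.255
access-list 161 permit ip any any
"""

def _addr(tok):
    """Consume 'any' or 'NET WILDCARD' from the token list; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]  # contiguous wildcard = hostmask

def parse_acl(text):
    """Return [(action, src_net, dst_net)] for each 'access-list N ACTION ip SRC DST' line."""
    aces = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 5 and p[0] == "access-list" and p[3] == "ip":
            src, rest = _addr(p[4:])
            dst, _ = _addr(rest)
            aces.append((p[2], src, dst))
    return aces

def lookup(aces, src, dst):
    """First-match evaluation; None means the implicit 'deny ip any any' at the end fired."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in aces:
        if s in snet and d in dnet:
            return action
    return None

def invert_for_es20(aces):
    """Oli's rewrite: each deny ACE becomes a permit ACE and the trailing permit-any is
    dropped. The policer rates must then be swapped between the class and class-default."""
    return [("permit", s, d) for a, s, d in aces if a == "deny"]

def render(aces, name):
    """Emit access-list lines in IOS wildcard syntax."""
    fmt = lambda n: "any" if n.prefixlen == 0 else f"{n.network_address} {n.hostmask}"
    return [f"access-list {name} {a} ip {fmt(s)} {fmt(d)}" for a, s, d in aces]

def rate_original(aces, dst):  # intended semantic: ACL 161 permits -> class UP, 1 Mbps; else 2 Mbps
    return 1_000_000 if lookup(aces, "10.0.0.1", dst) == "permit" else 2_000_000

def rate_es20(aces, dst):  # rewritten policy: permit-only ACL matches -> class FOO, 2 Mbps; else 1 Mbps
    return 2_000_000 if lookup(aces, "10.0.0.1", dst) == "permit" else 1_000_000
```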
On 03/10/2013 05:13, "Nam Nguyen" <nhnam81 at gmail.com> wrote:

>Dear all !
>
>At the end of ACL 161, I have defined permit ip any any:
>access-list 161 deny   ip any 1.53.0.0 0.0.255.255
>access-list 161 deny   ip any 1.52.0.0 0.0.255.255
>access-list 161 deny   ip any 1.54.0.0 0.0.255.255
>access-list 161 deny   ip any 1.55.0.0 0.0.255.255
>access-list 161 permit ip any any
>
>I think it's ok but I couldn't see the counter.
>
>Please help me
>
>Thanks
>Nam
>
>
>
>On Thu, Sep 26, 2013 at 7:28 PM, Nam Nguyen <nhnam81 at gmail.com> wrote:
>
>> Hi !
>>
>> at the end of acl i have defined permit ip any any:
>> - i need to block some traffic and permit the rest
>>
>> Nam Nguyen
>>
>> > On 26-09-2013, at 19:02, Tony <td_miles at yahoo.com> wrote:
>> >
>> > Hi,
>> >
>> > The error message seems to be fairly clear, you can't have DENY
>> > statements in ACL.
>> >
>> > As to why you are not seeing anything in your counters, you only have
>> > DENY statements and the end of every ACL is an implicit "deny ip any
>> > any" this means that your ACL's will not match anything at all, so
>> > nothing will go into your class.
>> >
>> > What are you trying to achieve ?
>> >
>> >
>> > regards,
>> > Tony.
>> >
>> >
>> >
>> >
>> >
>> > ----- Original Message -----
>> > From: Nam Nguyen <nhnam81 at gmail.com>
>> > To: cisco-nsp at puck.nether.net
>> > Cc:
>> > Sent: Thursday, 26 September 2013 8:21 PM
>> > Subject: [c-nsp] Question configure QoS on ES20 Card, Cisco 7609
>> >
>> > Hi all !
>> >
>> > I have some problem when configure QoS on Cisco ES20 card:
>> >
>> > - When I applied policy-map on sub-interface (egress), I see error
>> > message: "%G_QOS_CLASSIFY-DFC2-3-QOS_CONFIG:
>> > error detected: Can not support deny ace in ACL (161)"
>> >
>> > - When I applied policy-map on sub-interface (ingress), It's okay but I
>> > can't see the counter. Below is example:
>> >
>> > class-map match-all UP
>> >   match access-group 161
>> > class-map match-all DOWN
>> >   match access-group 160
>> > class-map match-any MATCH_ALL
>> >   match access-group 100
>> >
>> > policy-map 3M (This policy-map: I can see counter when issue show
>> > policy-map interface)
>> >   class MATCH_ALL
>> >     police cir 3000000 bc 300000 be 300000
>> >      conform-action transmit
>> >      exceed-action drop
>> >      violate-action drop
>> >
>> > policy-map ABC (This policy-map apply to ingress ok but I cannot see
>> > counter when issue show policy-map interface )
>> >   class UP
>> >     police cir 1000000 bc 100000 be 100000
>> >      conform-action transmit
>> >      exceed-action drop
>> >      violate-action drop
>> >   class MATCH_ALL
>> >     police cir 20000000 bc 2000000 be 2000000
>> >      conform-action transmit
>> >      exceed-action drop
>> >      violate-action drop
>> >
>> > Extended IP access list 100 (class MATCH_ALL)
>> >     10 permit ip any any
>> >
>> > Extended IP access list 160 (class DOWN)
>> >     10 deny ip 1.53.0.0 0.0.255.255 any
>> >     20 deny ip 1.52.0.0 0.0.255.255 any
>> >     30 deny ip 1.54.0.0 0.0.255.255 any
>> >     40 deny ip 1.55.0.0 0.0.255.255 any
>> > ...
>> >
>> > Extended IP access list 161 (class UP)
>> >     10 deny ip any 1.53.0.0 0.0.255.255
>> >     20 deny ip any 1.52.0.0 0.0.255.255
>> >     30 deny ip any 1.54.0.0 0.0.255.255
>> >     40 deny ip any 1.55.0.0 0.0.255.255
>> >     50 deny ip any 101.53.0.0 0.0.63.255
>> > ...
>> >
>> > Result show policy-map interface
>> >
>> > 7609#sh policy-map int Po1.XYZ
>> > Port-channel1.2304332
>> >
>> >   Service-policy input: ABC
>> >
>> >     Class-map: UP (match-all)
>> >       0 packets, 0 bytes
>> >       5 minute offered rate 0000 bps, drop rate 0000 bps
>> >       Match: access-group 161
>> >       police:
>> >           cir 10000000 bps, bc 1000000 bytes, be 1000000 bytes
>> >         conformed 0 packets, 0 bytes; actions:
>> >           transmit
>> >         exceeded 0 packets, 0 bytes; actions:
>> >           drop
>> >         violated 0 packets, 0 bytes; actions:
>> >           drop
>> >         conformed 0000 bps, exceed 0000 bps, violate 0000 bps
>> >
>> >     Class-map: MATCH_ALL (match-any)
>> >       0 packets, 0 bytes
>> >       5 minute offered rate 0000 bps, drop rate 0000 bps
>> >       Match: access-group 100
>> >       police:
>> >           cir 100000000 bps, bc 10000000 bytes, be 10000000 bytes
>> >         conformed 0 packets, 0 bytes; actions:
>> >           transmit
>> >         exceeded 0 packets, 0 bytes; actions:
>> >           drop
>> >         violated 0 packets, 0 bytes; actions:
>> >           drop
>> >         conformed 0000 bps, exceed 0000 bps, violate 0000 bps
>> >
>> >     Class-map: class-default (match-any)
>> >       0 packets, 0 bytes
>> >       5 minute offered rate 0000 bps, drop rate 0000 bps
>> >       Match: any
>> >
>> > My 7609 use version: Cisco IOS Software, c7600s72033_rp Software
>> > (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRE5
>> >
>> > I have searched ES20 configure guide (
>> > http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/baldcfg_external_docbase_0900e4b18075015d_4container_external_docbase_0900e4b180aab0c7.html
>> > ) and see something:
>> > Restrictions and Usage Guidelines
>> >
>> > When configuring the Layer 3 and Layer 4 ACLs on a Cisco 7600 Series ES20
>> > line cards, follow these restrictions and usage guidelines:
>> >
>> > • L3 and L4 ACLs are supported only in ingress.
>> >
>> > • You cannot simultaneously apply L2 ACL or L3/L4 ACLs on an EVC. You can
>> > either apply a L2 ACL, or a L3/L4 ACL within an EVC.
>> >
>> > • L3 and L4 ACLs are not supported on EVCs in port-channels.
>> >
>> > • IPv6 ACLs are not supported.
>> >
>> > • Per ACE counters are not supported.
>> >
>> > • You can apply a maximum of 4000 unique ACLs.
>> >
>> > • You can configure a maximum of 8000 ACEs in a ES20 line card.
>> >
>> > • In a L3 or L4 ACLs, if you apply the ACL name or number without actually
>> > creating the ACL, all the packets are permitted. However, in L2 ACLs, if
>> > you apply the ACL name, the packets are dropped.
>> >
>> > • For eq and neq L4 operators, a maximum of 10 ports are used to relay the
>> > parameters. However, you can apply the ACLs only on the first port.
>> >
>> > • Though the ACEs contain many rules based on which network traffic is
>> > filtered, only the criterion listed in Table 2-24
>> > <http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/baldcfg_external_docbase_0900e4b18075015d_4container_external_docbase_0900e4b180aab0c7.html#wp1584674>
>> > are supported.
>> >
>> >
>> > I see that L3/L4 ACLs are supported in ingress and Per ACE counters
>> > are not supported.
>> >
>> >
>> > Please help me !
>> >
>> >
>> > Nam
>> > _______________________________________________
>> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
>
>-- 
>Nam Nguyen
>0983810783