[c-nsp] Question configure QoS on ES20 Card, Cisco 7609

Tony td_miles at yahoo.com
Thu Sep 26 08:02:45 EDT 2013


Hi,

The error message seems to be fairly clear: you can't have DENY statements in the ACL.

As to why you are not seeing anything in your counters: you only have DENY statements, and the end of every ACL is an implicit "deny ip any any". This means that your ACLs will not match anything at all, so nothing will go into your class.

What are you trying to achieve?


regards,
Tony.





----- Original Message -----
From: Nam Nguyen <nhnam81 at gmail.com>
To: cisco-nsp at puck.nether.net
Cc: 
Sent: Thursday, 26 September 2013 8:21 PM
Subject: [c-nsp] Question configure QoS on ES20 Card, Cisco 7609

Hi all!

I have a problem when configuring QoS on the Cisco ES20 card:

- When I applied the policy-map on the sub-interface (egress), I saw the error message:
"%G_QOS_CLASSIFY-DFC2-3-QOS_CONFIG: error detected: Can not support deny ace in ACL (161)"

- When I applied the policy-map on the sub-interface (ingress), it's okay but I
can't see the counter. Below is an example:

class-map match-all UP
  match access-group 161
class-map match-all DOWN
  match access-group 160
class-map match-any MATCH_ALL
  match access-group 100

! This policy-map: I can see the counter when I issue show policy-map interface
policy-map 3M
  class MATCH_ALL
    police cir 3000000 bc 300000 be 300000
     conform-action transmit
     exceed-action drop
     violate-action drop

! This policy-map applies to ingress OK, but I cannot see the counter when I issue show policy-map interface
policy-map ABC
  class UP
    police cir 1000000 bc 100000 be 100000
     conform-action transmit
     exceed-action drop
     violate-action drop
  class MATCH_ALL
    police cir 20000000 bc 2000000 be 2000000
     conform-action transmit
     exceed-action drop
     violate-action drop

Extended IP access list 100 (class MATCH_ALL)
    10 permit ip any any

Extended IP access list 160 (class DOWN)
    10 deny ip 1.53.0.0 0.0.255.255 any
    20 deny ip 1.52.0.0 0.0.255.255 any
    30 deny ip 1.54.0.0 0.0.255.255 any
    40 deny ip 1.55.0.0 0.0.255.255 any
...

Extended IP access list 161 (class UP)
    10 deny ip any 1.53.0.0 0.0.255.255
    20 deny ip any 1.52.0.0 0.0.255.255
    30 deny ip any 1.54.0.0 0.0.255.255
    40 deny ip any 1.55.0.0 0.0.255.255
    50 deny ip any 101.53.0.0 0.0.63.255
...

Result show policy-map interface

7609#sh policy-map int Po1.XYZ
Port-channel1.2304332

  Service-policy input: ABC

    Class-map: UP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group 161
      police:
          cir 10000000 bps, bc 1000000 bytes, be 1000000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceed 0000 bps, violate 0000 bps

    Class-map: MATCH_ALL (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group 100
      police:
          cir 100000000 bps, bc 10000000 bytes, be 10000000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceed 0000 bps, violate 0000 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any

My 7609 uses version: Cisco IOS Software, c7600s72033_rp Software
(c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRE5

I have searched the ES20 configuration guide (
http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/baldcfg_external_docbase_0900e4b18075015d_4container_external_docbase_0900e4b180aab0c7.html
) and found this:
Restrictions and Usage Guidelines

When configuring the Layer 3 and Layer 4 ACLs on a Cisco 7600 Series ES20
line cards, follow these restrictions and usage guidelines:

• L3 and L4 ACLs are supported only in ingress.

• You cannot simultaneously apply L2 ACL or L3/L4 ACLs on an EVC. You can
either apply a L2 ACL, or a L3/L4 ACL within an EVC.

• L3 and L4 ACLs are not supported on EVCs in port-channels.

• IPv6 ACLs are not supported.

• Per ACE counters are not supported.

• You can apply a maximum of 4000 unique ACLs.

• You can configure a maximum of 8000 ACEs in a ES20 line card.

• In a L3 or L4 ACLs, if you apply the ACL name or number without actually
creating the ACL, all the packets are permitted. However, in L2 ACLs, if
you apply the ACL name, the packets are dropped.

• For eq and neq L4 operators, a maximum of 10 ports are used to relay the
parameters. However, you can apply the ACLs only on the first port.

• Though the ACEs contain many rules based on which network traffic is
filtered, only the criterion listed in Table 2-24
<http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/baldcfg_external_docbase_0900e4b18075015d_4container_external_docbase_0900e4b180aab0c7.html#wp1584674>
are supported.


I see that L3/L4 ACLs are supported only in ingress and per-ACE counters are
not supported.


Please help me!


Nam
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/ 
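
The point made in the reply (a class that matches an ACL holding only deny ACEs never matches any packet, because the list ends in an implicit deny) can be checked offline. The following is an added example, not code from either post: the function names are hypothetical, the ACL text is a constructed sample in the layout quoted above, and only `ip` ACEs whose address is `any` or base plus wildcard are handled.

```python
import re
from ipaddress import IPv4Address

# Constructed sample in the "show access-lists" layout quoted in the thread.
SAMPLE = """\
Extended IP access list 100
    10 permit ip any any
Extended IP access list 160
    10 deny ip 1.53.0.0 0.0.255.255 any
Extended IP access list 161
    10 deny ip any 1.53.0.0 0.0.255.255
"""

def parse_acls(text):
    """Return {acl: [(action, src_spec, dst_spec)]}; a spec is 'any' or base+wildcard."""
    acls, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Extended IP access list (\S+)", line)
        ace = re.match(r"\s+\d+ (permit|deny) ip (.+)", line)
        if head:
            current = acls.setdefault(head.group(1), [])
        elif ace and current is not None:
            tok = ace.group(2).split()
            n = 1 if tok[0] == "any" else 2  # tokens used by the source spec
            current.append((ace.group(1), tok[:n], tok[n:]))
    return acls

def _hit(spec, addr):
    if spec == ["any"]:
        return True
    base, care = int(IPv4Address(spec[0])), ~int(IPv4Address(spec[1])) & 0xFFFFFFFF
    return ((int(IPv4Address(addr)) ^ base) & care) == 0

def class_matches(aces, src, dst):
    """First matching ACE decides; falling off the end is the implicit deny."""
    for action, s, d in aces:
        if _hit(s, src) and _hit(d, dst):
            return action == "permit"
    return False

def lint(acls):
    """Flag ACLs that hold deny ACEs, and deny-only ACLs that can never classify."""
    report = {}
    for name, aces in acls.items():
        actions = {a for a, _, _ in aces}
        notes = ["contains deny ACE"] if "deny" in actions else []
        if actions == {"deny"}:
            notes.append("deny-only ACL: class never matches")
        report[name] = notes
    return report
```

Running `lint(parse_acls(...))` over a saved `show access-lists` capture before attaching a policy-map shows which class-maps would sit at zero counters.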