[c-nsp] Question configure QoS on ES20 Card, Cisco 7609
Tony
td_miles at yahoo.com
Thu Sep 26 08:02:45 EDT 2013
Hi,
The error message seems to be fairly clear: you can't have DENY statements in the ACL.
As to why you are not seeing anything in your counters: you only have DENY statements, and the end of every ACL is an implicit "deny ip any any". This means that your ACLs will not match anything at all, so nothing will go into your class.
What are you trying to achieve?
regards,
Tony.
----- Original Message -----
From: Nam Nguyen <nhnam81 at gmail.com>
To: cisco-nsp at puck.nether.net
Cc:
Sent: Thursday, 26 September 2013 8:21 PM
Subject: [c-nsp] Question configure QoS on ES20 Card, Cisco 7609
Hi all!
I have some problems when configuring QoS on the Cisco ES20 card:
- When I applied the policy-map on a sub-interface (egress), I see the error message: "%G_QOS_CLASSIFY-DFC2-3-QOS_CONFIG: error detected: Can not support deny ace in ACL (161)"
- When I applied the policy-map on a sub-interface (ingress), it's okay but I can't see the counter. Below is an example:
class-map match-all UP
 match access-group 161
class-map match-all DOWN
 match access-group 160
class-map match-any MATCH_ALL
 match access-group 100
policy-map 3M (This policy-map: I can see the counter when I issue show policy-map interface)
 class MATCH_ALL
  police cir 3000000 bc 300000 be 300000
   conform-action transmit
   exceed-action drop
   violate-action drop
policy-map ABC (This policy-map applies to ingress OK, but I cannot see the counter when I issue show policy-map interface)
 class UP
  police cir 1000000 bc 100000 be 100000
   conform-action transmit
   exceed-action drop
   violate-action drop
 class MATCH_ALL
  police cir 20000000 bc 2000000 be 2000000
   conform-action transmit
   exceed-action drop
   violate-action drop
Extended IP access list 100 (class MATCH_ALL)
    10 permit ip any any
Extended IP access list 160 (class DOWN)
    10 deny ip 1.53.0.0 0.0.255.255 any
    20 deny ip 1.52.0.0 0.0.255.255 any
    30 deny ip 1.54.0.0 0.0.255.255 any
    40 deny ip 1.55.0.0 0.0.255.255 any
    ...
Extended IP access list 161 (class UP)
    10 deny ip any 1.53.0.0 0.0.255.255
    20 deny ip any 1.52.0.0 0.0.255.255
    30 deny ip any 1.54.0.0 0.0.255.255
    40 deny ip any 1.55.0.0 0.0.255.255
    50 deny ip any 101.53.0.0 0.0.63.255
    ...
Result of show policy-map interface:
7609#sh policy-map int Po1.XYZ
 Port-channel1.2304332
  Service-policy input: ABC
    Class-map: UP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group 161
      police:
          cir 10000000 bps, bc 1000000 bytes, be 1000000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceed 0000 bps, violate 0000 bps
    Class-map: MATCH_ALL (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group 100
      police:
          cir 100000000 bps, bc 10000000 bytes, be 10000000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceed 0000 bps, violate 0000 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
My 7609 uses version: Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRE5
I have searched the ES20 configuration guide (http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/baldcfg_external_docbase_0900e4b18075015d_4container_external_docbase_0900e4b180aab0c7.html) and see the following:
Restrictions and Usage Guidelines
When configuring the Layer 3 and Layer 4 ACLs on a Cisco 7600 Series ES20 line cards, follow these restrictions and usage guidelines:
• L3 and L4 ACLs are supported only in ingress.
• You cannot simultaneously apply L2 ACL or L3/L4 ACLs on an EVC. You can either apply a L2 ACL, or a L3/L4 ACL within an EVC.
• L3 and L4 ACLs are not supported on EVCs in port-channels.
• IPv6 ACLs are not supported.
• Per ACE counters are not supported.
• You can apply a maximum of 4000 unique ACLs.
• You can configure a maximum of 8000 ACEs in a ES20 line card.
• In a L3 or L4 ACLs, if you apply the ACL name or number without actually creating the ACL, all the packets are permitted. However, in L2 ACLs, if you apply the ACL name, the packets are dropped.
• For eq and neq L4 operators, a maximum of 10 ports are used to relay the parameters. However, you can apply the ACLs only on the first port.
• Though the ACEs contain many rules based on which network traffic is filtered, only the criterion listed in Table 2-24 <http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/baldcfg_external_docbase_0900e4b18075015d_4container_external_docbase_0900e4b180aab0c7.html#wp1584674> are supported.
I see that L3/L4 ACLs are supported only in ingress and per-ACE counters are not supported.
Please help me!
Nam
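Added example, not part of the original thread or either poster's configuration: a small Python check for the conditions raised above (deny ACEs in an ACL referenced by a class-map, an ACL with no permit ACE so the class never matches, and a referenced ACL that is not defined). The sample text is constructed from the quoted configuration; the function names and finding labels are assumptions of this example.

```python
import re

# Constructed sample modelled on the configuration quoted in the thread.
SAMPLE = """\
class-map match-all UP
 match access-group 161
class-map match-any MATCH_ALL
 match access-group 100
Extended IP access list 100
    10 permit ip any any
Extended IP access list 161
    10 deny ip any 1.53.0.0 0.0.255.255
"""

def parse(text):
    """Return ({acl: [actions]}, {class_map: [acl, ...]}) from config/show text."""
    acls, classes, acl, cmap = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"(?:Extended|Standard) IP access list (\S+)", line):
            acl, cmap = m.group(1), None
            acls.setdefault(acl, [])
        elif m := re.match(r"class-map (?:match-(?:all|any) )?(\S+)", line):
            cmap, acl = m.group(1), None
            classes.setdefault(cmap, [])
        elif cmap and (m := re.match(r"match access-group (?:name )?(\S+)", line)):
            classes[cmap].append(m.group(1))
        elif acl and (m := re.match(r"(?:\d+ )?(permit|deny)\b", line)):
            acls[acl].append(m.group(1))
    return acls, classes

def lint(text):
    """List (class_map, acl, finding) for ACLs a QoS class-map cannot use as intended."""
    acls, classes = parse(text)
    findings = []
    for cmap, refs in classes.items():
        for ref in refs:
            actions = acls.get(ref)
            if actions is None:  # quoted guide: an uncreated L3/L4 ACL permits all packets
                findings.append((cmap, ref, "acl-not-defined"))
                continue
            if "deny" in actions:  # egress error in the thread: "Can not support deny ace"
                findings.append((cmap, ref, "deny-ace"))
            if "permit" not in actions:  # only denies plus the implicit deny: class stays empty
                findings.append((cmap, ref, "never-matches"))
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE))
```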