[c-nsp] Question configure QoS on ES20 Card, Cisco 7609

Nam Nguyen nhnam81 at gmail.com
Thu Sep 26 08:28:06 EDT 2013


Hi!

At the end of the ACL I have defined permit ip any any:
- I need to block some traffic and permit the rest.

Nam Nguyen

> On 26-09-2013, at 19:02, Tony <td_miles at yahoo.com> wrote:
> 
> Hi,
> 
> The error message seems to be fairly clear: you can't have DENY statements in an ACL.
> 
> As to why you are not seeing anything in your counters: you only have DENY statements, and the end of every ACL is an implicit "deny ip any any". This means that your ACLs will not match anything at all, so nothing will go into your class.
> 
> What are you trying to achieve?
> 
> 
> regards,
> Tony.
> 
> 
> 
> 
> 
> ----- Original Message -----
> From: Nam Nguyen <nhnam81 at gmail.com>
> To: cisco-nsp at puck.nether.net
> Cc: 
> Sent: Thursday, 26 September 2013 8:21 PM
> Subject: [c-nsp] Question configure QoS on ES20 Card, Cisco 7609
> 
> Hi all!
> 
> I have some problems when configuring QoS on a Cisco ES20 card:
> 
> - When I applied the policy-map on a sub-interface (egress), I see the error
> message: "%G_QOS_CLASSIFY-DFC2-3-QOS_CONFIG:
> error detected: Can not support deny ace in ACL (161)"
> 
> - When I applied the policy-map on a sub-interface (ingress), it is okay but I
> can't see the counters. Below is an example:
> 
> class-map match-all UP
>   match access-group 161
> class-map match-all DOWN
>   match access-group 160
> class-map match-any MATCH_ALL
>   match access-group 100
> 
> policy-map 3M (for this policy-map I can see counters when I issue show
> policy-map interface)
>   class MATCH_ALL
>     police cir 3000000 bc 300000 be 300000
>      conform-action transmit
>      exceed-action drop
>      violate-action drop
> 
> policy-map ABC (this policy-map applies to ingress fine, but I cannot see
> counters when I issue show policy-map interface)
>   class UP
>     police cir 1000000 bc 100000 be 100000
>      conform-action transmit
>      exceed-action drop
>      violate-action drop
>   class MATCH_ALL
>     police cir 20000000 bc 2000000 be 2000000
>      conform-action transmit
>      exceed-action drop
>      violate-action drop
> 
> Extended IP access list 100 (class MATCH_ALL)
>     10 permit ip any any
> 
> Extended IP access list 160 (class DOWN)
>     10 deny ip 1.53.0.0 0.0.255.255 any
>     20 deny ip 1.52.0.0 0.0.255.255 any
>     30 deny ip 1.54.0.0 0.0.255.255 any
>     40 deny ip 1.55.0.0 0.0.255.255 any
> ...
> 
> Extended IP access list 161 (class UP)
>     10 deny ip any 1.53.0.0 0.0.255.255
>     20 deny ip any 1.52.0.0 0.0.255.255
>     30 deny ip any 1.54.0.0 0.0.255.255
>     40 deny ip any 1.55.0.0 0.0.255.255
>     50 deny ip any 101.53.0.0 0.0.63.255
> ...
> 
> Result show policy-map interface
> 
> 7609#sh policy-map int Po1.XYZ
> Port-channel1.2304332
> 
>   Service-policy input: ABC
> 
>     Class-map: UP (match-all)
>       0 packets, 0 bytes
>       5 minute offered rate 0000 bps, drop rate 0000 bps
>       Match: access-group 161
>       police:
>           cir 10000000 bps, bc 1000000 bytes, be 1000000 bytes
>         conformed 0 packets, 0 bytes; actions:
>           transmit
>         exceeded 0 packets, 0 bytes; actions:
>           drop
>         violated 0 packets, 0 bytes; actions:
>           drop
>         conformed 0000 bps, exceed 0000 bps, violate 0000 bps
> 
>     Class-map: MATCH_ALL (match-any)
>       0 packets, 0 bytes
>       5 minute offered rate 0000 bps, drop rate 0000 bps
>       Match: access-group 100
>       police:
>           cir 100000000 bps, bc 10000000 bytes, be 10000000 bytes
>         conformed 0 packets, 0 bytes; actions:
>           transmit
>         exceeded 0 packets, 0 bytes; actions:
>           drop
>         violated 0 packets, 0 bytes; actions:
>           drop
>         conformed 0000 bps, exceed 0000 bps, violate 0000 bps
> 
>     Class-map: class-default (match-any)
>       0 packets, 0 bytes
>       5 minute offered rate 0000 bps, drop rate 0000 bps
>       Match: any
> 
> My 7609 use version: Cisco IOS Software, c7600s72033_rp Software
> (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRE5
> 
> I have searched ES20 configure guide (
> http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/baldcfg_external_docbase_0900e4b18075015d_4container_external_docbase_0900e4b180aab0c7.html
> ) and see something:
> Restrictions and Usage Guidelines
> 
> When configuring the Layer 3 and Layer 4 ACLs on a Cisco 7600 Series ES20
> line cards, follow these restrictions and usage guidelines:
> 
> • L3 and L4 ACLs are supported only in ingress.
> 
> • You cannot simultaneously apply L2 ACL or L3/L4 ACLs on an EVC. You can
> either apply a L2 ACL, or a L3/L4 ACL within an EVC.
> 
> • L3 and L4 ACLs are not supported on EVCs in port-channels.
> 
> • IPv6 ACLs are not supported.
> 
> • Per ACE counters are not supported.
> 
> • You can apply a maximum of 4000 unique ACLs.
> 
> • You can configure a maximum of 8000 ACEs in an ES20 line card.
> 
> • In L3 or L4 ACLs, if you apply the ACL name or number without actually
> creating the ACL, all the packets are permitted. However, in L2 ACLs, if
> you apply the ACL name, the packets are dropped.
> 
> • For eq and neq L4 operators, a maximum of 10 ports are used to relay the
> parameters. However, you can apply the ACLs only on the first port.
> 
> • Though the ACEs contain many rules based on which network traffic is
> filtered, only the criteria listed in Table 2-24
> <http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/baldcfg_external_docbase_0900e4b18075015d_4container_external_docbase_0900e4b180aab0c7.html#wp1584674>
> are supported.
> 
> 
> I see that L3/L4 ACLs are supported only in ingress, and per-ACE counters are
> not supported.
> 
> 
> Please help me!
> 
> 
> Nam
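The point Tony makes about the implicit deny is easy to check offline. The following is an added example, not code from the thread or from Cisco: a small Python model of how a class-map's `match access-group` sees an extended ACL, using the simplified semantics that the first matching ACE wins, a packet that matches no ACE is denied (the implicit "deny ip any any"), and a class matches a packet only when its ACL permits it. The ACLs, policy order and sample flows below are constructed from the ones in the thread (ACL 161 as posted, and again with the trailing `permit ip any any` Nam says he added); the ES20 hardware restriction on deny ACEs is not modelled, and the IP addresses are illustrative.

```python
"""Model of how a Cisco class-map "match access-group" sees an extended ACL.

Added example (not from the thread). Assumptions: the first matching ACE wins,
no matching ACE means the implicit "deny ip any any", and a class-map matches
a packet only when its ACL returns "permit". Only "ip <src> <dst>" ACEs are
parsed; the ES20 restriction on deny ACEs is not modelled.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "any" or "<address> <wildcard>"
    dst: str


def _take_addr(tokens):
    """Consume one address spec ("any" or "addr wildcard") from the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text):
    """Parse 'show access-list' style lines into Ace objects (sequence numbers optional)."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0].isdigit():
            parts = parts[1:]            # drop the sequence number
        action, proto, rest = parts[0], parts[1], parts[2:]
        if proto != "ip":
            raise ValueError(f"only 'ip' ACEs are modelled, got {proto!r}")
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)
        aces.append(Ace(action, src, dst))
    return aces


def _matches(ip, spec):
    """Cisco wildcard semantics: bits set to 1 in the wildcard are 'don't care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_result(aces, src_ip, dst_ip):
    """First matching ACE decides; no match means the implicit deny at the end."""
    for ace in aces:
        if _matches(src_ip, ace.src) and _matches(dst_ip, ace.dst):
            return ace.action
    return "deny"


def classify(policy, src_ip, dst_ip):
    """policy: ordered [(class_name, aces)]. Returns the first class whose ACL permits."""
    for name, aces in policy:
        if acl_result(aces, src_ip, dst_ip) == "permit":
            return name
    return "class-default"


def class_counters(policy, flows):
    """Per-class packet counters, like the 'N packets' lines of 'show policy-map interface'."""
    counts = Counter({name: 0 for name, _ in policy})
    counts["class-default"] = 0
    for src_ip, dst_ip in flows:
        counts[classify(policy, src_ip, dst_ip)] += 1
    return dict(counts)


# Constructed ACLs modelled on the thread: 161 as posted (deny only) and
# with the trailing "permit ip any any" the poster says he added.
ACL_161_DENY_ONLY = """
10 deny ip any 1.53.0.0 0.0.255.255
20 deny ip any 1.52.0.0 0.0.255.255
"""
ACL_161_WITH_PERMIT = ACL_161_DENY_ONLY + "30 permit ip any any\n"
ACL_100 = "10 permit ip any any"

POLICY_ABC_AS_POSTED = [("UP", parse_acl(ACL_161_DENY_ONLY)), ("MATCH_ALL", parse_acl(ACL_100))]
POLICY_ABC_WITH_PERMIT = [("UP", parse_acl(ACL_161_WITH_PERMIT)), ("MATCH_ALL", parse_acl(ACL_100))]

# Constructed sample flows as (source, destination) pairs.
FLOWS = [("10.0.0.1", "1.53.4.4"), ("10.0.0.1", "1.52.9.9"),
         ("10.0.0.1", "8.8.8.8"), ("10.0.0.2", "203.0.113.7")]

if __name__ == "__main__":
    print("as posted:  ", class_counters(POLICY_ABC_AS_POSTED, FLOWS))
    print("with permit:", class_counters(POLICY_ABC_WITH_PERMIT, FLOWS))
```

With the deny-only ACL every flow, including the ones whose destination the deny ACEs name, falls through to MATCH_ALL and class UP stays at zero packets, which is the counter picture in the `show policy-map interface` output above. Once a `permit ip any any` closes the ACL, UP matches everything that is not explicitly denied and only the denied destinations continue on to MATCH_ALL; note that in a class-map a deny ACE never drops anything, it only keeps the packet out of that class.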