Access list problem

mahesh_kv3
Level 1

I had configured an access list but I haven't applied it anywhere; still, it is showing drops. If it is removed there are no drops.

The existing network is 202.148.202.128/26.

EDGE1(config)#ip access-list standard 98

EDGE1(config-std-nacl)#permit 202.148.202.138 0.0.0.0

EDGE1(config-std-nacl)#exit

EDGE1(config)#exit

EDGE1#sh ip access-lists 98

Standard IP access list 98

10 permit 202.148.202.138 (14 matches)

After creating the above standard access-list (still not applied anywhere), heavy packet drops are observed when checking the ping response:

EDGE1#ping ip

Target IP address: 202.148.202.138

Repeat count [5]: 1000

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 1000, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!.

Success rate is 97 percent (152/156), round-trip min/avg/max = 1/1/4 ms

-------------------------------------------------------------------------------------

When the standard access-list was removed, the ping response was normal:

EDGE1#conf t

EDGE1(config)#no ip access-list standard 98

EDGE1(config)#exit

EDGE1#sh ip access-lists 98

EDGE1#ping ip

Target IP address: 202.148.202.138

Repeat count [5]: 1000

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 1000, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/1/16 ms

4 Replies

jbrenesj
Level 3

Are you sure it's not applied anywhere?

What type of switch/router is this, and what is its IOS version?

We need to check the TCAM resources.

Hi all,

I am sure I haven't applied it anywhere... I planned to apply it in an SNMP command string.

This is a CISCO7606 series.

IOS version is 12.2(17r)SX3.

How do I see these Ternary CAM resources?

Many thanks

Mahesh

Hi all,

Also, I've found some configs like the ones below (as I am new to the setup):

class-map match-all SNMP

match access-group 98

policy-map SNMPRESTRICT

class SNMP

police cir 128000 pir 130000 conform-action transmit exceed-action drop

control-plane

service-policy input SNMPRESTRICT

What would be the impact of this? Is this triggering the packet drops once we create the access-list?

Hi Mahesh,

This standard ACL is being used to restrict the SNMP traffic from the host address.

The idea is to police the SNMP traffic from the host to 128 Kbps when it hits the CPU or control-plane queues. The idea is right, but the implementation is wrong.

What the above ACL is doing is basically restricting any traffic originating from that host to the CPU queues to 128 Kbps, and when it hits the CPU/control-plane you will see the drops. This is what you are observing when you are sending 1000 packets to that source.

What you need to do is change the standard ACL to an extended ACL and match the SNMP traffic's well-known ports, so that the control-plane policing restricts only the SNMP traffic.

-amit singh
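An added example (not posted in this thread, and not Cisco's own configuration) of the extended-ACL version amit singh describes, built from the host address and policy names in the thread: the ACL name SNMP-FROM-HOST is an assumed name, and the router's own addresses are left as `any` because the thread does not give them.

```text
! Added example: scope the control-plane policer to SNMP only.
! With standard ACL 98, every packet from 202.148.202.138 that reaches the
! CPU (including the ICMP echoes in the ping test) is policed to 128 Kbps.
! Matching UDP/161 instead leaves ICMP, routing and management traffic
! from the host outside the policer.
ip access-list extended SNMP-FROM-HOST
 remark SNMP polls from the NMS host only (UDP/161); traps originate on
 remark the router, so there is no inbound UDP/162 to match here
 permit udp host 202.148.202.138 any eq snmp
!
class-map match-all SNMP
 match access-group name SNMP-FROM-HOST
!
policy-map SNMPRESTRICT
 class SNMP
  police cir 128000 pir 130000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input SNMPRESTRICT
!
! Clean up the old ACL once the class-map no longer references it.
no ip access-list standard 98
!
! Verification: repeat the 1000-packet ping from the host and confirm the
! SNMP class counters stay at zero while ICMP success returns to 100%.
! show policy-map control-plane input class SNMP
! show ip access-lists SNMP-FROM-HOST
```

If the NMS also polls on a non-standard port, add a matching `permit udp host ... eq <port>` line rather than widening the ACL back to the whole host.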
