07-28-2009 07:25 AM - edited 03-06-2019 06:58 AM
I had configured an access list but haven't applied it anywhere, and still it is showing drops. If it is removed there are no drops.
There the existing network is 202.148.202.128/26.
EDGE1(config)#ip access-list standard 98
EDGE1(config-std-nacl)#permit 202.148.202.138 0.0.0.0
EDGE1(config-std-nacl)#exit
EDGE1(config)#exit
EDGE1#sh ip access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (14 matches)
After creating the above standard access-list (still not applied anywhere), when I checked the ping response, heavy packet drops were observed:
EDGE1#ping ip
Target IP address: 202.148.202.138
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!.
Success rate is 97 percent (152/156), round-trip min/avg/max = 1/1/4 ms
-------------------------------------------------------------------------------------
When the standard access-list was removed, the ping response was normal:
EDGE1#conf t
EDGE1(config)#no ip access-list standard 98
EDGE1(config)#exit
EDGE1#sh ip access-lists 98
EDGE1#ping ip
Target IP address: 202.148.202.138
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/1/16 ms
07-28-2009 09:17 AM
Are you sure it's not applied anywhere?
What type of switch/router is this, and what is its IOS version?
We need to check the TCAM resources.
07-28-2009 09:21 PM
Hi all,
I am sure, as I haven't applied it anywhere... I am planning to apply it in an SNMP command string.
This is a Cisco 7606 series.
The IOS version is 12.2(17r)SX3.
How do I see these Ternary CAM resources???
Many thanks
Mahesh
07-28-2009 09:27 PM
Hi all,
Also I have found some configs like the below (as I am new to the setup):
class-map match-all SNMP
match access-group 98
policy-map SNMPRESTRICT
class SNMP
police cir 128000 pir 130000 conform-action transmit exceed-action drop
control-plane
service-policy input SNMPRESTRICT
What would be the impact of this??? Is this triggering the packet drops once we create the access-list?
07-28-2009 11:16 PM
Hi Mahesh,
This standard ACL is being used to restrict the SNMP traffic from the host address.
The idea is to police the SNMP traffic from the host to 128Kbps when it hits the CPU or control-plane queues. The idea is right here, but the implementation is wrong.
What the above ACL is doing is basically restricting any traffic originated from that host towards the CPU queues to 128Kbps, and when it hits the CPU/control-plane you will see the drops. This is what you are observing when you are sending 1000 packets to that source.
What you need to do is change the standard ACL to an extended ACL and match the SNMP well-known ports, so that the control-plane policing is applied only to the SNMP traffic.
-amit singh
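The corrected configuration described in the answer above, written out as an added example (not configuration from the original thread). The host address, the class-map and policy-map names and the policer rates are taken from the posts; the ACL name SNMP-FROM-NMS is an assumption. A permit entry in an ACL referenced by a class-map selects the traffic to be policed, so only UDP/161 from the NMS host is now rate-limited, and the ICMP echo replies that were being punted to the CPU fall through to the class-default and are no longer counted against the 128Kbps policer.

```cisco
! Extended ACL: classify only SNMP (UDP/161) sourced from the NMS host.
! ACL name is an assumption for this example.
ip access-list extended SNMP-FROM-NMS
 permit udp host 202.148.202.138 any eq snmp
!
! The old standard ACL 98 matched every packet from 202.148.202.138,
! including the echo replies to the router's own pings, so all of it
! was policed once it was punted to the control plane.
no ip access-list standard 98
!
class-map match-all SNMP
 no match access-group 98
 match access-group name SNMP-FROM-NMS
!
policy-map SNMPRESTRICT
 class SNMP
  police cir 128000 pir 130000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input SNMPRESTRICT
```

To confirm the change took effect, check `show policy-map control-plane` for the conform/exceed counters of class SNMP (they should only move while the NMS is polling) and repeat the 1000-packet extended ping to 202.148.202.138, which should return 100 percent. The general lesson from this thread is that an ACL is "in use" whenever anything references it, not only when it sits on an interface: `show running-config | include access-group 98` (or `| include 98`) would have found the class-map reference immediately, and the growing match counter in `show ip access-lists 98` was the tell that the ACL was live.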