Access-List problem


I had configured an access list but I haven't applied it anywhere; still it is showing drops. If it is removed there will not be any drops.


The existing network is 202.148.202.128/26


EDGE1(config)#ip access-list standard 98

EDGE1(config-std-nacl)#permit 202.148.202.138 0.0.0.0

EDGE1(config-std-nacl)#exit

EDGE1(config)#exit




EDGE1#sh ip access-lists 98

Standard IP access list 98

10 permit 202.148.202.138 (14 matches)




After creating the above standard access-list (still not applied anywhere), when ping response was checked, heavy packet drops were observed:


EDGE1#ping ip

Target IP address: 202.148.202.138

Repeat count [5]: 1000

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 1000, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!.

Success rate is 97 percent (152/156), round-trip min/avg/max = 1/1/4 ms



-------------------------------------------------------------------------------------


When the standard access-list was removed, ping response was normal:


EDGE1#conf t

EDGE1(config)#no ip access-list standard 98

EDGE1(config)#exit


EDGE1#sh ip access-lists 98


EDGE1#ping ip

Target IP address: 202.148.202.138

Repeat count [5]: 1000

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 1000, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/1/16 ms



Giuseppe Larosa Tue, 07/28/2009 - 09:05

Hello Mahesh,

Be aware that you have created a named ACL with a name="98", like a numeric ACL. I would avoid this.


access-list 98 permit host 202.148.202.138


This is the original numeric ACL that you can still configure on a device.


The one you have configured is actually a named standard ACL.


Hope to help

Giuseppe


Hi all,


Still I am getting the same drops... also the CPU utilisation is getting higher. Once I've created an access list, it starts increasing the matches to about 500-600 even though it is not applied anywhere.



EDGE1(config)#access-list 98 permit hos

EDGE1(config)#access-list 98 permit host 202.148.202.138

EDGE1(config)#end

EDGE1#sh access-lists 98

Standard IP access list 98

10 permit 202.148.202.138 (56 matches)

EDGE1#sh access-lists 98

Standard IP access list 98

10 permit 202.148.202.138 (56 matches)

EDGE1#sh access-lists 98

Standard IP access list 98

10 permit 202.148.202.138 (56 matches)

EDGE1#sh access-lists 98

Standard IP access list 98

10 permit 202.148.202.138 (56 matches)

EDGE1#sh access-lists 98

Standard IP access list 98

10 permit 202.148.202.138 (56 matches)

EDGE1#sh access-lists 98

Standard IP access list 98

10 permit 202.148.202.138 (56 matches)

EDGE1#sh access-lists 98

Standard IP access list 98

10 permit 202.148.202.138 (56 matches)

EDGE1#sh access-lists 98

Standard IP access list 98

10 permit 202.148.202.138 (56 matches)

EDGE1#sh access-lists 98

Standard IP access list 98

10 permit 202.148.202.138 (56 matches)

EDGE1#ping ip

Target IP address: 202.148.202.138

Repeat count [5]: 100

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 100, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!

Success rate is 98 percent (98/100), round-trip min/avg/max = 1/1/4 ms

EDGE1#100

% Unknown command or computer name, or unable to find computer address

EDGE1#ping ip

Target IP address: 202.148.202.138

Repeat count [5]: 100

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 100, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!

Success rate is 98 percent (98/100), round-trip min/avg/max = 1/1/4 ms

EDGE1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

EDGE1(config)#no access-list 98 permit host 202.148.202.138

EDGE1(config)#end

Richard Burts Thu, 07/30/2009 - 05:01

Mahesh


The impact of the above config is to contradict your statement that the access list was not applied. This statement: "match access-group 98" is applying access list 98 and using it to identify traffic which will be policed with the exceed-action of drop. So this is a clear explanation of why you are seeing drops when you create access list 98. If the traffic that matches access list 98 exceeds the configured threshold then that traffic will be dropped.


HTH


Rick
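
The check Rick's answer implies, as an added example that is not part of the original thread: before treating an ACL as unapplied, trace every reference to it from class-map to policy-map to service-policy. The sample running-config is constructed (class-map and policy-map names, the police rate and the interface are assumptions), and only `access-group` and `access-class` references are covered.

```python
import re

# Constructed sample running-config: names and rates are assumptions, not from the thread.
SAMPLE_CONFIG = """\
class-map match-all ICMP-LIMIT
 match access-group 98
policy-map EDGE-POLICE
 class ICMP-LIMIT
  police 8000 1500 1500 conform-action transmit exceed-action drop
interface GigabitEthernet0/1
 service-policy input EDGE-POLICE
line vty 0 4
 access-class 10 in
"""

def parse_blocks(config):
    """Group indented sub-commands under their top-level parent line."""
    blocks = []
    for line in filter(str.strip, config.splitlines()):  # skip blank lines
        if not line[0].isspace():
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def trace_acl(config, acl):
    """Follow an ACL from class-map to policy-map to service-policy attachment."""
    blocks = parse_blocks(config)
    ref = re.compile(rf"\b(access-group|access-class)\s+(name\s+)?{re.escape(acl)}\b")
    hits, class_maps, policy_maps = [], set(), set()
    for head, body in blocks:  # pass 1: direct references to the ACL
        for sub in (s for s in body if ref.search(s)):
            hits.append((head, sub))
            if head.startswith("class-map"):
                class_maps.add(head.split()[-1])
    for head, body in blocks:  # pass 2: actions on classes that match the ACL
        cls = None
        for sub in (body if head.startswith("policy-map") else []):
            if sub.startswith("class "):
                cls = sub.split()[1]
            elif cls in class_maps:
                hits.append((head, sub))
                policy_maps.add(head.split()[-1])
    for head, body in blocks:  # pass 3: where those policies are attached
        for sub in body:
            if sub.startswith("service-policy") and sub.split()[-1] in policy_maps:
                hits.append((head, sub))
    return hits
```

An empty result from `trace_acl(config, "98")` is what "not applied anywhere" would look like for the reference types checked here; any hit means creating the ACL changes how traffic is classified.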
