Access-List problem

mahesh_kv3
Level 1

I had configured an access list but I haven't applied it anywhere; still it is showing drops. If it is removed there will not be any drops.

The existing network is 202.148.202.128/26.

EDGE1(config)#ip access-list standard 98
EDGE1(config-std-nacl)#permit 202.148.202.138 0.0.0.0
EDGE1(config-std-nacl)#exit
EDGE1(config)#exit
EDGE1#sh ip access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (14 matches)

After creating the above standard access-list (still not applied anywhere), heavy packet drops are observed when checking the ping response:

EDGE1#ping ip
Target IP address: 202.148.202.138
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!.
Success rate is 97 percent (152/156), round-trip min/avg/max = 1/1/4 ms

-------------------------------------------------------------------------------------

When the standard access-list was removed, the ping response was normal:

EDGE1#conf t
EDGE1(config)#no ip access-list standard 98
EDGE1(config)#exit
EDGE1#sh ip access-lists 98
EDGE1#ping ip
Target IP address: 202.148.202.138
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/1/16 ms

4 Replies

Giuseppe Larosa
Hall of Fame

Hello Mahesh,

Be aware that you have created a named ACL with the name "98", like a numeric ACL; I would avoid this.

access-list 98 permit host 202.148.202.138

This is the original numeric ACL that you can still configure on a device.

The one you have configured is actually a named standard ACL.

Hope to help

Giuseppe

Hi all,

Still I am getting the same drops... also the CPU utilisation is getting higher. Once I've created an access list, it starts increasing the matches to about 500-600 even though it is not applied anywhere.

EDGE1(config)#access-list 98 permit hos
EDGE1(config)#access-list 98 permit host 202.148.202.138
EDGE1(config)#end
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#ping ip
Target IP address: 202.148.202.138
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (98/100), round-trip min/avg/max = 1/1/4 ms
EDGE1#100
% Unknown command or computer name, or unable to find computer address
EDGE1#ping ip
Target IP address: 202.148.202.138
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (98/100), round-trip min/avg/max = 1/1/4 ms
EDGE1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
EDGE1(config)#no access-list 98 permit host 202.148.202.138
EDGE1(config)#end

Hi,

Also I've seen the configuration like

class-map match-all SNMP
 match access-group 98
policy-map SNMPRESTRICT
 class SNMP
  police cir 128000 pir 130000 conform-action transmit exceed-action drop
control-plane
 service-policy input SNMPRESTRICT

What's the impact of the above configs?

Mahesh

The impact of the above config is to contradict your statement that the access list was not applied. This statement: "match access-group 98" is applying access list 98 and using it to identify traffic which will be policed with the exceed-action of drop. So this is a clear explanation of why you are seeing drops when you create access list 98. If the traffic that matches access list 98 exceeds the configured threshold then that traffic will be dropped.

HTH

Rick
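The indirection Rick points out (ACL 98 is consumed by a class-map, which a policy-map polices, which the control-plane attaches) is exactly what a quick "is this ACL applied?" check has to follow. The script below is an added example, not from this thread or from Cisco; it parses a constructed IOS config snippet modelled on the thread (the interface stanza and its address are assumptions added to show a second kind of attach point) and reports every place a given ACL is referenced, directly or through class-map and policy-map chains, along with any drop action in the policing policy.

```python
"""Trace where a Cisco IOS ACL is really referenced in a running-config.

Added example (not from the thread). Parses a constructed config snippet
modelled on the thread: ACL 98 -> class-map SNMP -> policy-map SNMPRESTRICT
-> control-plane service-policy. Use it on `show running-config` output
before concluding that an ACL with rising match counters is "unapplied".
"""
import re

# Constructed sample config. Names and addresses mirror the thread; the
# interface stanza is an assumption added to show a direct ip access-group.
SAMPLE_CONFIG = """\
access-list 98 permit host 202.148.202.138
!
class-map match-all SNMP
 match access-group 98
!
policy-map SNMPRESTRICT
 class SNMP
  police cir 128000 pir 130000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input SNMPRESTRICT
!
interface GigabitEthernet0/1
 ip address 202.148.202.129 255.255.255.192
 ip access-group 98 in
!
"""


def parse_blocks(config):
    """Split IOS config into (header, [child lines]) by leading indentation."""
    blocks, header, children = [], None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" "):
            if header is not None:
                children.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, children))
            header, children = line, []
    if header is not None:
        blocks.append((header, children))
    return blocks


def trace_acl(config, acl_id):
    """Return (kind, detail) tuples for every definition and use of acl_id."""
    blocks = parse_blocks(config)
    acl = re.escape(acl_id)
    uses, class_maps, policy_maps = [], set(), set()

    # Pass 1: ACL definition, class-maps matching it, direct interface use.
    for header, children in blocks:
        if re.match(rf"(?:ip )?access-list\s+(?:standard\s+|extended\s+)?{acl}\b", header):
            uses.append(("defined", header))
        cm = re.match(r"class-map\s+(?:match-(?:all|any)\s+)?(\S+)", header)
        if cm and any(re.fullmatch(rf"match access-group\s+(?:name\s+)?{acl}", c)
                      for c in children):
            class_maps.add(cm.group(1))
            uses.append(("class-map", cm.group(1)))
        if header.startswith("interface "):
            for c in children:
                if re.fullmatch(rf"ip access-group\s+{acl}\s+(in|out)", c):
                    uses.append(("interface", f"{header.split()[1]} {c.split()[-1]}"))

    # Pass 2: policy-maps that reference those class-maps; flag drop actions.
    for header, children in blocks:
        pm = re.match(r"policy-map\s+(\S+)", header)
        if not pm:
            continue
        for c in children:
            cl = re.match(r"class\s+(\S+)", c)
            if cl and cl.group(1) in class_maps:
                policy_maps.add(pm.group(1))
                uses.append(("policy-map", f"{pm.group(1)} class {cl.group(1)}"))
            if "action drop" in c and pm.group(1) in policy_maps:
                uses.append(("drop-action", f"{pm.group(1)}: {c}"))

    # Pass 3: attach points (control-plane or interface service-policy).
    for header, children in blocks:
        for c in children:
            sp = re.match(r"service-policy\s+(input|output)\s+(\S+)", c)
            if sp and sp.group(2) in policy_maps:
                uses.append(("service-policy", f"{header} {sp.group(1)} {sp.group(2)}"))
    return uses


if __name__ == "__main__":
    for kind, detail in trace_acl(SAMPLE_CONFIG, "98"):
        print(f"{kind:15} {detail}")
```

Run against the sample, the output lists the definition, the SNMP class-map, the direct interface binding, the SNMPRESTRICT policy-map with its "exceed-action drop" line, and the control-plane attach point. An ACL that shows up only under "defined" is genuinely unused; anything else explains why its match counters move and, with a drop action on the control-plane path, why pings to the router's own address start failing.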