ACL for QoS

Unanswered Question
Mar 24th, 2010

I've written and applied a QoS policy to classify some critical data as it traverses our network.

The access-list that I use to match the traffic doesn't seem to be getting any "matches"; however, the access-list used for SNMP access to the switch is showing matches.

Would you expect an ACL used for QoS to show matches? I'm pretty sure packets meeting the ACL criteria exist, so I'm not sure why the matches don't get counted.

ACLs 123 & 124 are used in the QoS policy. ACL 5 is used for SNMP access.

A "show access-list" gives the following output:

Standard IP access list 5
    10 permit 10.172.0.151 (86970 matches)
Extended IP access list 123
    10 permit tcp any host 20.138.65.2 eq 443
    20 permit tcp any host 20.138.65.6 eq 443
    30 permit tcp any host 20.138.65.7 eq 443
    40 permit tcp any host 20.138.65.1 eq 443
    50 permit tcp any host 20.138.65.12 eq 443
    60 permit tcp any host 20.146.112.18 eq 443
    70 permit tcp any host 20.146.112.27 eq 443
    80 permit tcp any host 155.231.48.140 eq 443
    90 permit tcp any host 155.231.48.196 eq 443
Extended IP access list 124
    10 permit udp any any range 16384 32787
    20 permit tcp any any eq 2000

Is there any reason why there are no matches shown for ACLs 123 & 124?

Lei Tian Wed, 03/24/2010 - 15:15

Hi,

The ACL is processed by hardware; the show ip access-list counter cannot capture the matches.

HTH,

Lei Tian

Tharak Abraham Thu, 03/25/2010 - 01:04

Has it anything to do with disabling logging globally?

By the way, did you use a route-map or some policy routing for this purpose?

Please check whether it's applied correctly.

If everything is correct, then maybe you should try explicitly logging the ACLs with a logging rate limit and interval, e.g. ip access-list logging interval 10.


Jonn cos Fri, 03/26/2010 - 00:37

Dear Letian

I have just checked by applying a QoS policy, and the ACL does get matches.

Myrouter# sh access-list qos-test

Extended IP access list qos-test
     10 permit tcp any host 10.1.12.246 eq www (37 matches)

And i am also able to see matches in show policy-map interfaces

Myrouter#sh policy-map interface gig 0/1
  GigabitEthernet0/1

  Service-policy input: qos

    Class-map: qos (match-all)
       43 packets, 5593 bytes
       5 minute offered rate 0 bps, drop rate 0 bps
       Match: access-group name qos-test
       QoS Set
         dscp af41
           Packets marked 43

    Class-map: class-default (match-any)
       436951 packets, 245747986 bytes
       5 minute offered rate 4625000 bps, drop rate 0 bps
       Match: any
Myrouter#sh access-lists qos-test
Extended IP access list qos-test
     10 permit tcp any host 10.1.12.246 eq www (43 matches)

So I am quite sure that matches are shown in the show access-list result.

Now BlueyVIII, you need to check a few things.

1) where have you applied the service-policy command ?

2) which direction ?

Your ACL 123 says that destination 20.138.65.2 is out from this interface where you have applied the service-policy, so make sure your service-policy is applied as input on this interface.

Try this and let us know
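As an added example (not part of the original thread, and not Cisco code), here is a Python parser for the "show policy-map interface" text in the post above, so the per-class packet counters and the "Packets marked" line can be pulled into a script and zero-count classes flagged automatically. The sample text is constructed for the example: the GigabitEthernet0/1 section is modelled on the output posted above, and the FastEthernet1/0/1 section is invented to show the zero-counter pattern this thread is about. The regular expressions assume the IOS output layout shown in the post.

```python
import re

# Constructed sample of "show policy-map interface" output (not captured live).
# GigabitEthernet0/1 is modelled on the output posted in the thread;
# FastEthernet1/0/1 is invented to show classes whose counters stay at zero.
SAMPLE = """\
  GigabitEthernet0/1

  Service-policy input: qos

    Class-map: qos (match-all)
       43 packets, 5593 bytes
       5 minute offered rate 0 bps, drop rate 0 bps
       Match: access-group name qos-test
       QoS Set
         dscp af41
           Packets marked 43

    Class-map: class-default (match-any)
       436951 packets, 245747986 bytes
       5 minute offered rate 4625000 bps, drop rate 0 bps
       Match: any

  FastEthernet1/0/1

  Service-policy input: EndUser

    Class-map: ImportantData_in (match-all)
       0 packets, 0 bytes
       5 minute offered rate 0 bps, drop rate 0 bps
       Match: access-group 123

    Class-map: IP_phone (match-all)
       0 packets, 0 bytes
       5 minute offered rate 0 bps, drop rate 0 bps
       Match: access-group 124

    Class-map: class-default (match-any)
       0 packets, 0 bytes
       5 minute offered rate 0 bps, drop rate 0 bps
       Match: any
"""

# Layout assumptions: an interface name alone on a line opens a section,
# then "Service-policy <dir>: <name>", then one "Class-map:" block per class.
IFACE_RE = re.compile(r"^(\S+Ethernet\S*|Vlan\d+|Port-channel\d+)\s*$")
POLICY_RE = re.compile(r"^Service-policy (input|output): (\S+)")
CLASS_RE = re.compile(r"^Class-map: (\S+) \((match-all|match-any)\)")
COUNT_RE = re.compile(r"^(\d+) packets, (\d+) bytes")
MARKED_RE = re.compile(r"^Packets marked (\d+)")
MATCH_RE = re.compile(r"^Match: (.+)$")


def parse_policy_map(text):
    """Return {iface: {"policy", "direction", "classes": {name: {...}}}}."""
    result = {}
    iface = None
    cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            cls = None
            result[iface] = {"policy": None, "direction": None, "classes": {}}
            continue
        if iface is None:
            continue
        m = POLICY_RE.match(line)
        if m:
            result[iface]["direction"], result[iface]["policy"] = m.group(1), m.group(2)
            continue
        m = CLASS_RE.match(line)
        if m:
            cls = m.group(1)
            result[iface]["classes"][cls] = {"type": m.group(2), "packets": 0,
                                             "bytes": 0, "marked": None, "match": []}
            continue
        if cls is None:
            continue
        entry = result[iface]["classes"][cls]
        m = COUNT_RE.match(line)
        if m:
            entry["packets"], entry["bytes"] = int(m.group(1)), int(m.group(2))
            continue
        m = MARKED_RE.match(line)
        if m:
            entry["marked"] = int(m.group(1))
            continue
        m = MATCH_RE.match(line)
        if m:
            entry["match"].append(m.group(1))
    return result


def idle_classes(parsed):
    """(iface, class) pairs for user classes that show zero packets.
    On a platform that counts in hardware (the 3750 case in this thread)
    a zero here is a cue to check the hardware counters, not proof that
    the class never matched."""
    return [(iface, name)
            for iface, data in parsed.items()
            for name, entry in data["classes"].items()
            if name != "class-default" and entry["packets"] == 0]


if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE)
    for iface, data in parsed.items():
        print(iface, data["direction"], data["policy"])
        for name, entry in data["classes"].items():
            print("  ", name, entry["packets"], "packets, marked:", entry["marked"])
    print("zero-count classes:", idle_classes(parsed))
```

Feed it the real "show policy-map interface" output (for example via a script that runs the command over SSH) and compare the class counters across ports over time; on the platform in the original post the counters stay at zero, which is exactly what idle_classes() reports.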

gandrath.nithin Fri, 03/26/2010 - 01:22

Check the configuration again.

The access-list is fine. As you said you are implementing QoS, while implementing the class-maps you should match the access-list;

then it will give the output as expected.

Rgds,

Nithin

A master at anything was once a beginner.

BlueyVIII Sat, 03/27/2010 - 06:54

Thanks for replying, guys. I still can't get the matches to show from the "show access-list" command though.

The config I'm using is:

class-map match-all ImportantData_in
 match access-group 123
class-map match-all IP_phone
 match access-group 124
!
!
policy-map EndUser
 class ImportantData_in
  police 32000 8000 exceed-action policed-dscp-transmit
  set ip dscp af21
 class IP_phone
  trust dscp
!
interface FastEthernet1/0/1
 switchport access vlan 386
 switchport voice vlan 408
 no logging event link-status
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 mls qos trust device cisco-phone
 spanning-tree portfast
 service-policy input EndUser
!
access-list 123 permit tcp any host 20.138.65.2 eq 443
access-list 123 permit tcp any host 20.138.65.6 eq 443
access-list 123 permit tcp any host 20.138.65.7 eq 443
access-list 123 permit tcp any host 20.138.65.1 eq 443
access-list 123 permit tcp any host 20.138.65.12 eq 443
access-list 123 permit tcp any host 20.146.112.18 eq 443
access-list 123 permit tcp any host 20.146.112.27 eq 443
access-list 123 permit tcp any host 155.231.48.140 eq 443
access-list 123 permit tcp any host 155.231.48.196 eq 443
access-list 124 permit udp any any range 16384 32787
access-list 124 permit tcp any any eq 2000

Any ideas?

Lei Tian Sat, 03/27/2010 - 07:45

Hi,

As I already said, you will not be able to see matches in the output; on the 3750, if the traffic is processed in hardware, the counters of the ACL or policy-map will not change.

HTH,

Lei Tian

BlueyVIII Mon, 03/29/2010 - 16:25

Thanks Letian.

Is there a way I can see the counters to see how much traffic is matching the access-list criteria?

I've proved the policy is working by using Wireshark to show the DSCP value getting set; however, I'd like to see just how often the policy is applied on each port. The policy-map command would've been perfect for my requirements...

Lei Tian Mon, 03/29/2010 - 18:05

Hi,

For 3750s, you will not see matches from show policy-map interface; however, you have the command "show mls qos interface x/x statistics". That command can tell you what DSCP/CoS is coming into and leaving the interface.

HTH,
Lei Tian


mateja.jovanovic Tue, 12/18/2012 - 06:31

OK, I can see the post is pretty old, but it still hasn't been responded to properly...

First, why would you post "revise your configuration" as a comment? How does that help?!? Of course he revised the configuration before posting an issue here, and if you can't help, don't post anything!

Here's the thing:

3550, 3560 and 3575 will not show any matches on the QoS extended ACLs, as Lei Tian already said, and the "show policy-map interface xx" will also show 0 packets. This happens because on these models the hardware processing of QoS is applied. The only way to check if the packets are properly marked (if what you're trying to do is QoS marking) is some kind of packet sniffer, like Wireshark.

Cheers!
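Added example, not from the thread and not Cisco's code: when the switch counters cannot be trusted, the DSCP can be read straight from captured packets, which is what BlueyVIII and mateja.jovanovic use Wireshark for. The script below decodes the DS byte of an IPv4 header (DSCP is the top 6 bits, ECN the bottom 2) and audits packets that meet ACL 123's condition (TCP to the listed hosts on port 443) for the af21 marking that the EndUser policy sets. The packets are constructed inside the script, not captured; the destination hosts are those of ACL 123 above, and the source addresses and ports are made up.

```python
import struct
import ipaddress

# DSCP names: AFxy = 8x + 2y (RFC 2597), EF = 46 (RFC 3246), CSx = 8x (RFC 2474).
DSCP_NAMES = {0: "default", 46: "ef"}
for x in range(1, 8):
    DSCP_NAMES[8 * x] = f"cs{x}"
for x in range(1, 5):
    for y in range(1, 4):
        DSCP_NAMES[8 * x + 2 * y] = f"af{x}{y}"


def decode_ipv4(packet):
    """Parse an IPv4 header (plus TCP/UDP ports when present) from raw bytes.
    The DS byte is octet 1: DSCP = top 6 bits, ECN = bottom 2 bits."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    tos = packet[1]
    proto = packet[9]
    info = {
        "dscp": tos >> 2,
        "ecn": tos & 0x03,
        "name": DSCP_NAMES.get(tos >> 2, f"dscp{tos >> 2}"),
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "proto": proto,
        "sport": None,
        "dport": None,
    }
    if proto in (6, 17) and len(packet) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


def build_ipv4(tos, src, dst, proto, sport, dport):
    """Constructed test input only: a minimal IPv4 header followed by an
    8-byte L4 stub carrying the ports. Checksums are left zero; this is
    for decoding, not for sending."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + l4


def verify_marking(packets, dst_hosts, dport, expected):
    """For TCP packets to dst_hosts on dport (ACL 123's condition), return
    those whose DSCP is not `expected`, as (dst, observed name)."""
    bad = []
    for pkt in packets:
        p = decode_ipv4(pkt)
        if (p["proto"] == 6 and p["dst"] in dst_hosts
                and p["dport"] == dport and p["name"] != expected):
            bad.append((p["dst"], p["name"]))
    return bad


# Destination hosts taken from ACL 123 on the page.
ACL_123_HOSTS = {"20.138.65.2", "20.138.65.6", "20.138.65.7", "20.138.65.1",
                 "20.138.65.12", "20.146.112.18", "20.146.112.27",
                 "155.231.48.140", "155.231.48.196"}
AF21_TOS = 18 << 2   # DS byte 0x48: DSCP af21 with ECN 00
EF_TOS = 46 << 2     # DS byte 0xB8: DSCP ef

# Constructed packets (not captured); sources and ports are made up.
SAMPLE_PACKETS = [
    build_ipv4(AF21_TOS, "10.172.0.20", "20.138.65.2", 6, 51234, 443),  # marked as the policy intends
    build_ipv4(0x00, "10.172.0.21", "20.138.65.6", 6, 51235, 443),      # matches ACL 123 but unmarked
    build_ipv4(EF_TOS, "10.172.0.22", "10.1.1.1", 17, 16384, 20000),    # UDP, outside ACL 123
    build_ipv4(0x00, "10.172.0.23", "20.138.65.2", 6, 51236, 80),       # port 80, ACL 123 does not match
]


def audit_sample():
    return verify_marking(SAMPLE_PACKETS, ACL_123_HOSTS, 443, "af21")


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        p = decode_ipv4(pkt)
        print(f'{p["src"]} -> {p["dst"]}:{p["dport"]} proto {p["proto"]} '
              f'dscp {p["dscp"]} ({p["name"]})')
    print("unmarked ACL 123 traffic:", audit_sample())
```

On a live capture the same check is the Wireshark display filter ip.dsfield.dscp == 18 && tcp.dstport == 443 (18 is af21); anything to the ACL 123 hosts on 443 that does not pass that filter was not marked by the policy.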
