03-24-2010 02:56 PM - edited 03-06-2019 10:18 AM
I've written and applied a QoS policy to classify some critical data as they traverse our network.
The access-list that I use to match the traffic doesn't seem to be getting any "matches"; however, the access-list used for SNMP access to the switch is showing matches.
Would you expect an ACL used for QoS to show matches? I'm pretty sure packets meeting the ACL criteria exist, so I'm not sure why the matches don't get counted.
ACLs 123 & 124 are used in the QoS policy. ACL 5 is used for SNMP access.
A "show access-list" gives the following output:
Standard IP access list 5
10 permit 10.172.0.151 (86970 matches)
Extended IP access list 123
10 permit tcp any host 20.138.65.2 eq 443
20 permit tcp any host 20.138.65.6 eq 443
30 permit tcp any host 20.138.65.7 eq 443
40 permit tcp any host 20.138.65.1 eq 443
50 permit tcp any host 20.138.65.12 eq 443
60 permit tcp any host 20.146.112.18 eq 443
70 permit tcp any host 20.146.112.27 eq 443
80 permit tcp any host 155.231.48.140 eq 443
90 permit tcp any host 155.231.48.196 eq 443
Extended IP access list 124
10 permit udp any any range 16384 32787
20 permit tcp any any eq 2000
Is there any reason why there are no matches shown for ACLs 123 & 124?
03-24-2010 03:15 PM
Hi,
The ACL is processed by hardware; the show ip access-list counter cannot capture the matches.
HTH,
Lei Tian
03-24-2010 10:34 PM
03-25-2010 01:04 AM
Has it anything to do with disabling logging globally?
Btw, did you use a route-map or some policy routing for this purpose?
Please check whether it's applied correctly.
If everything is correct, then
maybe you should try explicitly logging the ACLs with a logging rate limit and interval,
e.g.: ip access-list logging interval 10.
03-26-2010 12:37 AM
Dear Letian
I have just checked by applying a QoS policy, and the ACL does get matches.
Myrouter# sh access-list qos-test
Extended IP access list qos-test
10 permit tcp any host 10.1.12.246 eq www (37 matches)
And I am also able to see matches in show policy-map interface:
Myrouter#sh policy-map interface gig 0/1
GigabitEthernet0/1
Service-policy input: qos
Class-map: qos (match-all)
43 packets, 5593 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name qos-test
QoS Set
dscp af41
Packets marked 43
Class-map: class-default (match-any)
436951 packets, 245747986 bytes
5 minute offered rate 4625000 bps, drop rate 0 bps
Match: any
Myrouter#sh access-lists qos-test
Extended IP access list qos-test
10 permit tcp any host 10.1.12.246 eq www (43 matches)
So I am quite sure that matches are shown in the show acl result.
Now BlueyVIII, you need to check a few things:
1) Where have you applied the service-policy command?
2) Which direction?
Your ACL 123 says that destination 20.138.65.2 is out from this interface where you have applied the service-policy, so make sure your service-policy is applied as input on this interface.
Try this and let us know.
03-26-2010 01:22 AM
Check the configuration again.
The access-list is fine. As you said, you are implementing QoS; while implementing the class-maps you should match the access-list,
then it will give the output as expected.
Rgds,
Nithin
A master at anything was once a beginner.
03-27-2010 06:54 AM
Thanks for replying, guys. I still can't get the matches to show from the "show access-list" command though.
The config I'm using is:
class-map match-all ImportantData_in
match access-group 123
class-map match-all IP_phone
match access-group 124
!
!
policy-map EndUser
class ImportantData_in
police 32000 8000 exceed-action policed-dscp-transmit
set ip dscp af21
class IP_phone
trust dscp
interface FastEthernet1/0/1
switchport access vlan 386
switchport voice vlan 408
no logging event link-status
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
priority-queue out
mls qos trust device cisco-phone
spanning-tree portfast
service-policy input EndUser
access-list 123 permit tcp any host 20.138.65.2 eq 443
access-list 123 permit tcp any host 20.138.65.6 eq 443
access-list 123 permit tcp any host 20.138.65.7 eq 443
access-list 123 permit tcp any host 20.138.65.1 eq 443
access-list 123 permit tcp any host 20.138.65.12 eq 443
access-list 123 permit tcp any host 20.146.112.18 eq 443
access-list 123 permit tcp any host 20.146.112.27 eq 443
access-list 123 permit tcp any host 155.231.48.140 eq 443
access-list 123 permit tcp any host 155.231.48.196 eq 443
access-list 124 permit udp any any range 16384 32787
access-list 124 permit tcp any any eq 2000
Any ideas?
03-27-2010 07:45 AM
Hi,
As I already said, you will not be able to see matches from the output; on the 3750, if the traffic is processed by hardware, the counter of the ACL or policy-map will not change.
HTH,
Lei Tian
03-29-2010 04:25 PM
Thanks Letian.
Is there a way I can see the counters to see how much traffic is matching the access-list criteria?
I've proved the policy is working by using WireShark to show the DSCP value getting set; however, I'd like to see just how often the policy is applied on each port. The policy-map command would've been perfect for my requirements...
03-29-2010 06:05 PM
Hi,
For 3750s, you will not see matches from show policy-map interface; however, you have the command "show mls qos interface x/x statistics". That command can tell you what DSCP/CoS is coming into and leaving the interface.
HTH,
Lei Tian
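Lei Tian's suggestion above (read the per-DSCP counters from "show mls qos interface x/x statistics" instead of expecting ACL or policy-map hit counts on a hardware-switched 3750) is easier to act on if the tables are turned into numbers you can diff before and after sending a test flow. The script below is an added example, not code from this thread or from Cisco. The sample output it parses is constructed to mimic the 3750 table layout with made-up counts; the exact column layout on your IOS version is an assumption, so check the regexes against a real capture before trusting the numbers.

```python
"""Parse 3750-style 'show mls qos interface <x> statistics' output into
per-DSCP packet counts, so marking can be verified from the CLI when
ACL counters do not increment (hardware-switched path).

Added example, not from the thread. SAMPLE_OUTPUT is CONSTRUCTED to look
like the real command output; the counts are invented.
"""
import re
from typing import Dict, Tuple

# Well-known DSCP names used in the thread -> numeric values (RFC 2597/3246).
DSCP_NAMES = {"default": 0, "af21": 18, "af41": 34, "ef": 46}

# Constructed sample: dscp tables plus the start of the queue section,
# which the parser must NOT mistake for another DSCP row.
SAMPLE_OUTPUT = """\
FastEthernet1/0/1 (All statistics are in packets)

  dscp: incoming
-------------------------------

  0 -  4 :       120000            0            0            0            0
  5 -  9 :            0            0            0            0            0
 10 - 14 :            0            0            0            0            0
 15 - 19 :            0            0            0          350            0
 20 - 24 :            0            0            0            0            0
 25 - 29 :            0            0            0            0            0
 30 - 34 :            0            0            0            0            0
 35 - 39 :            0            0            0            0            0
 40 - 44 :            0            0            0            0            0
 45 - 49 :            0         2200            0            0            0
 50 - 54 :            0            0            0            0            0
 55 - 59 :            0            0            0            0            0
 60 - 64 :            0            0            0            0
  dscp: outgoing
-------------------------------

  0 -  4 :       119000            0            0            0            0
  5 -  9 :            0            0            0            0            0
 10 - 14 :            0            0            0            0            0
 15 - 19 :            0            0            0          900            0
 20 - 24 :            0            0            0            0            0
 25 - 29 :            0            0            0            0            0
 30 - 34 :            0            0            0            0           40
 35 - 39 :            0            0            0            0            0
 40 - 44 :            0            0            0            0            0
 45 - 49 :            0         2200            0            0            0
 50 - 54 :            0            0            0            0            0
 55 - 59 :            0            0            0            0            0
 60 - 64 :            0            0            0            0
  output queues enqueued:
 queue:    threshold1   threshold2   threshold3
-----------------------------------------------
 queue 0:           0           0           0
 queue 1:      122490           0           0
"""

HDR_RE = re.compile(r"^\s*(dscp|cos):\s*(incoming|outgoing)\s*$")
ROW_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*:\s*((?:\d+\s*)+)$")


def parse_mls_qos_stats(text: str) -> Dict[str, Dict[int, int]]:
    """Return {'dscp incoming': {dscp: packets, ...}, 'dscp outgoing': ...}.

    Each row 'A - B : v0 v1 ...' assigns v0 to value A, v1 to A+1, and so on.
    The last DSCP row ('60 - 64') legitimately carries only four values.
    Any other non-blank, non-ruler line ends the current table, so the
    'queue N:' rows of the queue section are never misread as DSCP rows.
    """
    tables: Dict[str, Dict[int, int]] = {}
    current = None
    for line in text.splitlines():
        hdr = HDR_RE.match(line)
        if hdr:
            current = f"{hdr.group(1)} {hdr.group(2)}"
            tables[current] = {}
            continue
        row = ROW_RE.match(line)
        if row and current is not None:
            start, end = int(row.group(1)), int(row.group(2))
            values = [int(v) for v in row.group(3).split()]
            if len(values) > end - start + 1:
                raise ValueError(f"too many columns in row: {line!r}")
            for offset, count in enumerate(values):
                tables[current][start + offset] = count
        elif current is not None and line.strip() and not line.strip().startswith("-"):
            current = None  # left the table (e.g. 'output queues enqueued:')
    return tables


def dscp_counts(tables: Dict[str, Dict[int, int]], direction: str,
                names: Tuple[str, ...] = ("default", "af21", "af41", "ef")) -> Dict[str, int]:
    """Pick out the named DSCP values from one direction's table."""
    table = tables.get(f"dscp {direction}", {})
    return {name: table.get(DSCP_NAMES[name], 0) for name in names}


def marking_summary(text: str) -> Dict[str, Dict[str, int]]:
    """Per-direction counts for the DSCP values the thread's policy uses."""
    tables = parse_mls_qos_stats(text)
    return {d: dscp_counts(tables, d) for d in ("incoming", "outgoing")}


if __name__ == "__main__":
    for direction, counts in marking_summary(SAMPLE_OUTPUT).items():
        print(direction, counts)
```

Run it once before and once after pushing a known number of packets that should match ACL 123; the difference in the af21 column tells you whether the policy is marking, which is the figure the poster could not get from "show access-lists" on this platform.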
12-18-2012 06:31 AM
Ok, I can see the post is pretty old, but it still hasn't been responded to properly...
First, why would you post "revise your configuration" as a comment? How does that help?!? Of course he revised the configuration before posting an issue here, and if you can't help, don't post anything!
Here's the thing:
3550, 3560 and 3575 will not show any matches on the QoS extended ACLs, as Lei Tian already said, and the "show policy-map interface xx" will also show 0 packets. This happens because on these models the hardware processing of QoS is applied. The only way to check if the packets are properly marked (if what you're trying to do is QoS marking) is some kind of packet sniffer, like WireShark.
Cheers!