I've written and applied a QoS policy to classify some critical data as it traverses our network.
The access-list that I use to match the traffic doesn't seem to be getting any "matches"; however, the access-list used for SNMP access to the switch is showing matches.
Would you expect an ACL used for QoS to show matches? I'm pretty sure packets meeting the ACL criteria exist, so I'm not sure why the matches don't get counted.
ACLs 123 & 124 are used in the QoS policy. ACL 5 is used for SNMP access.
A "show access-list" gives the following output:
Standard IP access list 5
10 permit 10.172.0.151 (86970 matches)
Extended IP access list 123
10 permit tcp any host 184.108.40.206 eq 443
20 permit tcp any host 220.127.116.11 eq 443
30 permit tcp any host 18.104.22.168 eq 443
40 permit tcp any host 22.214.171.124 eq 443
50 permit tcp any host 126.96.36.199 eq 443
60 permit tcp any host 188.8.131.52 eq 443
70 permit tcp any host 184.108.40.206 eq 443
80 permit tcp any host 220.127.116.11 eq 443
90 permit tcp any host 18.104.22.168 eq 443
Extended IP access list 124
10 permit udp any any range 16384 32787
20 permit tcp any any eq 2000
Is there any reason why there are no matches shown for ACLs 123 & 124?
Has it anything to do with disabling logging globally?
Btw, did you use a route-map or some policy routing for this purpose?
Please check whether it's applied correctly.
If everything is correct, then maybe you should try explicitly logging the ACLs with a logging rate limit and interval,
e.g.: ip access-list logging interval 10.
I have just checked by applying a QoS policy, and the ACL does get matches.
Myrouter# sh access-list qos-test
Extended IP access list qos-test
10 permit tcp any host 10.1.12.246 eq www (37 matches)
And I am also able to see matches in show policy-map interface.
Myrouter#sh policy-map interface gig 0/1
Service-policy input: qos
Class-map: qos (match-all)
43 packets, 5593 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name qos-test
Packets marked 43
Class-map: class-default (match-any)
436951 packets, 245747986 bytes
5 minute offered rate 4625000 bps, drop rate 0 bps
Myrouter#sh access-lists qos-test
Extended IP access list qos-test
10 permit tcp any host 10.1.12.246 eq www (43 matches)
So I am quite sure that matches are shown in the show access-list result.
Now BlueyVIII, you need to check a few things.
1) where have you applied the service-policy command ?
2) which direction ?
Your ACL 123 says that destination 22.214.171.124 is out from the interface where you have applied the service-policy, so make sure your service-policy is applied as input on this interface.
Try this and let us know.
Check the configuration again.
The access-list is fine. As you said, you are implementing QoS; while implementing the class-maps you should match the access-list,
then it will give the output as expected.
A master at anything was once a beginner.
Thanks for replying, guys. I still can't get the matches to show from the "show access-list" command though.
The config I'm using is:
class-map match-all ImportantData_in
match access-group 123
class-map match-all IP_phone
match access-group 124
police 32000 8000 exceed-action policed-dscp-transmit
set ip dscp af21
switchport access vlan 386
switchport voice vlan 408
no logging event link-status
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
service-policy input EndUser
access-list 123 permit tcp any host 126.96.36.199 eq 443
access-list 123 permit tcp any host 188.8.131.52 eq 443
access-list 123 permit tcp any host 184.108.40.206 eq 443
access-list 123 permit tcp any host 220.127.116.11 eq 443
access-list 123 permit tcp any host 18.104.22.168 eq 443
access-list 123 permit tcp any host 22.214.171.124 eq 443
access-list 123 permit tcp any host 126.96.36.199 eq 443
access-list 123 permit tcp any host 188.8.131.52 eq 443
access-list 123 permit tcp any host 184.108.40.206 eq 443
access-list 124 permit udp any any range 16384 32787
access-list 124 permit tcp any any eq 2000
As I already said, you will not be able to see matches in the output; on the 3750, if the traffic is processed by hardware, the counter of the ACL or policy-map will not change.
Is there a way I can see the counters to see how much traffic is matching the access-list criteria?
I've proved the policy is working by using Wireshark to show the DSCP value getting set; however, I'd like to see just how often the policy is applied on each port. The policy-map command would've been perfect for my requirements...
For 3750s, you will not see matches from show policy-map interface; however, you have the command "show mls qos interface x/x statistics". That command can tell you what DSCP/CoS is coming into and leaving the interface.
Ok, I can see the post is pretty old, but it still hasn't been responded to properly...
First, why would you post "revise your configuration" as a comment, how does that help?!? Of course he revised the configuration before posting an issue here, and if you can't help, don't post anything!
Here's the thing:
3550, 3560 and 3575 will not show any matches on the QoS extended ACLs, as Lei Tian already said, and "show policy-map interface xx" will also show 0 packets. This happens because on these models the hardware processing of QoS is applied. The only way to check if the packets are properly marked (if what you're trying to do is QoS marking) is some kind of packet sniffer, like Wireshark.
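The thread's core lesson is that a zero counter on a QoS ACL is not evidence that the class-map is failing to match when the platform switches the traffic in hardware. The following script, an added example that is not part of this thread or of any Cisco tooling, parses "show access-lists" output in the format quoted above, extracts the ACLs that class-maps reference via "match access-group", and reports which of those show no hits so an operator can decide whether to trust the counter or verify with "show mls qos interface statistics" or a capture. The sample output and class-map text are constructed for the example, modelled on the posts above.

```python
import re
from collections import OrderedDict

# Constructed sample, in the shape of the "show access-lists" output quoted in the thread.
SHOW_ACL = """\
Standard IP access list 5
    10 permit 10.172.0.151 (86970 matches)
Extended IP access list 123
    10 permit tcp any host 184.108.40.206 eq 443
    20 permit tcp any host 220.127.116.11 eq 443
Extended IP access list 124
    10 permit udp any any range 16384 32787
    20 permit tcp any any eq 2000
Extended IP access list qos-test
    10 permit tcp any host 10.1.12.246 eq www (43 matches)
"""

# Constructed class-map config, same shape as the poster's (numbered and named ACLs).
CLASS_MAPS = """\
class-map match-all ImportantData_in
 match access-group 123
class-map match-all IP_phone
 match access-group 124
class-map match-all qos
 match access-group name qos-test
"""

ACL_HDR = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
# An ACE line: sequence number, the rule text, and an optional "(N matches)" suffix.
ACE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\((\d+) matches\))?$")
MATCH_AG = re.compile(r"^\s*match access-group (?:name )?(\S+)$")

def parse_show_access_lists(text):
    """Return {acl: [(seq, rule, hits), ...]}; hits is 0 when IOS prints no counter."""
    acls = OrderedDict()
    current = None
    for line in text.splitlines():
        hdr = ACL_HDR.match(line)
        if hdr:
            current = hdr.group(2)
            acls[current] = []
            continue
        ace = ACE.match(line)
        if ace and current is not None:
            seq, rule, hits = ace.groups()
            acls[current].append((int(seq), rule, int(hits) if hits else 0))
    return acls

def qos_acls(class_map_config):
    """ACL numbers/names referenced by 'match access-group' lines in class-maps."""
    return [m.group(1) for m in map(MATCH_AG.match, class_map_config.splitlines()) if m]

def zero_hit_qos_acls(show_acl_text, class_map_config):
    """QoS ACLs whose every ACE shows no hits. On hardware-switched platforms such as
    the 3750 this is expected and does not prove the policy is not matching."""
    acls = parse_show_access_lists(show_acl_text)
    return [name for name in qos_acls(class_map_config)
            if name in acls and all(hits == 0 for _, _, hits in acls[name])]
```

With the constructed sample, ACLs 123 and 124 are reported as zero-hit while qos-test (43 matches) is not; a hit on the standard SNMP ACL 5 is ignored because no class-map references it.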