Traffic Policing - counters to zero, ACL doesn't match

Hi folks,

I have the following configuration

ip access-list extended ACL-LOG
permit ip host x.x.x.x host y.y.y.y

!

class-map match-any LOG
match access-group name ACL-LOG

!
policy-map Policy-A
class LOG
    police 8000 conform-action transmit  exceed-action drop  violate-action drop
class class-default
    fair-queue
     random-detect dscp-based

!

interface Multilink1
description A
bandwidth 256
ip address x.x.x.x/y
ip tcp header-compression iphc-format
no ip mroute-cache
ip ospf message-digest-key 1 md5 7 XXXXXXXXXXX
ppp multilink
ppp multilink interleave
ppp multilink group 1
ppp multilink fragment delay 20
crypto map XXX
max-reserved-bandwidth 95
service-policy output Policy-A
ip rtp header-compression iphc-format

This policy map was working well and suddenly the ACL ceased to match packets so I have the following behavior:

Class-map: LOG (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name ACL-LOG
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 8000 bps, bc 1500 bytes, be 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

I deleted the service policy from the interface, deleted the policy-map and class-maps, and then created them again, and the problem persists.

How can I solve this issue?
Thanks in advance for your help,
Regards,
Tito

Re: Traffic Policing - counters to zero, ACL doesn't match

You have a crypto applied to the interface so the egress traffic may be leaving the router with an ESP header, not an IP header - hence no match.

Remove the crypto and see if you get the matches working again.

Regards,

Edison
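
A small model of the situation the reply describes, added here as an illustration and not part of the original thread: the same host-to-host ACL is evaluated against a packet before and after ESP encapsulation. It assumes ESP tunnel mode and that the output policy classifies the packet after encryption; the addresses, SPI and function names are constructed for the example.

```python
import ipaddress
import struct

ESP = 50  # IANA IP protocol number for ESP

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def esp_tunnel_encapsulate(inner, peer_src, peer_dst, spi=0x1000, seq=1):
    """Model ESP tunnel mode: new outer IP header, SPI/sequence, opaque payload.
    The payload is a zero-filled stand-in for ciphertext, not real encryption."""
    esp = struct.pack("!II", spi, seq) + bytes(len(inner))
    return ipv4_header(peer_src, peer_dst, ESP, len(esp)) + esp

def acl_permit_ip_host(packet, src, dst):
    """Model of 'permit ip host <src> host <dst>': any protocol, exact addresses."""
    pkt_src = str(ipaddress.IPv4Address(packet[12:16]))
    pkt_dst = str(ipaddress.IPv4Address(packet[16:20]))
    return pkt_src == src and pkt_dst == dst

def classify(packet, src, dst):
    """Return the class the policy-map would place the packet in."""
    return "LOG" if acl_permit_ip_host(packet, src, dst) else "class-default"

# Constructed sample values (documentation address ranges).
HOST_X, HOST_Y = "192.0.2.10", "198.51.100.20"   # the ACL's x.x.x.x / y.y.y.y
PEER_A, PEER_B = "203.0.113.1", "203.0.113.2"    # crypto peers (assumed)

payload = b"x" * 32
clear = ipv4_header(HOST_X, HOST_Y, 17, len(payload)) + payload
encrypted = esp_tunnel_encapsulate(clear, PEER_A, PEER_B)

if __name__ == "__main__":
    print("before crypto:", classify(clear, HOST_X, HOST_Y))
    print("after crypto: ", classify(encrypted, HOST_X, HOST_Y))
    print("outer protocol:", encrypted[9])
```

If the counters stay at zero while traffic is known to flow, comparing the ACL's addresses against the crypto peers' addresses is a quick way to test this explanation.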
