topic Re: Match named access-list is not supported for this interface when trying to ratelimit by output policy with trunk interface in Switching

Match named access-list is not supported for this interface when trying to ratelimit by output policy with trunk interface

danielchau — Sat, 09 Mar 2019 00:38:29 GMT

Hello,

Currently have a cisco 7600 router with IOS 12.2(33)SRE12 and would like to rate limit the udp traffic from a host. Currently have this setup:

ip access-list extended LIMIT-UDP-IN
remark LIMIT-UDP-IN
permit udp host 1.2.3.4 any

!

ip access-list extended LIMIT-UDP-OUT
remark LIMIT-UDP-OUT
permit udp any host 1.2.3.4
!

class-map match-any LIMIT-Traffic-IN
match access-group name LIMIT-UDP-IN

class-map match-any LIMIT-Traffic-OUT
match access-group name LIMIT-UDP-OUT

policy-map LIMIT-2Mbps-OUT-UDP
class LIMIT-Traffic-OUT
police cir 3600000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop
shape average 1600000

policy-map LIMIT-2Mbps-IN-UDP
class LIMIT-Traffic-IN
police cir 3600000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop

There is no problem of apply the input proicy to the interface, but when apply the output policy:

ROUTER(config-if)#service-policy output LIMIT-2Mbps-OUT-UDP

Match named access-list is not supported for this interface

Would you please let me know how can i fix this?

Thanks

Daniel

Re: Match named access-list is not supported for this interface when trying to ratelimit by output policy with trunk interface

Georg Pauwen — Mon, 19 Nov 2018 08:07:31 GMT

Hello,

you are running a very outdated IOS version. Try to match on a numbered access list:

ip access-list 101 permit udp host 1.2.3.4 any
remark LIMIT-UDP-IN

ip access-list 102 permit udp any host 1.2.3.4
remark LIMIT-UDP-OUT

class-map match-any LIMIT-Traffic-IN
match access-group 101

class-map match-any LIMIT-Traffic-OUT
match access-group 102

Re: Match named access-list is not supported for this interface when trying to ratelimit by output policy with trunk interface

danielchau — Mon, 19 Nov 2018 10:06:54 GMT

Hello George,

Thanks for your suggestion, now it shows

Match numbered access-list is not supported for this interface

Not sure why it only have problem of "service-policy output " only? service-policy input can apply successfully without any problem....

Re: Match named access-list is not supported for this interface when trying to ratelimit by output policy with trunk interface

Samer R. Saleem — Mon, 19 Nov 2018 11:38:53 GMT

apologies replied by mistake

Re: Match named access-list is not supported for this interface when trying to ratelimit by output policy with trunk interface

Georg Pauwen — Mon, 19 Nov 2018 12:29:24 GMT

Hello,

which interface are you applying the service policy to ?

Re: Match named access-list is not supported for this interface when trying to ratelimit by output policy with trunk interface

danielchau — Mon, 19 Nov 2018 15:08:33 GMT

Hello Georg

Basically a 1G Trunk port.

interface GigabitEthernet3/1

switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-100
switchport mode trunk
mls qos trust dscp
service-policy input LIMIT-2Mbps-IN-UDP
end

Router#sh int gigabitEthernet 3/1
GigabitEthernet3/1 is up, line protocol is up (connected)
Hardware is C6k 1000Mb 802.3, address is
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 17/255, rxload 45/255
Encapsulation ARPA, loopback not set

Re: Match named access-list is not supported for this interface when trying to ratelimit by output policy with trunk interface

Richard Burts — Mon, 19 Nov 2018 16:35:13 GMT

It looks like you are trying to apply a layer 3 access list (does not matter whether numbered or named) to an interface operating at layer 2. Where is the layer 3 interface for the device you want to control?

HTH

Rick

Re: Match named access-list is not supported for this interface when trying to ratelimit by output policy with trunk interface

danielchau — Tue, 20 Nov 2018 05:21:21 GMT

Hello Richard,

I have also tried on a layer3 port, say i have this config in the other router now

access-list 192 remark **LIMIT-UDP-OUT**
access-list 192 permit udp any host 1.2.3.4

class-map match-any LIMIT-Traffic-OUT
match access-group 192

policy-map LIMIT-6Mbps-OUT-UDP
class LIMIT-Traffic-OUT
shape average 6600000
!
!

But it now have this error.

Router (config-subif)#service-policy output LIMIT-6Mbps-OUT-UDP
shape average command is not supported in output direction for this interface
Configuration failed on GigabitEthernet5/1.3252

I am not sure if the direction is wrong? "permit udp any host 1.2.3.4" I always confusing with the output like the BGP "out" direction

Re: Match named access-list is not supported for this interface when trying to ratelimit by output policy with trunk interface

Richard Burts — Tue, 20 Nov 2018 20:01:08 GMT

Daniel

In reading through the complete discussion I realize that several of us have made a significant mistake in our suggestions. We kept focusing on the type of access list (is it named, is it numbered, is it layer 3) as the issue. But in the original post you told us that applying the policy (with its access list) works for inbound but has problems for outbound. If it works in one direction and not in the other direction then I do not see how the type of access list could make any difference. Instead we should be looking at why applying the policy outbound is a problem. And right now I do not have a good answer for that.

HTH

Rick

Re: Match named access-list is not supported for this interface when t

m.eshrair — Tue, 19 Oct 2021 13:15:01 GMT

Hi danielchau,

It is an old topic, but i'm facing the same issue with C1000 series switch. Have you managed to overcome this issue?

Thanks