10-24-2012 06:19 AM - edited 03-07-2019 09:39 AM
In configuring Control Plane Policing (CPP), I use ACLs to filter packets; not all packets pass the permit statements and thus are denied. How do I see which OTHER packets are being denied? I tried to add the “LOG” keyword to the end of the deny statement, but IOS provided an error message stating that LOG is not an option in class-maps.
ERROR MESSAGE:
R(config-ext-nacl)#110 deny tcp any any log
class-map COPP_3 : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map COPP_3 will not work properly
Anyone know a way to show which packets are being denied?
SAMPLE:
class-map match-any COPP_3
match access-group name MVID
!
class COPP_3
police 768000 192000 conform-action transmit exceed-action drop
!
!
!
ip access-list extended MVID
remark _____________________________VER.2
permit udp any host 224.0.1.1 eq ntp
permit udp 172.16.1.0 0.0.0.255 host 239.255.0.1 eq 5004
permit udp 172.16.1.0 0.0.0.255 any eq 5004
permit udp 172.0.0.0 0.255.255.255 any eq 5004
remark ------ PIM L3 Neighbor (PE3)
permit pim host 172.17.30.2 host 224.0.0.13
remark ------ Anycast RP (HUB1 or HUB2)
permit udp 172.31.255.0 0.0.0.255 eq pim-auto-rp host 224.0.1.39 eq pim-auto-rp
permit udp 172.16.0.0 0.0.0.255 eq pim-auto-rp host 224.0.1.39 eq pim-auto-rp
remark ------ Phantom-RP HUB1 F0/0.100
permit udp host 172.16.10.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp
remark ------ Phantom-RP HUB2 F0/0.200
permit udp host 172.16.20.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp
remark ------ LLMNR
deny ip any host 224.0.0.252
deny tcp any any
deny udp any any
deny ip any any
R#sh ip access-list MVID
Extended IP access list MVID
10 permit udp any host 224.0.1.1 eq ntp
20 permit udp 172.16.1.0 0.0.0.255 host 239.255.0.1 eq 5004
30 permit udp 172.16.1.0 0.0.0.255 any eq 5004
40 permit udp 172.0.0.0 0.255.255.255 any eq 5004
50 permit pim host 172.17.30.2 host 224.0.0.13 (20 matches)
60 permit udp 172.31.255.0 0.0.0.255 eq pim-auto-rp host 224.0.1.39 eq pim-auto-rp (2 matches)
70 permit udp 172.16.0.0 0.0.0.255 eq pim-auto-rp host 224.0.1.39 eq pim-auto-rp (2 matches)
80 permit udp host 172.16.10.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp (8 matches)
90 permit udp host 172.16.20.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp (9 matches)
100 deny ip any host 224.0.0.252
110 deny tcp any any (15 matches)
120 deny udp any any (12 matches)
130 deny ip any any (66 matches)
Regards
Frank
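
The per-entry hit counters in the `show ip access-list MVID` output above can be compared between two captures to see which deny entry is absorbing traffic, though not the packets themselves. The following is an added example, not part of the original post: it parses two snapshots and reports the deny entries whose counters grew. The first snapshot reuses lines from the post; the second snapshot and the function names are constructed for illustration.

```python
import re

# One ACE line of `show ip access-list`: sequence number, action, rule text,
# and an optional "(N matches)" hit counter at the end of the line.
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+)\s+match(?:es)?\))?\s*$"
)

def parse_acl(text):
    """Return {seq: (action, rule, matches)} for every ACE line in text."""
    entries = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, action, rule, hits = m.groups()
            # An entry with no counter shown has not been hit yet.
            entries[int(seq)] = (action, rule, int(hits or 0))
    return entries

def deny_growth(before, after):
    """List (seq, rule, delta) for deny ACEs whose counter grew, largest first."""
    old, new = parse_acl(before), parse_acl(after)
    grown = []
    for seq, (action, rule, hits) in new.items():
        delta = hits - old.get(seq, (action, rule, 0))[2]
        if action == "deny" and delta > 0:
            grown.append((seq, rule, delta))
    return sorted(grown, key=lambda e: -e[2])

# First snapshot: lines copied from the output in the post.
SNAP_1 = """\
 90 permit udp host 172.16.20.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp (9 matches)
 100 deny ip any host 224.0.0.252
 110 deny tcp any any (15 matches)
 120 deny udp any any (12 matches)
 130 deny ip any any (66 matches)
"""
# Second snapshot: constructed counter values, for illustration only.
SNAP_2 = """\
 90 permit udp host 172.16.20.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp (11 matches)
 100 deny ip any host 224.0.0.252 (3 matches)
 110 deny tcp any any (15 matches)
 120 deny udp any any (40 matches)
 130 deny ip any any (71 matches)
"""

if __name__ == "__main__":
    for seq, rule, delta in deny_growth(SNAP_1, SNAP_2):
        print(f"seq {seq}: deny {rule}  +{delta}")
```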