07-28-2009 07:26 AM - edited 03-04-2019 05:34 AM
I had configured an access list but I haven't applied it anywhere; still it is showing drops. If it is removed there will not be any drops.
There, the existing network is 202.148.202.128/26.
EDGE1(config)#ip access-list standard 98
EDGE1(config-std-nacl)#permit 202.148.202.138 0.0.0.0
EDGE1(config-std-nacl)#exit
EDGE1(config)#exit
EDGE1#sh ip access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (14 matches)
After creating the above standard access-list (still not applied anywhere), when the ping response was checked, heavy packet drops were observed:
EDGE1#ping ip
Target IP address: 202.148.202.138
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!.
Success rate is 97 percent (152/156), round-trip min/avg/max = 1/1/4 ms
-------------------------------------------------------------------------------------
When the standard access-list was removed, ping response was normal:
EDGE1#conf t
EDGE1(config)#no ip access-list standard 98
EDGE1(config)#exit
EDGE1#sh ip access-lists 98
EDGE1#ping ip
Target IP address: 202.148.202.138
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/1/16 ms
07-28-2009 09:05 AM
Hello Mahesh,
Be aware that you have created a named ACL with a name="98", like a numeric ACL. I would avoid this.
access-list 98 permit host 202.148.202.138
This is the original numeric ACL that you can still configure on a device.
The one you have configured is actually a named standard ACL.
Hope to help
Giuseppe
07-28-2009 08:36 PM
Hi all,
Still I am getting the same drops... also the CPU utilisation is getting higher. Once I've created an access list, it immediately started increasing the matches to about 500-600 even though it is not applied anywhere.
EDGE1(config)#access-list 98 permit hos
EDGE1(config)#access-list 98 permit host 202.148.202.138
EDGE1(config)#end
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#sh access-lists 98
Standard IP access list 98
10 permit 202.148.202.138 (56 matches)
EDGE1#ping ip
Target IP address: 202.148.202.138
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (98/100), round-trip min/avg/max = 1/1/4 ms
EDGE1#100
% Unknown command or computer name, or unable to find computer address
EDGE1#ping ip
Target IP address: 202.148.202.138
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 202.148.202.138, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (98/100), round-trip min/avg/max = 1/1/4 ms
EDGE1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
EDGE1(config)#no access-list 98 permit host 202.148.202.138
EDGE1(config)#end
07-28-2009 09:23 PM
Hi ,
Also I've seen the configuration like
class-map match-all SNMP
 match access-group 98
policy-map SNMPRESTRICT
 class SNMP
  police cir 128000 pir 130000 conform-action transmit exceed-action drop
control-plane
 service-policy input SNMPRESTRICT
What's the impact of the above configs???
07-30-2009 05:01 AM
Mahesh
The impact of the above config is to contradict your statement that the access list was not applied. This statement: "match access-group 98" is applying access list 98 and using it to identify traffic which will be policed with the exceed-action of drop. So this is a clear explanation of why you are seeing drops when you create access list 98. If the traffic that matches access list 98 exceeds the configured threshold then that traffic will be dropped.
HTH
Rick
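Added example (not part of the thread and not Cisco code): a small Python audit that follows an ACL through class-map, policy-map and service-policy lines to show where it is actually in force, which is the chain the last reply describes. The sample config is constructed from the fragments quoted in the thread, with running-config indentation assumed; the function name `acl_references` is hypothetical.

```python
import re

# Constructed sample: the fragments quoted in the thread joined into one config,
# indented the way a running-config is (an assumption of this example).
SAMPLE_CONFIG = """\
access-list 98 permit host 202.148.202.138
class-map match-all SNMP
 match access-group 98
policy-map SNMPRESTRICT
 class SNMP
  police cir 128000 pir 130000 conform-action transmit exceed-action drop
control-plane
 service-policy input SNMPRESTRICT
"""

def acl_references(config, acl):
    """Return (class-map, policy-map, attach point, direction) chains using `acl`."""
    class_acls, policy_classes, attachments = {}, {}, []
    section = None  # (kind, name) of the top-level block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # an unindented command opens a new section
            words = line.split()
            if words[0] in ("class-map", "policy-map"):
                section = (words[0], words[-1])
            else:
                section = ("attach", line)  # interface ..., control-plane, ...
            continue
        if section is None:
            continue
        kind, name = section
        m = re.match(r"match access-group (?:name )?(\S+)$", line)
        if kind == "class-map" and m:
            class_acls.setdefault(name, set()).add(m.group(1))
        m = re.match(r"class (\S+)$", line)
        if kind == "policy-map" and m:
            policy_classes.setdefault(name, set()).add(m.group(1))
        m = re.match(r"service-policy (input|output) (\S+)$", line)
        if kind == "attach" and m:
            attachments.append((name, m.group(1), m.group(2)))
    return [(cls, policy, where, direction)
            for where, direction, policy in attachments
            for cls in sorted(policy_classes.get(policy, ()))
            if acl in class_acls.get(cls, ())]

if __name__ == "__main__":
    for chain in acl_references(SAMPLE_CONFIG, "98"):
        print("ACL 98 is used by class-map %s in policy-map %s on %s (%s)" % chain)
```

An empty result means no attached policy references the ACL; a dangling `match access-group` like the one here becomes live the moment an ACL with that number or name is created.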