cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2123
Views
0
Helpful
6
Replies

Empty ACL referring to class-map

Heinz Kern
Level 1
Level 1

i´m not able to test at the moment.

what does this command do

policy-map TEST

class TEST

set ip dscp ef

class-map match-all TEST

match access-group name TEST

ip access-list extended TEST

the ACL doesn´t have an entry. does the ACL hit every traffic meaning that every traffic is marked with EF? or isn´t there any hit at all?

6 Replies 6

Abzal
Level 7
Level 7

Hi,

I believe if packet does not match to any defined class in policy-map it will match to class-default. In your situation it means that packets will not match to class TEST because there is no ACL configured and as result will not be marked with EF.

Hope it will help.

Best regards,
Abzal

Best regards,
Abzal

hi,

but an ACL is configured. the only point is that this ACL is empty

Hello, I believe if an ACL has no entries, it's followed by the implicit deny, therefor none of the packets will be classed.

If you had a permit any any, this will class all packets and will be treated accordingly to the policy set.
Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

this is not always true: having a route-map with an ACL which is empty allows everything.

My apologies, you are correct, at least 1 entry needs to be applied before implicit deny.
Tested on an interface and allowed all packets, however this won't work in the class-map since there is an undefined ACL with no entries to match packets with.

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Heinz,

I believe that this also true for empty ACL configured under class-map. Actually I've tested it on a lab and I saw that all packets didn't match to above class. If your routers connected directly you can test by yourself just put on the interface connected to the above router policy-map:

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsaclseq.html#wp1036808

http://ieoc.com/forums/p/16348/135645.aspx

policy-map TEST

class TEST

set ip dscp ef

class-map match-all TEST

match ip dscp ef

Then verify:

sh service-policy interface x

Hope it will help.

Best regards,
Abzal

Best regards,
Abzal
Review Cisco Networking for a $25 gift card