09-21-2021 10:47 AM
When I set up control plane policing to restrict access to the router, I cannot ping local interfaces.
Configuration below:
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 100 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 echo
access-list 100 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 echo-reply
access-list 100 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 port-unreachable
access-list 100 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 unreachable
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit ip any any
class-map match-all local-cmap
 match access-group 100
 exit
class-map match-all catch-all-ip-cmap
 match access-group 101
 exit
policy-map copp-pmap
 class local-cmap
  police 100000 20000 20000 conform-action transmit exceed-action drop
  exit
 exit
 class catch-all-ip-cmap
  police 8000 1500 1500 conform-action drop exceed-action drop
  exit
 exit
 class class-default
  police 8000 1500 1500 conform-action transmit exceed-action transmit
  exit
 exit
exit
control-plane
 service-policy input copp-pmap
 exit
I notice that if I add the following entry to the access list
access-list 100 permit icmp host 192.168.1.1 192.168.1.0 0.0.0.255 echo
then ping works.
I used the Datapath Packet Trace feature to debug, and I found where the packet is dropped, but I do not know how to fix it.
I have a C1111-4P with software version 16.12.03.
I would be glad for any help.
Packet Trace result:
sh platform packet-trace summary
Pkt   Input                     Output                    State  Reason
0     Gi0/1/0                   Vl1                       CONS   Packet Consumed
1     Vl1                       internal0/0/recycle:0     DROP   20  (QosPolicing)
2     Gi0/1/0                   Vl1                       CONS   Packet Consumed
3     Vl1                       internal0/0/recycle:0     DROP   20  (QosPolicing)
4     Gi0/1/0                   Vl1                       CONS   Packet Consumed
5     Vl1                       internal0/0/recycle:0     DROP   20  (QosPolicing)
6     Gi0/1/0                   Vl1                       CONS   Packet Consumed
7     Vl1                       internal0/0/recycle:0     DROP   20  (QosPolicing)
sh platform packet-trace packet 0
Packet: 0           CBUG ID: 0
Summary
  Input     : GigabitEthernet0/1/0
  Output    : Vlan1
  State     : CONS Packet Consumed
  Timestamp
    Start   : 321963541880 ns (09/19/2021 17:01:08.805101 UTC)
    Stop    : 321963621360 ns (09/19/2021 17:01:08.805181 UTC)
Path Trace
  Feature: IPV4(Input)
    Input       : GigabitEthernet0/1/0
    Output      : <unknown>
    Source      : 192.168.1.2
    Destination : 192.168.1.1
    Protocol    : 1 (ICMP)
  Feature: DEBUG_COND_INPUT_PKT
    Entry       : Input - 0x10e707b8
    Input       : GigabitEthernet0/1/0
    Output      : <unknown>
    Lapsed time : 213 ns
  Feature: L2_ES_INPUT_CONTROL_CHECK
    Entry       : Input - 0x10e8b904
    Input       : GigabitEthernet0/1/0
    Output      : <unknown>
    Lapsed time : 280 ns
  Feature: L2_INPUT_SVI_LOOKUP
    Entry       : Input - 0x10e8b90c
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 1240 ns
  Feature: IPV4_INPUT_DST_LOOKUP_ISSUE
    Entry       : Input - 0x10e8aa54
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 293 ns
  Feature: IPV4_INPUT_ARL_SANITY
    Entry       : Input - 0x10e72188
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 626 ns
  Feature: CBUG_INPUT_FIA
    Entry       : Input - 0x10e707a0
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 53 ns
  Feature: DEBUG_COND_INPUT_PKT
    Entry       : Input - 0x10e707b8
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 93 ns
  Feature: IPV4_INPUT_DST_LOOKUP_CONSUME
    Entry       : Input - 0x10e8aa50
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 280 ns
  Feature: IPV4_INPUT_FOR_US_MARTIAN
    Entry       : Input - 0x10e8aa5c
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 4573 ns
  Feature: DEBUG_COND_APPLICATION_IN
    Entry       : Input - 0x10e707ac
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 133 ns
  Feature: DEBUG_COND_APPLICATION_IN_CLR_TXT
    Entry       : Input - 0x10e707a8
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 80 ns
  Feature: ICMPV4(Input)
    Input       : Vlan1
    Output      : <unknown>
    Type        : 8 (Echo)
    Code        : 0 (No Code)
  Feature: STILE_LEGACY_DROP
    Entry       : Input - 0x10fde82c
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 480 ns
  Feature: INGRESS_MMA_LOOKUP_DROP
    Entry       : Input - 0x10fda0e4
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 480 ns
  Feature: INPUT_DROP_FNF_AOR
    Entry       : Input - 0x10e888dc
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 426 ns
  Feature: INPUT_FNF_DROP
    Entry       : Input - 0x10e74e68
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 680 ns
  Feature: INPUT_DROP_FNF_AOR_RELEASE
    Entry       : Input - 0x10e888d8
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 440 ns
  Feature: INPUT_DROP
    Entry       : Input - 0x10e6e62c
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 93 ns
  Feature: IPV4_INPUT_LOOKUP_PROCESS
    Entry       : Input - 0x10e8aa68
    Input       : Vlan1
    Output      : <unknown>
    Lapsed time : 11653 ns
sh platform packet-trace packet 1
Packet: 1           CBUG ID: 1
Summary
  Input     : Vlan1
  Output    : internal0/0/recycle:0
  State     : DROP 20  (QosPolicing)
  Timestamp
    Start   : 321963765720 ns (09/19/2021 17:01:08.805325 UTC)
    Stop    : 321963805360 ns (09/19/2021 17:01:08.805365 UTC)
Path Trace
  Feature: IPV4(Output)
    Input       : Vlan1
    Output      : internal0/0/recycle:0
    Source      : 192.168.1.1
    Destination : 192.168.1.2
    Protocol    : 1 (ICMP)
  Feature: DEBUG_COND_MAC_EGRESS_EXT
    Entry       : Output - 0x10e707c0
    Input       : Vlan1
    Output      : internal0/0/recycle:0
    Lapsed time : 306 ns
  Feature: DEBUG_COND_APPLICATION_OUT_CLR_TXT_EXT
    Entry       : Output - 0x10e707b0
    Input       : Vlan1
    Output      : internal0/0/recycle:0
    Lapsed time : 13 ns
  Feature: DEBUG_COND_APPLICATION_OUT_EXT
    Entry       : Output - 0x10e707b4
    Input       : Vlan1
    Output      : internal0/0/recycle:0
    Lapsed time : 80 ns
  Feature: IPV4_INTERNAL_ARL_SANITY_EXT
    Entry       : Output - 0x10e72190
    Input       : Vlan1
    Output      : internal0/0/recycle:0
    Lapsed time : 413 ns
  Feature: IPV4_VFR_REFRAG_EXT
    Entry       : Output - 0x10e8b000
    Input       : Vlan1
    Output      : internal0/0/recycle:0
    Lapsed time : 200 ns
  Feature: QOS
    Direction        : Egress
    Action           : DROP PKT
    Drop Cause       : POLICE DROP
    Policy name      : copp-pmap
    Class name       : catch-all-ip-cmap
  Feature: IPV4_OUTPUT_QOS_EXT
    Entry       : Output - 0x10e8cb0c
    Input       : Vlan1
    Output      : internal0/0/recycle:0
    Lapsed time : 10840 ns
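As an added dry-run (not code from the original post or from Cisco), the script below parses the ACLs and policy-map transcribed from this post and reports which class, and therefore which police action, each of the two packet directions in the trace lands in. Assumptions: matching is on protocol and source/destination addresses only, because the trace does not record the ICMP type of the recycled reply (so the echo/echo-reply and "eq 443" qualifiers are parsed but ignored), and police rates are ignored because a single packet always conforms. It models the ACL classification only; it does not model why this platform runs the router-sourced reply through the control-plane input policy, which is what the trace shows.

```python
"""Dry-run of the posted CoPP classification against the two packets in the trace.

Added example, not code from the original post. Assumptions: matching on
protocol and addresses only (ICMP type and port qualifiers are ignored), and
police rates are ignored (a single packet always conforms).
"""
import ipaddress
from dataclasses import dataclass

# ACLs transcribed from the original post.
POSTED_ACL = """
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 100 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 echo
access-list 100 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 echo-reply
access-list 100 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 port-unreachable
access-list 100 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 unreachable
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit ip any any
"""
# The line the poster had to add for ping to work.
EXTRA_LINE = "access-list 100 permit icmp host 192.168.1.1 192.168.1.0 0.0.0.255 echo"

# policy-map copp-pmap in configured order: (class, ACL it matches, conform-action).
# class-default matches whatever the earlier classes did not.
POLICY = [("local-cmap", "100", "transmit"),
          ("catch-all-ip-cmap", "101", "drop"),
          ("class-default", None, "transmit")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "icmp", "tcp" or "udp"


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _addr(tokens):
    """Pop one IOS address spec ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD') as a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    if wildcard & (wildcard + 1):
        raise ValueError("non-contiguous wildcard masks are not handled")
    return ipaddress.ip_network(f"{tok}/{32 - wildcard.bit_length()}", strict=False)


def parse_acl(text):
    """Return {acl_number: [Ace, ...]}, preserving the order of the lines."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        rest = t[4:]
        src, dst = _addr(rest), _addr(rest)  # trailing qualifiers left in rest are ignored
        acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst))
    return acls


def acl_permits(aces, pkt):
    """First matching entry wins; an IOS ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in aces:
        if ace.proto in (pkt.proto, "ip") and s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def classify(pkt, acls, policy=POLICY):
    """Return (class name, police action) for the first class whose ACL permits pkt."""
    for cname, acl, action in policy:
        if acl is None or acl_permits(acls.get(acl, []), pkt):
            return cname, action
    raise ValueError("policy has no class-default")


def trace_verdicts(with_extra_line=False):
    """Classify the two directions seen in the poster's packet trace."""
    text = POSTED_ACL + (EXTRA_LINE + "\n" if with_extra_line else "")
    acls = parse_acl(text)
    request = Packet("192.168.1.2", "192.168.1.1", "icmp")  # packet 0: host -> router
    reply = Packet("192.168.1.1", "192.168.1.2", "icmp")    # packet 1: router -> host
    return {"request": classify(request, acls), "reply": classify(reply, acls)}


if __name__ == "__main__":
    for extra in (False, True):
        print("with extra line:" if extra else "as posted:", trace_verdicts(extra))
```

Run as posted, the reply lands in catch-all-ip-cmap with action drop, which is the "POLICE DROP" the QOS feature reports for packet 1; with the extra line it lands in local-cmap. The audit point for any CoPP policy of this shape: every entry in ACL 100 names the router as the destination, so a packet the router itself sources has nothing to match and falls through to the catch-all class, whose conform-action is drop.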
		09-21-2021 02:40 PM
Hello,
are you asking a question, or is this an observation (as you have provided the solution yourself)?
--> access-list 100 permit icmp host 192.168.1.1 192.168.1.0 0.0.0.255 echo
This line is necessary for the ping to work...
09-22-2021 03:43 AM
Hi Georg
I'm also curious why this isn't working.
I suppose 192.168.1.1 is the local router, and 192.168.1.2 is something outside that is generating the ping. Maybe burkot can verify that this is the case.
The service-policy is applied in the input direction on the control plane, so I can't see the need for that extra access-list entry. An explanation may be needed for us to understand that.
/Mikael
09-22-2021 11:53 AM
The router has the 192.168.1.1 address.
I have a second router with a policy on the control plane without this extra line, and ping works.
I do not know why I need to add this extra line. Maybe my router is broken.
Why is this not enough:
access-list 100 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 echo
access-list 100 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 echo-reply
09-22-2021 01:18 PM
Hello,
--> access-list 100 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 echo
With this line, you would only be able to ping 192.168.1.1, does this work then?
--> access-list 100 permit icmp host 192.168.1.1 192.168.1.0 0.0.0.255 echo
With this line, you would be able to ping any interface in the 192.168.1.0/24 range...
09-23-2021 04:33 AM - edited 09-23-2021 04:36 AM
--> access-list 100 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 echo
With this line, you would only be able to ping 192.168.1.1, does this work then?
I cannot ping 192.168.1.1.
When I change it to
--> access-list 100 permit icmp host 192.168.1.1 192.168.1.0 0.0.0.255 echo
then it does.