cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Community Live
302
Views
0
Helpful
2
Replies
liuluht
Beginner

% match access-group is not allowed in class tietong on GigabitEthernet1/0

I used to apply the policy-map on interface POS 4/0 on CISCO 12008 。POS4/0 is a uplink interface 。But when I changed the policy-map to G1/0 .(interface  G1/0 is connect to MAN) ,I got a message  “% match access-group is not allowed in class tietong on GigabitEthernet1/0”

I want to konw in what condition does the message appear ?

Policy-Map limit-campus

    Class tietong

      police   8500000 265625 265625 conform-action transmit  exceed-action drop  

Class Map match-all  tietong (id 10)

   Match access-group 164

Extended IP access list 164

    permit ip any 210.45.192.0 0.0.15.255

    permit ip 210.45.192.0 0.0.15.255 any (1 match)

1 ACCEPTED SOLUTION

Accepted Solutions
Giuseppe Larosa
Hall of Fame Master

Hello Liuluht@163.com,

with C12000 the features that are available are highly dependent on the type of linecard involved.

What type of linecard is in slot 1?

For example 3 GE engine2 linecards miss many edge features and are good for backbone links.

4GE engine3 linecards have much more features and can be used on edge.

The POS port may be part of a linecard with a different engine model, so this may explain what you see.

Hope to help

Giuseppe

View solution in original post

2 REPLIES 2
Giuseppe Larosa
Hall of Fame Master

Hello Liuluht@163.com,

with C12000 the features that are available are highly dependent on the type of linecard involved.

What type of linecard is in slot 1?

For example 3 GE engine2 linecards miss many edge features and are good for backbone links.

4GE engine3 linecards have much more features and can be used on edge.

The POS port may be part of a linecard with a different engine model, so this may explain what you see.

Hope to help

Giuseppe

View solution in original post

ajstadlin
Beginner

I was not able to get "ip access-list extended" to work with class-maps in IOS 15.1(4)M4.  You may get around that issue by using the access-list numbering instead of names like "ip access-list extended myacl164"

As a work  around, I used the following for something like you want to do:

access-list 2164 permit ip any 210.45.192.0 0.0.15.255

access-list 2164 permit ip 210.45.192.0 0.0.15.255 any

class-map match-all tietong

match access-group 2164

exit

If you type "access-list ?" at the IOS command prompt, it will tell you the extended access-list number ranges.  The extended range for extended access-lists is 2000-2699.  For class-map match access-group statements, I am not able to use "ip access-list" names; so I just use "access-list" numbers for class-maps.  Named access lists would be great to use in class-maps when the feature is implemented there.  After all, it works in my route-maps.

REVISED

Nov 27, 2012:   I found an example for using the named access-list in class-maps in a Cisco ZBF Configuration Example document.  I haven't tested it, but it probably will work.  For example:

class-map match-all tietong

match access-group name myacl164

exit