Match named access-list is not supported for this interface when trying to rate-limit by output policy with trunk interface

danielchau
Level 1

Hello,

I currently have a Cisco 7600 router with IOS 12.2(33)SRE12 and would like to rate-limit the UDP traffic from a host. I currently have this setup:

ip access-list extended LIMIT-UDP-IN
 remark LIMIT-UDP-IN
 permit udp host 1.2.3.4 any
!
ip access-list extended LIMIT-UDP-OUT
 remark LIMIT-UDP-OUT
 permit udp any host 1.2.3.4
!
class-map match-any LIMIT-Traffic-IN
 match access-group name LIMIT-UDP-IN

class-map match-any LIMIT-Traffic-OUT
 match access-group name LIMIT-UDP-OUT

policy-map LIMIT-2Mbps-OUT-UDP
 class LIMIT-Traffic-OUT
  police cir 3600000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop
  shape average 1600000

policy-map LIMIT-2Mbps-IN-UDP
 class LIMIT-Traffic-IN
  police cir 3600000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop

There is no problem applying the input policy to the interface, but when applying the output policy:

ROUTER(config-if)#service-policy output  LIMIT-2Mbps-OUT-UDP

Match named access-list is not supported for this interface

 

Would you please let me know how I can fix this?

Thanks

 

Daniel

9 Replies

Hello,

 

You are running a very outdated IOS version. Try to match on a numbered access list:

access-list 101 remark LIMIT-UDP-IN
access-list 101 permit udp host 1.2.3.4 any
!
access-list 102 remark LIMIT-UDP-OUT
access-list 102 permit udp any host 1.2.3.4
!
class-map match-any LIMIT-Traffic-IN
 match access-group 101
!
class-map match-any LIMIT-Traffic-OUT
 match access-group 102

Hello George,

 

Thanks for your suggestion. Now it shows:

 


Match numbered access-list is not supported for this interface

 

Not sure why it only has a problem with "service-policy output"? service-policy input can be applied successfully without any problem.

Hello,

 

Which interface are you applying the service policy to?

Hello Georg

 

Basically a 1G trunk port.

interface GigabitEthernet3/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-100
 switchport mode trunk
 mls qos trust dscp
 service-policy input LIMIT-2Mbps-IN-UDP
end

Router#sh int gigabitEthernet 3/1
GigabitEthernet3/1 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 17/255, rxload 45/255
  Encapsulation ARPA, loopback not set

It looks like you are trying to apply a layer 3 access list (does not matter whether numbered or named) to an interface operating at layer 2. Where is the layer 3 interface for the device you want to control?

 

HTH

 

Rick

Hello Richard,

 

I have also tried on a layer 3 port; say I have this config in the other router now:

 

access-list 192 remark **LIMIT-UDP-OUT**
access-list 192 permit udp any host 1.2.3.4

 

class-map match-any LIMIT-Traffic-OUT
  match access-group 192

 

policy-map LIMIT-6Mbps-OUT-UDP
  class LIMIT-Traffic-OUT
    shape average 6600000
!
!

 

But it now has this error.

Router (config-subif)#service-policy output  LIMIT-6Mbps-OUT-UDP
shape average command is not supported in output direction for this interface
Configuration failed on GigabitEthernet5/1.3252

 

I am not sure if the direction is wrong. "permit udp any host 1.2.3.4": I always get confused with the output, like the BGP "out" direction.

Daniel
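The two rejections quoted in this thread, and the "which way is output?" question above, as an added example that is not part of the thread or of any Cisco tool: a small Python lint over an IOS QoS snippet. `SAMPLE_CONFIG` is constructed from the posts (the body of the `GigabitEthernet5/1.3252` sub-interface is assumed), and the two lint rules, along with every function name here, are my own and are derived only from the error messages quoted in the thread, not from a full model of what the 7600 PFC supports. `expected_host_field` states the general rule that policy direction is relative to the interface, not to the host, and `acl_host_fields` checks where a given ACE actually places the host.

```python
"""Added example, not code from the thread: lint an IOS QoS snippet for the two
rejections quoted in the posts and settle the "which way is output?" question.
The lint rules are heuristics taken from the error text in the thread, not a
model of everything the 7600 PFC does or does not support."""

# Constructed from the thread's posts; the sub-interface body is assumed.
SAMPLE_CONFIG = """\
ip access-list extended LIMIT-UDP-OUT
 permit udp any host 1.2.3.4
class-map match-any LIMIT-Traffic-OUT
  match access-group name LIMIT-UDP-OUT
policy-map LIMIT-2Mbps-OUT-UDP
  class LIMIT-Traffic-OUT
  police cir 3600000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop
  shape average 1600000
policy-map LIMIT-6Mbps-OUT-UDP
  class LIMIT-Traffic-OUT
    shape average 6600000
interface GigabitEthernet3/1
 switchport
 switchport mode trunk
 service-policy output LIMIT-2Mbps-OUT-UDP
interface GigabitEthernet5/1.3252
 service-policy output LIMIT-6Mbps-OUT-UDP
"""


def sections(cfg):
    """(header, indented sub-lines) blocks of an IOS config; '!' lines skipped."""
    out = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and out:
            out[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            out.append((raw.strip(), []))
    return out


def build_model(cfg):
    """Return acls, class -> ACL names, policy -> {class: actions}, interfaces."""
    acls, classes, policies, interfaces = {}, {}, {}, {}
    for header, body in sections(cfg):
        w = header.split()
        if w[:3] == ["ip", "access-list", "extended"]:
            acls[w[3]] = [l for l in body if l.split()[0] in ("permit", "deny")]
        elif w[0] == "class-map":
            classes[w[-1]] = [l.split()[-1] for l in body if "access-group" in l]
        elif w[0] == "policy-map":
            cls, pol = None, policies.setdefault(w[1], {})
            for l in body:
                if l.startswith("class "):
                    cls = l.split()[1]
                    pol[cls] = []
                elif cls is not None:
                    pol[cls].append(l)
        elif w[0] == "interface":
            interfaces[w[1]] = {
                "switchport": any(l.split()[0] == "switchport" for l in body),
                "policies": [tuple(l.split()[1:3]) for l in body
                             if l.startswith("service-policy")]}
    return acls, classes, policies, interfaces


def lint(cfg):
    """(interface, policy, reason) for attachments the thread shows rejected."""
    _, classes, policies, interfaces = build_model(cfg)
    findings = []
    for ifname, info in interfaces.items():
        for direction, pname in info["policies"]:
            if direction != "output":
                continue  # the thread's input attachments went through
            for cname, actions in policies.get(pname, {}).items():
                if info["switchport"] and classes.get(cname):
                    findings.append((ifname, pname, "match access-group in an "
                        "output policy on a switchport (thread: 'Match ... "
                        "access-list is not supported for this interface')"))
                if any(a.startswith("shape") for a in actions):
                    findings.append((ifname, pname, "shape in an output policy "
                        "(thread: 'shape average command is not supported in "
                        "output direction for this interface')"))
    return findings


def expected_host_field(direction, interface_faces_host):
    """Direction is relative to the interface, not the host: frames leaving an
    interface that faces the host are addressed *to* it (destination), frames
    entering it come *from* it (source); on an uplink the roles swap."""
    toward_host = (direction == "output") == interface_faces_host
    return "destination" if toward_host else "source"


def acl_host_fields(ace, host):
    """Fields ('source'/'destination') in which an extended ACE names `host`."""
    w, i, found = ace.split(), 2, []   # ACE: action proto src [mask] dst [mask]
    for name in ("source", "destination"):
        if w[i] == "any":
            i += 1
        else:
            if w[i] == "host" and w[i + 1] == host:
                found.append(name)
            i += 2  # 'host X' or 'network wildcard' both take two tokens
    return found
```

Run `lint(SAMPLE_CONFIG)` and it reports both problems on `GigabitEthernet3/1` (an ACL-matching class in an output policy on a switchport, plus `shape`) and only the `shape` problem on the routed sub-interface. For the direction question, `acl_host_fields("permit udp any host 1.2.3.4", "1.2.3.4")` returns `["destination"]`, which is what `expected_host_field("output", True)` asks for on a port that faces the host; on an uplink facing away from the host the same output policy would need the host in the source field instead.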

 

In reading through the complete discussion I realize that several of us have made a significant mistake in our suggestions. We kept focusing on the type of access list (is it named, is it numbered, is it layer 3) as the issue. But in the original post you told us that applying the policy (with its access list) works for inbound but has problems for outbound. If it works in one direction and not in the other direction then I do not see how the type of access list could make any difference. Instead we should be looking at why applying the policy outbound is a problem. And right now I do not have a good answer for that.

 

HTH

 

Rick

Samer R. Saleem
Level 4

apologies replied by mistake

m.eshrair
Level 1

Hi danielchau,

 

It is an old topic, but I'm facing the same issue with a C1000 series switch. Have you managed to overcome this issue?

Thanks