Buy or Renew
Buy or Renew
COMING SOON: Umbrella and Secure Access release notes are coming to Cisco Community. The community will be in read-only August 16 – 19. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2426
Views
0
Helpful
9
Replies

Match named access-list is not supported for this interface when trying to ratelimit by output policy with trunk interface

danielchau
Level 1
Level 1

‎11-18-2018 11:34 PM - edited ‎03-08-2019 04:38 PM

Hello,

Currently have a cisco 7600 router with IOS 12.2(33)SRE12 and would like to rate limit the udp traffic from a host. Currently have this setup:

 

ip access-list extended LIMIT-UDP-IN
 remark LIMIT-UDP-IN
 permit udp host 1.2.3.4 any

!


ip access-list extended LIMIT-UDP-OUT
 remark LIMIT-UDP-OUT
 permit udp any host 1.2.3.4
!

class-map match-any LIMIT-Traffic-IN
  match access-group name LIMIT-UDP-IN

class-map match-any LIMIT-Traffic-OUT
  match access-group name LIMIT-UDP-OUT


policy-map LIMIT-2Mbps-OUT-UDP
  class LIMIT-Traffic-OUT
  police cir 3600000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop
  shape average 1600000

policy-map LIMIT-2Mbps-IN-UDP
    class LIMIT-Traffic-IN
    police cir 3600000 bc 8000 be 8000 conform-action transmit exceed-action drop violate-action drop
 
There is no problem of apply the input proicy to the interface, but when apply the output policy:

ROUTER(config-if)#service-policy output  LIMIT-2Mbps-OUT-UDP

Match named access-list is not supported for this interface

 

Would you please let me know how can i fix this?

Thanks

 

Daniel

2 people had this problem
Labels:
0 Helpful
9 Replies 9

Georg Pauwen
VIP
VIP

‎11-19-2018 12:07 AM

Hello,

 

you are running a very outdated IOS version. Try to match on a numbered access list:

 

ip access-list 101 permit udp host 1.2.3.4 any
remark LIMIT-UDP-IN

!

ip access-list 102 permit udp any host 1.2.3.4
remark LIMIT-UDP-OUT

!

class-map match-any LIMIT-Traffic-IN
match access-group 101

!

class-map match-any LIMIT-Traffic-OUT
match access-group 102

0 Helpful

danielchau
Level 1
Level 1
In response to Georg Pauwen

‎11-19-2018 02:06 AM

Hello George,

 

Thanks for your suggestion, now it shows

 


Match numbered access-list is not supported for this interface

 

Not sure why it only have problem of "service-policy output " only? service-policy input can apply successfully without any problem....

0 Helpful

Georg Pauwen
VIP
VIP
In response to danielchau

‎11-19-2018 04:29 AM

Hello,

 

which interface are you applying the service policy to ?

0 Helpful

danielchau
Level 1
Level 1
In response to Georg Pauwen

‎11-19-2018 07:07 AM - edited ‎11-19-2018 07:08 AM

Hello Georg

 

Basically a 1G Trunk port.

 

interface GigabitEthernet3/1

 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-100
 switchport mode trunk
 mls qos trust dscp
 service-policy input LIMIT-2Mbps-IN-UDP
end

 

Router#sh int gigabitEthernet 3/1
GigabitEthernet3/1 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 17/255, rxload 45/255
  Encapsulation ARPA, loopback not set

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to danielchau

‎11-19-2018 08:35 AM

It looks like you are trying to apply a layer 3 access list (does not matter whether numbered or named) to an interface operating at layer 2. Where is the layer 3 interface for the device you want to control?

 

HTH

 

Rick

HTH

Rick
0 Helpful

danielchau
Level 1
Level 1
In response to Richard Burts

‎11-19-2018 09:21 PM

Hello Richard,

 

I have also tried on a layer3 port, say i have this config in the other router now

 

access-list 192 remark **LIMIT-UDP-OUT**
access-list 192 permit udp any host 1.2.3.4

 

class-map match-any LIMIT-Traffic-OUT
  match access-group 192

 

policy-map LIMIT-6Mbps-OUT-UDP
  class LIMIT-Traffic-OUT
    shape average 6600000
!
!

 

But it now have this error.

Router (config-subif)#service-policy output  LIMIT-6Mbps-OUT-UDP
shape average command is not supported in output direction for this interface
Configuration failed on GigabitEthernet5/1.3252

 

I am not sure if the direction is wrong? "permit udp any host 1.2.3.4" I always confusing with the output like the BGP "out" direction

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to danielchau

‎11-20-2018 12:01 PM

Daniel

 

In reading through the complete discussion I realize that several of us have made a significant mistake in our suggestions. We kept focusing on the type of access list (is it named, is it numbered, is it layer 3) as the issue. But in the original post you told us that applying the policy (with its access list) works for inbound but has problems for outbound. If it works in one direction and not in the other direction then I do not see how the type of access list could make any difference. Instead we should be looking at why applying the policy outbound is a problem. And right now I do not have a good answer for that.

 

HTH

 

Rick

HTH

Rick
0 Helpful

Samer R. Saleem
Level 4
Level 4

‎11-19-2018 03:37 AM - edited ‎11-19-2018 03:38 AM

apologies replied by mistake

0 Helpful

m.eshrair
Level 1
Level 1

‎10-19-2021 06:14 AM - edited ‎10-19-2021 06:15 AM

Hi danielchau,

 

It is an old topic, but i'm facing the same issue with C1000 series switch. Have you managed to overcome this issue?

 

 

Thanks 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card