09-13-2017 03:06 AM - edited 03-08-2019 12:00 PM
Dear All,
Please help me to solve this problem. I want to limit every VLAN to a limited bandwidth, so there's no conflict in taking each other's bandwidth. But after I've entered these commands and checked show policy-map interface, there is no traffic in my classes; all traffic goes to class-default.
Service-policy output: physical
Class-map: global (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name globalip
0 packets, 0 bytes
5 minute rate 0 bps
police:
cir 13000000 bps, bc 1000000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps
Class-map: wifiGO (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name goip
0 packets, 0 bytes
5 minute rate 0 bps
police:
cir 1000000 bps, bc 100000 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps
Class-map: office (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name officeIP
police:
rate 14000000 bps, burst 437500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps
Class-map: class-default (match-any)
9009793 packets, 2109890446 bytes
5 minute offered rate 2120000 bps, drop rate 0000 bps
class-map match-all office
match access-group name officeIP
class-map match-any global
match access-group name globalip
class-map match-any wifiGO
match access-group name goip
!
policy-map physical
class global
police cir 13000000 bc 1000000
conform-action transmit
exceed-action drop
class wifiGO
police cir 1000000 bc 100000
conform-action transmit
exceed-action drop
class office
police rate 14000000
conform-action transmit
exceed-action drop
ip access-list extended globalip
permit ip 10.101.0.0 0.0.255.255 any
permit ip 10.102.0.0 0.0.255.255 any
permit ip 10.103.0.0 0.0.255.255 any
permit ip 10.104.0.0 0.0.255.255 any
ip access-list extended officeIP
permit ip 192.168.81.0 0.0.0.255 any
permit ip 192.168.82.0 0.0.0.255 any
permit ip 192.168.83.0 0.0.0.255 any
permit ip 192.168.84.0 0.0.0.255 any
permit ip 192.168.85.0 0.0.0.255 any
permit ip 192.168.86.0 0.0.0.255 any
permit ip 192.168.87.0 0.0.0.255 any
permit ip 192.168.88.0 0.0.0.255 any
permit ip 192.168.89.0 0.0.0.255 any
ip access-list extended goip
permit ip 10.108.0.0 0.0.0.255 any
09-13-2017 06:22 AM
09-13-2017 06:56 PM
The police is used for ingress and egress.
I'm actually using match-any in any of my class-maps.
I am testing match-all in one of my class-maps, but there's no effect.
Here's the interface:
interface GigabitEthernet0/0
no ip address
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.111
encapsulation dot1Q 111
ip address <ip public>
ip access-group blocking_port out
ip nat outside
ip virtual-reassembly in
service-policy output physical
!
09-14-2017 06:16 AM
Ah, you're doing NAT! I don't recall for sure, but an egress policy, with NAT, might be "seeing" IPs after they have been NATted.
Correct, with only one statement in your class maps, match-any and match-all won't differ. However, if you add additional statements, match-any logically does an OR between them while match-all logically does an AND between them.
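An added illustration, not part of the thread and not Cisco code: a Python model of the posted ACLs and class order, showing why every counter would land in class-default if the egress policy classifies on the post-NAT source address, as the reply above suspects. The public address 203.0.113.10 and the inside hosts are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# ACLs copied from the thread: (network, wildcard mask) pairs, matched on source only.
ACLS = {
    "globalip": [("10.101.0.0", "0.0.255.255"), ("10.102.0.0", "0.0.255.255"),
                 ("10.103.0.0", "0.0.255.255"), ("10.104.0.0", "0.0.255.255")],
    "goip": [("10.108.0.0", "0.0.0.255")],
    "officeIP": [(f"192.168.{n}.0", "0.0.0.255") for n in range(81, 90)],
}
# Classes in policy-map order: (class name, match mode, ACL names).
POLICY = [("global", "any", ["globalip"]),
          ("wifiGO", "any", ["goip"]),
          ("office", "all", ["officeIP"])]

def acl_permits(acl, src):
    """True if src hits any permit entry; wildcard bits set to 1 are ignored."""
    s = int(ipaddress.IPv4Address(src))
    for net, wild in ACLS[acl]:
        care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
        if s & care == int(ipaddress.IPv4Address(net)) & care:
            return True
    return False

def classify(src):
    """First class whose match statements are satisfied, else class-default."""
    for name, mode, acls in POLICY:
        combine = any if mode == "any" else all  # match-any = OR, match-all = AND
        if combine(acl_permits(a, src) for a in acls):
            return name
    return "class-default"

def egress_view(src, nat_ip=None):
    """Class chosen when the policy sees src as-is, or nat_ip if translated first."""
    return classify(nat_ip or src)

if __name__ == "__main__":
    PUBLIC = "203.0.113.10"  # constructed placeholder for <ip public>
    for host in ("10.101.5.20", "10.108.0.7", "192.168.85.44"):  # constructed hosts
        print(host, egress_view(host), "->", egress_view(host, PUBLIC))
```

If the policy does see translated addresses, the usual way to check is to compare the ACL hit counters with the NAT translation table; the model only shows that the posted ACLs cannot match the public address.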