Revealing denied packets in Class-map ACLs

fsebera
Level 4

In configuring Control Plane Policing (CPP), I use ACLs to filter packets; not all packets pass the permit statements, and thus they are denied. How do I see which OTHER packets are being denied? I tried to add the "LOG" keyword to the end of the deny statement, but IOS provided an error message stating that LOG is not an option in class-maps.

ERROR MESSAGE: R(config-ext-nacl)#110 deny tcp any any log class-map COPP_3 : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map COPP_3 will not work properly

Anyone know a way to show which packets are being denied?

SAMPLE:

class-map match-any COPP_3
 match access-group name MVID
!
 class COPP_3
  police 768000 192000 conform-action transmit exceed-action drop
!
!
!
ip access-list extended MVID
 remark _____________________________VER.2
 permit udp any host 224.0.1.1 eq ntp
 permit udp 172.16.1.0 0.0.0.255 host 239.255.0.1 eq 5004
 permit udp 172.16.1.0 0.0.0.255 any eq 5004
 permit udp 172.0.0.0 0.255.255.255 any eq 5004
 remark ------ PIM L3 Neighbor (PE3)
 permit pim host 172.17.30.2 host 224.0.0.13
 remark ------ Anycast RP (HUB1 or HUB2)
 permit udp 172.31.255.0 0.0.0.255 eq pim-auto-rp host 224.0.1.39 eq pim-auto-rp
 permit udp 172.16.0.0 0.0.0.255 eq pim-auto-rp host 224.0.1.39 eq pim-auto-rp
 remark ------ Phantom-RP HUB1 F0/0.100
 permit udp host 172.16.10.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp
 remark ------ Phantom-RP HUB2 F0/0.200
 permit udp host 172.16.20.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp
 remark ------ LLMNR
 deny   ip any host 224.0.0.252
 deny   tcp any any
 deny   udp any any
 deny   ip any any

R#sh ip access-list MVID
Extended IP access list MVID
    10 permit udp any host 224.0.1.1 eq ntp
    20 permit udp 172.16.1.0 0.0.0.255 host 239.255.0.1 eq 5004
    30 permit udp 172.16.1.0 0.0.0.255 any eq 5004
    40 permit udp 172.0.0.0 0.255.255.255 any eq 5004
    50 permit pim host 172.17.30.2 host 224.0.0.13 (20 matches)
    60 permit udp 172.31.255.0 0.0.0.255 eq pim-auto-rp host 224.0.1.39 eq pim-auto-rp (2 matches)
    70 permit udp 172.16.0.0 0.0.0.255 eq pim-auto-rp host 224.0.1.39 eq pim-auto-rp (2 matches)
    80 permit udp host 172.16.10.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp (8 matches)
    90 permit udp host 172.16.20.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp (9 matches)
    100 deny ip any host 224.0.0.252
    110 deny tcp any any (15 matches)
    120 deny udp any any (12 matches)
    130 deny ip any any (66 matches)

Regards

Frank
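Since the error message rules out 'log' on ACEs referenced by a class-map, the per-ACE match counters in the "sh ip access-list" output above are the signal that remains. The following script is an added example, not code from the original post: it parses that output (reproduced here as constructed sample input), reports which deny entries are accumulating hits, and computes the increase between two snapshots, since the counters are cumulative.

```python
import re

# Constructed sample: the "sh ip access-list MVID" output quoted in the post above.
SHOW_OUTPUT = """\
Extended IP access list MVID
    10 permit udp any host 224.0.1.1 eq ntp
    50 permit pim host 172.17.30.2 host 224.0.0.13 (20 matches)
    80 permit udp host 172.16.10.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp (8 matches)
    100 deny ip any host 224.0.0.252
    110 deny tcp any any (15 matches)
    120 deny udp any any (12 matches)
    130 deny ip any any (66 matches)
"""

# Constructed second snapshot, taken "later": only the catch-all deny has moved.
SHOW_LATER = SHOW_OUTPUT.replace("(66 matches)", "(70 matches)")

# One ACE line: sequence, action, rule text, optional "(N matches)" suffix.
# Assumes the line layout shown in the post; ACEs without hits carry no suffix.
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")


def parse_aces(text):
    """Return a list of (seq, action, rule, matches) tuples, one per ACE line."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:  # header line or anything that is not an ACE
            continue
        seq, action, rule, hits = m.groups()
        aces.append((int(seq), action, rule, int(hits) if hits else 0))
    return aces


def denied_summary(text):
    """Deny ACEs that have matched at least once: the traffic the permit lines do not cover."""
    return {seq: (rule, hits)
            for seq, action, rule, hits in parse_aces(text)
            if action == "deny" and hits > 0}


def counter_delta(before, after):
    """Per-ACE growth in matches between two snapshots; ACEs that did not move are omitted."""
    earlier = {seq: hits for seq, _, _, hits in parse_aces(before)}
    return {seq: hits - earlier.get(seq, 0)
            for seq, _, _, hits in parse_aces(after)
            if hits - earlier.get(seq, 0) > 0}


if __name__ == "__main__":
    for seq, (rule, hits) in sorted(denied_summary(SHOW_OUTPUT).items()):
        print(f"seq {seq}: deny {rule} -> {hits} matches")
    print("growth since last snapshot:", counter_delta(SHOW_OUTPUT, SHOW_LATER))
```

The counters only say which deny line matched, not which packets; narrowing the deny entries (as the LLMNR line does) is what turns a growing counter into an identified flow.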

8 Replies

Collin Clark
VIP Alumni

I don't think you need the class-map keyword. Just 'log' should log the traffic to buffer/syslog.

SO, how do you configure Control Plane Policing without class-maps?

Please provide a sample configuration.

Tks

Frank

Sorry for not being clear. I meant just remove the class-map from the ACE:

(config-ext-nacl)#110 deny tcp any any log class-map COPP_3

to

(config-ext-nacl)#110 deny tcp any any log

You do realize this is the ERROR MESSAGE produced by IOS and not a CLI entry -Right?

I didn't, I thought it was a CLI error. Let me dig in my stuff and see what else I can find.

Anyone else have any thoughts on how to troubleshoot Control Plane Policing ACLs???

Thanks

Frank

Got it figured out, no additional help needed - yet!!

Best

Frank

Any chance you can tell me what you did to resolve this? I've run into the exact same issue and there seems to be very little supporting information around...

Thanks!
