10-24-2012 06:19 AM - edited 03-07-2019 09:39 AM
In configuring Control Plane Policing (CPP), I use ACLs to filter packets. Not all packets pass the permit statements, and thus they are denied. How do I see which OTHER packets are being denied? I tried to add the "LOG" keyword to the end of the deny statement, but IOS provided an error message stating that LOG is not an option in class-maps.
ERROR MESSAGE: R(config-ext-nacl)#110 deny tcp any any log class-map COPP_3 : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map COPP_3 will not work properly
Anyone know a way to show which packets are being denied?
SAMPLE:
class-map match-any COPP_3
match access-group name MVID
!
class COPP_3
police 768000 192000 conform-action transmit exceed-action drop
!
!
!
ip access-list extended MVID
remark _____________________________VER.2
permit udp any host 224.0.1.1 eq ntp
permit udp 172.16.1.0 0.0.0.255 host 239.255.0.1 eq 5004
permit udp 172.16.1.0 0.0.0.255 any eq 5004
permit udp 172.0.0.0 0.255.255.255 any eq 5004
remark ------ PIM L3 Neighbor (PE3)
permit pim host 172.17.30.2 host 224.0.0.13
remark ------ Anycast RP (HUB1 or HUB2)
permit udp 172.31.255.0 0.0.0.255 eq pim-auto-rp host 224.0.1.39 eq pim-auto-rp
permit udp 172.16.0.0 0.0.0.255 eq pim-auto-rp host 224.0.1.39 eq pim-auto-rp
remark ------ Phantom-RP HUB1 F0/0.100
permit udp host 172.16.10.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp
remark ------ Phantom-RP HUB2 F0/0.200
permit udp host 172.16.20.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp
remark ------ LLMNR
deny ip any host 224.0.0.252
deny tcp any any
deny udp any any
deny ip any any
R#sh ip access-list MVID
Extended IP access list MVID
10 permit udp any host 224.0.1.1 eq ntp
20 permit udp 172.16.1.0 0.0.0.255 host 239.255.0.1 eq 5004
30 permit udp 172.16.1.0 0.0.0.255 any eq 5004
40 permit udp 172.0.0.0 0.255.255.255 any eq 5004
50 permit pim host 172.17.30.2 host 224.0.0.13 (20 matches)
60 permit udp 172.31.255.0 0.0.0.255 eq pim-auto-rp host 224.0.1.39 eq pim-auto-rp (2 matches)
70 permit udp 172.16.0.0 0.0.0.255 eq pim-auto-rp host 224.0.1.39 eq pim-auto-rp (2 matches)
80 permit udp host 172.16.10.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp (8 matches)
90 permit udp host 172.16.20.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp (9 matches)
100 deny ip any host 224.0.0.252
110 deny tcp any any (15 matches)
120 deny udp any any (12 matches)
130 deny ip any any (66 matches)
Regards
Frank
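Because IOS rejects the `log` keyword on an ACL referenced by a CoPP class-map (the error quoted above), the only signal the post itself leaves you is the per-ACE match counters in `show ip access-list`. The script below is an added example, not code from the original thread or from Cisco: it parses that exact output format, reports which deny entries are actually dropping control-plane traffic, and compares two snapshots so you can see which deny line is still incrementing. The first sample is the output quoted in the post; the second snapshot is constructed (a hypothetical later capture with two counters advanced). Counters tell you which ACE was hit, not the source of the packets; that limitation is the reason the question was asked in the first place.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the "sh ip access-list MVID" output quoted in the post,
# embedded here so the script runs offline. Indentation mirrors real IOS output.
SAMPLE_OUTPUT = """\
Extended IP access list MVID
    10 permit udp any host 224.0.1.1 eq ntp
    20 permit udp 172.16.1.0 0.0.0.255 host 239.255.0.1 eq 5004
    30 permit udp 172.16.1.0 0.0.0.255 any eq 5004
    40 permit udp 172.0.0.0 0.255.255.255 any eq 5004
    50 permit pim host 172.17.30.2 host 224.0.0.13 (20 matches)
    60 permit udp 172.31.255.0 0.0.0.255 eq pim-auto-rp host 224.0.1.39 eq pim-auto-rp (2 matches)
    70 permit udp 172.16.0.0 0.0.0.255 eq pim-auto-rp host 224.0.1.39 eq pim-auto-rp (2 matches)
    80 permit udp host 172.16.10.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp (8 matches)
    90 permit udp host 172.16.20.254 eq pim-auto-rp host 224.0.1.40 eq pim-auto-rp (9 matches)
    100 deny ip any host 224.0.0.252
    110 deny tcp any any (15 matches)
    120 deny udp any any (12 matches)
    130 deny ip any any (66 matches)
"""

# Constructed second snapshot (hypothetical later capture): two deny counters have advanced.
SAMPLE_LATER = (SAMPLE_OUTPUT
                .replace("(15 matches)", "(19 matches)")
                .replace("(66 matches)", "(71 matches)"))

HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (?P<name>\S+)$")
# One access-control entry: "<seq> <permit|deny> <proto> <rest> [(<n> matches)]"
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)


def parse_access_list(text: str) -> Dict[str, object]:
    """Parse one 'show ip access-list' block into {"name": str, "aces": [...]}."""
    name: Optional[str] = None
    aces: List[Dict[str, object]] = []
    for line in text.splitlines():
        header = HEADER_RE.match(line.strip())
        if header:
            name = header.group("name")
            continue
        m = ACE_RE.match(line)
        if not m:
            continue  # remarks are not displayed by this command; skip anything else
        aces.append({
            "seq": int(m.group("seq")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "rest": m.group("rest"),
            "matches": int(m.group("matches") or 0),  # IOS omits the suffix at zero
        })
    return {"name": name, "aces": aces}


def denied_hits(acl: Dict[str, object]) -> List[Dict[str, object]]:
    """Deny ACEs that have matched packets, i.e. traffic the CoPP class actually dropped."""
    return [a for a in acl["aces"] if a["action"] == "deny" and a["matches"] > 0]


def totals(acl: Dict[str, object]) -> Dict[str, int]:
    """Aggregate permitted vs denied hit counts for the whole list."""
    out = {"permit": 0, "deny": 0}
    for a in acl["aces"]:
        out[a["action"]] += a["matches"]
    return out


def counter_deltas(before: Dict[str, object], after: Dict[str, object]) -> Dict[int, int]:
    """Per-sequence increase in match counters between two snapshots (unchanged ACEs omitted).
    Taking two captures a minute apart shows which deny line is still being hit right now."""
    earlier = {a["seq"]: a["matches"] for a in before["aces"]}
    deltas = {}
    for a in after["aces"]:
        diff = a["matches"] - earlier.get(a["seq"], 0)
        if diff > 0:
            deltas[a["seq"]] = diff
    return deltas


if __name__ == "__main__":
    first, later = parse_access_list(SAMPLE_OUTPUT), parse_access_list(SAMPLE_LATER)
    print(f"ACL {first['name']}: {totals(first)}")
    for ace in denied_hits(first):
        print(f"  seq {ace['seq']:>4} deny {ace['proto']} {ace['rest']}: {ace['matches']} dropped")
    print("still incrementing:", counter_deltas(first, later))
```

Run it against pasted output from the router instead of the embedded sample to get the same report for a live ACL; the header regex covers both standard and extended lists, and entries without a "(n matches)" suffix are counted as zero, which is how IOS prints unused ACEs.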
10-24-2012 09:09 AM
I don't think you need the class-map keyword. Just 'log' should log the traffic to buffer/syslog.
10-24-2012 09:40 AM
SO, how do you configure Control Plane Policing without class-maps?
Please provide a sample configuration.
Tks
Frank
10-24-2012 12:23 PM
Sorry for not being clear. I meant just remove the class-map from the ACE
(config-ext-nacl)#110 deny tcp any any log class-map COPP_3
to
(config-ext-nacl)#110 deny tcp any any log
10-24-2012 12:44 PM
You do realize this is the ERROR MESSAGE produced by IOS and not a CLI entry, right?
10-24-2012 12:46 PM
I didn't, I thought it was a CLI error. Let me dig in my stuff and see what else I can find.
10-25-2012 08:05 AM
Anyone else have any thoughts on how to troubleshoot Control Plane Policing ACLs???
Thanks
Frank
10-25-2012 12:21 PM
Got it figured out, no additional help needed - yet!!
Best
Frank
09-23-2013 01:58 AM
Any chance you can tell me what you did to resolve this? I've run into the exact same issue and there seems to be very little supporting information around...
Thanks!