topic Seems I have found the answer in Network Security

Nexus 3548 ACL Logging

stephendrkw — Fri, 21 Feb 2020 13:23:02 GMT

"show ip access-list", IOS displays matches against each statement within the ACL and you can see counters incrementing or not, useful in troubleshooting. Nexus 3548 does not display any counters with the same command!

I must be missing something because I cannot find a logging command that will simply add hits with command "show IP access-list <name>" (Nexus 3548)

Is there an alternative?

After reading Cisco ACL docs

stephendrkw — Sat, 07 Feb 2015 19:23:31 GMT

After reading Cisco ACL docs I managed to configure and get ACL logging working fine on my lab 3548:

test# sh log ip access-list cache
Source IP Destination IP S-Port D-Port Interface Protocol Hits
----------------------------------------------------------------------------------------
10.170.x.x 10.x.x.x 0 0 mgmt0 (6)TCP 98

Software
BIOS:      version 1.9.0
loader:    version N/A
kickstart: version 6.0(2)A4(3)
system:    version 6.0(2)A4(3)
Power Sequencer Firmware:
             Module 1: version v2.1
BIOS compile time:       10/13/2012
kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A4.3.bin
kickstart compile time: 11/21/2014 9:00:00 [11/21/2014 19:29:20]
system image file is:    bootflash:///n3500-uk9.6.0.2.A4.3.bin
system compile time:     11/21/2014 9:00:00 [11/21/2014 21:09:06]

Hardware
cisco Nexus 3548 Chassis ("48x10GE Supervisor")
Intel(R) Pentium(R) CPU @ 1.50GHz
with 3805876 kB of memory.

However in my other live Nexus 3548 "show log ip access-list cache" is not available from the command line with the following software version:

-n35# show log ip access-list cache
^
% Invalid command at '^' marker.

Software
BIOS:      version 1.9.0
loader:    version N/A
kickstart: version 6.0(2)A1(1b)
system:    version 6.0(2)A1(1b)
Power Sequencer Firmware:
             Module 1: version v2.1
BIOS compile time:       10/13/2012
kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A1.1b.bin
kickstart compile time: 9/5/2013 14:00:00 [09/05/2013 23:37:16]
system image file is:    bootflash:///n3500-uk9.6.0.2.A1.1b.bin
system compile time:     9/5/2013 14:00:00 [09/06/2013 03:25:01]

Hardware
cisco Nexus 3548 Chassis ("48x10GE Supervisor")

I've researched the command line reference and found nothing to suggest version 6.0(2)A1(1b) this OAL feature is not supported......anyways the live 3548 I can see statistics per-entry command under each ACL (these ACL's are not bound to any VLAN interfaces). show ip access-list shows no hits against any of the ACL's

My 1st question why is the OAL ACL cache is not supported on my live version?

2nd q - Why there are no hits when the statistics per-entry command is configured under each ACL when I know there are thousands of hits per minute?

NB: The ip access-group in statements are applied to the Interface port number NOT interface VLAN

example

interface Ethernet1/6
description ** hello **
ip access-group test in
switchport access vlan 885
speed 1000
no negotiate auto

Seems I have found the answer

stephendrkw — Sun, 08 Feb 2015 14:18:31 GMT

Seems I have found the answer!

ACL statement is applied to the port interfaces and if I issue the command show ip access-list summary this shows that the ACL's are not active!!!! hence the statistics per-entry command is not taking affect when listing a show ip access-list.

After reading you need to issue:

ip port access group hello in

Only inbound is supported at the port level also to be noted.

I applied "ip access-list group hello in" which does not take affect you need "ip port access-list hello in"

I've left this discussion open, just in case someone is having an issue, worth a read!

In regards as to why sh log ip access-list cache does not work on my production 3548 software version (OAL) I'm not sure why as OAL was introduced in 5.0 (2). Once I make my production change access group to each port, I still wouldn't expect this command to work, but lets see. OAL is very useful in that you can see the source <>destionation<>TCP or ICMP for easier troubleshooting.