tcp port missing from 6509 MSFC access list output

rexhancock · ‎05-12-2003

Enabled an access list on a 6509 MSFC as follows:

access-list 110 permit ip any any log

access-list 111 permit ip any any log-input

..applied them to an interface:

Vlan11 is up, line protocol is up

Internet address is 10.1.1.1/24

Outgoing access list is 111

Inbound access list is 110

..yet the output does not show any ports from either the source or destination.

May 12 07:28:04 [10.1.1.1.198.215] 64809: May 12 07:20:04.866 edt: %SEC-6-IPACCESSLOGP: list 110

permitted tcp 10.1.1.149(0) -> 10.1.2.10(0), 1 packet

May 12 07:29:03 [10.1.1.1.198.215] 64810: May 12 07:21:03.286 edt: %SEC-6-IPACCESSLOGP: list 111

permitted tcp 10.1.2.10(0) (Vlan12 0006.5bf0.9a1c) -> 10.1.1.148(0), 4 packets

May 12 07:31:03 [10.1.1.1.198.215] 64811: May 12 07:23:03.322 edt: %SEC-6-IPACCESSLOGP: list 110

permitted tcp 10.1.1.9(0) -> 10.1.2.10(0), 90 packets

May 12 07:42:03 [10.1.1.1.198.215] 64819: May 12 07:34:03.498 edt: %SEC-6-IPACCESSLOGP: list 111

permitted tcp 10.1.2.10(0) (Vlan12 0006.5bf0.9a1c) -> 10.1.1.148(0), 1 packet

WHY ?

rjackson · ‎05-13-2003

This access list does not reference layer 4 (tcp) only layer 3 (IP). I'm not sure it will do what your after but this would be closer:

access-list 110 permit tcp any any log

access-list 111 permit tcp any any log-input

rexhancock · ‎05-13-2003

Thanks for the suggestion. I tried that already and it made no difference. I should point out that it works just fine with "ip" in the access list on a 4500 Catalyst MSFC! This should be a pretty rudimentary function. I was thinking that some other feature like CEF or some other form of fast switching is preventing it from capturing the information but I have disabled all forms of "fast switching" too with no luck.