Two ACLs' hit counts getting summed and logged against only one

david.kane (Level 1)

The router is a 3620 IOS 12.0(24), with an ethernet and a serial interface. Each interface has a pair of inbound and outbound ACLs, which are exact reciprocals of each other. A single test packet that matches any entry (either permit or deny) should generate a single hit on the outbound ACL and a single hit on the inbound ACL. What actually happens is that the inbound ACL gets 2 hits on the matching item, and the outbound ACL's item gets none.

Any ideas?

2 Replies

raymong (Level 4)

This link has an explanation as to why you don't see a corresponding message for every packet that matches the ACL.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/113t_3/stdlog.htm

"The first packet that triggers the access list causes a logging message right away, and subsequent packets are collected over 5-minute intervals before they are displayed or logged."

Thanks for your reply, however I don't think that is the problem I am having. Maybe an example might help to explain things. The following is a simplistic, and possibly syntactically incorrect, example which should help to illustrate my problem.

- two networks 10.1.0.0/24 and 10.1.1.0/24
- two hosts, one on each network (x.x.x.100)
- a dual ethernet router between the networks
- short form of router config:

interface ethernet0
 ip address 10.1.0.1 255.255.255.0
 ip access-group inboundfilter in
 ip access-group outboundfilter out
interface ethernet1
 ip address 10.1.1.1 255.255.255.0
ip access-list extended inboundfilter
 permit icmp host 10.1.0.100 host 10.1.1.100
ip access-list extended outboundfilter
 permit icmp host 10.1.1.100 host 10.1.0.100

- Now the 10.1.0.100 host sends 1 ping to the 10.1.1.100 host, who replies
- sh access-list should look like:

Extended IP access list inboundfilter
    permit icmp host 10.1.0.100 host 10.1.1.100 (1 matches)
Extended IP access list outboundfilter
    permit icmp host 10.1.1.100 host 10.1.0.100 (1 matches)

- However it turns out to be actually:

Extended IP access list inboundfilter
    permit icmp host 10.1.0.100 host 10.1.1.100 (2 matches)
Extended IP access list outboundfilter
    permit icmp host 10.1.1.100 host 10.1.0.100

In my real world situation, the setup is a little more complicated. The router actually NATs the source address of traffic at both interfaces, and there are inbound and outbound ACLs on both the interfaces. I don't think that the second set of ACLs (which match the first set) are causing the problem, but I cannot rule out the NATing causing this effect.

Any ideas?

David Kane
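A practical way to pin down which entry absorbs the extra hit is to snapshot "sh access-list" before and after a single test ping and diff the counters per entry, rather than reading absolute counts. The parser below is an added example written for this thread, not code from the original posts; the two snapshots are constructed to mirror the counts reported above (an entry that has never been hit carries no "(N matches)" suffix and is treated as 0).

```python
import re
from typing import Dict, Tuple

# Constructed "sh access-list" snapshots in the format quoted in the thread.
# Counts are made up to mirror the reported symptom: after one ping exchange
# the inbound entry gains two matches and the outbound entry (never hit, so
# it has no "(N matches)" suffix) gains none.
BEFORE = """\
Extended IP access list inboundfilter
    permit icmp host 10.1.0.100 host 10.1.1.100 (10 matches)
Extended IP access list outboundfilter
    permit icmp host 10.1.1.100 host 10.1.0.100
"""
AFTER = """\
Extended IP access list inboundfilter
    permit icmp host 10.1.0.100 host 10.1.1.100 (12 matches)
Extended IP access list outboundfilter
    permit icmp host 10.1.1.100 host 10.1.0.100
"""

ACL_HDR = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
# Entry text, optionally followed by IOS's "(N matches)" suffix (IOS prints
# "(1 matches)" for a single hit, so "match" and "matches" are both accepted).
ACE = re.compile(r"^\s*(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")


def parse_show_access_list(text: str) -> Dict[Tuple[str, str], int]:
    """Map (ACL name, entry text) -> match count; entries without a suffix are 0."""
    counts: Dict[Tuple[str, str], int] = {}
    acl = None
    for line in text.splitlines():
        if not line.strip():
            continue
        hdr = ACL_HDR.match(line)
        if hdr:
            acl = hdr.group(1)
            continue
        m = ACE.match(line)
        if acl is not None and m:
            counts[(acl, m.group(1))] = int(m.group(2) or 0)
    return counts


def hit_deltas(before: str, after: str) -> Dict[Tuple[str, str], int]:
    """Per-entry counter increase between two snapshots (new entries start at 0)."""
    b = parse_show_access_list(before)
    return {k: v - b.get(k, 0) for k, v in parse_show_access_list(after).items()}


def unexpected_deltas(deltas: Dict[Tuple[str, str], int], expected: int = 1):
    """Entries whose counter moved by anything other than the expected amount."""
    return {k: v for k, v in deltas.items() if v != expected}
```

Running "clear access-list counters" before the test ping makes the first snapshot all zeros, which turns the absolute counts in the thread into the same deltas this script reports.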