Nilay Patel
Beginner

C9500-48Y4C - ACL counters

C9500-48Y4C - ACL counter

Not able to see permitted traffic counters, but able to see deny counters increasing. What's the catch here?

balaji.bandi
VIP Guru

What is the version of code, and can you show us the example of the ACL and output?

BB

cisco C9500-48Y4C

Cisco IOS XE Software, Version 17.03.04
Cisco IOS Software [Amsterdam], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.3.4, RELEASE SOFTWARE (fc3)

!

interface Vlan XXXX
description TEST-1
ip address 10.1.191.1 255.255.255.0
ip helper-address 192.168.150.31
ip helper-address 192.168.150.37
ip pim sparse-mode
ip access-group TEST-1 in
end

TEST-COR-SW-01#sh access-lists TEST-1
Extended IP access list TEST-1
10 permit udp any host 192.168.150.31 eq bootps
20 permit udp any host 192.168.150.37 eq bootps
30 permit udp any host 192.168.150.28 eq domain
40 permit tcp any host 192.168.150.28 eq domain
50 permit udp any host 192.168.150.20 eq domain
60 permit tcp any host 192.168.150.20 eq domain
70 permit udp any host 192.168.20.141 eq domain
80 permit tcp any host 192.168.20.141 eq domain
90 permit udp any host 192.168.20.142 eq domain
100 permit tcp any host 192.168.20.142 eq domain
110 permit tcp host 10.1.191.90 host 192.168.30.21 eq smtp
120 permit tcp host 10.1.191.90 host 192.168.30.22 eq smtp
130 permit tcp host 10.1.191.90 host 192.168.30.30 eq smtp
140 permit tcp host 10.1.191.90 host 192.168.30.31 eq smtp
150 permit tcp any any eq 502 log
160 permit udp any any eq 502 log
170 permit udp any any eq 7700 log
180 permit tcp any any eq 7700 log
200 permit ip 10.1.191.48 0.0.0.15 host 192.168.20.247
210 permit ip 10.1.191.64 0.0.0.7 host 192.168.20.247
220 permit ip 10.1.191.72 0.0.0.7 host 192.168.20.247
240 permit ip host 10.1.191.168 host 192.168.20.247
250 permit udp any host 192.168.150.28 eq ntp
260 permit ip any host 192.168.150.28
300 deny ip any 10.0.0.0 0.255.255.255 (9854 matches)
310 deny ip any 157.21.0.0 0.0.255.255
320 deny ip any 192.168.0.0 0.0.255.255 (86 matches)
330 deny ip any 172.16.0.0 0.15.255.255 (65644 matches)
340 permit ip any any (54403 matches)

Looks like a bug to me, I guess. I am running 16.12.X old code and I can see the counters.

BB

Thx. I will open a case on this.

MHM Cisco World
Advisor

Can you share
show ip access-list

interface Vlan XXXX
description TEST-1
ip address 10.1.191.1 255.255.255.0
ip helper-address 192.168.150.31
ip helper-address 192.168.150.37
ip pim sparse-mode
ip access-group TEST-1 in
end

!

TEST-COR-SW-01#sh access-lists TEST-1
Extended IP access list TEST-1
 10 permit udp any host 192.168.150.31 eq bootps
20 permit udp any host 192.168.150.37 eq bootps
30 permit udp any host 192.168.150.28 eq domain
40 permit tcp any host 192.168.150.28 eq domain
50 permit udp any host 192.168.150.20 eq domain
60 permit tcp any host 192.168.150.20 eq domain
70 permit udp any host 192.168.20.141 eq domain
80 permit tcp any host 192.168.20.141 eq domain
90 permit udp any host 192.168.20.142 eq domain
100 permit tcp any host 192.168.20.142 eq domain
110 permit tcp host 10.1.191.90 host 192.168.30.21 eq smtp
120 permit tcp host 10.1.191.90 host 192.168.30.22 eq smtp
130 permit tcp host 10.1.191.90 host 192.168.30.30 eq smtp
140 permit tcp host 10.1.191.90 host 192.168.30.31 eq smtp
150 permit tcp any any eq 502 log
160 permit udp any any eq 502 log
170 permit udp any any eq 7700 log
180 permit tcp any any eq 7700 log
200 permit ip 10.1.191.48 0.0.0.15 host 192.168.20.247
210 permit ip 10.1.191.64 0.0.0.7 host 192.168.20.247
220 permit ip 10.1.191.72 0.0.0.7 host 192.168.20.247
240 permit ip host 10.1.191.168 host 192.168.20.247
250 permit udp any host 192.168.150.28 eq ntp
260 permit ip any host 192.168.150.28
300 deny ip any 10.0.0.0 0.255.255.255 (9854 matches)
310 deny ip any 157.21.0.0 0.0.255.255
320 deny ip any 192.168.0.0 0.0.255.255 (86 matches)
330 deny ip any 172.16.0.0 0.15.255.255 (65644 matches)
340 permit ip any any (54403 matches)

I think this is a bug, check the link below.
extended ACL with L4 port

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs74735
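
One way to check the "extended ACL with L4 port" observation against a saved `show access-lists` capture, as an added example that is not part of any post in this thread: the script groups ACEs by action, by whether they use an L4 port operator, and by whether a match counter is printed. The sample input is constructed from a subset of the ACEs posted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the ACEs posted in the thread.
SAMPLE = """\
Extended IP access list TEST-1
 10 permit udp any host 192.168.150.31 eq bootps
 150 permit tcp any any eq 502 log
 200 permit ip 10.1.191.48 0.0.0.15 host 192.168.20.247
 300 deny ip any 10.0.0.0 0.255.255.255 (9854 matches)
 310 deny ip any 157.21.0.0 0.0.255.255
 330 deny ip any 172.16.0.0 0.15.255.255 (65644 matches)
 340 permit ip any any (54403 matches)
"""

# seq, action, protocol, remainder, optional "(N matches)" suffix
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<rest>.*?)(?:\s+\((?P<hits>\d+) match(?:es)?\))?\s*$"
)
L4_OPS = re.compile(r"\b(eq|neq|gt|lt|range)\b")  # L4 port operators

def parse_aces(text):
    """Return one dict per ACE line; hits is None when no counter is printed."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # list header, CLI prompt, blank line
        aces.append({
            "seq": int(m["seq"]),
            "action": m["action"],
            "l4": bool(L4_OPS.search(m["rest"])),
            "hits": int(m["hits"]) if m["hits"] else None,
        })
    return aces

def summarize(aces):
    """Group sequence numbers by (action, uses L4 port match, counter shown)."""
    groups = defaultdict(list)
    for a in aces:
        groups[(a["action"], a["l4"], a["hits"] is not None)].append(a["seq"])
    return dict(groups)

if __name__ == "__main__":
    for (action, l4, shown), seqs in sorted(summarize(parse_aces(SAMPLE)).items()):
        print(f"{action:6} l4={l4!s:5} counter={shown!s:5} seqs={seqs}")
```

A missing counter in this output can also mean the entry has zero matches, so the grouping narrows down which ACEs to test with known traffic rather than proving a counter fault.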