ACL getting hits even though the associated interface is shut

Hi

Background:

I recently moved a VLAN for a lab network from our corporate network to behind a firewall.  In doing so, I shut the VLAN interface (with an ACL) on the core switch and placed a static route pointing the subnet to the firewall, where the new L3 interface resides. Common stuff, we do it all the time.

This time though, a user was complaining that RDP from the corporate network to the network moved to the firewall was intermittently failing.

Long story short, during investigations, I saw in the logs that the ACL was still getting hits from a server behind the firewall to a multicast address:

*Dec xx 08:34:50.713 UTC: %SEC-6-IPACCESSLOGP: list LAB_in denied udp 160.xxx.xxx.xxx(59627) -> 224.0.0.252(5355), 2 packets

Deleting the redundant VLAN interface on the core resolved the problem (it was only kept in case of rollback).

My question is, why was the ACL still getting hits even though the only interface it was associated with was shut?

thanks


balaji.bandi
Hall of Fame
Deleting the redundant VLAN interface on the core resolved the problem (it was only kept in case of rollback).

So you did "no interface vlan X" to fix the issue?

Personally, if the VLAN is shut down, that ACL should not be effective. Also, you mentioned that the interface and IP moved to the firewall.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji
Yep, I did "no interface vlan xx" and that fixed the problem.
Like you, I believe the ACL should not get hits if the interface is shut. Hence my question.

That's strange; this could be a bug or something. Since we cannot simulate this, I take this as a one-off kind of issue. It is not affecting your environment, so there is no point going back and digging into the past; personally, we should move on (since we cannot simulate it, as I mentioned again).

BB


show access list
Do you see the access list or not?

Yes, the ACL was still there as I'd kept it in case we rolled back. It was still there after I did "no int vlan xx", which fixed the problem.

What core switch platform do you use?

Switch Ports Model        SW Version SW Image     Mode
------ ----- ------------ ---------- ------------ -------
*    1    65 C9300-48UXM  17.03.05   CAT9K_IOSXE  INSTALL
     2    65 C9300-48UXM  17.03.05   CAT9K_IOSXE  INSTALL
     3    65 C9300-48U    17.03.05   CAT9K_IOSXE  INSTALL
     4    65 C9300-48U    17.03.05   CAT9K_IOSXE  INSTALL
     5    65 C9300-48U    17.03.05   CAT9K_IOSXE  INSTALL

Friend, what @balaji.bandi and you mentioned before is right: removing the SVI automatically makes the ACL inactive.
Still, there are two types of ACL:
1- RACL, which is applied under the SVI
2- VACL, which is applied under the VLAN (under the VLAN, not under the SVI of the VLAN).

Which one are you using?

It was on the SVI, so RACL

interface Vlan90
 description LAB Vlan
 ip address 160.xxx.xxx.xxx 255.255.255.192
 ip helper-address 10.xxx.xxx.xxx
 no ip proxy-arp
 ip pim sparse-mode
 ip access-group LAB_in in
 ip ospf 1 area 1
end

show platform software fed active ifm mappings l3if-le

Take the value below from the command output (this value represents the VLAN X ID):

IF_ID

show platform software fed active acl interface IF_ID

Take the value below from the command output:

CG ID

show platform software fed active acl info acl-cgid CG ID

Now check the interfaces: how many interfaces is this ACL applied to, only one or many?
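One way to turn the observation in this thread into a routine check, added here as an example and not anything posted by the participants: parse the `ip access-group` bindings and shutdown state of each SVI from a running-config, sum `%SEC-6-IPACCESSLOGP` hits per ACL, and flag any ACL that keeps logging hits while every interface it is bound to is shut (or after it is no longer bound anywhere). The config and syslog lines are constructed samples using RFC 5737 addresses; on a real box the inputs would come from `show running-config` and the syslog collector.

```python
import re
from collections import defaultdict

# Constructed sample running-config fragment (RFC 5737 addresses, not a real device).
RUNNING_CONFIG = """\
interface Vlan90
 ip address 192.0.2.1 255.255.255.192
 ip access-group LAB_in in
 shutdown
!
interface Vlan91
 ip address 192.0.2.65 255.255.255.192
 ip access-group CORP_in in
!
"""

# Constructed sample syslog lines in the %SEC-6-IPACCESSLOGP format quoted in the thread.
SYSLOG = """\
*Dec 11 08:34:50.713 UTC: %SEC-6-IPACCESSLOGP: list LAB_in denied udp 192.0.2.10(59627) -> 224.0.0.252(5355), 2 packets
*Dec 11 08:35:02.001 UTC: %SEC-6-IPACCESSLOGP: list CORP_in permitted tcp 192.0.2.70(51000) -> 198.51.100.5(3389), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

def parse_acl_bindings(config):
    """Map ACL name -> [(interface, direction, is_shut)] from 'ip access-group' lines."""
    bindings = defaultdict(list)
    for block in re.split(r"^!$", config, flags=re.M):  # one block per interface stanza
        m = re.search(r"^interface (\S+)", block, re.M)
        if not m:
            continue
        shut = re.search(r"^ shutdown$", block, re.M) is not None
        for acl, direction in re.findall(r"^ ip access-group (\S+) (in|out)$", block, re.M):
            bindings[acl].append((m.group(1), direction, shut))
    return bindings

def parse_log_hits(syslog):
    """Sum logged packet counts per ACL name across all matching lines."""
    hits = defaultdict(int)
    for m in LOG_RE.finditer(syslog):
        hits[m["acl"]] += int(m["count"])
    return dict(hits)

def find_stale_hits(config, syslog):
    """ACLs that log hits although every interface they are bound to is shut, or they are bound nowhere."""
    bindings = parse_acl_bindings(config)
    return {acl: n for acl, n in parse_log_hits(syslog).items()
            if not [i for i, _, shut in bindings.get(acl, []) if not shut]}
```

A flagged ACL is the cue to run the FED commands above and see how many interfaces the class group is actually programmed on.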