10-12-2009 07:26 AM - edited 03-06-2019 08:05 AM
Hi Folks, I need a little help. I have configured an ACL on a 3750 to allow RDP, SSH & TCP 8080 access to a management machine from certain VLAN's. I am able to access the machine but I do not see the ACL hit counts incremented. How do I configure my ACL to show the hit count incrementing.
Thank you in Advance I appreciate it.
Regards,
JP
10-12-2009 10:37 AM
Hello Joseph,
after having defined the ACL, have you applied it somewhere for example:
int vlan 10
ip access-group acl_number
or
ip access-group acl_name
caution:
this may cause you to miss device remote access and control.
so don't do it if you are not sure your ACL is correct.
Also be aware that some multilayer switch platforms are not able to update hit counters for their MLS implementation.
This can be your case: the ACL may be effective but counters are not incremented
Hope to help
Giuseppe
10-12-2009 11:14 AM
Hi Giuseppe,
Thank you for your response, yes, the ACL is applied on the VLAN interface.
I apologize for not mentioning that the counters for the other lines on the ACL show hit counts incrementing, and some don't increment. I am able to connect to that box using RDP.
Extended IP access list Restrict-Mgmt
10 permit tcp any any established (146 matches)
20 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 3389
30 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 443 (9 matches)
50 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 8080
60 permit udp any eq ntp host 172.16.100.200
70 permit udp any eq domain host 192.168.100.200
80 deny ip any host 192.168.100.200 (17131 matches)
90 permit ip any any (515 matches)
sw-core-2#
interface Vlan100
ip address 192.168.100.3 255.255.255.0
ip access-group Restrict-Mgmt out
no ip redirects
no ip proxy-arp
end
10-13-2009 05:50 PM
Shouldn't your ACL be applied inbound...
interface Vlan100
ip address 192.168.100.3 255.255.255.0
ip access-group Restrict-Mgmt in
10-14-2009 10:31 AM
Hi pompeychimes,
Thanks for your input. It should be applied outbound. As you can see, the destination of the ACLs is 192.168.100.200.
Thanks,
Joe
10-12-2009 11:02 AM
Here's a link on Access List Logging and some of the caveats.
http://www.cisco.com/web/about/security/intelligence/acl-logging.html
Hope it helps.
03-20-2025 09:18 AM
Had this problem too, ACL hits/matches not showing on 9300 switches. Found out there's an issue on the Doppler chipset for the 9300: the ACL will do its job, but ACL hits will not be shown.
03-20-2025 09:31 AM
Actually, it's not uncommon on some switches the ACL functions correctly, but the hardware doesn't count hits.