
ACL not showing matches

spiritgroup
Level 1

Hi,

We have an extended ACL on a 6509 running IOS ver 12.2(17r)S2, RELEASE SOFTWARE (fc1)

I have added the following line:

1320 permit udp host 172.18.6.0 0.0.0.250 172.16.1.5 eq syslog

This is working, as I am now getting syslog messages on the 172.16.1.5 box, but I wanted to tidy up the rest of the access list and remove rules that are not used. To do this I was going to look at which rules are not showing any matches, but hardly any of them are showing matches, including this new one (although some are).

It must be hitting this rule, as when I remove it I no longer get syslogs, so it's not hitting another rule higher up.

I tried to use the Cisco bug toolkit, but this version of the IOS doesn't show up there. Is this likely to be an IOS bug or something I'm doing wrong?

thanks for any help.

Accepted Solution

Jon Marshall
Hall of Fame

Matt

The reason you are not seeing any matches when you look at the access list is that access-list entries processed in hardware by the PFC (Policy Feature Card) do not increment the match count.

If the access-list entry was processed in software, and this can happen, then you would see it in the match count.

See this link for full details on what is processed in hardware and what in software regarding ACLs.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html#wp1033602

Jon


5 Replies

bvsnarayana03
Level 5

You already did the first step of troubleshooting by removing the rule to check whether the syslog messages are trapped by the server or not.

Second option:

clear access-list xxx counters

Third option:

Move the syslog rule to a higher sequence number. You'll first have to remove this rule and add it again, prefixing the ACL line number.

One of these should work.

" 1320 permit udp host 172.18.6.0 0.0.0.250 172.16.1.5 eq syslog"

Are you sure this rule allows traffic to your syslog server from the 172.18.6.0 network? You have the host keyword applied to the network rather than to the syslog server address that follows later.

Can you reconfigure the ACE this way and check whether you are seeing matches?

1320 permit udp 172.18.6.0 0.0.0.255 host 172.16.1.5 eq syslog

HTH

Sundar
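As an added example (not code from the thread or from Cisco), here is a small Python linter for IOS extended ACEs that picks up both points raised above before anyone starts pruning an ACL: the misplaced `host` keyword and non-contiguous wildcard that Sundar questioned, and Jon's caveat that a zero match count on a PFC-switched Catalyst 6500 does not prove an ACE is unused. It assumes ACE lines in the form typed in the thread or printed by `show ip access-lists`; the sample output below is constructed for the example, not captured from a device.

```python
"""Lint Cisco IOS extended ACEs before pruning an ACL (added example, not from the thread)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DOTTED = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MATCHES = re.compile(r"\((\d+) match(?:es)?\)$")
PORT_OPS = ("eq", "gt", "lt", "neq")


@dataclass
class AddrSpec:
    kind: str                        # "any", "host" or "wildcard"
    addr: Optional[str] = None
    wildcard: Optional[str] = None   # only for kind == "wildcard"
    port: Optional[str] = None       # e.g. "eq syslog"


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: AddrSpec
    dst: AddrSpec
    matches: Optional[int]           # None when IOS printed no "(N matches)"
    warnings: List[str] = field(default_factory=list)


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is a run of 1 bits from the least significant end (e.g. 0.0.0.255)."""
    v = int(ipaddress.IPv4Address(wildcard))
    return v & (v + 1) == 0


def covered_hosts(spec: AddrSpec) -> int:
    """Number of addresses a spec matches: 2 ** (number of 1 bits in the wildcard)."""
    if spec.kind == "any":
        return 2 ** 32
    if spec.kind == "host":
        return 1
    return 2 ** bin(int(ipaddress.IPv4Address(spec.wildcard))).count("1")


def _parse_addr(tokens: List[str], i: int, role: str) -> Tuple[AddrSpec, int, List[str]]:
    """Consume one address spec (plus optional port operator) starting at tokens[i]."""
    warnings: List[str] = []
    if tokens[i] == "any":
        spec, i = AddrSpec("any"), i + 1
    elif tokens[i] == "host":
        spec, i = AddrSpec("host", tokens[i + 1]), i + 2
        # `host` takes a single address and no mask; a dotted quad right after it is the
        # mistake Sundar spotted (the mask was meant for a network, not a host).
        if i < len(tokens) and DOTTED.match(tokens[i]):
            warnings.append("%s: 'host %s' is followed by %s, which looks like a wildcard mask"
                            % (role, spec.addr, tokens[i]))
    elif DOTTED.match(tokens[i]) and i + 1 < len(tokens) and DOTTED.match(tokens[i + 1]):
        spec, i = AddrSpec("wildcard", tokens[i], tokens[i + 1]), i + 2
        if not wildcard_is_contiguous(spec.wildcard):
            warnings.append("%s: wildcard %s is not contiguous; check it is intended"
                            % (role, spec.wildcard))
    else:
        raise ValueError("cannot parse %s address at: %s" % (role, " ".join(tokens[i:])))
    if i < len(tokens) and tokens[i] in PORT_OPS:
        spec.port = tokens[i] + " " + tokens[i + 1]
        i += 2
    return spec, i, warnings


def parse_ace(line: str) -> Ace:
    """Parse one ACE as typed in config or as printed by `show ip access-lists`."""
    line = line.strip()
    matches = None
    m = MATCHES.search(line)
    if m:
        matches = int(m.group(1))
        line = line[:m.start()].rstrip()
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    src, i, w1 = _parse_addr(tokens, 3, "source")
    dst, i, w2 = _parse_addr(tokens, i, "destination")
    ace = Ace(seq, action, proto, src, dst, matches, w1 + w2)
    # Jon's point: ACEs hit in hardware by the PFC never increment this counter,
    # so "no matches" is not evidence that an ACE is unused.
    if not matches:
        ace.warnings.append("no matches recorded; PFC hardware-switched hits do not increment "
                            "the counter, so this does not prove the ACE is unused")
    return ace


def lint_acl(show_output: str) -> List[Ace]:
    """Lint every ACE line (lines starting with a sequence number) in show output."""
    return [parse_ace(l) for l in show_output.splitlines() if l.strip() and l.strip()[0].isdigit()]


# Constructed sample output modelled on the ACEs discussed in the thread (not real device output).
SAMPLE = """\
Extended IP access list 101
    1310 permit udp 172.18.6.0 0.0.0.255 host 172.16.1.5 eq snmp (42 matches)
    1320 permit udp host 172.18.6.0 0.0.0.250 172.16.1.5 eq syslog
    1330 permit udp 172.18.6.0 0.0.0.255 host 172.16.1.5 eq syslog
"""

if __name__ == "__main__":
    for ace in lint_acl(SAMPLE):
        print(ace.seq, ace.matches, covered_hosts(ace.src), covered_hosts(ace.dst), ace.warnings)
```

Run against the sample, ACE 1320 gets three warnings (the `host` keyword followed by a mask, a non-contiguous destination wildcard of 172.16.1.5 that the parser is forced into, and no match count), while the corrected ACE 1330 only gets the zero-match caveat, which is exactly the situation the original poster described.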

Thanks for all the posts, guys. Jon, it seems you're right, so there's not much I can do about that, as it's not really a problem, more just the way it should work.

thanks.

Try this:

show tcam interface <interface> acl in ip

show tcam interface <interface> acl out ip
