
ACL on VLAN doesn't match

To block traffic between Access Points connected in different VLANs and the WLC VLAN (VLAN300), I have the following configs:

SWPPAL#sho access-lists
Extended IP access list 102
    10 deny udp any any range 12222 12223
    20 deny udp any any range 5246 5247
    30 permit ip any any

PPAL#       sh run int vlan 300
Building configuration...

Current configuration : 91 bytes
!

interface Vlan300
ip address 192.168.21.0 255.255.255.128
ip access-group 102 out
end

but I get this result:

SWPPAL#sh access-lists 102
Extended IP access list 101
    10 deny udp any any range 12222 12223
    20 deny udp any any range 5246 5247
    30 permit ip any any

There is traffic in both directions, but the ACL doesn't match any traffic; the permit any any never matches.

Can somebody tell me what is wrong?

7 Replies

Nikita Singh
Cisco Employee

The problem description is not clear. Please explain.

Also, I think the access-group should be applied "in".

andtoth
Level 4

Hi,

Did you try sending traffic? Does it get blocked when the ACL is applied?

Did you try removing the ACL? Does the traffic get through?

Did you try applying the ACL for the "in" direction instead of "out"? Do you see the problem then?

Please note that if you are configuring this on a Catalyst switch, you will not see ACL counters (x matches) because the switch does the ACL filtering in hardware, therefore it does not count the number of hits in software. This is a normal behavior.

Best regards,

Andras

Hi Andras,

***Please note that if you are configuring this on a Catalyst switch, you will not see ACL counters (x matches) because the switch does the ACL filtering in hardware, therefore it does not count the number of hits in software. This is a normal behavior.***

This is not correct, because I have a 4507r and I can still see the hit count on ACLs.

Hi Jesu,

The access-group should be applied in the "in" direction, like below:

interface Vlan300
ip address 192.168.21.0 255.255.255.128
ip access-group 102 in

Please rate if this helps you....

Regards,

Naidu.

If the traffic is processed by the switch CPU, the counters will increase. If the traffic is destined to the switch and you have ACLs applied on the switch, the counters will increase as the traffic is processed by the CPU. Otherwise ACL is handled in hardware, so software cannot see those packets, hence no increase in counters.

Good Day,

Is there a reason for this?

I have 3750's and 3560's, and the matches show only on certain switches, even though the configuration is basically the same (except for IPs). Another case is that the switches show matches for denies but not for permits, and I don't see a pattern or common configuration behind this.

Thanks

Catalyst switches are forwarding packets in hardware and also process ACLs in hardware, so packets are not seen and not counted by software. If packets are sourced from the switch or destined to it or packets need special processing by the CPU, they will be sent to the software (CPU), so the counters will be increased.

Also, if you have the 'log' or 'log-input' keyword specified at the end of ACL, the packet will be copied to the CPU in order to create a log message in software, and the counter will increase.

If you have a deny statement without the log keyword, and don't have 'no ip unreachables' configured on the interface where the ACL is applied (in other words, sending of ICMP unreachables is enabled), the counters will also increment because the switch will send out ICMP unreachable messages for denied packets to inform the source that the packet is dropped. Once you configure 'no ip unreachables', the counters will not increase as CPU will not send out ICMP packets.

Andras
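As an added example (not code from the thread, from Cisco, or from any of the posters), the script below parses the "show access-lists" output from the question and evaluates sample flows against ACL 102 in the direction it is applied on Vlan300. It uses the standard SVI semantics: an ACL applied "in" is checked against packets arriving from VLAN 300 (source in its subnet), and one applied "out" against packets routed into VLAN 300 (destination in its subnet). Since, as Andras explains, hardware-switched packets never reach the software counters, an offline check like this is one way to confirm that the policy does what you intend without relying on match counts. The WLC address, the AP address on another VLAN and the port of the return packet are constructed assumptions; the regex covers only a common subset of extended ACE syntax (any / host / address-wildcard, eq / range, log, "(N matches)").

```python
"""Offline check of an IOS extended ACL against sample flows, in the direction
the ACL is applied on an SVI. Added example; not code from the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of 'show access-lists' from the question (ACL 102 on Vlan300).
SHOW_ACCESS_LISTS = """\
Extended IP access list 102
    10 deny udp any any range 12222 12223
    20 deny udp any any range 5246 5247
    30 permit ip any any
"""
# Subnet configured on interface Vlan300 in the question.
VLAN300_SUBNET = ipaddress.ip_network("192.168.21.0/25")


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "udp", "tcp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_ports: Optional[range]   # None means any destination port
    matches: int                 # software hit counter from "(N matches)", 0 if absent


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


_ADDR = r"(?:any|host\s+\S+|\S+\s+\S+)"
_PORT = r"(?:\s+(?:eq\s+\d+|range\s+\d+\s+\d+))?"
ACE_RE = re.compile(
    rf"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+({_ADDR})({_PORT})\s+({_ADDR})({_PORT})"
    r"(?:\s+log(?:-input)?)?(?:\s+\((\d+) match(?:es)?\))?\s*$"
)


def _network(spec: str) -> ipaddress.IPv4Network:
    """'any', 'host A' or 'A WILDCARD' -> network (wildcard assumed contiguous)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host"):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)  # hostmask form


def _ports(spec: str) -> Optional[range]:
    """'', ' eq N' or ' range A B' -> inclusive port range, None for any port."""
    words = spec.split()
    if not words:
        return None
    if words[0] == "eq":
        return range(int(words[1]), int(words[1]) + 1)
    return range(int(words[1]), int(words[2]) + 1)


def parse_acl(text: str) -> list[Ace]:
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:  # the "Extended IP access list 102" header line does not match
            seq, action, proto, src, _sport, dst, dport, hits = m.groups()
            aces.append(Ace(int(seq), action, proto, _network(src), _network(dst),
                            _ports(dport), int(hits or 0)))
    return aces


def crosses_svi(pkt: Packet, subnet: ipaddress.IPv4Network, direction: str) -> bool:
    """An SVI ACL applied 'in' sees routed packets arriving from that VLAN
    (source in the subnet); applied 'out' it sees packets routed into the VLAN
    (destination in the subnet)."""
    if direction == "in":
        return ipaddress.ip_address(pkt.src) in subnet
    if direction == "out":
        return ipaddress.ip_address(pkt.dst) in subnet
    raise ValueError(f"direction must be 'in' or 'out', got {direction!r}")


def evaluate(aces: list[Ace], pkt: Packet) -> tuple[Optional[int], str]:
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.dst_ports is not None and pkt.dport not in ace.dst_ports:
            continue
        return ace.seq, ace.action
    return None, "deny"


def check_flow(aces: list[Ace], subnet, direction: str, pkt: Packet) -> str:
    if not crosses_svi(pkt, subnet, direction):
        return "not evaluated"
    seq, action = evaluate(aces, pkt)
    return f"{action} (seq {seq})" if seq is not None else "deny (implicit)"


# Constructed sample flows: the WLC address, the AP address on another VLAN and
# the return packet's destination port are assumptions, not values from the thread.
AP_TO_WLC_CTRL = Packet("192.168.22.10", "192.168.21.5", "udp", 5246)
WLC_TO_AP_CTRL = Packet("192.168.21.5", "192.168.22.10", "udp", 5246)
AP_TO_WLC_HTTPS = Packet("192.168.22.10", "192.168.21.5", "tcp", 443)

if __name__ == "__main__":
    acl = parse_acl(SHOW_ACCESS_LISTS)
    flows = [("AP->WLC udp/5246", AP_TO_WLC_CTRL), ("WLC->AP udp/5246", WLC_TO_AP_CTRL),
             ("AP->WLC tcp/443", AP_TO_WLC_HTTPS)]
    for direction in ("out", "in"):
        print(f"ACL 102 applied {direction} on Vlan300:")
        for name, pkt in flows:
            print(f"  {name:18} {check_flow(acl, VLAN300_SUBNET, direction, pkt)}")
```

Run as-is, the script shows that with the ACL applied "out" on Vlan300 the AP-to-WLC CAPWAP packet is denied by sequence 20 and the WLC-to-AP reply is never evaluated, while with "in" the roles swap: only the reply from the WLC subnet is checked. Whichever direction you choose, the decision is made in hardware on these platforms, so this kind of offline check complements the TCAM commands rather than the software match counters.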

To add to Andras's reply, if you would like to see the counters incrementing in the hardware you need to use the command below:

sh tcam int vlan <> acl in ip

or sh tcam int vlan <> acl in ip detail, although the output is long and complicated and needs understanding of the hardware to interpret the result.

Rgds,
Souvik
