cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3418
Views
10
Helpful
7
Replies

ACL on VLAN doesn't match

To block traffic between Access Points connected in diferent VLANs to the WLC VLAN (VLAN300) I have the next configs:

SWPPAL#sho access-lists
Extended IP access list 102
    10 deny udp any any range 12222 12223
    20 deny udp any any range 5246 5247
    30 permit ip any any

PPAL#       sh run int vlan 300
Building configuration...

Current configuration : 91 bytes
!

interface Vlan300
ip address 192.168.21.0 255.255.255.128
ip access-group 102 out
end

but I get this result:

SWPPAL#sh access-lists 102
Extended IP access list 101
    10 deny udp any any range 12222 12223
    20 deny udp any any range 5246 5247
    30 permit ip any any

Exist traffic in two ways, but the ACL doesn´t match any traffic, permit any any doesn´t match never.

Can somebody tell me what is wrong?

1 Accepted Solution

Accepted Solutions

If the traffic is processed by the switch CPU, the counters will increase. If the traffic is destined to the switch and you have ACLs applied on the switch, the counters will increase as the traffic is processed by the CPU. Otherwise ACL is handled in hardware, so software cannot see those packets, hence no increase in counters.

View solution in original post

7 Replies 7

Nikita Singh
Cisco Employee
Cisco Employee

The problem description is not clear. Please explain.

Also, I think the access-group should be applied "in" .

andtoth
Level 4
Level 4

Hi,

Did you try sending traffic? Does it get blocked when the ACL is applied?

Did you try removing the ACL? Does the traffic get through?

Did you try applying the ACL for the "in" direction instead of "out"? Do you see the problem then?

Please note that if you are configuring this on a Catalyst switch, you will not see ACL counters (x matches) because the switch does the ACL filtering in hardware, therefore it does not count the number of hits in software. This is a normal behavior.

Best regards,

Andras

Hi Andras,

***Please note that if you are configuring this on a Catalyst switch, you will not see ACL counters (x matches) because the switch does the ACL filtering in hardware, therefore it does not count the number of hits in software. This is a normal behavior.***

This is not correct, because I have 4507r and still I can see the hit count on ACL's

Hi Jesu,

The access group applied should be in like below.....

interface Vlan300
ip address 192.168.21.0 255.255.255.128
ip access-group 102 in

Please rate if this helps you....

Regards,

Naidu.

If the traffic is processed by the switch CPU, the counters will increase. If the traffic is destined to the switch and you have ACLs applied on the switch, the counters will increase as the traffic is processed by the CPU. Otherwise ACL is handled in hardware, so software cannot see those packets, hence no increase in counters.

Good Day,

Exist a reason to this?

I have 3750's and 3560's and shows the matchs only in certain switches, despite the configuration is basicaly the same (except for IPs), other case is that the switches shows matches for denies but not for permits, and i don't see a pattern o common configuration to this.

Thanks

Catalyst switches are forwarding packets in hardware and also process ACLs in hardware, so packets are not seen and not counted by software. If packets are sourced from the switch or destined to it or packets need special processing by the CPU, they will be sent to the software (CPU), so the counters will be increased.

Also, if you have the 'log' or 'log-input' keyword specified at the end of ACL, the packet will be copied to the CPU in order to create a log message in software, and the counter will increase.

If you have a deny statement without the log keyword, and don't have 'no ip unreachables' configured on the interface where the ACL is applied (in other words, sending of ICMP unreachables is enabled), the counters will also increment because the switch will send out ICMP unreachable messages for denied packets to inform the source that the packet is dropped. Once you configure 'no ip unreachables', the counters will not increase as CPU will not send out ICMP packets.

Andras

to add to Andras reply, if you would like to see the counters incrementing in the hardware you need to use the below command

sh tcam int vlan <> acl in ip

or sh tcam int vlan < >acl in ip detail << the output is long and complicated and needs understanding of the hardware to interpret the result.

Rgds,
Souvik

Review Cisco Networking for a $25 gift card