ACL on VLAN interface

LucaSalvatore_2
Level 1

I have this ACL applied to a VLAN interface as follows:

    ip access-list extended catch-snmp
     permit icmp host 10.83.1.13 host 192.168.60.172
     permit ip host 10.83.1.13 host 192.168.60.172
     permit udp host 10.83.1.13 eq snmp host 192.168.60.172
     permit ip any any

    interface Vlan10
     ip address 10.83.1.254 255.255.255.0
     ip access-group catch-snmp in

I then do a ping from 10.83.1.13 to 192.168.60.172 but I don't get any matches on the ACL.

Is this because the switch (3750X) is doing CEF switching and the ACL on the VLAN doesn't actually get looked at?
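As an added illustration (not part of the thread, and not an IOS feature), the following Python model applies IOS extended-ACL first-match semantics to the catch-snmp list above. It shows which entry an ICMP echo from 10.83.1.13 to 192.168.60.172 hits, and flags entries that an earlier entry already covers completely, so they can never record a hit regardless of how the switch forwards the packet. It models only the syntax used in this ACL (`host`, `any`, `eq <port>`), not wildcard masks, `established` or hardware forwarding.

```python
import ipaddress

# Constructed copy of the poster's ACL, in IOS order (sequence 10, 20, 30, 40).
CATCH_SNMP = [
    "permit icmp host 10.83.1.13 host 192.168.60.172",
    "permit ip host 10.83.1.13 host 192.168.60.172",
    "permit udp host 10.83.1.13 eq snmp host 192.168.60.172",
    "permit ip any any",
]

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' (wildcard masks are not modelled here)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq <port>'; None means any port."""
    if tokens and tokens[0] == "eq":
        return {"snmp": 161, "snmptrap": 162}.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """'permit|deny proto src [eq p] dst [eq p]'; an 'eq' after the source is a SOURCE port."""
    action, proto, *rest = line.split()
    src, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def matches(ace, pkt):
    """pkt = (proto, src_ip, dst_ip, sport, dport); protocol 'ip' covers every protocol."""
    proto, s, d, sp, dp = pkt
    return (ace["proto"] in ("ip", proto)
            and ipaddress.ip_address(s) in ace["src"]
            and ipaddress.ip_address(d) in ace["dst"]
            and ace["sport"] in (None, sp) and ace["dport"] in (None, dp))

def first_match(acl, pkt):
    """IOS sequence number (10, 20, ...) of the first ACE hit; None is the implicit deny."""
    for i, line in enumerate(acl):
        if matches(parse_ace(line), pkt):
            return (i + 1) * 10
    return None

def shadowed(acl):
    """Sequence numbers of ACEs fully covered by an earlier ACE, so they can never get hits."""
    aces = [parse_ace(l) for l in acl]
    return [(i + 1) * 10 for i, late in enumerate(aces) if any(
        early["proto"] in ("ip", late["proto"])
        and late["src"].subnet_of(early["src"]) and late["dst"].subnet_of(early["dst"])
        and early["sport"] in (None, late["sport"]) and early["dport"] in (None, late["dport"])
        for early in aces[:i])]
```

Running `shadowed(CATCH_SNMP)` reports sequence 30: `permit ip host ... host ...` at sequence 20 already permits all UDP between the two hosts, so the SNMP-specific entry is dead, and the `eq snmp` placed after the source address matches a source port of 161 (agent replies), not SNMP requests to the agent.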

4 Replies

Reza Sharifi
Hall of Fame

CEF is enabled globally by default on the 3750X series switches.

Try logging your ACLs.

    permit icmp host 10.83.1.13 host 192.168.60.172 log

HTH

Logging doesn't help...

I can see the permit ip any any get hits on the counters but not the ones above

devils_advocate
Level 7

I just replicated your setup in packet tracer and I get matches on the top line of the ACL:

    10 permit icmp host 10.83.1.13 host 192.168.60.172 (16 match(es))
    20 permit ip host 10.83.1.13 host 192.168.60.172
    30 permit ip any any (3 match(es))

Are there any ACLs on the 192.168.60.* SVI?

Can you do a #show ip access-list catch-snmp and post back the results?

Jon Marshall
Hall of Fame

Switch ACL counters are not reliable because the vast majority of packets are processed in hardware, and so they do not increment the hit counters.

Only packets that are sent to the main CPU would register in the hit counters and you generally don't want this on a hardware switch.

If the ACL is working, i.e. allowing and blocking what you want, then it is not a problem.

Jon