cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
237
Views
0
Helpful
2
Replies
Highlighted

acl problem l3 switch

HI All,

i am assigning access list on vlan interface (in) direction , i am not getting matchs on first  record of acl but only on second .

Extended IP access list test

10 deny ip any host 192.168.1.5

19 permit icmp any any log (142 matches)

%SEC-6-IPACCESSLOGDP: list test permitted icmp 172.16.100.116 -> 192.168.1.5 (8/0), 1 packet

Everyone's tags (4)
2 REPLIES 2
Highlighted
Beginner

acl problem l3 switch

This is normal behavior on an L3 switch, since the processesing of the ip packets is done in hardware.

U won't see any matches on ACL except for packets that are proccesed by the CPU. That also explain why u do get hits on the 2nd rule. The "log" keyword make the packet pass the CPU and that why u do see hitcounts for that entry.

Highlighted

acl problem l3 switch

i wanted to deny traffic to 192.168.1.5 , and it matched permit statement . is that normal behaviour ?

i followed your suggestion and tryied to delete (10) entry and add it again with "log" keyword to see matches, but actully when i issued command "no 10" in acl config , switch did not have any reaction,  (10) record was still there (strange).

then i complitely deleted acl and have created new one with "log" keyword on every line , (10) begin to match traffic.

10 deny ip any host 192.168.1.5 log (60 matches)

20 permit icmp any any log (284 matches)

removed acl with "log" keyword and created one more without "log" and still it was logging (10) entry

10 deny ip any host 192.168.1.5 (98 matches)

20 permit icmp any any (2 matches)

CreatePlease to create content
Content for Community-Ad