12-10-2012 07:36 AM - edited 03-07-2019 10:30 AM
HI All,
i am assigning access list on vlan interface (in) direction , i am not getting matchs on first record of acl but only on second .
Extended IP access list test
10 deny ip any host 192.168.1.5
19 permit icmp any any log (142 matches)
%SEC-6-IPACCESSLOGDP: list test permitted icmp 172.16.100.116 -> 192.168.1.5 (8/0), 1 packet
12-10-2012 07:47 AM
This is normal behavior on an L3 switch, since the processesing of the ip packets is done in hardware.
U won't see any matches on ACL except for packets that are proccesed by the CPU. That also explain why u do get hits on the 2nd rule. The "log" keyword make the packet pass the CPU and that why u do see hitcounts for that entry.
12-10-2012 08:18 AM
i wanted to deny traffic to 192.168.1.5 , and it matched permit statement . is that normal behaviour ?
i followed your suggestion and tryied to delete (10) entry and add it again with "log" keyword to see matches, but actully when i issued command "no 10" in acl config , switch did not have any reaction, (10) record was still there (strange).
then i complitely deleted acl and have created new one with "log" keyword on every line , (10) begin to match traffic.
10 deny ip any host 192.168.1.5 log (60 matches)
20 permit icmp any any log (284 matches)
removed acl with "log" keyword and created one more without "log" and still it was logging (10) entry
10 deny ip any host 192.168.1.5 (98 matches)
20 permit icmp any any (2 matches)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide