cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
670
Views
0
Helpful
2
Replies

acl problem l3 switch

Archil Sokhadze
Level 1
Level 1

HI All,

i am assigning access list on vlan interface (in) direction , i am not getting matchs on first  record of acl but only on second .

Extended IP access list test

10 deny ip any host 192.168.1.5

19 permit icmp any any log (142 matches)

%SEC-6-IPACCESSLOGDP: list test permitted icmp 172.16.100.116 -> 192.168.1.5 (8/0), 1 packet

2 Replies 2

r.sneekes
Level 1
Level 1

This is normal behavior on an L3 switch, since the processesing of the ip packets is done in hardware.

U won't see any matches on ACL except for packets that are proccesed by the CPU. That also explain why u do get hits on the 2nd rule. The "log" keyword make the packet pass the CPU and that why u do see hitcounts for that entry.

i wanted to deny traffic to 192.168.1.5 , and it matched permit statement . is that normal behaviour ?

i followed your suggestion and tryied to delete (10) entry and add it again with "log" keyword to see matches, but actully when i issued command "no 10" in acl config , switch did not have any reaction,  (10) record was still there (strange).

then i complitely deleted acl and have created new one with "log" keyword on every line , (10) begin to match traffic.

10 deny ip any host 192.168.1.5 log (60 matches)

20 permit icmp any any log (284 matches)

removed acl with "log" keyword and created one more without "log" and still it was logging (10) entry

10 deny ip any host 192.168.1.5 (98 matches)

20 permit icmp any any (2 matches)

Review Cisco Networking products for a $25 gift card