acl problem l3 switch

Archil Sokhadze · ‎12-10-2012

HI All,

i am assigning access list on vlan interface (in) direction , i am not getting matchs on first record of acl but only on second .

Extended IP access list test

10 deny ip any host 192.168.1.5

19 permit icmp any any log (142 matches)

%SEC-6-IPACCESSLOGDP: list test permitted icmp 172.16.100.116 -> 192.168.1.5 (8/0), 1 packet

r.sneekes · ‎12-10-2012

This is normal behavior on an L3 switch, since the processesing of the ip packets is done in hardware.

U won't see any matches on ACL except for packets that are proccesed by the CPU. That also explain why u do get hits on the 2nd rule. The "log" keyword make the packet pass the CPU and that why u do see hitcounts for that entry.

Archil Sokhadze · ‎12-10-2012

i wanted to deny traffic to 192.168.1.5 , and it matched permit statement . is that normal behaviour ?

i followed your suggestion and tryied to delete (10) entry and add it again with "log" keyword to see matches, but actully when i issued command "no 10" in acl config , switch did not have any reaction, (10) record was still there (strange).

then i complitely deleted acl and have created new one with "log" keyword on every line , (10) begin to match traffic.

10 deny ip any host 192.168.1.5 log (60 matches)

20 permit icmp any any log (284 matches)

removed acl with "log" keyword and created one more without "log" and still it was logging (10) entry

10 deny ip any host 192.168.1.5 (98 matches)

20 permit icmp any any (2 matches)