04-26-2018 03:52 AM - edited 03-08-2019 02:48 PM
Hello,
We have deployed a 1001HX running Denali Version 16.03.06.
We have configured ACL inbound on two interfaces: TenGigabitEthernet0/1/1 and Gi0/0/0
However, the ACL on Gi0/0/0 doesn't show any hit counters:
R#show ip access-lists 105
Extended IP access list 105
190 permit udp any eq domain any
200 permit tcp any any gt 1024 established
1790 permit object-group IPSEC-OBJ host X.X.X.X host Z.Z.Z.Z
1800 permit object-group IPSEC-OBJ host Y.Y.Y.Y host Z.Z.Z.Z
The ACL deployed on the Te0/1/1 interface show permit hit counters:
R#sh ip access-lists 111
Extended IP access list 111
20 permit ip 10.0.0.0 0.255.255.255 any (3383382 matches)
Both are deployed inbound.
Could it be that i don't see hit counters on ACL105 because it contains object-groups ??
How to see hits in ACLs that contain object groups ??
regards,
Geert
Solved! Go to Solution.
04-26-2018 04:13 AM
Strange. When i configured "service internal", and did "show ip acces list 105 expand", i got the following:
Object groups are not expanded yet.
Object groups expansion happens upon exiting from ACL configuration submode.
After
conf t
ip access-list ext 105
exit
exit
it works like it should.....
giving statistics even in normal view:
190 permit udp any eq domain any (1401 matches)
200 permit tcp any any gt 1024 established (12942158 matches)
04-26-2018 04:00 AM
04-26-2018 04:13 AM
Strange. When i configured "service internal", and did "show ip acces list 105 expand", i got the following:
Object groups are not expanded yet.
Object groups expansion happens upon exiting from ACL configuration submode.
After
conf t
ip access-list ext 105
exit
exit
it works like it should.....
giving statistics even in normal view:
190 permit udp any eq domain any (1401 matches)
200 permit tcp any any gt 1024 established (12942158 matches)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide