Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
537
Views
0
Helpful
4
Replies

ICMPs and ACLs

diya isleem
Level 1
Level 1

‎10-29-2013 04:46 AM - edited ‎03-07-2019 04:18 PM

Dears,

when I had an issue troubleshooting, i noticed that ACLs count for ICMP messages twice as they are, is that real behlavour and why?, or I have a loop in my network?

My topology was two dircet Switches (SW2 & SW4) connected directly to each other using L3 port-channel, i setup ACL on SW4 states as the following

SW4:

access-list 101 permit icmp any any

access-list 101 permit ip any any

int port1

access-group 101 in

no sw

ip add 1.1.1.4 255.255.255.0

SW2

int port1

no sw

ip add 1.1.1.2 255.255.255.0

then i issued ping 1.1.1.4 repe 1 from SW2, then when i hit show ip access-list, I found 2 matches in the show access-list command, is that normal? or was it a loop? or does it count for incoming and outgoing packets although it is applied only once and in one direction ??

to make sure it doesn't count for both income and outgoing packets, I've changed the first sequence of the ACL to be: access-list 101 permit icmp host 1.1.1.2 any, and it still counts the double..

I also noticed that after I spcifified source of ICM in the ACL , the switch starts to show logging event says: "administratively prohibited unreachable message sent to 1.1.1.2", even if there is no pings, what is that message for? i tried to search but i did not yet find any thing about it

Labels:
0 Helpful
4 Replies 4

Andrew Clark
Level 1
Level 1

‎10-29-2013 06:42 AM

You said these are connected via a Ether-Channel but do you have trunking configured or spanning-tree?

0 Helpful

diya isleem
Level 1
Level 1
In response to Andrew Clark

‎10-29-2013 07:06 AM

I have for other VLANs, but a L3 portchannel made by L3 ports. I also tried between a router and a switch, same result...

Also one thing: debug IP icmp on SW4 shows that that it only recieved one packet while show access-list show 2 packets.

0 Helpful

diya isleem
Level 1
Level 1

‎10-31-2013 05:35 AM

Any Explaination Guys??

0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to diya isleem

‎10-31-2013 06:40 AM

Hi,

I suppose this is because the ACL is mapped both to the logical port-channel but also to the member physical interfaces.

So the hit count is once for member ports and once for port-channel.But that is only a supposition and I can't find any doc stating it explicitly.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card