10-17-2012 04:08 PM - edited 03-07-2019 09:32 AM
Hello again,
This is a continuation of my last post in which I need to apply ACLs to the physical ports within Etherchannels. The switch is a Catalyst 2970 running IOS 12.2. These Etherchannels are configured as trunks with 2 VLANs allowed on each trunk.
I have applied an inbound ACL on the physical ports that filters based on layer 3 and layer 4 traffic. The issue that I am seeing is that the counters for the ACL are not increasing even though the ACL is clearly doing its job. At the end of the ACL I have an entry of "permit ip any any". Removing this from the list causes connectivity problems to the server on this port. Adding it back, everything is back to normal. However, the counters don't increase. At first I thought maybe this wasn't supported on this switch, but then I noticed the counter had increased to "2 matches" later in the day.
Does anyone know what the normal behavior is for this switch and does it support logging on an ACL entry as well?
Thanks, Elton
Sent from Cisco Technical Support iPhone App
10-17-2012 05:07 PM
Elton
ACL logging is not supported on the 2970 running 12.2
The switch does not support these Cisco IOS router ACL-related features:
• Non-IP protocol ACLs (see Table 26-1) or bridge-group ACLs
• IP accounting
• Inbound and outbound rate limiting (except with QoS ACLs)
• Reflexive ACLs or dynamic ACLs (except for some specialized dynamic ACLs used by the switch clustering feature)
• ACL logging
Regards,
Alex.
Please rate useful posts.
10-17-2012 05:40 PM
Thanks for the quick response. As far as the logging, is that just entries that are in the log file, or does that also include match counts on an entry?
Why would I only have 2 matches if it is clearly doing its job?
Sent from Cisco Technical Support iPhone App
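The check I would run against a setup like this, added here as an example and not taken from the thread or from Cisco: a small Python audit that parses Catalyst-style `show access-lists` and running-config text, confirms that every Etherchannel member port carries the ACL inbound, and reads the per-entry match counters. The sample output, the ACL name SERVER-IN, the server address and the interface names are all constructed; one member port is deliberately left without the ACL so the audit has something to flag. The example assumes, consistent with the handful of matches described above, that the counters reflect only packets handled by the CPU rather than hardware-forwarded traffic, so the configuration check, not the counter, is the reliable test of whether the ACL is actually applied.

```python
"""Audit a port ACL applied to Etherchannel member ports on a Catalyst switch.

Added example for this thread, not the poster's configuration. All sample
text below is constructed to follow Catalyst IOS 12.2 output formatting.
"""
import re

# Constructed "show access-lists" output. Only one entry carries "(N matches)";
# the assumption here is that counters reflect CPU-handled packets only, so a
# working port ACL can legitimately sit at zero or a handful of matches.
SHOW_ACCESS_LISTS = """\
Extended IP access list SERVER-IN
    10 permit tcp any host 10.1.1.5 eq 443 (2 matches)
    20 permit udp any host 10.1.1.5 eq domain
    30 deny ip 10.99.0.0 0.0.255.255 any
    40 permit ip any any
"""

# Constructed running-config excerpt for the two members of channel-group 1.
# The ACL is intentionally missing from Gi0/2 to show what the audit reports.
RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 ip access-group SERVER-IN in
 channel-group 1 mode on
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 channel-group 1 mode on
!
"""

# One access-list entry: "<seq> <permit|deny> <rule> [(N matches)]"
ACE_RE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches?\))?$")


def parse_access_list(show_output, name):
    """Return the entries of access list `name` as (seq, action, rule, matches)."""
    entries, in_list = [], False
    for line in show_output.splitlines():
        if "access list" in line and not line.startswith(" "):
            in_list = line.split()[-1] == name   # header line names the list
            continue
        m = ACE_RE.match(line)
        if in_list and m:
            seq, action, rule, matches = m.groups()
            entries.append((int(seq), action, rule, int(matches or 0)))
    return entries


def inbound_port_acls(config):
    """Map each interface in a running-config excerpt to its inbound IP ACL (or None)."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            result[current] = None
        elif current and line.strip().startswith("ip access-group "):
            parts = line.split()          # ip access-group <NAME> <in|out>
            if parts[-1] == "in":
                result[current] = parts[2]
    return result


def audit(name, show_output, config, members):
    """Check that every member port carries the ACL inbound and summarise counters."""
    acl = parse_access_list(show_output, name)
    applied = inbound_port_acls(config)
    return {
        "missing_on": [p for p in members if applied.get(p) != name],
        "ends_with_permit_any": bool(acl) and acl[-1][1:3] == ("permit", "ip any any"),
        "entries_with_hits": [seq for seq, _, _, hits in acl if hits > 0],
        "entries_without_hits": [seq for seq, _, _, hits in acl if hits == 0],
    }


if __name__ == "__main__":
    report = audit("SERVER-IN", SHOW_ACCESS_LISTS, RUNNING_CONFIG,
                   ["GigabitEthernet0/1", "GigabitEthernet0/2"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as-is to see the report on the constructed sample; against a real switch, paste the output of `show access-lists` and `show running-config` into the two strings and list the member ports of the port-channel. A port in `missing_on` is the finding that matters; entries in `entries_without_hits` are only a concern if the audit's assumption about counters does not hold for the platform.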