02-02-2007 07:15 AM - edited 03-05-2019 02:08 PM
It's unclear to me what the difference is between these 2 ACL statements; could anyone elaborate? The reason I'm asking is that on an outbound ACL using the 2nd entry listed, we are not seeing anything on the ACL counters when he comes through, yet if we put a deny all at the beginning of the list he is blocked. I am wondering if the syntax is wrong and it actually should be the first entry listed below, or whether there are any reasons why the ACL counters would not be incrementing. The user is going to telnet, as verified through the cache flows.
permit tcp 192.98.97.0 0.0.0.255 eq telnet host 192.108.213.10
permit tcp 192.98.97.0 0.0.0.255 host 192.108.213.10 eq telnet
02-02-2007 07:59 AM
Glen
I believe the first statement says:
allow any 192.98.97.x host with a source port of 23 to access the host 192.108.213.10 on any port.
The second says:
allow any 192.98.97.x host on any port to talk to host 192.108.213.10 on port 23.
I believe your access list is working, but you don't see the access-list counters going up because the 6500 processes the ACL in hardware on the PFC. We have access-lists outbound on some of the VLAN interfaces on our 6500s and we know they work, but the ACL counters never increment.
See the attached link for more details:
HTH
Jon
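To make the difference Jon describes concrete, here is an added example (not from the thread or from Cisco) that parses the two ACEs from the original post and evaluates sample flows against them. It is a small evaluator for the `permit/deny <proto> <src> [eq PORT] <dst> [eq PORT]` form only; the port-name table, the flow tuples and the helper names are all assumptions made for this illustration.

```python
import ipaddress

# The two ACEs from the original post (copied verbatim).
ACE_SRC_PORT = "permit tcp 192.98.97.0 0.0.0.255 eq telnet host 192.108.213.10"
ACE_DST_PORT = "permit tcp 192.98.97.0 0.0.0.255 host 192.108.213.10 eq telnet"

# Assumption: only the few well-known port keywords needed here are mapped.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}


def _port(token):
    """Resolve an IOS port keyword or a numeric port to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns (address_int, wildcard_int); wildcard bits set to 1 are don't-care."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    addr = int(ipaddress.IPv4Address(t))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr, wildcard


def _take_port(tokens):
    """Consume an optional 'eq PORT' operator that follows an address spec.
    Returns the port, or None when the ACE matches any port in that position."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return _port(tokens.pop(0))
    return None


def parse_ace(line):
    """Parse an extended ACE into its fields. The position of 'eq PORT' decides
    whether it constrains the source port (right after the source address) or
    the destination port (right after the destination address)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, src_wc = _take_addr(rest)
    src_port = _take_port(rest)
    dst, dst_wc = _take_addr(rest)
    dst_port = _take_port(rest)
    return {
        "action": action, "proto": proto,
        "src": src, "src_wc": src_wc, "src_port": src_port,
        "dst": dst, "dst_wc": dst_wc, "dst_port": dst_port,
    }


def _addr_matches(ip, addr, wildcard):
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (addr | wildcard)


def ace_matches(line, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
    """True if a flow (src_ip:src_port -> dst_ip:dst_port) is matched by the ACE."""
    ace = parse_ace(line)
    if ace["proto"] not in (proto, "ip"):
        return False
    if not _addr_matches(src_ip, ace["src"], ace["src_wc"]):
        return False
    if ace["src_port"] is not None and ace["src_port"] != src_port:
        return False
    if not _addr_matches(dst_ip, ace["dst"], ace["dst_wc"]):
        return False
    if ace["dst_port"] is not None and ace["dst_port"] != dst_port:
        return False
    return True


def classify_telnet_flow():
    """Constructed sample flow: a client in 192.98.97.0/24 opening telnet
    (ephemeral source port, destination port 23) to 192.108.213.10.
    Returns which of the two ACEs from the post match it."""
    flow = ("192.98.97.5", 34567, "192.108.213.10", 23)
    return {
        "eq telnet after source": ace_matches(ACE_SRC_PORT, *flow),
        "eq telnet after destination": ace_matches(ACE_DST_PORT, *flow),
    }


if __name__ == "__main__":
    for name, hit in classify_telnet_flow().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```

Only the second ACE matches the client-to-server telnet flow, which is why the original entry is the correct one: a client picks an ephemeral source port, so an ACE keyed on source port 23 would only match traffic originating from a telnet server.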
02-02-2007 08:46 AM
OK, the original entry appears to be correct then, because the destination port is telnet. Why don't the counters increment? The interface is on a serial port on a FlexWAN card and the access list is applied to a sub-interface. Any ideas?
02-02-2007 09:46 AM
Glen
I haven't used the FlexWAN cards in the 6500, but as I said in the previous post, I believe you don't see the counters increment because the 6500 switches in hardware. From the doc:
"When you enter the show ip access-list command, the match count displayed does not include packets processed in hardware".
I did a quick test on our lab 6500: applied an extended access-list which allowed SSH from my client to one of the servers on a server VLAN and then denied everything else.
I was able to SSH, but when I did a "sh ip access-list" the counters on the access-list had not incremented.
HTH
Jon
02-02-2007 10:24 AM
Thanks Jon, it seems like I remember reading that somewhere also; I just wanted to run it by other people. Appreciate it.