SVI ACL issues

S891
Level 5

Hi there, 

I am having some issue with SVI ACLs on Cat 6500. I am not able to see ACL being hit on match. Probably I am missing something. Any suggestion would be appreciated.

The ACL is applied inbound on the SVI interface. I tested port 80 and 443 access. Users on VLAN 114 are able to access these ports, but I don't see any hit count on the ACL, so I am not sure if the ACL is working properly. The only matches I see are for bootp, HSRP, and the deny ACE. I have checked the ACL on both the primary HSRP switch and the secondary switch, and neither shows matches on these ports. I can browse on http and https, but there is no log entry. I have not tried other ports.

The second question I have is: if I want to see a log of what is being denied, how do I see all the details? IP accounting? I enabled it, but there is no output in the show command.

access-list 114 remark GUEST-ACL
access-list 114 permit udp any any eq bootps
access-list 114 permit udp any any eq domain
access-list 114 permit tcp any any eq 443
access-list 114 permit tcp any any eq www
access-list 114 permit icmp any any
access-list 114 permit ip host 172.20.35.3 host 224.0.0.2
access-list 114 deny ip any any log

interface Vlan114
 ip address 172.20.35.2 255.255.255.0
 ip access-group 114 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 1 ip 172.20.35.1
 standby 1 priority 110
 standby 1 preempt
sw#sh access-lists 114
Extended IP access list 114
    10 permit udp any any eq bootps (234 matches)
    20 permit udp any any eq domain 
    30 permit tcp any any eq 443
    40 permit tcp any any eq www 
    50 permit icmp any any 
    60 permit ip host 172.20.35.3 host 224.0.0.2 (78 matches)
    70 deny ip any any log (277 matches)

1 Reply

Jon Marshall
Hall of Fame

With switches such as the 6500 you often don't see hits in your ACL because the packets are being switched in hardware and so are not logged. This is normal behaviour, so the test is whether or not your ACL is working, not whether you can see hits.

If you enable logging on a switch this usually means the packets then have to be processed in software, which is exactly what you don't want to happen. However, with the 6500 you can use something called OAL (Optimized ACL Logging), which allows the switch to log the hits in hardware, i.e. with no performance impact.

See this link for configuration details -

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/acl.html#wp1090858

Jon
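An added example to go with Jon's point (not code from either post): it parses the "show access-lists 114" output quoted in the question, evaluates test flows against the ACL with Cisco first-match semantics, and reports which ACE each flow hits and whether that ACE's counter has moved. A permit whose counter stays at zero on a hardware-forwarding 6500 is still doing its job; the script makes that visible so the ACL is judged by behaviour, not by hit counts. The guest host 172.20.35.50 and the web server 203.0.113.10 are constructed sample addresses.

```python
import re

# Constructed copy of the "show access-lists 114" output from the question.
SHOW_ACL = """Extended IP access list 114
    10 permit udp any any eq bootps (234 matches)
    20 permit udp any any eq domain
    30 permit tcp any any eq 443
    40 permit tcp any any eq www
    50 permit icmp any any
    60 permit ip host 172.20.35.3 host 224.0.0.2 (78 matches)
    70 deny ip any any log (277 matches)
"""

PORT_NAMES = {"bootps": 67, "domain": 53, "www": 80}  # names used in the ACL

# seq action proto src dst [eq port] [log] [(N matches)]
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(any|host \S+)\s+(any|host \S+)"
    r"(?:\s+eq\s+(\S+))?(?:\s+log)?(?:\s+\((\d+) matches\))?\s*$"
)

def parse_show_acl(text):
    """Turn each ACE line of the show output into a dict; skip the header."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        seq, action, proto, src, dst, port, hits = m.groups()
        dport = None if port is None else PORT_NAMES.get(port) or int(port)
        aces.append({"seq": int(seq), "action": action, "proto": proto,
                     "src": None if src == "any" else src.split()[1],
                     "dst": None if dst == "any" else dst.split()[1],
                     "dport": dport, "hits": int(hits) if hits else 0})
    return aces

def first_match(aces, proto, src, dst, dport=None):
    """Return the first ACE the flow matches; 'ip' ACEs cover every protocol."""
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"] not in (None, src) or ace["dst"] not in (None, dst):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace
    return None  # implicit deny (never reached here: ACE 70 catches all)

def audit(aces, flows):
    """(flow, matching seq, action, counter_moved) for each tested flow."""
    return [(f, a["seq"], a["action"], a["hits"] > 0)
            for f in flows for a in [first_match(aces, *f)]]

TESTED_FLOWS = [  # constructed: a VLAN 114 guest browsing, resolving, and trying SSH
    ("tcp", "172.20.35.50", "203.0.113.10", 443),
    ("tcp", "172.20.35.50", "203.0.113.10", 80),
    ("udp", "172.20.35.50", "172.20.35.3", 53),
    ("tcp", "172.20.35.50", "203.0.113.10", 22),
]

if __name__ == "__main__":
    for flow, seq, action, counted in audit(parse_show_acl(SHOW_ACL), TESTED_FLOWS):
        note = "counter moved" if counted else "counter 0: hardware-switched, verify by testing"
        print(f"{flow} -> ACE {seq} {action} ({note})")
```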