12-29-2022 08:14 AM
Hello:
We are deploying VLAN ACLs (VACLs), which are IP-based ACLs, on several VLANs within our 3850 switches. This solution is working, but since the ACL is applied on the VLAN (layer 2), logging is not permitted in the defined ACEs. What is the easiest way/method to view hits on ACLs used in this manner? I remember seeing something related to "ip accounting" at one point, but I am looking for some good config examples that would allow viewing the data for troubleshooting reasons.
Thanks,
Jesse
12-29-2022 08:41 AM
Hi,
Usually, show access-list <name or number>
or
show ip access-list <name or number>
should show you that. See table-2 in this link for more info
HTH
12-29-2022 08:51 AM
Yes, I understand the standard 'show access-list xxx' commands. However, in this case (layer-2 / VACL based), the matches are not incremented as they would be for an L3/VTY-based ACL. As mentioned, the VACL is working; I am just looking for a way to view matches / hits somehow.
Thanks again,
Jesse
12-29-2022 08:53 AM
I think the VACL has log, but the MAC ACL does not.
Please check the guide above.
12-29-2022 09:01 AM
You're referencing IOS code / Cat6500 here ... VACL access-log commands are not offered on Cat3K (3650/3850) IOS-XE code.
12-29-2022 09:42 AM
OK, I will run a lab today and check.
12-29-2022 03:20 PM
I ran a lab, and with action drop you can add log. You can see I successfully got a log for the dropped packets between two hosts bridged in the VLAN, where the VACL denies this connection.
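As an added illustration of the lab described above (this is not configuration posted in the thread), the following is a VACL on a single VLAN that drops and logs IP traffic between two hosts while forwarding everything else. It assumes IOS-XE VACL syntax and that `action drop log` is accepted on the platform, as the last post reports; the VLAN number, map and ACL names, and host addresses are constructed for the example.

```cisco
! Added example, not from the thread. Assumes IOS-XE VACL syntax and that
! "action drop log" is accepted on the switch; names and addresses are constructed.
!
! Traffic the VACL should drop. Note the ACEs are "permit": in a VACL the
! ACL only selects the traffic, and the access-map "action" decides its fate.
ip access-list extended VACL-BLOCK-HOSTS
 permit ip host 10.10.10.11 host 10.10.10.12
 permit ip host 10.10.10.12 host 10.10.10.11
!
! Sequence 10: matched traffic is dropped and logged.
vlan access-map VLAN10-FILTER 10
 match ip address VACL-BLOCK-HOSTS
 action drop log
!
! Sequence 20: everything else in the VLAN is forwarded. Without this
! entry the implicit deny at the end of the map would drop all other traffic.
vlan access-map VLAN10-FILTER 20
 action forward
!
! Apply the map to VLAN 10 (bridged traffic within the VLAN is filtered).
vlan filter VLAN10-FILTER vlan-list 10
!
! Verification:
! show vlan access-map VLAN10-FILTER   - confirms match/action per sequence
! show vlan filter                     - confirms which VLANs the map is on
```

Since the thread reports that `show access-list` counters do not increment for VACL matches, the log messages generated by the drop entry are the evidence of hits; the `show vlan access-map` and `show vlan filter` commands only confirm that the map is built and applied as intended.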