Viewing and Evaluating hits on a VLAN based ACL (VACL)

digitalflaunt
Level 1

Hello:

We are deploying VLAN ACLs (VACLs), which are IP-based ACLs, on several VLANs within our 3850 switches.  This solution is working, but since the ACL is applied on the VLAN (layer 2), logging is not permitted in the defined ACEs.  What is the easiest way to view hits on ACLs used in this manner?  I remember seeing something related to "ip accounting" at one point but am looking for some good config examples that allow viewing the data for troubleshooting reasons.

Thanks,

Jesse

6 Replies

Reza Sharifi
Hall of Fame

Hi,

Usually, show access-list <name or number>

or

show ip access-list <name or number> 

should show you that. See Table 2 in this link for more info:

https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/consolidated_guide/b_consolidated_3850_3se_cg_chapter_0111001.html

HTH


Yes, I understand the standard 'show access-list xxx' commands.  However, in this case (layer-2 / VACL based), the matches are not incremented as they would be for an L3/VTY-based ACL.  As mentioned, the VACL is working; I am just looking to view matches / hits somehow.

Thanks again,

Jesse

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html#95869

I think the VACL has log, but the MAC ACL does not.
Please check the above guide.

You're referencing IOS code / Cat6500 here ... VACL access-log commands are not offered on Cat3K (3650/3850) IOS-XE code.

OK, I will run a lab today and check.

[Attached image: Screenshot (177).png]

I ran a lab, and with action drop you can add log. You can see I successfully got a log for the dropped packet between two hosts bridged in the VLAN, which the VACL denied.
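For readers following the two answers above (the 'show access-list' suggestion and the 'action drop log' lab result), here is an added configuration example; it is not from the thread or from Cisco's documentation, and the names VACL-TELNET, VACL-MAP, VLAN 10 and the 10.10.10.0/24 addresses are assumptions. The syntax follows the Catalyst 6500 IOS VACL guide linked earlier; the thread itself disagrees on whether the log keyword is accepted on 3650/3850 IOS-XE, so treat it as something to verify on your own platform.

```cisco
! Constructed example (not from the thread): a VACL on VLAN 10 that drops and
! logs Telnet between two hosts bridged in the same VLAN; all other traffic is
! forwarded. Names and addresses are assumptions.
!
! In a VACL the ACL is only a classifier: 'permit' means "this traffic matches
! the map sequence", it does not by itself permit anything. The action on the
! sequence decides what happens.
ip access-list extended VACL-TELNET
 permit tcp 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 23
!
! Sequence 10: matched Telnet is dropped and (where supported) logged.
vlan access-map VACL-MAP 10
 match ip address VACL-TELNET
 action drop log
! Sequence 20: no match clause, so it matches everything else and forwards it.
! Without this, the implicit deny at the end of the map would drop all other
! traffic in the VLAN.
vlan access-map VACL-MAP 20
 action forward
!
! Apply the map to the VLAN (layer 2, so it also hits intra-VLAN traffic).
vlan filter VACL-MAP vlan-list 10
!
! Verification, from privileged EXEC:
!   show vlan access-map VACL-MAP     - confirms match/action per sequence
!   show vlan filter                  - confirms the map is bound to VLAN 10
!   show access-lists VACL-TELNET     - ACE counters (see note below)
!   show logging                      - look for the drop/log messages
```

As the original poster observed, the ACE counters shown by 'show access-lists' for an ACL used as a VACL classifier may not increment the way they do for a routed or VTY ACL, because the match is performed in hardware on the VLAN; that is why the last reply falls back to the log action and 'show logging' rather than the counters. A quick sanity check is to generate a Telnet attempt between two hosts in VLAN 10 and confirm it fails while ping between the same hosts still works.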
