09-19-2008 10:27 AM - edited 03-06-2019 01:28 AM
I have a VACL defined on a 6509 to block traffic from a host on the vlan from establishing outbound TCP connections. The VACL works just fine, and all other traffic on the vlan is permitted.
I found the following show command, "show vlan access-list flow tcp (or IP) any any", and expected it to show something about the VACL, but nothing gets displayed.
Here is my VACL:
vlan access-map restrict-laptop-permit 9
 match ip address 166
 action forward
vlan filter restrict-laptop-permit vlan-list 110
access-list 166 permit tcp host 10.0.1.10 any established log
access-list 166 deny ip host 10.0.1.10 any log
access-list 166 permit ip any any
ENGLAB-6513-Native#sh vlan ?
access-log VACL Logging
ENGLAB-6513-Native#sh vlan access-log flow ip any any
Matched flows:
id prot src_ip dst_ip sport dport vlan mod/port count total lastlog
----------------------------------------------------------------------------------------------
Total number of matched entries: 0
ENGLAB-6513-Native#sh vlan access-log statistics
VACL Logging Statistics:
total packets :0
logged :0
dropped :0
buffered :0
Dropped Packets Statistics:
unsupported protocol :0
no packet buffer :0
hash queue full :0
flow table full :0
Misc Information:
VACL Logging LTL Index :0x7E06
free packet buffers :8192
log messages sent :0
flow table size :0
Is this a true command - is it supposed to show something when a VACL is loaded?
09-25-2008 11:01 AM
This command is used to display information about VLAN access control list (VACL) logging, including the configured logging properties, flow table contents, and statistics. Use the show vlan access-log command in privileged EXEC mode.
show vlan access-log config
show vlan access-log flow protocol {src-addr src-mask | any | host {hostname | host-ip}} {dst-addr dst-mask | any | host {hostname | host-ip}} [vlan vlan-id]
show vlan access-log statistics
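An added example, not part of the thread or of Cisco's documentation: a small Python parser for the `show vlan access-log statistics` output shown above, which reports whether any packets reached VACL logging and which drop counters are non-zero. The function names are hypothetical, and the second sample is constructed to show the non-empty case.

```python
import re

# Output as posted in the thread above (all counters zero).
THREAD_OUTPUT = """\
VACL Logging Statistics:
total packets :0
logged :0
dropped :0
buffered :0
Dropped Packets Statistics:
unsupported protocol :0
no packet buffer :0
hash queue full :0
flow table full :0
Misc Information:
VACL Logging LTL Index :0x7E06
free packet buffers :8192
log messages sent :0
flow table size :0
"""

# Constructed sample (not from the thread): logging active but losing packets.
CONSTRUCTED_OUTPUT = THREAD_OUTPUT.replace("total packets :0", "total packets :500") \
    .replace("logged :0", "logged :420").replace("dropped :0", "dropped :80") \
    .replace("flow table full :0", "flow table full :80")

def parse_stats(text):
    """Return {section: {counter: int}} from the statistics output."""
    stats, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(.+?)\s*:\s*(0x[0-9A-Fa-f]+|\d+)$", line)
        if m and section:
            stats[section][m.group(1)] = int(m.group(2), 0)  # base 0 handles 0x7E06
        elif line.endswith(":"):
            section = line[:-1]          # a line ending in ':' starts a new section
            stats[section] = {}
    return stats

def assess(stats):
    """Turn the counters into findings a reviewer can act on."""
    findings = []
    if stats.get("VACL Logging Statistics", {}).get("total packets", 0) == 0:
        findings.append("no packets have reached VACL logging; flow table will be empty")
    for reason, count in stats.get("Dropped Packets Statistics", {}).items():
        if count:
            findings.append(f"{count} packets not logged: {reason}")
    return findings
```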