sup 720 accesslists

Unanswered Question
Feb 2nd, 2007

It's unclear to me what the difference is between these 2 acl statements , could anyone elaborate. The reason I'm asking this is on a outbound acl using the 2nd entry listed and we are not seeing anything on the acl counters when he comes thru yet if we put a deny all at the beginning of the list he is blocked. I am wondering if the syntax is wrong and actually should be the first entry listed below , or are there any reasons why the acl counters would not be imcrementing , the user is going to telnet as verified thru the cache flows .

permit tcp 192.98.97.0 0.0.0.255 eq telnet host 192.108.213.10 ----->

permit tcp 192.98.97.0 0.0.0.255 host 192.108.213.10 eq telnet

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Fri, 02/02/2007 - 07:59

Glen

I believe the first statement says

allow any 192.98.97.x host with a source port of 23 to access the host 192.108.213.10 on any port.

the second says

allow any 192.98.97.x host on any port to talk to host 192.108.213.10 on port 23.

I believe your access list is working but you don't see the access-list counters going up because the 6500 processes the acl in hardware on the PFC. We have access-lists outbound on some of our vlan interfaces on our 6500's and we know they work but the acl counters never increment.

See attached link for more details:-

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00801609f6.html#wp1033602

HTH

Jon

glen.grant Fri, 02/02/2007 - 08:46

Ok ,the original entry appears to be correct then because the destination port is telnet , why doesn't the counters increment , the interface is on a serial port on a flexwan card and the access list is applied to a sub interface . Any ideas ????

Jon Marshall Fri, 02/02/2007 - 09:46

Glen

I haven't used the flexwan cards in the 6500 but as i said in the previous post i believe you don't see the counters increment because the 6500 switches in hardware. From the doc

"When you enter the show ip access-list command, the match count displayed does not include packets processed in hardware".

I did a quick test on our lab 6500. Applied an extended access-list which allowed ssh from my client to one of the servers on a server vlan and then denied everything else.

I was able to ssh but when i did a "sh ip access-list" the counters on the access-list had not incremented.

HTH

Jon

glen.grant Fri, 02/02/2007 - 10:24

Thanks Jon , seems like I remember reading that somewhere also just wanted to run that by other people , appreciate it .

Actions

This Discussion