show access-list no matches ?

May 17th, 2007

Hello.

I am a new Cisco 3750G-48TS-E administrator.

To learn, I have created a simple access-list to pass all on an interface.

But when I execute : show access-list, I never see matches.

I receive :

10 permit 10.1.222.1

and never "(xxx matches)" after that line !

Is there something I must configure to see the matches ?

Thank you.

jmd

Richard Burts Thu, 05/17/2007 - 06:44

jmd

In addition to showing us the content of the access list it would be helpful if you would show us the specifics of how you apply the access list.

Also this appears to be a standard access list which examines the source address of packets. So are you sure that there were packets with source address of 10.1.222.1?

HTH

Rick

iesncisco Thu, 05/17/2007 - 07:08

Thank you for this very speedy response.

I did :

bb-3750(config)#access-list 50 permit any
bb-3750(config)#int gi2/0/14
bb-3750(config-if)#ip access-group 50 in
bb-3750(config-if)#end
bb-3750#sh access-lists
Standard IP access list 50
    10 permit any

I also have in running-config :

interface GigabitEthernet2/0/14
 switchport access vlan 222
 switchport mode access
 ip access-group 50 in

I then make a ping from 10.1.222.1 (which is a PC on the gigabit 2/0/14 interface) to another PC (10.1.55.10) and another ping in the other direction.

But, after that, no matches for show access-list !

jmd

I think the problem is that this port is configured as a layer 2 port and not layer 3.

You have two options:

Configure it as layer3 port and give an IP address to that (no switchport command and ip address x.x.x.x y.y.y.y)

Or create an SVI (if you don't have one yet)

interface vlan222
 ip address x.x.x.x y.y.y.y

and assign the access-list to this interface

Is the 10.1.55.10 host connected to this switch too?

Hope it helps,

Krisztian

Richard Burts Thu, 05/17/2007 - 07:30

jmd

I believe that Krisztian has it exactly right. In fact I am surprised that there was not an error when you configured the ip access-group on a layer 2 port.

But certainly for the access-group and the access list to work the access-group must be assigned on a working layer 3 interface (either make the port a layer 3 interface or use the VLAN interface).

HTH

Rick

iesncisco Thu, 05/17/2007 - 07:56

Ok, I apply the access-list to vlan222 (already created with ip 10.1.222.254/24) and not to the interface.

But I have strange results with show access-list:

ONLY a ping from host 10.1.222.1 (linked to the interface gi2/0/14) to the interface address itself (10.1.222.254) shows the matches (4)

and no other pings.

The host 10.1.55.10 is on another subnet on a 3com L3 switch linked to the cisco 3750 by (for my beginning tests) the default vlan 1.

I suppose I must re-read and learn better the ios documentation. Probably there are things I have not yet understood.

jmd
