05-17-2007 06:40 AM - edited 03-05-2019 04:08 PM
Hello.
I am a new Cisco 3750G-48TS-E administrator.
To learn, I have created a simple access-list to pass all on an interface.
But when I execute : show access-list, I never see matches.
I receive :
10 permit 10.1.222.1
and never "(xxx matches)" after that line !
Is there something I must configure to see the matches ?
Thank you.
jmd
05-17-2007 06:44 AM
jmd
In addition to showing us the content of the access list it would be helpful if you would show us the specifics of how you apply the access list.
Also this appears to be a standard access list which examines the source address of packets. So are you sure that there were packets with source address of 10.1.222.1?
HTH
Rick
05-17-2007 07:08 AM
Thank you for this very speedy response.
I did :
bb-3750(config)#access-list 50 permit any
bb-3750(config)#int gi2/0/14
bb-3750(config-if)#ip access-group 50 in
bb-3750(config-if)#end
bb-3750#sh access-lists
Standard IP access list 50
10 permit any
I also have in running-config :
interface GigabitEthernet2/0/14
switchport access vlan 222
switchport mode access
ip access-group 50 in
I then make a ping from 10.1.222.1 (which is a pc on the gigabit 2/0/14 interface) to another pc (10.1.55.10) and another ping in the other direction.
But, after that, no matches for show access-list !
jmd
05-17-2007 07:15 AM
I think the problem is that this port is configured as a layer2 port and not layer3.
You have two options:
Configure it as layer3 port and give an IP address to that (no switchport command and ip address x.x.x.x y.y.y.y)
Or create an SVI (if you don't have one yet)
interface vlan222
ip address x.x.x.x y.y.y.y
and assign the access-list to this interface
Is the 10.1.55.10 host connected to this switch too?
Hope it helps,
Krisztian
05-17-2007 07:30 AM
jmd
I believe that Krisztian has it exactly right. In fact I am surprised that there was not an error when you configured the ip access-group on a layer 2 port.
But certainly for the access-group and the access list to work the access-group must be assigned on a working layer 3 interface (either make the port a layer 3 interface or use the VLAN interface).
HTH
Rick
05-17-2007 07:56 AM
Ok, I apply the access-list to vlan222 (already created with ip 10.1.222.254/24) and not to the interface.
But I have strange results with show access-list :
ONLY a ping from host 10.1.222.1 (linked to the interface gi2/0/14) to the interface address itself (10.1.222.254) shows the matches (4)
and no other pings.
The host 10.1.55.10 is on another subnet on a 3com L3 switch linked to the cisco 3750 by (for my beginning tests) the default vlan 1.
I suppose I must re-read and learn better the IOS documentation. Probably there are things I have not yet understood.
jmd