Very Big problem with ACL on Cisco 3550

Unanswered Question
Jan 25th, 2008

Hi, All! I have a Cisco Catalyst 3550. Recently I upgraded the Cisco IOS. After upgrading the IOS, the ACL isn't working any more. WHY??? Maybe not enough TCAM resources? But in the previous IOS the ACEs were functioning properly.

On the switch I have QoS, DHCP Snooping, Dynamic ARP Inspection, VLANs and SNMP running.


Old Cisco IOS: 12.2(25)SEE IP Services

New IOS: 12.2(44)SE

Help me, please! Maybe somebody has had a similar problem?

lisajoseph1970 Sat, 01/26/2008 - 14:49

Can you provide some additional information on how you are checking whether the ACLs are working or not?


Regards,

Lisa

Edgar Shvaikovskij Sun, 01/27/2008 - 04:00

Hello!


Thank you for your answer, Lisa!


I have the following ACL:

ip access-list extended HomeClients-16
 permit tcp any host 172.16.2.2 eq www 443
 permit udp any host 172.16.2.2 eq domain
 permit udp any any eq bootpc
 permit udp any any eq bootps
 deny ip 10.0.213.0 0.255.0.255 any log
 permit ip any 10.0.0.0 0.255.255.255
 permit tcp any host 172.16.2.2 range 10050 10180
 permit tcp any host 172.16.2.10 eq 1723
 permit gre any host 172.16.2.10
 permit tcp any host 172.16.2.2 eq 6667 9997 411 smtp pop3 ftp ftp-data
 permit ip any 172.16.5.0 0.0.0.255
 permit udp any host 172.16.2.10 eq ntp
 permit udp any eq 28960 20800 20810 any
 permit tcp host 10.1.1.42 host 172.16.1.254 eq 22
 deny any any


After upgrading the IOS, the ACL rule “deny ip 10.0.213.0 0.255.0.255 any log” isn't working any more!

Hosts 10.*.213.* have access to everything (SMTP, mail, etc.).

“sh logging” doesn't show any log messages about packets blocked by the rule “deny ip 10.0.213.0 0.255.0.255 any log”.


You asked how I'm checking that the ACLs are working. Well, my PC is behind the ACL "HomeClients-16". I can simply ping the host 172.16.1.5 successfully, which is not allowed by this ACL.

I've done some tests and found some interesting things. After reattaching the ACL HomeClients-16, the ACL works correctly for a few minutes!


After the ACL was detached:

3550# sh tcam inacl 1 statistics
Ingress ACL TCAM#1: Number of active labels: 6
Ingress ACL TCAM#1: Number of masks allocated: 16, available: 192
Ingress ACL TCAM#1: Number of entries allocated: 32, available: 1632

After the ACL was attached:

3550# sh tcam inacl 1 statistics
Ingress ACL TCAM#1: Number of active labels: 7
Ingress ACL TCAM#1: Number of masks allocated: 140, available: 68
Ingress ACL TCAM#1: Number of entries allocated: 180, available: 1484

After 5 minutes:

3550# sh tcam inacl 1 statistics
Ingress ACL TCAM#1: Number of active labels: 6
Ingress ACL TCAM#1: Number of masks allocated: 16, available: 192
Ingress ACL TCAM#1: Number of entries allocated: 32, available: 1632


Why did IOS unload the ACL from the TCAM?


Another interesting piece of information:

3550# sh access-lists hardware counters
Input Drops: 0 matches (0 bytes)
Output Drops: 0 matches (0 bytes)
Input Forwarded: 137882870 matches (108061827907 bytes)
Output Forwarded: 137706883 matches (108032598824 bytes)
Input Bridge Only: 29229 matches (3789141 bytes)
Bridge and Route in CPU: 43315 matches (3152892 bytes)
Route in CPU: 573 matches (97530 bytes)


Why are the "Input Drops" and "Output Drops" counters zero? Should they be zero if the ACL is blocking traffic?
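An added worked example, not part of this thread and not Cisco code: a small Python evaluator that applies the posted ACL with IOS first-match and wildcard-mask semantics to the traffic described above. The ACL text is re-keyed from the post by hand; the final entry is assumed to be `deny ip any any` (the form IOS accepts for an explicit deny), and the test packets are constructed for the example. It shows what the ACL as written should do: ICMP from 10.1.1.42 to 172.16.1.5 falls through to the explicit deny, and any 10.x.213.x source is caught by the logged deny, which is the behaviour the poster reports no longer seeing after the upgrade.

```python
"""Evaluate the HomeClients-16 ACL with IOS first-match, wildcard-mask semantics.
Added example; the ACL text below is re-keyed from the thread, not pasted from a switch."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed input: the posted ACEs. Assumption: the last entry is written
# here as "deny ip any any", the form IOS accepts for an explicit deny.
ACL_TEXT = """\
permit tcp any host 172.16.2.2 eq www 443
permit udp any host 172.16.2.2 eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
deny ip 10.0.213.0 0.255.0.255 any log
permit ip any 10.0.0.0 0.255.255.255
permit tcp any host 172.16.2.2 range 10050 10180
permit tcp any host 172.16.2.10 eq 1723
permit gre any host 172.16.2.10
permit tcp any host 172.16.2.2 eq 6667 9997 411 smtp pop3 ftp ftp-data
permit ip any 172.16.5.0 0.0.0.255
permit udp any host 172.16.2.10 eq ntp
permit udp any eq 28960 20800 20810 any
permit tcp host 10.1.1.42 host 172.16.1.254 eq 22
deny ip any any
"""

# IOS well-known port keywords that appear in the ACL
PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67, "smtp": 25,
              "pop3": 110, "ftp": 21, "ftp-data": 20, "ntp": 123}


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple               # (network, wildcard) as 32-bit ints
    sports: Optional[set]    # None = any source port
    dst: tuple
    dports: Optional[set]    # None = any destination port
    log: bool
    text: str


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_addr(toks, i):
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (ip_int(toks[i + 1]), 0), i + 2
    return (ip_int(toks[i]), ip_int(toks[i + 1])), i + 2


def _parse_ports(toks, i):
    """Optional 'eq p [p ...]' or 'range lo hi' after an address; None = any port."""
    if i < len(toks) and toks[i] == "eq":
        ports, i = set(), i + 1
        while i < len(toks) and (toks[i].isdigit() or toks[i] in PORT_NAMES):
            ports.add(_port(toks[i]))
            i += 1
        return ports, i
    if i < len(toks) and toks[i] == "range":
        return set(range(_port(toks[i + 1]), _port(toks[i + 2]) + 1)), i + 3
    return None, i


def parse_acl(text):
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        src, i = _parse_addr(toks, 2)
        sports, i = _parse_ports(toks, i)
        dst, i = _parse_addr(toks, i)
        dports, i = _parse_ports(toks, i)
        aces.append(Ace(toks[0], toks[1], src, sports, dst, dports, "log" in toks[i:], line))
    return aces


def wildcard_match(spec, addr):
    """Wildcard bits set to 1 are 'don't care' (the inverse of a netmask)."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return ip_int(addr) & care == net & care


def classify(acl, proto, src, dst, sport=None, dport=None):
    """First matching ACE wins; returns (action, ace_index, logged).
    Index None means the implicit deny that ends every IOS ACL."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(ace.src, src) and wildcard_match(ace.dst, dst)):
            continue
        if ace.sports is not None and sport not in ace.sports:
            continue
        if ace.dports is not None and dport not in ace.dports:
            continue
        return ace.action, idx, ace.log
    return "deny", None, False


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed packets: the thread's ping test, a 10.x.213.x host, and the SSH exception
    for pkt in [("icmp", "10.1.1.42", "172.16.1.5", None, None),
                ("tcp", "10.7.213.9", "172.16.2.2", 40000, 25),
                ("tcp", "10.1.1.42", "172.16.1.254", 40000, 22)]:
        action, idx, logged = classify(ACL, *pkt)
        hit = ACL[idx].text if idx is not None else "<implicit deny>"
        print(f"{pkt[0]} {pkt[1]} -> {pkt[2]}: {action} by '{hit}' log={logged}")
```

The evaluator only models what the software ACL semantics require; it says nothing about whether the switch actually keeps the ACL programmed in TCAM, which is the separate question the `sh tcam inacl` output above raises.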

ajagadee Mon, 01/28/2008 - 10:13
(Cisco Employee)

Hi Edgar,


Can you post the output from "sh run int XXXX", where XXXX is the interface to which you have applied this ACL? Also, what are the source and destination IPs of your test, and what is the default gateway of the host from which you are sourcing the packets?


Regards,

Arul

Edgar Shvaikovskij Tue, 01/29/2008 - 04:04

Hi, Arul!


interface Vlan1
 description default
 ip address 172.16.1.254 255.255.255.0

interface Vlan20
 ip address 10.1.0.2 255.255.0.0
 ip access-group HomeClients-16 in
 ip helper-address 172.16.2.2

interface Vlan21
 ip address 10.2.0.2 255.255.0.0
 ip access-group HomeClients-16 in
 ip helper-address 172.16.2.2


Well, my PC has IP 10.1.1.42/16 with default gateway 10.1.0.2. I am successfully pinging the host 172.16.1.5 and other hosts, but pinging is not allowed by this ACL! Sometimes the ACL starts working correctly for 5 minutes to 3 hours, but after that time IOS unloads the ACL from the TCAM resources (TCAM resources are more than enough), and the ACLs don't work any more.

I have a second Cisco 3550 in another node, and I conducted an experiment yesterday. Before the experiment the ACLs on that Cisco 3550 were working correctly. I upgraded the Cisco IOS to 12.2(44)SE IP Services (now the first 3550 and the second 3550 have the same IOS); after upgrading the IOS, the ACL no longer works normally, and the situation is the same as on the first Cisco 3550. Then I started installing other Cisco IOS versions; my results:

1) Cisco IOS 12.2(40) IP Services - ACLs don't work

2) Cisco IOS 12.2(37) IP Services - ACLs don't work

3) Cisco IOS 12.2(35) IP Services - ACLs don't work

4) Cisco IOS 12.2(25)SEE5 IP Services - ACLs work well!

5) Cisco IOS 12.2(25)SEE IP Services - ACLs work well!


If it helps to understand the situation, I can show you the config file of my Cisco Catalyst 3550.


Edgar Shvaikovskij Tue, 01/29/2008 - 04:09

Hi!

I apply this ACL as follows:


interface Vlan20
 ip address 10.1.0.2 255.255.0.0
 ip access-group HomeClients-16 in
 ip helper-address 172.16.2.2
