ACL not showing matches

Answered Question
Jul 18th, 2008

Hi,


We have an extended ACL on a 6509 running IOS ver 12.2(17r)S2, RELEASE SOFTWARE (fc1)


I have added the following line:

1320 permit udp host 172.18.6.0 0.0.0.250 172.16.1.5 eq syslog


This is working as I am now getting syslog messages on the 172.16.1.5 box, but I wanted to tidy up the rest of the access list and remove rules that are not used. To do this I was going to look at which rules are not showing any matches, but hardly any of them are, including this new one (although some are).


It must be hitting this rule as when I remove it I no longer get syslogs so it's not hitting another rule higher up.


I tried to use the Cisco bug toolkit but this version of the IOS doesn't show up on there? Is this likely to be an IOS bug or something I'm doing wrong?


Thanks for any help.

Correct Answer by Jon Marshall about 8 years 9 months ago

Matt


The reason you are not seeing any matches when you look at the access-list is because access-list entries that are processed in hardware by the PFC (Policy Feature Card) do not increment the match count.


If the access-list entry was processed in software, and this can happen, then you would see it in the match count.


See this link for full details on what is processed in hardware and software regarding ACLs.


http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html#wp1033602


Jon

bvsnarayana03 Fri, 07/18/2008 - 04:29

You already did the first step of troubleshooting by removing the rule to check whether syslog messages are trapped by the server or not.


2nd option:

clear access-list xxx counters


3rd option:

Move the syslog rule to any higher number. You'll first have to remove this rule and add it again, prefixing it with the ACL line number.


One of these should work.

sundar.palaniappan Fri, 07/18/2008 - 06:50

" 1320 permit udp host 172.18.6.0 0.0.0.250 172.16.1.5 eq syslog"


Are you sure this rule allows traffic to your syslog server from 172.18.6.0 network? You have the host keyword applied to the network rather than the syslog server address that follows later.


Can you reconfigure the ACE this way and check whether you are seeing matches?


1320 permit udp 172.18.6.0 0.0.0.255 host 172.16.1.5 eq syslog


HTH


Sundar
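As an added example (not code from the thread or from Cisco), a small Python check of IOS wildcard-mask semantics: it shows how many hosts of 172.18.6.0/24 the mask 0.0.0.250 in the original line actually covers compared with the 0.0.0.255 in Sundar's corrected ACE, and evaluates a structured copy of that corrected ACE against sample packets. The sample source addresses are constructed; the ACE evaluator is my own simplification, not an IOS parser.

```python
import ipaddress

# IOS wildcard masks: a 0 bit means the packet bit must equal the ACE
# address bit, a 1 bit means "don't care". "host X" is shorthand for
# "X 0.0.0.0". Sample addresses below are constructed for illustration.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under IOS wildcard-mask semantics."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # every bit where addr and base differ must be a don't-care bit
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def matching_hosts(base: str, wildcard: str, network: str) -> list:
    """Hosts of network that the ACE address/wildcard pair would match."""
    return [str(h) for h in ipaddress.IPv4Network(network).hosts()
            if wildcard_match(str(h), base, wildcard)]

def ace_permits(ace: dict, src: str, dst: str, proto: str, dport: int) -> bool:
    """Evaluate one structured ACE; src/dst are (address, wildcard) pairs."""
    return (ace["proto"] == proto
            and ace["dport"] == dport
            and wildcard_match(src, *ace["src"])
            and wildcard_match(dst, *ace["dst"]))

HOST = "0.0.0.0"   # wildcard implied by the "host" keyword
SYSLOG = 514       # UDP port that IOS names "syslog"

# Structured form of Sundar's corrected line:
# 1320 permit udp 172.18.6.0 0.0.0.255 host 172.16.1.5 eq syslog
ACE_1320 = {"proto": "udp", "dport": SYSLOG,
            "src": ("172.18.6.0", "0.0.0.255"),
            "dst": ("172.16.1.5", HOST)}

if __name__ == "__main__":
    # 0.0.0.250 keeps bits 0 and 2 of the last octet fixed, so only hosts
    # whose last octet has those bits clear (e.g. .2, .8, .10) match it.
    for mask in ("0.0.0.250", "0.0.0.255"):
        n = len(matching_hosts("172.18.6.0", mask, "172.18.6.0/24"))
        print(f"172.18.6.0 {mask} matches {n} of 254 hosts")
    print(ace_permits(ACE_1320, "172.18.6.17", "172.16.1.5", "udp", SYSLOG))
```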


spiritgroup Mon, 07/21/2008 - 08:32

Thanks for all the posts guys. Jon, it seems you're right, so there's not much I can do about that, as it's not really a problem, more just the way it should work.


Thanks.

Ryan Carretta Mon, 07/21/2008 - 23:40

Try this:


show tcam interface acl in ip

show tcam interface acl out ip
