VACL not showing matches

Jason Fraioli
Level 3

Do VACLS simply not show the matches in "show ip access-lists"?

I have 2 extended access-lists in production which work great, the only difference is that one of them is applied to an interface. The other ACL is applied in a VACL.

Edit: I am not seeing any matches even if I append the "log" on the end of an ACL statement.

Accepted Solution

I'm assuming this is a Native IOS 6500 and you have applied standard or extended RACLs (Routed Access Lists) on physical or SVI (Switch VLAN Interface) interfaces. The reason why you don't see matches using the "sh access-list" command is that the RACLs get imported into TCAM, which resides on the PFC module, and at that point they are processed in hardware.

That particular show command would only show packets that get punted to the MSFC to be processed in software because of some specific criterion the packet could not meet to be processed in hardware. For example, using the "log" keyword at the end of your ACL causes those packets to get punted to the MSFC to generate syslog messages, hence why you would see matches for those packets in the show access-list command.

So if you really want to see the matches on the RACLs that get imported into hardware, you need to issue the following command on the 6500 switch:

Switch#show tcam interface x/y acl in ip

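As an added example (not from the thread or from Cisco), a small Python audit that applies the accepted answer's point: it reads `show ip access-lists` output together with a running-config fragment, and flags entries of any ACL referenced by a `vlan access-map` whose hit counters cannot be trusted because matching traffic is hardware-switched, treating only `log` entries as reflecting punted packets. The ACL names, addresses and counts are constructed sample data.

```python
import re

# Constructed sample output of "show ip access-lists" (not from the post).
SHOW_IP_ACCESS_LISTS = """\
Extended IP access list RACL-SERVERS
    10 permit tcp any host 10.1.1.10 eq 22 (1532 matches)
    20 deny ip any any (87 matches)
Extended IP access list VACL-USERS
    10 permit tcp 10.2.0.0 0.0.255.255 any eq www
    20 deny ip any any log (12 matches)
"""

# Constructed running-config fragment; "match ip address" ties an ACL to a VACL.
RUNNING_CONFIG = """\
vlan access-map USERS-MAP 10
 match ip address VACL-USERS
 action forward
vlan filter USERS-MAP vlan-list 20
"""

ACL_HDR = re.compile(r"^Extended IP access list (\S+)")
ACE = re.compile(r"^\s+(\d+) (.+?)(?: \((\d+) matche?s?\))?$")
VACL_REF = re.compile(r"^\s*match ip address (\S+)", re.M)

def vacl_acls(config):
    """Return the set of ACL names referenced by any vlan access-map."""
    return set(VACL_REF.findall(config))

def parse_access_lists(text):
    """Map ACL name -> list of (seq, entry, match_count); count is 0 when absent."""
    acls, current = {}, None
    for line in text.splitlines():
        hdr = ACL_HDR.match(line)
        if hdr:
            current = acls.setdefault(hdr.group(1), [])
            continue
        ace = ACE.match(line)
        if ace and current is not None:
            seq, entry, count = ace.groups()
            current.append((int(seq), entry, int(count or 0)))
    return acls

def audit(show_text, config):
    """Label each ACE counter. For a VACL-applied ACL only punted packets are
    counted (e.g. those hitting a 'log' entry), so a zero there proves nothing."""
    hardware = vacl_acls(config)
    report = {}
    for name, aces in parse_access_lists(show_text).items():
        for seq, entry, count in aces:
            if name in hardware and "log" not in entry.split():
                report[(name, seq)] = "not counted (hardware switched; check show tcam interface)"
            elif name in hardware:
                report[(name, seq)] = f"{count} punted (logged) packets only"
            else:
                report[(name, seq)] = f"{count} matches"
    return report
```

Per the accepted answer the same caveat applies to RACLs programmed into TCAM, so in practice the `hardware` set would be widened to those ACL names as well.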


srue
Level 7

You are correct... it won't show the matches.

In fact, other than testing the VACLs, I haven't found a good way to actually verify that they are doing what you want them to do.

Anyone else have suggestions on this?

I am thinking the ACLs show the matches because they are being shot up to the MSFC, as opposed to the VACLs, which are not.


great info! thanks.
