07-23-2008 12:13 PM - edited 03-06-2019 12:25 AM
Do VACLS simply not show the matches in "show ip access-lists"?
I have 2 extended access-lists in production which work great, the only difference is that one of them is applied to an interface. The other ACL is applied in a VACL.
Edit: I am not seeing any matches even if I append the "log" on the end of an ACL statement.
07-23-2008 08:21 PM
I'm assuming this is a Native IOS 6500 and you have applied standard or extended RACLs (Routed Access Lists) on physical or SVI (Switch VLAN Interface) interfaces. The reason why you don't see matches using the "sh access-list" command is because the RACLs get imported into TCAM that resides on the PFC module, at which point they are processed in hardware.
That particular show command would only show packets that would get punted to the MSFC to get processed in software because of some specific criteria that packet could not meet to be processed in hardware. For example, using the "log" keyword at the end of your ACL invokes those packets to get punted to the MSFC to generate syslog messages, hence why you would see matches for those packets in the show access-list command.
So if you really want to see the matches on the RACLs that get imported into hardware, you need to issue the following command on the 6500 switch:
Switch#show tcam interface x/y acl in ip
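The answer above makes a point that is easy to miss when auditing a 6500: a zero counter in "show ip access-lists" is not evidence that an ACE is unused, because hardware-switched traffic never increments it, and only ACEs that punt to the MSFC (for example those carrying "log") count in software. The following Python script is an added example, not code from this thread or from Cisco: it parses the standard "show ip access-lists" output format, records the per-ACE match counter, and flags every ACE whose counter cannot be trusted on a PFC-equipped platform so that the reviewer knows to confirm it with "show tcam interface ... acl in ip" instead. The ACL names, addresses and counters in SAMPLE_OUTPUT are constructed for the example.

```python
import re

# Constructed sample of "show ip access-lists" output (not taken from the thread).
SAMPLE_OUTPUT = """\
Extended IP access list ACL-SERVERS
    10 permit tcp any host 10.0.0.5 eq 22 (0 matches)
    20 permit tcp any host 10.0.0.5 eq 443
    30 deny ip any any log (17 matches)
Extended IP access list ACL-MGMT
    10 permit ip 10.10.0.0 0.0.255.255 any
    20 deny ip any any (0 matches)
"""

# "Standard IP access list NAME" / "Extended IP access list NAME"
ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)")
# "    <seq> <rule text> (<n> match|matches)"  -- the counter suffix is optional
ACE_LINE = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")
# "log" or "log-input" as a whole keyword inside the rule text
LOG_KEYWORD = re.compile(r"\blog(?:-input)?\b")


def parse_access_lists(text):
    """Return {acl_name: [{"seq", "rule", "matches", "log"}, ...]}.

    A missing "(n matches)" suffix is recorded as 0, which is how IOS
    presents an ACE that has never been hit in software.
    """
    acls = {}
    current = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(2)
            acls[current] = []
            continue
        if current is None:
            continue
        ace = ACE_LINE.match(line)
        if not ace:
            continue
        seq, rule, matches = ace.groups()
        acls[current].append({
            "seq": int(seq),
            "rule": rule,
            "matches": int(matches) if matches else 0,
            "log": bool(LOG_KEYWORD.search(rule)),
        })
    return acls


def untrusted_counters(acls):
    """List (acl_name, seq, rule) for ACEs whose software counter says nothing.

    On a Native IOS 6500 the RACL lives in PFC TCAM; an ACE without "log" is
    matched entirely in hardware, so its counter stays at 0 regardless of
    traffic. Those ACEs must be checked in the TCAM statistics, not here.
    """
    return [
        (name, ace["seq"], ace["rule"])
        for name, aces in acls.items()
        for ace in aces
        if not ace["log"]
    ]


def report(text):
    """Human-readable summary used when run as a script."""
    acls = parse_access_lists(text)
    lines = []
    for name, aces in acls.items():
        lines.append(f"ACL {name}")
        for ace in aces:
            source = "software (punted to MSFC)" if ace["log"] else \
                "hardware; verify with 'show tcam interface <x/y> acl in ip'"
            lines.append(f"  {ace['seq']:>4} {ace['rule']:<45} "
                         f"{ace['matches']:>6} matches  [{source}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

Feed it the saved output of "show ip access-lists" from the switch; every ACE it lists under untrusted_counters is one whose matches are only visible through the TCAM command the answer gives, which is exactly the case the original poster hit with the VACL.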
07-23-2008 01:01 PM
You are correct... it won't show the matches.
In fact, other than testing the VACLs, I haven't found a good way to actually verify that they are doing what you want them to do.
Anyone else have suggestions on this?
07-23-2008 02:17 PM
I am thinking the ACLs show the matches because they are being shot up to the MSFC, as opposed to the VACLs, which are not.
07-24-2008 03:36 AM
Great info! Thanks.