ACL count increase on Cisco 6500

Jun 24th, 2009

Hello Experts,


I have configured 100+ ACLs on a 6500. I see logs of rules with matches, but only a few (for example 10 out of 100 match). And when I remove the rules which are not matched in the ACLs, the traffic does not go out of the interface. It appears to me like a bug; could someone tell me what is causing this.


ACL example:

2 permit tcp any any established (23090 matches)
10 permit ospf 10.2.2.0 0.0.0.255 any (290892 matches)
30 permit ip 10.3.3.0 0.0.0.255 any (34362 matches)
40 permit ip 10.11.11 0.0.0.255 10.11.11.0 0.0.255 (679608 matches)
50 permit ip 10.80.0.0 0.3.255.255 10.80.0.0 0.3.255.255
60 permit ip 10.20.129.0 0.0.0.255 any
70 permit ip 10.0.0.0 0.0.0.0 10.12.9.0 0.0.0.255
80 permit ip 10.0.0.0 0.0.0.255 10.70.50.0 0.0.0.255
90 permit ip 10.0.0.0 0.0.0.255 10.20.0.7 0.0.0.255
100 permit ip 10.0.0.0 0.255.255.255 10.50.0.0 0.0.255.255 (15 matches)

and many more....


Any help on this will be highly appreciated.


thanks

Neha.

Edison Ortiz Wed, 06/24/2009 - 08:38

Neha,


It's not a bug; that's a 6500 feature. ACLs are processed in hardware, not by the CPU. Any counts you see there were packets punted to the CPU for some reason. It will not reflect the total count processed by such an ACE.


HTH,


__


Edison.

nehakulsum Wed, 06/24/2009 - 23:43

Hi Edison,

Thanks for the update. But I have around 500 ACLs and I want to clear the unnecessary ACL rules/entries on the switch which are not matching or not used, and keep only the rules which are needed and which are getting matched.


But as soon as I remove the rules which are not matching/not needed, there is no traffic flowing through the interface.


Is this the behaviour of the switch? What is the alternate way to remove the ACLs?


Thanks in advance.

Neha.

Edison Ortiz Thu, 06/25/2009 - 05:01

Neha,


You can configure NetFlow and capture the flows traversing the interface. These flows can be exported to a NetFlow collector for further analysis.


As I stated, ACLs can't be used as a logging mechanism on the 6500.


HTH,


__


Edison.

nehakulsum Thu, 06/25/2009 - 05:43

Hi Edison,

Thanks for the information.

Can you tell me the best way to remove the whole access-list at once rather than removing it line by line? I will configure the access-list afresh with only 10 to 15 lines.


Regards,

Neha


Edison Ortiz Thu, 06/25/2009 - 05:56

Neha,


Just precede the command with a no.


For instance:


access-list 101 ...

no access-list 101 ...
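Since the 6500's ACE counters only reflect CPU-punted packets, the safe way to decide which entries to keep is to replay observed flows (from the NetFlow export Edison suggests) against the ACL offline. The following Python script is an added example, not code from this thread or from Cisco: it parses a constructed ACE listing in the thread's format (ports and the `established` keyword are assumed out of scope and ignored), evaluates constructed flow records in sequence order, and reports first-match hits per ACE plus flows that would fall through to the implicit deny.

```python
import ipaddress
from collections import Counter

# Constructed ACEs in the format of the thread's listing (sequence, action, proto, src, dst).
ACL_TEXT = """\
10 permit ospf 10.2.2.0 0.0.0.255 any
30 permit ip 10.3.3.0 0.0.0.255 any
60 permit ip 10.20.129.0 0.0.0.255 any
100 permit ip 10.0.0.0 0.255.255.255 10.50.0.0 0.0.255.255
"""

# Constructed NetFlow-style records: (protocol, source address, destination address).
FLOWS = [
    ("tcp", "10.3.3.7", "192.0.2.10"),
    ("udp", "10.3.3.8", "192.0.2.11"),
    ("tcp", "10.9.9.9", "10.50.1.1"),
    ("ospf", "10.2.2.1", "224.0.0.5"),
    ("tcp", "10.99.0.1", "198.51.100.5"),
]

def _parse_addr(tokens, i):
    """Return (network_int, care_mask_int, next_index) for 'any' or 'addr wildcard'."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    care = ~wild & 0xFFFFFFFF  # Cisco wildcard: 1 bits are "don't care"
    return net & care, care, i + 2

def parse_acl(text):
    """Parse 'seq action proto src [wild] dst [wild]' lines; trailing tokens are ignored."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5:
            continue
        snet, scare, i = _parse_addr(t, 3)
        dnet, dcare, _ = _parse_addr(t, i)
        aces.append((int(t[0]), t[1], t[2], snet, scare, dnet, dcare))
    return aces

def first_match(aces, proto, src, dst):
    """Sequence number of the first ACE the flow hits, or None for the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for seq, _action, p, snet, scare, dnet, dcare in aces:
        if p != "ip" and p != proto:  # 'ip' ACEs match every protocol
            continue
        if (s & scare) == snet and (d & dcare) == dnet:
            return seq
    return None

def ace_usage(acl_text, flows):
    """Map each ACE sequence to its first-match hit count, plus the implicit-deny count."""
    aces = parse_acl(acl_text)
    hits = Counter(first_match(aces, *f) for f in flows)
    return {seq: hits.get(seq, 0) for seq, *_ in aces}, hits.get(None, 0)
```

ACEs that show zero hits across a representative capture window are the candidates for removal; a non-zero implicit-deny count tells you which observed flows the ACL already drops.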