Issue with ACL and ACL rules.

Unanswered Question
Jun 30th, 2009

Hi Experts,

I have a question on an ACL rule entry that matches but doesn't affect/increase the match count in the output of the command (show access-list).

Syntax:

I have an ACL rule configured as:

Permit ip 20.0.0.0 0.0.255.255 20.16.105.0 0.0.0.255 on my Cisco 6500 switch, and we are able to access the servers on the 20.16.105.x network without any problem, and we are happy about this.

Now the problem is: why am I not able to see this rule hitting on the show access-list command? There are a lot of users accessing the destination network/servers at the same time, but still there is no match under the command.

#show access-list

Permit ip 20.0.0.0 0.0.255.255 20.16.105.0 0.0.0.255 ---> (Here I see no matches, whereas there should be an increasing count of matches when the traffic flows from source to destination and vice versa for this ACL rule.)

Is this a bug or something else?

Any help would be greatly appreciated.

mahmoodmkl Tue, 06/30/2009 - 02:46

Hi

Probably this is due to the ACL entries being hardware processed; they are not hitting the CPU.

Thanks

Mahmood

nehakulsum Tue, 06/30/2009 - 03:03

Yes, I agree with you. It is hardware processed, but then why is this rule not hitting the matches, whereas I have another rule where I see the ACL entries are getting matches?

Is there any way to find this out?

Thanks in advance.

Regards

Neha

nehakulsum Tue, 06/30/2009 - 05:57

Hi Collin,

Thanks for the wonderful link. Can you just tell me how exactly I need to enable it on the switch?

Thanks in advance.

Regards

Neha.

Collin Clark Tue, 06/30/2009 - 06:15

You would need to use Process Switching instead of CEF. Please note the second sentence in the link above: "Unfortunately, ACL logging can be CPU intensive and can negatively affect other functions of the network device." Process switching may or may not be available, depending on the platform of your device. I highly recommend you do NOT enable process switching.

http://www.cisco.com/en/US/docs/ios/12_1/switch/configuration/guide/xcdovips.html
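The thread's point is that on a hardware-forwarded platform a zero hit count in `show access-list` is not evidence that an ACE is unused, so an audit that flags "dead" ACL entries from that output alone will mislead. The following parser is an added example (not code from the thread or from Cisco): it reads `show access-list`-style text, extracts the `(N matches)` counters, and reports zero-hit entries as inconclusive rather than unused when the device forwards in hardware. The sample output, ACL number and hit counts are constructed for illustration; only the 20.x addresses come from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the style of IOS "show access-list" output. ACL number,
# hit counts and the extra ACEs are made up; the first ACE is the one from the thread.
SAMPLE_OUTPUT = """\
Extended IP access list 101
    10 permit ip 20.0.0.0 0.0.255.255 20.16.105.0 0.0.0.255
    20 permit tcp any host 20.16.105.10 eq 22 (1523 matches)
    30 permit icmp any any (1 match)
    40 deny ip any any log (42 matches)
"""

ACL_HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (?P<name>\S+)")
# Sequence number, action, rule body, and an optional "(N match/matches)" suffix.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<hits>\d+) match(?:es)?\))?\s*$"
)


@dataclass
class Ace:
    acl: str
    seq: int
    action: str
    rule: str
    hits: int        # 0 when the line carries no "(N matches)" suffix
    logged: bool     # True when the ACE has the log / log-input keyword


def parse_show_access_list(text: str) -> List[Ace]:
    """Return one Ace per access-list entry found in the command output."""
    aces: List[Ace] = []
    current_acl: Optional[str] = None
    for line in text.splitlines():
        header = ACL_HEADER_RE.match(line)
        if header:
            current_acl = header.group("name")
            continue
        m = ACE_RE.match(line)
        if m and current_acl is not None:
            rule = m.group("rule")
            aces.append(Ace(
                acl=current_acl,
                seq=int(m.group("seq")),
                action=m.group("action"),
                rule=rule,
                hits=int(m.group("hits") or 0),
                logged=any(tok in ("log", "log-input") for tok in rule.split()),
            ))
    return aces


def zero_hit_entries(aces: List[Ace]) -> List[Ace]:
    """ACEs whose software counter never incremented."""
    return [a for a in aces if a.hits == 0]


def audit(text: str, hardware_forwarded: bool = True) -> List[str]:
    """One verdict string per ACE.

    On a hardware-forwarded platform (the thread's Catalyst 6500 case) a zero
    counter only says the CPU never saw a matching packet, so it is reported as
    inconclusive instead of unused. Entries with "log" are punted to the CPU
    for logging, which is why their counters move while others stay at zero.
    """
    verdicts = []
    for a in parse_show_access_list(text):
        label = f"{a.acl} seq {a.seq} {a.action} {a.rule}"
        if a.hits > 0:
            verdicts.append(f"{label}: {a.hits} matches (software-counted)")
        elif hardware_forwarded:
            verdicts.append(f"{label}: 0 matches, inconclusive (hardware forwarded)")
        else:
            verdicts.append(f"{label}: 0 matches, candidate for review")
    return verdicts


if __name__ == "__main__":
    for v in audit(SAMPLE_OUTPUT):
        print(v)
```

Run against the sample, the thread's ACE (seq 10) comes back as "inconclusive" rather than "unused", while the logged `deny ip any any` shows a count because logged packets are handled by the CPU. Verifying real hit counts on such a platform needs the hardware counters the thread's link discusses, not this output.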

nehakulsum Tue, 06/30/2009 - 06:33

Hi Collin,

Thanks a ton, this is what I was looking for.

I appreciate your time and the solution provided.

Regards,

Neha.
