Issue with ACL and ACL rules.

Unanswered Question
Jun 30th, 2009

Hi Experts,

I have a question about ACL rule entries that match but don't affect/increase the match count in the output of the command (show access-list).

Syntax:

I have an ACL rule configured as:

Permit ip 20.0.0.0 0.0.255.255 20.16.105.0 0.0.0.255 on my Cisco 6500 switch, and we are able to access the servers on the 20.16.105.x network without any problem, and we are happy about this.


Now the problem here is: why am I not able to see this rule hitting in the show access-list command? There are a lot of users accessing the dst network/servers at the same time, but still there is no match shown under the command.


#show access-list


Permit ip 20.0.0.0 0.0.255.255 20.16.105.0 0.0.0.255 ---> (Here I see no matches, whereas there should be an increasing count of matches when the traffic flows from src to dst and vice versa for this ACL rule.)


Is this a bug or something else?


Any help would be greatly appreciated.

mahmoodmkl Tue, 06/30/2009 - 02:46
User Badges:
  • Gold, 750 points or more

Hi


Probably this is because the ACL entries are hardware processed; they are not hitting the CPU.


Thanks

Mahmood

nehakulsum Tue, 06/30/2009 - 03:03

Yes, I agree with you. It is hardware processed, but then why is this rule not hitting the matches, whereas I have another rule where I see the ACL entries are getting matches?

Is there any way to find this out?


Thanks in advance.

Regards

Neha

nehakulsum Tue, 06/30/2009 - 05:57

Hi Collin,

Thanks for the wonderful link. Can you just tell me how exactly I need to enable it on the switch?


Thanks in advance.

Regards

Neha.

Collin Clark Tue, 06/30/2009 - 06:15
User Badges:
  • Purple, 4500 points or more

You would need to use process switching instead of CEF. Please note the second sentence in the link above: "Unfortunately, ACL logging can be CPU intensive and can negatively affect other functions of the network device." Process switching may or may not be available, depending on the platform of your device. I highly recommend you do NOT enable process switching.


http://www.cisco.com/en/US/docs/ios/12_1/switch/configuration/guide/xcdovips.html
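Because a hardware-switched Catalyst only increments ACE counters for the packets that reach the CPU, a zero match count on the 6500 does not prove an entry is unused. The following Python example, added here and not part of the thread or of any Cisco tool, parses `show access-list` output (the sample below is constructed around the thread's ACE) and evaluates a flow against the ACL offline using Cisco wildcard-mask semantics, including discontiguous masks.

```python
import ipaddress
import re

# Constructed sample output modelled on the thread's ACE; not captured from a real device.
SAMPLE_SHOW_ACCESS_LIST = """\
Extended IP access list 101
    10 permit ip 20.0.0.0 0.0.255.255 20.16.105.0 0.0.0.255
    20 permit ip 10.1.0.0 0.0.255.255 any (1432 matches)
    30 deny ip any any (57 matches)
"""

# One ACE per line: optional sequence number, action, protocol, source, destination,
# optional "(N matches)" counter as printed by show access-list.
ACE_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+\((?P<matches>\d+) matches\))?\s*$"
)

def parse_endpoint(text):
    """Return (address, wildcard) as ints for 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'."""
    if text == "any":
        return 0, 0xFFFFFFFF                      # every bit is "don't care"
    if text.startswith("host "):
        return int(ipaddress.IPv4Address(text.split()[1])), 0
    addr, wildcard = text.split()
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))

def wildcard_match(ip, addr, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask is ignored, only 0 bits must agree.
    Integer math keeps this correct for discontiguous masks (e.g. 0.0.254.255), which a
    conversion to prefix length would reject."""
    ip = int(ipaddress.IPv4Address(ip))
    care = ~wildcard & 0xFFFFFFFF
    return (ip & care) == (addr & care)

def parse_acl(output):
    """Extract the ACEs (with their printed match counters, 0 when absent) from CLI output."""
    aces = []
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:
            ace = m.groupdict()
            ace["matches"] = int(ace["matches"]) if ace["matches"] else 0
            aces.append(ace)
    return aces

def first_match(aces, src_ip, dst_ip):
    """Evaluate top-down like the device; address-only since the sample ACEs are all 'ip'.
    Returns the winning ACE, or None for the implicit deny at the end of the list."""
    for ace in aces:
        s_addr, s_wc = parse_endpoint(ace["src"])
        d_addr, d_wc = parse_endpoint(ace["dst"])
        if wildcard_match(src_ip, s_addr, s_wc) and wildcard_match(dst_ip, d_addr, d_wc):
            return ace
    return None
```

Running `first_match(parse_acl(SAMPLE_SHOW_ACCESS_LIST), "20.0.7.9", "20.16.105.20")` returns the sequence-10 ACE even though its printed counter is 0, which is exactly the situation described in the question.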



nehakulsum Tue, 06/30/2009 - 06:33

Hi Collin,

Thanks a ton, this is what I was looking for.


I appreciate your time and the solution provided.


Regards,

Neha.
