ACL not showing hit count incremented

Unanswered Question

Hi Folks, I need a little help. I have configured an ACL on a 3750 to allow RDP, SSH & TCP 8080 access to a management machine from certain VLANs. I am able to access the machine but I do not see the ACL hit counts incremented. How do I configure my ACL to show the hit count incrementing?

Thank you in advance, I appreciate it.

Regards,

JP

Giuseppe Larosa Mon, 10/12/2009 - 10:37

Hello Joseph,

After having defined the ACL, have you applied it somewhere? For example:

int vlan 10
 ip access-group acl_number

or

 ip access-group acl_name

Caution: this may cause you to lose remote access to and control of the device, so don't do it if you are not sure your ACL is correct.

Also be aware that some multilayer switch platforms are not able to update hit counters for their MLS implementation.

This can be your case: the ACL may be effective but counters are not incremented.

Hope to help

Giuseppe

Hi Giuseppe,

Thank you for your response. Yes, the ACL is applied on the VLAN interface.

I apologize for not mentioning that the counters for the other lines on the ACL show hit counts incremented & some don't increment. I am able to connect to that box using RDP.

Extended IP access list Restrict-Mgmt
    10 permit tcp any any established (146 matches)
    20 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 3389
    30 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 443 (9 matches)
    50 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 8080
    60 permit udp any eq ntp host 172.16.100.200
    70 permit udp any eq domain host 192.168.100.200
    80 deny ip any host 192.168.100.200 (17131 matches)
    90 permit ip any any (515 matches)
sw-core-2#

interface Vlan100
 ip address 192.168.100.3 255.255.255.0
 ip access-group Restrict-Mgmt out
 no ip redirects
 no ip proxy-arp
end
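
Since counters may not be a reliable guide on every platform (see the reply above), the ACL's logic can also be checked offline. The following is an added example, not code from any poster in this thread: a small first-match evaluator for the posted Restrict-Mgmt ACL. The function names, the `ack` flag (standing in for a TCP segment with ACK or RST set) and the test addresses are assumptions, and it handles only the syntax this ACL uses.

```python
from ipaddress import IPv4Address

# ACL text copied from the "show access-lists" output posted above.
ACL = """\
10 permit tcp any any established (146 matches)
20 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 3389
30 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 443 (9 matches)
50 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 8080
60 permit udp any eq ntp host 172.16.100.200
70 permit udp any eq domain host 192.168.100.200
80 deny ip any host 192.168.100.200 (17131 matches)
90 permit ip any any (515 matches)
"""
PORTS = {"ntp": 123, "domain": 53}  # port keywords that appear in this ACL

def _addr(tok):  # 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard) ints
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(IPv4Address(tok.pop(0))), 0
    return int(IPv4Address(t)), int(IPv4Address(tok.pop(0)))

def _port(tok):  # optional 'eq PORT' -> int, or None for any port
    if tok[:1] != ["eq"]:
        return None
    _, name = tok.pop(0), tok.pop(0)
    return PORTS.get(name) or int(name)

def parse(text):
    aces = []
    for line in filter(str.strip, text.splitlines()):
        tok = line.split("(")[0].split()  # drop the "(N matches)" suffix
        ace = {"seq": int(tok.pop(0)), "action": tok.pop(0), "proto": tok.pop(0)}
        ace["src"], ace["sport"] = _addr(tok), _port(tok)
        ace["dst"], ace["dport"] = _addr(tok), _port(tok)
        aces.append(dict(ace, est="established" in tok))
    return aces

def _ip_ok(spec, ip):  # wildcard bits set to 1 are ignored in the comparison
    return (int(IPv4Address(ip)) | spec[1]) == (spec[0] | spec[1])

def first_match(aces, proto, src, dst, sport=None, dport=None, ack=False):
    for a in aces:
        if (a["proto"] in ("ip", proto) and (ack or not a["est"])
                and _ip_ok(a["src"], src) and _ip_ok(a["dst"], dst)
                and a["sport"] in (None, sport) and a["dport"] in (None, dport)):
            return a["seq"], a["action"]  # first matching entry wins
    return None, "deny"  # implicit deny that ends every ACL
```

With this evaluator, an initial RDP segment (no ACK) from 10.10.2.25 to 192.168.100.200 port 3389 matches entry 20, while the same flow with `ack=True` matches entry 10. The same connection attempt from 10.10.3.25 falls through to the deny at entry 80.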

pompeychimes Tue, 10/13/2009 - 17:50

Shouldn't your ACL be applied inbound...

interface Vlan100
 ip address 192.168.100.3 255.255.255.0
 ip access-group Restrict-Mgmt in
