ACL not showing hit count incremented

josephp
Level 1

Hi Folks, I need a little help. I have configured an ACL on a 3750 to allow RDP, SSH & TCP 8080 access to a management machine from certain VLANs. I am able to access the machine but I do not see the ACL hit counts incremented. How do I configure my ACL to show the hit count incrementing?

Thank you in advance, I appreciate it.

Regards,

JP

5 Replies

Giuseppe Larosa
Hall of Fame

Hello Joseph,

after having defined the ACL, have you applied it somewhere? For example:

int vlan 10
ip access-group acl_number

or

ip access-group acl_name

caution:

this may cause you to miss device remote access and control.

so don't do it if you are not sure your ACL is correct.

Be also aware that some multilayer switch platforms are not able to update hit counters for their MLS implementation.

This can be your case: the ACL may be effective but counters are not incremented.

Hope to help

Giuseppe

Hi Giuseppe,

Thank you for your response, yes the ACL is applied on the VLAN interface.

I apologize for not mentioning that the counters for some of the lines on the ACL show hit counts incrementing and some don't increment. I am able to connect to that box using RDP.

Extended IP access list Restrict-Mgmt
    10 permit tcp any any established (146 matches)
    20 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 3389
    30 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 443 (9 matches)
    50 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 8080
    60 permit udp any eq ntp host 172.16.100.200
    70 permit udp any eq domain host 192.168.100.200
    80 deny ip any host 192.168.100.200 (17131 matches)
    90 permit ip any any (515 matches)
sw-core-2#

interface Vlan100
 ip address 192.168.100.3 255.255.255.0
 ip access-group Restrict-Mgmt out
 no ip redirects
 no ip proxy-arp
end
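A small parser for the `show ip access-list` counter output pasted above, added here as an example and not part of the thread: it lists which ACEs have matched and which still show zero, and totals the permit versus deny hits, so the "some lines increment, some don't" observation can be checked from a pasted capture. The sample text is the ACL from this thread; the function and field names are the example's own.

```python
import re

# Constructed sample input: the ACL counters quoted in this thread.
SAMPLE = """Extended IP access list Restrict-Mgmt
    10 permit tcp any any established (146 matches)
    20 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 3389
    30 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 443 (9 matches)
    50 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 8080
    60 permit udp any eq ntp host 172.16.100.200
    70 permit udp any eq domain host 192.168.100.200
    80 deny ip any host 192.168.100.200 (17131 matches)
    90 permit ip any any (515 matches)
"""

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (?P<name>\S+)")
# "(1 match)" and "(N matches)" are both accepted; a missing suffix means zero hits.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<body>.*?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)


def parse_show_access_list(text):
    """Return {acl_name: [{'seq', 'action', 'body', 'matches'}, ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group("name")
            acls[current] = []
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            acls[current].append({
                "seq": int(m.group("seq")),
                "action": m.group("action"),
                "body": m.group("body").strip(),
                "matches": int(m.group("matches") or 0),
            })
    return acls


def unmatched_entries(acl):
    """ACEs still at zero. On a hardware-switching platform a zero counter
    does not prove the entry is unused (see the reply above), so treat these
    as entries to verify, not as dead rules."""
    return [e for e in acl if e["matches"] == 0]


def hits_by_action(acl):
    """Total matches per action, e.g. how much traffic the deny line absorbed."""
    totals = {"permit": 0, "deny": 0}
    for e in acl:
        totals[e["action"]] += e["matches"]
    return totals
```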

Shouldn't your ACL be applied inbound...

interface Vlan100
 ip address 192.168.100.3 255.255.255.0
 ip access-group Restrict-Mgmt in

Hi pompeychimes,

Thanks for your input. It should be applied outbound, as you can see the destination of the ACL entries is 192.168.100.200.

Thanks,

Joe

Collin Clark
VIP Alumni

Here's a link on Access List Logging and some of the caveats.

http://www.cisco.com/web/about/security/intelligence/acl-logging.html

Hope it helps.
