I have created a new VLAN on my 6509 Core Switch. On this VLAN, I have applied an extended ACL to allow
servers OUTSIDE the VLAN to access certain servers INSIDE the VLAN. It appears the access-list is working
but yet my access-list doesn't show matches UNLESS it's on a specific deny ip any any log statement that I put on
the bottom of the ACL. I want to see the matches on the ACL. Why is it that I'm not getting matches on this?
I have my VLAN applied to my interface in an outbound fashion. This is pretty much what I have:
ip address 192.168.50.x y.y.y.y
ip access-group ACL-OUT out
ip access-list extended ACL-OUT
permit ip host 184.108.40.206 192.168.50.0 0.0.0.255
permit ip host 220.127.116.11 192.168.50.0 0.0.0.255
deny ip any any log
Now even though I am coming from a host of 18.104.22.168 or 22.214.171.124 and destined for a host on 192.168.50.x, the access is
granted but yet when I display my ACL it's not showing any matches. If I remove, say, 126.96.36.199 from the ACL and try to ping, I can
no longer ping, but I do get matches on the deny line. Can someone explain that to me? That doesn't make sense to me.
I'm using IOS ver 12.2(33)SXH2a if it helps.
Thanks again for taking the time to assist me with understanding this. It's definitely appreciated.
It appears as though the other ACLs seem to be kicking out the right numbers. However, it's only a guess per se since there
are numerous packets shooting through these interfaces. When I do a ping or something along those lines, they seem to work ok with
the correct number of icmp packets per ping.
I was reading the article you sent about OAL and it mentioned that VACL (VLAN ACLs) and OAL are incompatible. Isn't this what I'm attempting
to do? I guess I'm still a bit confused and I apologize for my ignorance. How is this normally done in order for me to see activity on this ACL or the traffic? Do I just add a 'log' statement to each line of the ACL? My fear is that someone else from my network team will go look at this VACL and not see any matches and end up removing it thinking it's not being utilized.
Also, are the high-end switch/routers the only ones that do their switching in hardware? We have a bunch of 1721s / 1841s / 2600s and a couple of 7200s and I don't know that I've ever run into this problem with them.
Thanks a million for sharing a little bit of your knowledge with me.
VACLs on the 6500 are VLAN ACLs that can be applied to traffic entering or leaving a VLAN but also to traffic between clients within the same VLAN. So a VACL is not a standard ACL that is applied to a VLAN interface. So the ACL in your example is not a VACL.
You certainly don't want to add a log to each entry without turning on OAL, otherwise you will seriously degrade the performance of the 6500. But with OAL you should be okay. Don't forget that you can add a "remark" entry to ACLs, so you could add a remark saying something along the lines of "This ACL is in use, do not delete".
To be honest, without looking at architecture papers (if there are any) for the devices you have listed it's difficult to answer. Generally routers perform their functions in software. The 6500 I know relatively well, so I have seen this ACL hitcount behaviour many times. Don't forget that not necessarily all packets are hardware switched even without the log keyword, so your ACLs will have some hitcounts.
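As an added illustration (not the poster's configuration, and not taken from the reply above), here is what the two suggestions in the answer look like together on a Catalyst 6500: OAL enabled globally so that the "log" keyword on each entry is handled by the hardware logging cache rather than punting every packet to the route processor, plus remark lines that tell a colleague the ACL is in use. The host addresses are the ones from the question; the SVI name, the VLAN address and mask, the OAL cache sizing values and the contact remark are assumed placeholders, and the OAL command options should be checked against the release notes for the running IOS version.

```cisco
! Optimized ACL Logging (OAL): counts and logs "log" entries in hardware.
! Cache sizing values are assumed placeholders; tune per the platform documentation.
logging ip access-list cache entries 8000
logging ip access-list cache interval 300
logging ip access-list cache threshold 1000
logging ip access-list cache enable
!
ip access-list extended ACL-OUT
 remark ACL-OUT restricts outside servers reaching VLAN 50 servers - IN USE, DO NOT REMOVE
 remark Owner: network team (assumed placeholder contact)
 permit ip host 184.108.40.206 192.168.50.0 0.0.0.255 log
 permit ip host 220.127.116.11 192.168.50.0 0.0.0.255 log
 deny ip any any log
!
! Assumed SVI name and addressing for the new VLAN
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
 ip access-group ACL-OUT out
!
! Verification after generating test traffic (e.g. a ping from 184.108.40.206):
! show ip access-lists ACL-OUT
```

After OAL is on, `show ip access-lists ACL-OUT` should show per-entry match counts on the logged permit lines as well as on the final deny, which addresses the "someone will think it is unused and delete it" concern directly; the remark lines cover the same concern for anyone who only reads the configuration.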