02-05-2010 08:40 AM - edited 03-07-2019 12:33 AM
I have created a new VLAN on my 6509 Core Switch. On this VLAN, I have applied an extended ACL to allow
servers OUTSIDE the VLAN to access certain servers INSIDE the VLAN. It appears the access-list is working
but yet my access-list doesn't show matches UNLESS it's on a specific deny ip any any log statement that I put on
the bottom of the ACL. I want to see the matches on the ACL. Why is it that I'm not getting matches on this?
I have my VLAN applied to my interface in an outbound fashion. This is pretty much what I have:
vlan50
ip address 192.168.50.x y.y.y.y
ip access-group ACL-OUT out
ip access-list extended ACL-OUT
permit ip host 1.1.1.1 192.168.50.0 0.0.0.255
permit ip host 2.2.2.2 192.168.50.0 0.0.0.255
deny ip any any log
Now even though I am coming from a host of 1.1.1.1 or 2.2.2.2 and destined for a host on 192.168.50.x, the access is
granted, but yet when I display my ACL it's not showing any matches. If I remove, say, 1.1.1.1 from the ACL and try to ping, I can
no longer ping, but I do get matches on the deny line. Can someone explain that to me? That doesn't make sense to me.
I'm using IOS ver 12.2(33)SXH2a if it helps.
02-05-2010 08:47 AM
jonesl1 wrote:
I have created a new VLAN on my 6509 Core Switch. On this VLAN, I have applied an extended ACL to allow
servers OUTSIDE the VLAN to access certain servers INSIDE the VLAN. It appears the access-list is working
but yet my access-list doesn't show matches UNLESS it's on a specific deny ip any any log statement that I put on
the bottom of the ACL. I want to see the matches on the ACL. Why is it that I'm not getting matches on this?
I have my VLAN applied to my interface in an outbound fashion. This is pretty much what I have:
vlan50
ip address 192.168.50.x y.y.y.y
ip access-group ACL-OUT out
ip access-list extended ACL-OUT
permit ip host 1.1.1.1 192.168.50.0 0.0.0.255
permit ip host 2.2.2.2 192.168.50.0 0.0.0.255
deny ip any any log
Now even though I am coming from a host of 1.1.1.1 or 2.2.2.2 and destined for a host on 192.168.50.x, the access is
granted, but yet when I display my ACL it's not showing any matches. If I remove, say, 1.1.1.1 from the ACL and try to ping, I can
no longer ping, but I do get matches on the deny line. Can someone explain that to me? That doesn't make sense to me.
I'm using IOS ver 12.2(33)SXH2a if it helps.
The 6500 processes the acl in hardware and that is why you are not seeing any hits. This is normal. By adding the "log" keyword to your deny line unless you have configured OAL (Optimised ACL Logging) you are actually processing all the deny packets in software on the RP.
See this guide for OAL -
Jon
02-05-2010 12:43 PM
Jon,
The only thing is, regarding the OAL, I have numerous other extended ACLs on this router and they are all showing matches on the
ACLs like they should. It only seems to be this one. I did, however, try to enable OAL on the interface, but with no change. It still
wouldn't work.
Any other suggestions?
02-05-2010 08:51 AM
Hi Jones
Can you try an inbound access-list here? When inbound, traffic from the 192.x.x.x segment reaches 1.1.1.1 and you would have more control of your traffic.
vlan50
ip address 192.168.50.x y.y.y.y
ip access-group ACL-IN in
ip access-list extended ACL-IN
permit ip 192.168.50.0 0.0.0.255 host 1.1.1.1
permit ip 192.168.50.0 0.0.0.255 host 2.2.2.2
deny ip any any log
The above ACL should work well.
Where is the traffic originating? From 1.1.1.1 or 192.168.x.x?
Thanks & Regards
Raj
02-05-2010 12:40 PM
Raj,
Thanks for the quick replies. I did try to reverse the direction of the ACL. Again the same results are occurring. I only catch
matches on the deny statement. I still have no idea why this is occurring.
02-05-2010 12:45 PM
Is the ACL functionality working? Is it denying / allowing the traffic which you wanted? If it is only to do with counters, see Jon's explanation. It's very useful information that Jon provided.
Raj
02-05-2010 12:51 PM
The ACL functions fine....works great. The counters seem to be my only issue. And when I say counters, I'm talking about when I do a 'sho access-list XXXX' and it displays the matches after the line. I have many other extended ACLs on this device and am not sure why this one would be so different. Also, I did attempt to apply the logging ip access-list cache in to the VLAN interface, but it didn't seem to make a difference.
02-05-2010 01:04 PM
Can you please post the output of "show ip access-list"? You mean to say you have other extended ACLs which show
matches, but only this named ACL doesn't show any?
Raj
02-05-2010 03:15 PM
jonesl1 wrote:
The ACL functions fine....works great. The counters seem to be my only issue. And when I say counters, I'm talking about when I do a 'sho access-list XXXX' and it displays the matches after the line. I have many other extended ACLs on this device and am not sure why this one would be so different. Also, I did attempt to apply the logging ip access-list cache in to the VLAN interface, but it didn't seem to make a difference.
There will be hits on an acl every time the packet is processed in software. So you may well be seeing some hits on other acls if the packet is not hardware switched and there are a number of reasons why a packet is not hardware switched of which adding the log keyword is just one.
The other acls that are showing hit counts, are they showing anywhere near the right amount for the traffic going through them ?
Jon
02-08-2010 05:29 AM
Jon,
Thanks again for taking the time to assist me with understanding this. It's definitely appreciated.
It appears as though the other ACLs seem to be kicking out the right numbers. However, it's only a guess per se since there
are numerous packets shooting through these interfaces. When I do a ping or something along those lines, they seem to work ok with
the correct number of ICMP packets per ping.
I was reading the article you sent about OAL and it mentioned that VACLs (VLAN ACLs) and OAL are incompatible. Isn't this what I'm attempting
to do? I guess I'm still a bit confused and I apologize for my ignorance. How is this normally done in order for me to see activity on this ACL or the traffic? Do I just add a 'log' statement to each line of the ACL? My fear is that someone else from my network team will go look at this VACL and not see any matches and end up removing it, thinking it's not being utilized.
Also, are the high-end switches/routers the only ones that do their switching in hardware? We have a bunch of 1721's / 1841's / 2600's and a couple of 7200's and I don't know that I've ever run into this problem with them.
Thanks a million for sharing a little bit of your knowledge with me.
02-08-2010 11:34 AM
jonesl1 wrote:
Jon,
Thanks again for taking the time to assist me with understanding this. It's definitely appreciated.
It appears as though the other ACLs seem to be kicking out the right numbers. However, it's only a guess per se since there
are numerous packets shooting through these interfaces. When I do a ping or something along those lines, they seem to work ok with
the correct number of ICMP packets per ping.
I was reading the article you sent about OAL and it mentioned that VACLs (VLAN ACLs) and OAL are incompatible. Isn't this what I'm attempting
to do? I guess I'm still a bit confused and I apologize for my ignorance. How is this normally done in order for me to see activity on this ACL or the traffic? Do I just add a 'log' statement to each line of the ACL? My fear is that someone else from my network team will go look at this VACL and not see any matches and end up removing it, thinking it's not being utilized.
Also, are the high-end switches/routers the only ones that do their switching in hardware? We have a bunch of 1721's / 1841's / 2600's and a couple of 7200's and I don't know that I've ever run into this problem with them.
Thanks a million for sharing a little bit of your knowledge with me.
VACLs on the 6500 are VLAN ACLs that can be applied to traffic entering or leaving a VLAN, but also to traffic between clients within the same VLAN. So a VACL is not a standard ACL that is applied to a VLAN interface. So the ACL in your example is not a VACL.
You certainly don't want to add a log to each entry without turning on OAL, otherwise you will seriously degrade the performance of the 6500. But with OAL you should be okay. Don't forget that you can add "remark
To be honest, without looking at architecture papers (if there are any) for the devices you have listed it's difficult to answer. Generally routers perform their functions in software. The 6500 I know relatively well, so I have seen this ACL hitcount behaviour many times. Don't forget that not necessarily all packets are hardware switched even without the log keyword, so your ACLs will have some hitcounts.
Jon
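The concern raised in this exchange, that a colleague will see zero matches on a hardware-switched 6500 ACL and remove it as unused, can be addressed by auditing ACLs from configuration rather than from counters. The following Python script is an added example, not code from the thread, Cisco, or any participant. It parses a constructed sample of `show ip access-lists` output and a constructed running-config fragment, reads the per-interface `logging ip access-list cache in|out` command that the thread mentions as the OAL switch, and then classifies each entry: a zero counter is reported as "hardware-switched, not evidence of non-use", a `log` entry on an interface without OAL in that direction is flagged as a software punt, and only non-zero counts are reported as software-switched matches. The addresses 192.168.50.1, Vlan60 and 10.60.0.x, and the ACL named ACL-LEGACY, are constructed for the sample.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show ip access-lists` output (IOS format). The permit
# entries carry no "(N matches)" suffix because the 6500 forwards those packets
# in hardware; only the `log` entries, punted to the RP, show a counter.
SHOW_ACL = """\
Extended IP access list ACL-OUT
    10 permit ip host 1.1.1.1 192.168.50.0 0.0.0.255
    20 permit ip host 2.2.2.2 192.168.50.0 0.0.0.255
    30 deny ip any any log (14 matches)
Extended IP access list ACL-LEGACY
    10 permit tcp any host 10.60.0.10 eq 443
    20 deny ip any any log (3 matches)
"""

# Constructed running-config fragment (hypothetical addresses). Vlan50 has OAL
# cache logging in the ACL's direction; Vlan60 applies a `log` ACL without it.
SHOW_RUN = """\
logging ip access-list cache entries 8000
logging ip access-list cache interval 300
!
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
 ip access-group ACL-OUT out
 logging ip access-list cache out
!
interface Vlan60
 ip address 10.60.0.1 255.255.255.0
 ip access-group ACL-LEGACY in
!
"""

HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (?P<name>\S+)")
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)


@dataclass
class Ace:
    seq: int
    action: str
    rule: str
    matches: int   # software hit counter; no suffix in the show output means 0
    logs: bool     # entry carries the `log` or `log-input` keyword


def parse_show_access_lists(text):
    """Return {acl_name: [Ace, ...]} from `show ip access-lists` output."""
    acls, current = {}, None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name")
            acls[current] = []
            continue
        ace = ACE_RE.match(line)
        if ace and current is not None:
            rule = ace.group("rule")
            acls[current].append(Ace(
                seq=int(ace.group("seq")),
                action=ace.group("action"),
                rule=rule,
                matches=int(ace.group("matches") or 0),
                logs=bool(re.search(r"\blog(?:-input)?\b", rule)),
            ))
    return acls


def parse_interfaces(run_cfg):
    """Return {interface: {"acl": {direction: acl_name}, "oal": {directions}}},
    read from `ip access-group` and the per-interface OAL command
    `logging ip access-list cache in|out` in a running config."""
    ifaces, iface = {}, None
    for line in run_cfg.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            ifaces[iface] = {"acl": {}, "oal": set()}
        elif iface and line.startswith(" "):
            parts = line.split()
            if parts[:2] == ["ip", "access-group"] and len(parts) == 4:
                ifaces[iface]["acl"][parts[3]] = parts[2]
            elif parts[:4] == ["logging", "ip", "access-list", "cache"] and len(parts) == 5:
                ifaces[iface]["oal"].add(parts[4])
        else:
            iface = None   # "!" or a global command ends the interface block
    return ifaces


def audit(show_acl_text, run_cfg):
    """Classify every entry of every interface-applied ACL. A zero counter on a
    hardware-forwarding platform is never reported as 'unused'; a `log` entry
    without OAL in that direction is flagged as a software punt."""
    acls, ifaces = parse_show_access_lists(show_acl_text), parse_interfaces(run_cfg)
    findings = []
    for iface, info in ifaces.items():
        for direction, acl_name in info["acl"].items():
            oal = direction in info["oal"]
            for ace in acls.get(acl_name, []):
                if ace.logs and not oal:
                    status = "software punt: log keyword without OAL"
                elif ace.logs:
                    status = "logged via OAL"
                elif ace.matches == 0:
                    status = "no counter: hardware-switched, not evidence of non-use"
                else:
                    status = f"{ace.matches} software-switched matches"
                findings.append((iface, direction, acl_name, ace.seq, status))
    return findings


if __name__ == "__main__":
    for row in audit(SHOW_ACL, SHOW_RUN):
        print(*row)
```

On a live box the two constants would be replaced by the captured `show ip access-lists` and `show running-config` text; the classification rule is the point, since it keeps "no counter" and "unused" as distinct states and surfaces `log` entries that are being punted to the RP without OAL.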
02-09-2010 06:41 AM
Thank you for the explanation Jon. It's definitely helped me. I know we had another problem here a while back with route-maps and
the ACL defining the interesting traffic. That ACL ALSO didn't show hits and I never really understood why... So I think you've actually solved two of my issues. I never realized that it only logs on the ACL if it's switched in software.
In terms of knowledge in this field, most of the time I feel like I am losing ground rather than gaining, but today I think you helped me take a step forward. Thank you!
02-09-2010 06:46 AM
No problem, glad to have helped.
In terms of knowledge in this field, most of the time I feel like I am losing ground rather than gaining
I think we all feel like this at times to be honest
Jon