Solved: ACL Issue

jonesl1 · ‎02-05-2010

I have created a new VLAN on my 6509 Core Switch. On this VLAN, I have applied an extended ACL to allow

servers OUTSIDE the VLAN to access certain servers INSIDE the VLAN. It appears the access-list is working

but yet my access-list doesnt show matches UNLESS it's on a specific deny ip any any log statement that I put on

the bottom of the ACL. I want to see the matches on the ACL. Why is it that I'm not getting matches on this?

I have my VLAN applied to my interface in an outbound fashion. This is pretty much what i have:

vlan50

ip address 192.168.50.x y.y.y.y

ip access-group ACL-OUT out

ip access-list extended ACL-OUT

permit ip host 1.1.1.1 192.168.50.0 0.0.0.255

permit ip host 2.2.2.2 192.168.50.0 0.0.0.255

deny ip any any log

Now even though I am coming from a host of 1.1.1.1 or 2.2.2.2 and destined for a host on 192.168.50.x, the access is

granted but yet when I display my ACL it's not showing any matches. If I remove say 1.1.1.1 from the acl and try to ping. I can

no longer ping, but i do get matches on the deny line. Can someone explain that to me? That doesnt make sense to me.

I'm using IOS ver 12.2(33)SXH2a if it helps.

Jon Marshall · ‎02-08-2010

jonesl1 wrote:

Jon,

Thanks again for taking the time to assist me with understanding this. It's definitely appreciated.

It appears as though the other ACL's seem to be kicking out the right numbers. However, it's only a guess per say since there

are numerous packets shooting through these interfaces. When I do a ping or something along those lines, they seem to work ok with

the correct number of icmp packets per ping.

I was reading the article you sent about OAL and it mentioned that VACL (vlan acl's) and OAL are incompatible. Isnt this what I'm attempting

to do? I guess i'm still a bit confused and I apologize for my ignorance. How is this normally done in order for me to see activity on this ACLor the traffic? Do I just add a 'log' statement to each line of the ACL? My fear is that someone else from my network team will go look at this VACL and not see any matches and end up removing it thinking it's not being utilized.

Also, are the high end switch/routers the only ons that do their switching in hardware? We have a bunch of 1721's / 1841's / 2600''s and a couple of 7200's and I don't know that i've ever ran into this problem with them.

Thanks a million for sharing a little bit of your knowledge with me.

VACLs on the 6500 are vlan acls that can be applied to traffic entering or leaving a vlan but also to traffic between clients within the same vlan. So a VACL is not a standard acl that is applied to a vlan interface. So the acl in your example is not a VACL.

You certainly don't want to add a log to each entry without turning on OAL otherwise you will seriously degrade the performance of the 6500. But with OAL you should be okay. Don't forget that you can add "remark " entry to ACLs so you could add a remark saying something along the lines of "This acl is in use, do not delete".

To be honest, without looking at architecture papers (if there are any) for the devices you have listed it's difficult to answer. Generally routers perform their functions in software. The 6500 i know relatively well so i have seen this acl hitcount behaviour many times. Don't forget that not necessarily all packets are hardware switched even without the log keyword so your acls will have some hitcounts.

Jon

View solution in original post

Jon Marshall · ‎02-05-2010

jonesl1 wrote:

I have created a new VLAN on my 6509 Core Switch. On this VLAN, I have applied an extended ACL to allow

servers OUTSIDE the VLAN to access certain servers INSIDE the VLAN. It appears the access-list is working

but yet my access-list doesnt show matches UNLESS it's on a specific deny ip any any log statement that I put on

the bottom of the ACL. I want to see the matches on the ACL. Why is it that I'm not getting matches on this?

I have my VLAN applied to my interface in an outbound fashion. This is pretty much what i have:

vlan50

ip address 192.168.50.x y.y.y.y

ip access-group ACL-OUT out

ip access-list extended ACL-OUT

permit ip host 1.1.1.1 192.168.50.0 0.0.0.255

permit ip host 2.2.2.2 192.168.50.0 0.0.0.255

deny ip any any log

Now even though I am coming from a host of 1.1.1.1 or 2.2.2.2 and destined for a host on 192.168.50.x, the access is

granted but yet when I display my ACL it's not showing any matches. If I remove say 1.1.1.1 from the acl and try to ping. I can

no longer ping, but i do get matches on the deny line. Can someone explain that to me? That doesnt make sense to me.

I'm using IOS ver 12.2(33)SXH2a if it helps.

The 6500 processes the acl in hardware and that is why you are not seeing any hits. This is normal. By adding the "log" keyword to your deny line unless you have configured OAL (Optimised ACL Logging) you are actually processing all the deny packets in software on the RP.

See this guide for OAL -

6500 OAL

Jon

jonesl1 · ‎02-05-2010

Jon,

The only thing is regarding the OAL is I have numerous other extended ACL's on this router and they are all showing matches on the

ACL's like they should. It only seems to be this one. I did, however, try to enable OAL on the interface, but with no change. it still

wouldnt work.

Any other suggestions?

sachinraja · ‎02-05-2010

Hi Jones

Can you try an inbound access-list here ?? When inbound, traffic from 192.x.x.x segment reaches 1.1.1.1 and you would have more control of your traffic..

vlan50

ip address 192.168.50.x y.y.y.y

ip access-group ACL-IN in

ip access-list extended ACL-IN

permit ip 192.168.50.0 0.0.0.255 host 1.1.1.1

permit ip 192.168.50.0 0.0.0.255 host 2.2.2.2

deny ip any any log

The above ACL should work good.

Where is the traffic originating ? from 1.1.1.1 or 192.168.x.x. ?

Thanks & Regards

Raj

jonesl1 · ‎02-05-2010

Raj,

Thanks for the quick replies. I did try to reverse the direction of the ACL. Again the same results are occurring. I only catch

matches on the deny statement. I still have no idea why this is occurring.

sachinraja · ‎02-05-2010

Is the ACL functionality working ? is it denying / allowing traffic which you wanted ? If it is only to do with counters, see Jons explanation... its a very useful information that Jon provided...

Raj

..

jonesl1 · ‎02-05-2010

The ACL functions fine....works great. The counters seem to be my only issue. And when I say counters, I'm talking about when I do a 'sho access-list XXXX' and it displays the matches after the line. I have many other extended ACL's on this device and am not sure why this one would be so different. Also, I did attempt to apply the logging ip access-list cache in to the vlan interface, but it didnt seem to make a difference.

sachinraja · ‎02-05-2010

Can you please post the output of "Show ip access-list" ? you mean to say you have other extended ACLs which show

matches, but only this named ACL which doesnt show ?

Raj

Jon Marshall · ‎02-05-2010

jonesl1 wrote:

The ACL functions fine....works great. The counters seem to be my only issue. And when I say counters, I'm talking about when I do a 'sho access-list XXXX' and it displays the matches after the line. I have many other extended ACL's on this device and am not sure why this one would be so different. Also, I did attempt to apply the logging ip access-list cache in to the vlan interface, but it didnt seem to make a difference.

There will be hits on an acl every time the packet is processed in software. So you may well be seeing some hits on other acls if the packet is not hardware switched and there are a number of reasons why a packet is not hardware switched of which adding the log keyword is just one.

The other acls that are showing hit counts, are they showing anywhere near the right amount for the traffic going through them ?

Jon

jonesl1 · ‎02-08-2010

Jon,

Thanks again for taking the time to assist me with understanding this. It's definitely appreciated.

It appears as though the other ACL's seem to be kicking out the right numbers. However, it's only a guess per say since there

are numerous packets shooting through these interfaces. When I do a ping or something along those lines, they seem to work ok with

the correct number of icmp packets per ping.

I was reading the article you sent about OAL and it mentioned that VACL (vlan acl's) and OAL are incompatible. Isnt this what I'm attempting

to do? I guess i'm still a bit confused and I apologize for my ignorance. How is this normally done in order for me to see activity on this ACLor the traffic? Do I just add a 'log' statement to each line of the ACL? My fear is that someone else from my network team will go look at this VACL and not see any matches and end up removing it thinking it's not being utilized.

Also, are the high end switch/routers the only ons that do their switching in hardware? We have a bunch of 1721's / 1841's / 2600''s and a couple of 7200's and I don't know that i've ever ran into this problem with them.

Thanks a million for sharing a little bit of your knowledge with me.

Jon Marshall · ‎02-08-2010

jonesl1 wrote:

Jon,

Thanks again for taking the time to assist me with understanding this. It's definitely appreciated.

It appears as though the other ACL's seem to be kicking out the right numbers. However, it's only a guess per say since there

are numerous packets shooting through these interfaces. When I do a ping or something along those lines, they seem to work ok with

the correct number of icmp packets per ping.

I was reading the article you sent about OAL and it mentioned that VACL (vlan acl's) and OAL are incompatible. Isnt this what I'm attempting

to do? I guess i'm still a bit confused and I apologize for my ignorance. How is this normally done in order for me to see activity on this ACLor the traffic? Do I just add a 'log' statement to each line of the ACL? My fear is that someone else from my network team will go look at this VACL and not see any matches and end up removing it thinking it's not being utilized.

Also, are the high end switch/routers the only ons that do their switching in hardware? We have a bunch of 1721's / 1841's / 2600''s and a couple of 7200's and I don't know that i've ever ran into this problem with them.

Thanks a million for sharing a little bit of your knowledge with me.

VACLs on the 6500 are vlan acls that can be applied to traffic entering or leaving a vlan but also to traffic between clients within the same vlan. So a VACL is not a standard acl that is applied to a vlan interface. So the acl in your example is not a VACL.

You certainly don't want to add a log to each entry without turning on OAL otherwise you will seriously degrade the performance of the 6500. But with OAL you should be okay. Don't forget that you can add "remark " entry to ACLs so you could add a remark saying something along the lines of "This acl is in use, do not delete".

To be honest, without looking at architecture papers (if there are any) for the devices you have listed it's difficult to answer. Generally routers perform their functions in software. The 6500 i know relatively well so i have seen this acl hitcount behaviour many times. Don't forget that not necessarily all packets are hardware switched even without the log keyword so your acls will have some hitcounts.

Jon

jonesl1 · ‎02-09-2010

Thank you for the explanation Jon. It's definitely helped me. I know we had another problem here a while back with route-map's and

the acl defining the interesting traffic. That ACL ALSO didnt show hits and i never really understood why...So I think you've actually solved two of my issues. I never realized that it only logs on the acl if its switched in software.

In terms of knowledge in this field, most of the time I feel like I am losing ground rather than gaining, but today I think you helped me take a step forward. Thank you!

Jon Marshall · ‎02-09-2010

No problem, glad to have helped.

In terms of knowledge in this field, most of the time I feel like I am losing ground rather than gaining

I think we all feel like this at times to be honest

Jon