Solved: ACL counters issue

Vyacheslav_Maliev · ‎04-03-2012

Hi!

I have 2911 router with 15.0 IOS + security + data. The problem is in ACL hit logging. Even if i applied statement "permit ip any any log" on the interface, counters would not match anything.

Vasileios Bouloukos MSc, ITIL, CCIE · ‎04-03-2012

Hi,

Did you search for the possibiltiy of a bug?

I have involved to a problem with an Access-list that denied all and was solved with a new IOS

https://supportforums.cisco.com/message/3591511#3591511

Hope that helps,

Vasilis

View solution in original post

Edison Ortiz · ‎04-03-2012

Can you provide configs and example of exactly what you are seeing?

Vyacheslav_Maliev · ‎04-03-2012

Yes, here you are:

interface GigabitEthernet0/0

ip address 172.16.1.1 255.255.255.252

ip access-group test_acl in

ip flow ingress

ip flow egress

duplex auto

speed auto

ip access-list extended test_acl

permit ip any any log

i am seeing:

#show interfaces gigabitEthernet 0/0

GigabitEthernet0/0 is up, line protocol is up

Hardware is CN Gigabit Ethernet, address is c471.fec5.89f8 (bia c471.fec5.89f8)

Internet address is 172.16.1.1/30

MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full Duplex, 100Mbps, media type is RJ45

output flow-control is XON, input flow-control is XON

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:10, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 35

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 186000 bits/sec, 10 packets/sec

5 minute output rate 27000 bits/sec, 14 packets/sec

418641389 packets input, 3158351856 bytes, 0 no buffer

Received 69630 broadcasts (0 IP multicasts)

0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog, 66277 multicast, 0 pause input

439197818 packets output, 803260124 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 unknown protocol drops

0 babbles, 0 late collision, 0 deferred

2 lost carrier, 0 no carrier, 0 pause output

0 output buffer failures, 0 output buffers swapped out

#sh ip access-lists

Standard IP access list RADMIN

10 permit 172.16.2.0, wildcard bits 0.0.0.255 (12 matches)

Extended IP access list test_acl

10 permit ip any any log

Edison Ortiz · ‎04-03-2012

Unable to duplicate:

System image file is "flash0:c2900-universalk9-mz.SPA.151-1.T.bin"

ip access-list extended acl-in

permit ip any any log

interface GigabitEthernet0/0

ip address 100.1.13.200 255.255.255.0

ip access-group acl-in in

duplex auto

speed auto

Router#ping 100.1.13.200

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 100.1.13.200, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Router#

%SEC-6-IPACCESSLOGDP: list acl-in permitted icmp 100.1.13.250 -> 100.1.13.200 (0/0), 1 packet

Extended IP access list acl-in

10 permit ip any any log (9 matches)

Vasileios Bouloukos MSc, ITIL, CCIE · ‎04-03-2012

Hi,

Did you search for the possibiltiy of a bug?

I have involved to a problem with an Access-list that denied all and was solved with a new IOS

https://supportforums.cisco.com/message/3591511#3591511

Hope that helps,

Vasilis

Vyacheslav_Maliev · ‎04-04-2012

I am suspecting IP CEF enabled globally

Peter Paluch · ‎04-04-2012

Hi Vyacheslav,

IP CEF is activated globally by default indeed, but on ISR and ISR G2 routers, CEF is purely software-based. Counters on ACLs are not incremented if they are processed in hardware, which should not be the case here.

Best regards,

Peter