
New Member

ACL not showing hit count incremented

Hi Folks, I need a little help. I have configured an ACL on a 3750 to allow RDP, SSH & TCP 8080 access to a management machine from certain VLANs. I am able to access the machine but I do not see the ACL hit counts incremented. How do I configure my ACL to show the hit count incrementing?

Thank you in Advance I appreciate it.

Regards,

JP

5 REPLIES
Hall of Fame Super Silver

Re: ACL not showing hit count incremented

Hello Joseph,

After having defined the ACL, have you applied it somewhere? For example:

int vlan 10
ip access-group acl_number

or

ip access-group acl_name

Caution: this may cause you to miss device remote access and control, so don't do it if you are not sure your ACL is correct.

Be also aware that some multilayer switch platforms are not able to update hit counters for their MLS implementation.

This can be your case: the ACL may be effective but counters are not incremented.

Hope to help

Giuseppe

New Member

Re: ACL not showing hit count incremented

Hi Giuseppe,

Thank you for your response, yes, the ACL is applied on the VLAN interface.

I apologize for not mentioning that the counters for the other lines in the ACL show hit counts incrementing & some don't increment. I am able to connect to that box using RDP.

Extended IP access list Restrict-Mgmt
10 permit tcp any any established (146 matches)
20 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 3389
30 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 443 (9 matches)
50 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 8080
60 permit udp any eq ntp host 172.16.100.200
70 permit udp any eq domain host 192.168.100.200
80 deny ip any host 192.168.100.200 (17131 matches)
90 permit ip any any (515 matches)
sw-core-2#

interface Vlan100
ip address 192.168.100.3 255.255.255.0
ip access-group Restrict-Mgmt out
no ip redirects
no ip proxy-arp
end
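Whether a counter is really stuck, or whether traffic simply never reaches that ACE, is easier to judge from two snapshots of "show access-lists" taken a few minutes apart than from one. The script below is an added example for this thread, not something posted by any participant or shipped by Cisco. It parses the ACE format shown in the post above (sequence number, rule text, optional "(n matches)" suffix; the singular "(1 match)" spelling is assumed from IOS output) and reports which entries moved between snapshots. The second snapshot is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# One access-control entry (ACE) as printed by "show access-lists":
# "<seq> <rule text>" optionally followed by "(<n> match|matches)".
ACE_RE = re.compile(r"^(\d+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?$")


def parse_acl(text: str) -> Dict[int, Tuple[str, int]]:
    """Map ACE sequence number -> (rule text, match count).

    An ACE printed without a "(n matches)" suffix has never counted a
    packet, so it is recorded with a count of 0. Header lines, the CLI
    prompt and blank lines do not match the pattern and are skipped.
    """
    entries: Dict[int, Tuple[str, int]] = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        seq, rule, count = m.groups()
        entries[int(seq)] = (rule, int(count) if count else 0)
    return entries


def counter_deltas(before: Dict[int, Tuple[str, int]],
                   after: Dict[int, Tuple[str, int]]) -> Dict[int, int]:
    """Increase in match count per ACE between two snapshots."""
    return {seq: after[seq][1] - before[seq][1]
            for seq in after if seq in before}


def silent_entries(before: Dict[int, Tuple[str, int]],
                   after: Dict[int, Tuple[str, int]]) -> List[int]:
    """Sequence numbers whose counters did not move between snapshots."""
    return sorted(seq for seq, d in counter_deltas(before, after).items()
                  if d == 0)


# Snapshot 1: the output quoted in the post above.
SNAPSHOT_1 = """\
Extended IP access list Restrict-Mgmt
    10 permit tcp any any established (146 matches)
    20 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 3389
    30 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 443 (9 matches)
    50 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 8080
    60 permit udp any eq ntp host 172.16.100.200
    70 permit udp any eq domain host 192.168.100.200
    80 deny ip any host 192.168.100.200 (17131 matches)
    90 permit ip any any (515 matches)
sw-core-2#
"""

# Snapshot 2: constructed for this example, as if taken a few minutes later
# while RDP sessions were being opened. Only the established, deny and
# permit-any lines moved; the host-specific lines still show no counter.
SNAPSHOT_2 = """\
Extended IP access list Restrict-Mgmt
    10 permit tcp any any established (150 matches)
    20 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 3389
    30 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 443 (9 matches)
    50 permit tcp 10.10.2.0 0.0.0.255 host 192.168.100.200 eq 8080
    60 permit udp any eq ntp host 172.16.100.200
    70 permit udp any eq domain host 192.168.100.200
    80 deny ip any host 192.168.100.200 (17200 matches)
    90 permit ip any any (520 matches)
sw-core-2#
"""


def report(snap1: str = SNAPSHOT_1, snap2: str = SNAPSHOT_2) -> List[int]:
    """Print per-ACE movement and return the ACEs that stayed silent."""
    before, after = parse_acl(snap1), parse_acl(snap2)
    for seq, delta in sorted(counter_deltas(before, after).items()):
        print(f"ACE {seq:>3}: +{delta:<6} {after[seq][0]}")
    quiet = silent_entries(before, after)
    if quiet:
        print("No movement on ACEs", quiet,
              "- confirm test traffic really matches them, and check whether "
              "this platform only counts software-switched packets")
    return quiet


if __name__ == "__main__":
    report()
```

Run it with two real captures pasted into SNAPSHOT_1 and SNAPSHOT_2 while generating traffic that should hit a specific line (an RDP connection for sequence 20, for instance). If only the broad lines (established, deny any, permit any) ever move while the host-specific ones stay at zero, that matches Giuseppe's caveat about platforms that do not update counters for hardware-switched traffic rather than an ACL that is not being applied.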

Re: ACL not showing hit count incremented

Shouldn't your ACL be applied inbound...

interface Vlan100
ip address 192.168.100.3 255.255.255.0
ip access-group Restrict-Mgmt in

New Member

Re: ACL not showing hit count incremented

Hi pompeychimes,

Thanks for your input. It should be applied outbound; as you can see, the destination of the ACLs is 192.168.100.200.

Thanks,

Joe

Re: ACL not showing hit count incremented

Here's a link on Access List Logging and some of the caveats.

http://www.cisco.com/web/about/security/intelligence/acl-logging.html

Hope it helps.
