ACL count increase on Cisco 6500

nehakulsum
Level 1

Hello Experts,

I have configured 100+ ACLs on a 6500. I see a lot of rules with matches, but only a few (for example 10 out of 100 match). And when I remove the rules which have no matches in the ACLs, the traffic does not go out of the interface. It appears to me like a bug; could someone tell me what is causing this?

ACLS example:

2 permit tcp any any established (23090 matches)

10 permit ospf 10.2.2.0 0.0.0.255 any (290892 matches)

30 permit ip 10.3.3.0 0.0.0.255 any (34362 matches)

40 permit ip 10.11.11 0.0.0.255 10.11.11.0 0.0.255 (679608 matches)

50 permit ip 10.80.0.0 0.3.255.255 10.80.0.0 0.3.255.255

60 permit ip 10.20.129.0 0.0.0.255 any

70 permit ip 10.0.0.0 0.0.0.0 10.12.9.0 0.0.0.255

80 permit ip 10.0.0.0 0.0.0.255 10.70.50.0 0.0.0.255

90 permit ip 10.0.0.0 0.0.0.255 10.20.0.7 0.0.0.255

100 permit ip 10.0.0.0 0.255.255.255 10.50.0.0 0.0.255.255 (15 matches)

and many more....

Any help on this will be highly appreciated.

thanks

Neha.

5 Replies

Edison Ortiz
Hall of Fame

Neha,

It's not a bug, that's a 6500 feature. ACLs are processed in hardware, not by the CPU. Any counts you see there were packets punted to the CPU for some reason. They will not reflect the total count processed by that ACE.

HTH,

__

Edison.

Hi Edison,

Thanks for the update. But I have around 500 ACLs and I want to clear the unnecessary ACL rules/entries on the switch which are not matching or not used, and keep only the rules which are needed and which are getting matched.

But as soon as I remove the rules which are not matching/not needed, no traffic flows through the interface.

Is this the behaviour of the switch? What is the alternate way to remove the ACLs?

Thanks in advance.

Neha.

Neha,

You can configure NetFlow and capture the flows traversing the interface. These flows can be exported to a NetFlow collector for further analysis.

As I stated, ACLs can't be used as a logging mechanism on the 6500.

HTH,

__

Edison.
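The review Edison describes, carried through as an added example that is not part of the thread: because the 6500's ACE counters only see CPU-punted packets, the only reliable way to find unused ACEs is to replay the exported flows against the ACL in order, first match wins, exactly as the switch does. The ACL text below is modelled on the ACEs quoted in the question and the NetFlow-style records are constructed; both are assumptions for the example. It also reports flows that fall through to the implicit deny, which is the case the poster hit after pruning "unused" lines.

```python
"""Replay NetFlow records against an IOS numbered/extended ACL and count hits per ACE.

Added example (not from the original thread). The ACL text and the flow
records are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed ACL, modelled on the ACEs quoted in the question.
ACL_TEXT = """\
10 permit ospf 10.2.2.0 0.0.0.255 any
20 permit tcp any any established
30 permit ip 10.3.3.0 0.0.0.255 any
70 permit ip 10.0.0.0 0.0.0.0 10.12.9.0 0.0.0.255
80 permit ip 10.0.0.0 0.0.0.255 10.70.50.0 0.0.0.255
100 permit ip 10.0.0.0 0.255.255.255 10.50.0.0 0.0.255.255
"""

# Constructed NetFlow-style records: (protocol, src, dst, tcp_flags).
# tcp_flags is the flow's cumulative TCP flag byte (0 for non-TCP).
FLOWS = [
    ("ospf", "10.2.2.5", "224.0.0.5", 0),
    ("tcp", "10.9.9.9", "10.50.1.1", 0x18),    # PSH|ACK: an established flow
    ("tcp", "10.0.0.7", "10.70.50.9", 0x02),   # SYN only: not established
    ("ip", "10.0.0.7", "10.70.50.9", 0),
    ("udp", "10.0.0.9", "10.50.2.2", 0),
    ("udp", "192.168.1.1", "10.50.2.2", 0),    # matches no ACE: implicit deny
]

ACE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?P<est>\s+established)?\s*$"
)
TCP_ACK, TCP_RST = 0x10, 0x04


def parse_addr(spec):
    """Turn 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' into (network, wildcard) ints."""
    if spec == "any":
        return 0, 0xFFFFFFFF
    if spec.startswith("host "):
        return int(ipaddress.IPv4Address(spec.split()[1])), 0
    net, wild = spec.split()
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))


def addr_matches(ip, net, wild):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return ((int(ipaddress.IPv4Address(ip)) ^ net) & ~wild & 0xFFFFFFFF) == 0


def parse_acl(text):
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed ACE: {line}")
        aces.append({
            "seq": int(m["seq"]), "action": m["action"], "proto": m["proto"],
            "src": parse_addr(m["src"]), "dst": parse_addr(m["dst"]),
            "established": bool(m["est"]),
        })
    return aces


def ace_matches(ace, proto, src, dst, tcp_flags):
    # 'ip' covers every protocol; anything else must match exactly.
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    # 'established' means a TCP segment with ACK or RST set.
    if ace["established"] and not (proto == "tcp" and tcp_flags & (TCP_ACK | TCP_RST)):
        return False
    return addr_matches(src, *ace["src"]) and addr_matches(dst, *ace["dst"])


def evaluate(aces, flows):
    """First-match evaluation. Returns {seq: hits}; key 'implicit-deny' counts flows no ACE matched."""
    hits = Counter({ace["seq"]: 0 for ace in aces})
    for proto, src, dst, flags in flows:
        for ace in aces:
            if ace_matches(ace, proto, src, dst, flags):
                hits[ace["seq"]] += 1
                break
        else:
            hits["implicit-deny"] += 1
    return hits


def unused_aces(aces, flows):
    """Sequence numbers of ACEs that no observed flow reached."""
    hits = evaluate(aces, flows)
    return [ace["seq"] for ace in aces if hits[ace["seq"]] == 0]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for key, count in evaluate(acl, FLOWS).items():
        print(f"{key}: {count}")
    print("candidates for removal:", unused_aces(acl, FLOWS))
```

Two caveats before acting on the output. An ACE with zero hits is only unused for the window the NetFlow export covers; traffic that appears outside that window (backups, failover paths, OSPF adjacencies that only re-form on a reload) still needs its line, which is the trap the poster fell into. And the "established" test here uses the flow's cumulative flag byte, so a flow that contains any ACK-bearing segment counts as established; per-packet evaluation on the switch is stricter.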

Hi Edison,

Thanks for the information.

Can you tell me the best way to remove all the access-list at once rather than removing it line by line? I will configure the access-list anew with only 10 to 15 lines.

Regards,

Neha

Neha,

Just precede the command with a no

For instance:

access-list 101 ...

no access-list 101 ...
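Following on from Edison's answer, an added configuration example that is not from the thread. On classic IOS, "no access-list 101" deletes every ACE in numbered list 101 in one go, and an interface whose applied ACL no longer exists passes all traffic, so the rebuilt list should be created under a new number and swapped onto the interface before the old one is deleted. The interface name and ACL numbers are assumptions.

```cisco
! Added example; interface and ACL numbers are assumed.
! 1. Build the replacement list first, under a new number.
access-list 102 remark rebuilt from NetFlow review
access-list 102 permit tcp any any established
access-list 102 permit ospf 10.2.2.0 0.0.0.255 any
access-list 102 permit ip 10.3.3.0 0.0.0.255 any
! ... remaining 10 to 15 ACEs confirmed by the flow review ...

! 2. Swap the interface to the new list; no window where no ACL is applied.
interface GigabitEthernet1/1
 ip access-group 102 in

! 3. Only now remove the old list; this drops every ACE in 101 at once.
no access-list 101
```

Keep a copy of the old list (show running-config | include access-list 101) before step 3 so it can be re-applied with "ip access-group 101 in" if the pruned list turns out to block something the NetFlow window did not capture.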
