
New Member

ACL not showing matches

Hi,

We have an extended ACL on a 6509 running IOS ver 12.2(17r)S2, RELEASE SOFTWARE (fc1)

I have added the following line:

1320 permit udp host 172.18.6.0 0.0.0.250 172.16.1.5 eq syslog

This is working, as I am now getting syslog messages on the 172.16.1.5 box, but I wanted to tidy up the rest of the access list and remove rules that are not used. To do this I was going to look at which rules are not showing any matches, but hardly any of them are, including this new one (although some are).

It must be hitting this rule, as when I remove it I no longer get syslogs, so it's not hitting another rule higher up.

I tried to use the Cisco bug toolkit but this version of the IOS doesn't show up on there? Is this likely to be an IOS bug or something I'm doing wrong?

Thanks for any help.

Accepted Solution
Hall of Fame Super Blue

Re: ACL not showing matches

Matt

The reason you are not seeing any matches when you look at the access-list is that access-list entries processed in hardware by the PFC (Policy Feature Card) do not increment the match count.

If the access-list entry was processed in software, and this can happen, then you would see it in the match count.

See this link for full details on what is processed in hardware and software regarding ACLs.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html#wp1033602

Jon

5 REPLIES

Re: ACL not showing matches

You already did the first step of troubleshooting by removing the rule to check whether the syslog messages are trapped by the server or not.

2nd option:

clear access-list xxx counters

3rd option:

Move the syslog rule to any higher sequence number. You'll first have to remove this rule and add it again, prefixing it with the ACL line number.

One of these should work.

Re: ACL not showing matches

" 1320 permit udp host 172.18.6.0 0.0.0.250 172.16.1.5 eq syslog"

Are you sure this rule allows traffic to your syslog server from 172.18.6.0 network? You have the host keyword applied to the network rather than the syslog server address that follows later.

Can you reconfigure the ACE this way and check whether you are seeing matches?

1320 permit udp 172.18.6.0 0.0.0.255 host 172.16.1.5 eq syslog

HTH

Sundar
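As an added example that is not part of this thread, the script below parses "show access-lists" output into its ACEs, lists the entries that show no match count, and evaluates which ACE a given flow hits top-down. That lets you confirm the syslog entry (in Sundar's corrected form) is really the one matching the 172.18.6.0/24 -> 172.16.1.5 syslog flow, rather than trusting counters that hardware-switched traffic on the PFC never increments, as Jon explains. The sample output, the ACL number 110 and the port-name table are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of "show access-lists" output; not from the original thread.
# IOS only appends "(N matches)" when the count is non-zero, and on a 6500 PFC a
# hardware-switched hit never increments it, so a missing count proves nothing.
SAMPLE_OUTPUT = """\
Extended IP access list 110
    10 permit tcp any host 172.16.1.5 eq 22 (1532 matches)
    1320 permit udp 172.18.6.0 0.0.0.255 host 172.16.1.5 eq syslog
    2000 deny ip any any (89 matches)
"""

ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host \S+|any|\S+ \S+)\s+(?P<dst>host \S+|any|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?:\s+\((?P<matches>\d+) matches\))?\s*$")
PORT_NAMES = {"syslog": 514, "ssh": 22, "domain": 53}  # assumed IOS keyword subset

def to_network(spec):
    """Turn an IOS address spec (any / host A / A wildcard) into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1])
    addr, wildcard = spec.split()
    # ip_network accepts a hostmask; a non-contiguous wildcard raises ValueError
    return ipaddress.ip_network(f"{addr}/{wildcard}")

def parse_acl(text):
    """Return the ACEs of one access list in the order IOS evaluates them."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header or an ACE shape this small parser does not cover
        port = m["port"]
        aces.append({
            "seq": int(m["seq"]), "action": m["action"], "proto": m["proto"],
            "src": to_network(m["src"]), "dst": to_network(m["dst"]),
            "port": int(port) if port and port.isdigit() else PORT_NAMES.get(port),
            "matches": int(m["matches"] or 0)})
    return aces

def zero_match_aces(aces):
    """Sequence numbers with no counter hits. Only treat them as unused if you
    know the ACE is software-processed; on a PFC, zero here is not evidence."""
    return [a["seq"] for a in aces if a["matches"] == 0]

def first_match(aces, proto, src_ip, dst_ip, dport):
    """Return (seq, action) of the first ACE a flow hits, or None if no ACE matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if a["proto"] not in ("ip", proto) or src not in a["src"] or dst not in a["dst"]:
            continue
        if a["port"] is not None and a["port"] != dport:
            continue
        return a["seq"], a["action"]
    return None
```

Running first_match for a real syslog flow against the parsed list shows ACE 1320 is hit even though the counter stays at zero; compare that with the "show tcam interface" output to see whether the entry was programmed into hardware.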

New Member

Re: ACL not showing matches

Thanks for all the posts, guys. Jon, it seems you're right, so there's not much I can do about that; it's not really a problem, more just the way it should work.

thanks.

Re: ACL not showing matches

Try this:

show tcam interface acl in ip

show tcam interface acl out ip
