Cisco Support Community
Community Member

ACL on VLAN interface

I have this ACL applied to a VLAN interface as follows:

    ip access-list extended catch-snmp
     permit icmp host host
     permit ip host host
     permit udp host eq snmp host
     permit ip any any

    interface Vlan10
     ip address
     ip access-group catch-snmp in

I then do a ping from  to  but I don't get any matches on the ACL.

Is this because the switch (3750X) is doing CEF switching and the ACL on the VLAN doesn't actually get looked at?

VIP Super Bronze

ACL on VLAN interface

CEF is enabled globally by default on the 3750X series switches.

Try logging your ACLs.

permit icmp host host log


Community Member

ACL on VLAN interface

Logging doesn't help...

I can see the permit ip any any getting hits on the counters, but not the entries above it.

ACL on VLAN interface

I just replicated your setup in packet tracer and I get matches on the top line of the ACL:

    10 permit icmp host host (16 match(es))
    20 permit ip host host
    30 permit ip any any (3 match(es))

Are there any ACLs on the 192.168.60.* SVI?

Can you do a #show ip access-list catch-snmp and post back the results?
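To make the `show ip access-list` output requested above easier to compare against the ACL, here is a small parser for that output format. This is an added example, not code from the thread or from Cisco; the sample output and the 192.0.2.x addresses in it are constructed placeholders, not the poster's real hosts. It pulls the sequence number, action, rule text and hit counter from each entry so the zero-hit entries can be listed directly.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `show ip access-list` output (assumption: addresses and
# counts are invented for illustration and are not the original poster's).
SAMPLE_OUTPUT = """\
Extended IP access list catch-snmp
    10 permit icmp host 192.0.2.10 host 192.0.2.20 (16 match(es))
    20 permit ip host 192.0.2.10 host 192.0.2.20
    30 permit udp host 192.0.2.10 eq snmp host 192.0.2.20
    40 permit ip any any (3 match(es))
"""

# One access-control entry: "<seq> <permit|deny> <rule> [(N match(es))]"
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<count>\d+)\s+match(?:\(es\)|es)?\))?\s*$"
)
# ACL header line that names the list the following entries belong to.
HEADER_RE = re.compile(r"^(Extended|Standard) IP access list (?P<name>\S+)")


@dataclass
class Ace:
    acl: str
    seq: int
    action: str
    rule: str
    matches: int  # 0 when IOS prints no counter for the entry


def parse_show_ip_access_list(text: str) -> List[Ace]:
    """Parse `show ip access-list` output into a list of Ace records."""
    aces: List[Ace] = []
    current: Optional[str] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name")
            continue
        entry = ACE_RE.match(line)
        if entry and current is not None:
            aces.append(
                Ace(
                    acl=current,
                    seq=int(entry.group("seq")),
                    action=entry.group("action"),
                    rule=entry.group("rule"),
                    matches=int(entry.group("count") or 0),
                )
            )
    return aces


def zero_hit_entries(aces: List[Ace]) -> List[int]:
    """Sequence numbers of entries whose counter is zero or absent."""
    return [a.seq for a in aces if a.matches == 0]


def total_matches(aces: List[Ace]) -> int:
    """Sum of all displayed counters, useful for before/after comparisons."""
    return sum(a.matches for a in aces)


if __name__ == "__main__":
    parsed = parse_show_ip_access_list(SAMPLE_OUTPUT)
    for ace in parsed:
        print(f"{ace.acl} seq {ace.seq}: {ace.action} {ace.rule} -> {ace.matches} hits")
    print("entries with no hits:", zero_hit_entries(parsed))
```

A zero counter on an entry means only that no software-switched packet has matched it; on a platform that forwards most traffic in hardware, the counter alone is not proof that the entry is never matched, so compare the parsed list against what the switch actually permits and blocks rather than against the counters in isolation.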

Hall of Fame Super Blue

Re: ACL on VLAN interface

Switch ACL counters are not reliable because the vast majority of packets are processed in hardware, and so they do not increment the hit counters.

Only packets that are sent to the main CPU would register in the hit counters and you generally don't want this on a hardware switch.

If the ACL is working, i.e. allowing and blocking what you want, then it is not a problem.

