Match/Hit for ACL in 3750/3560?

davidsudjiman
Level 1

I've installed an ACL on one of my VLANs in a 3750 and I'm not seeing matches exactly like I wanted. I've also made some searches regarding this issue and apparently this is due to the 3750/3560 using fast-switching and not packet switching. My questions are:

1. Does my ACL work?

2. How do I know that?

3. Is there a command to check match/hit ACL in 3750/3560?

Regards,

David Sudjiman


5 Replies

Jennifer Halim
Cisco Employee

Yes, you are right. Routing is performed in hardware, and if you would like to check if your ACL is matching, you can configure the "log" keyword at the end of your ACL. But please be advised that logging is performed in software, hence it might impact your CPU, therefore, use the "log" keyword if it is really necessary.

Here is more information on access-list on the 3560 switch platform for your reference:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swacl.html#wp1689553

Hope that helps.

Halijenn,

Thanks very much for the answer and the referenced document. It helps me to get closer but doesn't really answer my questions.

I still don't see the matches or hits that I'm supposed to see. I can see other entries getting hit but not the one I set up, and yes, I've put "log" on the list and I'm seeing it in the log, but again, as I cannot see hits on my list, I cannot see them in my log either.

Is this doco implicitly saying that there is no way I could check my ACL due to fast-switching feature?

Regards,

David Sudjiman

Yes, you are right. You will not see the counter increasing from the "show access-list" output. The only way to see if the access-list is being hit is from the logging.

Please also be advised how the logging works (snippet from the doc provided earlier):

The first packet that triggers the ACL causes a logging message right away, and subsequent packets are collected over 5-minute intervals before they appear or are logged. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.

Hope that makes sense.
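Since the only evidence of hits on these platforms is the log, here is an added example (not from this thread or from Cisco) that rebuilds per-source hit counters from the %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGS messages. The sample log lines are constructed, and the message format is assumed from the standard IOS ACL logging syntax, so adjust the regular expressions if your switch's output differs.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not taken from the thread). The format
# is assumed to follow the standard IOS %SEC-6-IPACCESSLOGP/LOGS messages:
# first packet logged immediately, then one summary every 5 minutes.
SAMPLE_LOG = """\
Mar  1 10:00:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(40213) -> 10.2.2.10(23), 1 packet
Mar  1 10:05:01.456: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(40213) -> 10.2.2.10(23), 37 packets
Mar  1 10:05:02.789: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.1.7(53) -> 10.2.2.20(53), 12 packets
Mar  1 10:07:30.000: %SEC-6-IPACCESSLOGS: list 10 denied 10.1.1.9 4 packets
Mar  1 10:08:00.000: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Extended ACL entries (IPACCESSLOGP): proto, src(port) -> dst(port), count
EXT_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\(\d+\), "
    r"(?P<count>\d+) packets?"
)
# Standard ACL entries (IPACCESSLOGS): source address and count only
STD_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>[\d.]+) (?P<count>\d+) packets?"
)

def parse_line(line):
    """Return (acl, action, src, count) for an ACL log line, else None."""
    for rx in (EXT_RE, STD_RE):
        m = rx.search(line)
        if m:
            return (m["acl"], m["action"], m["src"], int(m["count"]))
    return None

def acl_hit_counts(log_text):
    """Sum packet counts per (acl, action, src) over all log lines.
    Adding the initial message and each 5-minute summary reproduces the
    hit counter that 'show access-list' does not show on a 3750/3560."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            acl, action, src, count = parsed
            totals[(acl, action, src)] += count
    return dict(totals)

if __name__ == "__main__":
    for (acl, action, src), n in sorted(acl_hit_counts(SAMPLE_LOG).items()):
        print(f"list {acl} {action:<9} {src:<12} {n} packets")
```

Feed it the output of `show logging` (or your syslog collector's file) to see which sources are actually matching the entry you are troubleshooting.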

Hi,

I am not sure about the following solution but you can use it as a reference if it is valid.

Attach ACL into policy-map

Attach policy-map to the vlan

That way, you can get the counters of the policy-map.

Thanks,

Balajee

Hi Halijenn,

Thanks for your time and clear explanation.

Regards,

David Sudjiman
