Cisco Support Community
New Member

Match/Hit for ACL in 3750/3560?

I've installed an ACL on one of my VLANs in a 3750 and I'm not seeing matches exactly as I expected. I've also done some searching on this issue, and apparently this is because the 3750/3560 uses fast-switching and not packet switching. My questions are:

1. Does my ACL work?

2. How do I know that?

3. Is there a command to check match/hit ACL in 3750/3560?

Regards,

David Sudjiman

Accepted Solution
Cisco Employee

Re: Match/Hit for ACL in 3750/3560?

Yes, you are right. You will not see the counter increasing from the "show access-list" output. The only way to see if the access-list is being hit is from the logging.

Please also be advised how the logging works (snippet from the doc provided earlier):

The first packet that triggers the ACL causes a logging message right away, and subsequent packets are collected over 5-minute intervals before they appear or are logged. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.

Hope that makes sense.
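As an added example (not part of this thread or of Cisco's documentation), here is how the logging behaviour described above can be turned into the hit counts the platform does not keep: a small Python parser over syslog lines exported from a switch whose ACL entries carry the "log" keyword. The ACL name VLAN10-IN, the addresses and the sample messages are constructed for illustration; the message formats it parses (%SEC-6-IPACCESSLOGP for TCP/UDP, %SEC-6-IPACCESSLOGDP for ICMP, %SEC-6-IPACCESSLOGNP for other IP protocols, and the %SEC-6-IPACCESSLOGRL rate-limit notice) are the standard IOS ACL logging formats. It sums the immediate "1 packet" message with the later 5-minute summaries per source and destination, and reports separately how many packets the logging rate limiter dropped, because those never show up in any count.

```python
"""Aggregate IOS ACL 'log' syslog messages into per-entry hit counts.

Added example, not code from the original thread. It assumes the switch
sends syslog to a collector and that the ACL entries of interest carry the
'log' keyword (hypothetical ACL named VLAN10-IN). The sample lines below are
constructed to mirror the documented behaviour: the first matching packet is
logged immediately ('1 packet'), then one summary per source every 5 minutes
('N packets').
"""
import re
from collections import defaultdict

# %SEC-6-IPACCESSLOGP  : tcp/udp, with "(port)" after both addresses
# %SEC-6-IPACCESSLOGDP : icmp, with "(type/code)" after the destination
# %SEC-6-IPACCESSLOGNP : other IP protocols, protocol given as a number
ACL_HIT_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?, "
    r"(?P<count>\d+) packets?"
)
# Emitted when the software logging path drops messages; counts are then a floor.
RATE_LIMIT_RE = re.compile(
    r"%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed (?P<count>\d+) packets?"
)

# Constructed sample: an immediate hit per flow, then the 5-minute summaries,
# one rate-limit notice, and one unrelated syslog line that must be ignored.
SAMPLE_LOG = """\
Mar  1 10:00:01.123: %SEC-6-IPACCESSLOGP: list VLAN10-IN denied tcp 10.1.10.7(51234) -> 10.1.20.5(22), 1 packet
Mar  1 10:00:03.500: %SEC-6-IPACCESSLOGDP: list VLAN10-IN denied icmp 10.1.10.9 -> 10.1.20.5 (8/0), 1 packet
Mar  1 10:00:04.000: %SEC-6-IPACCESSLOGP: list VLAN10-IN permitted tcp 10.1.10.20(40000) -> 10.1.20.5(443), 1 packet
Mar  1 10:05:01.200: %SEC-6-IPACCESSLOGP: list VLAN10-IN denied tcp 10.1.10.7(51234) -> 10.1.20.5(22), 37 packets
Mar  1 10:05:01.201: %SEC-6-IPACCESSLOGP: list VLAN10-IN permitted tcp 10.1.10.20(40000) -> 10.1.20.5(443), 212 packets
Mar  1 10:05:02.000: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 120 packets
Mar  1 10:05:03.000: %SEC-6-IPACCESSLOGNP: list VLAN10-IN denied 47 10.1.10.11 -> 10.1.20.5, 3 packets
Mar  1 10:05:04.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_acl_log(text):
    """Return ({(acl, action, proto, src, dst): packets}, missed_packets, unparsed).

    The immediate message and every later 5-minute summary are summed per
    (ACL, action, protocol, source, destination), which is the granularity
    the switch reports at. 'missed' is the total the rate limiter dropped;
    'unparsed' counts ACL log lines in a format this parser does not handle
    (for example %SEC-6-IPACCESSLOGS from a standard ACL).
    """
    hits = defaultdict(int)
    missed = 0
    unparsed = 0
    for line in text.splitlines():
        if "%SEC-6-IPACCESSLOG" not in line:
            continue  # unrelated syslog traffic
        m = ACL_HIT_RE.search(line)
        if m:
            key = (m["acl"], m["action"], m["proto"], m["src"], m["dst"])
            hits[key] += int(m["count"])
            continue
        r = RATE_LIMIT_RE.search(line)
        if r:
            missed += int(r["count"])
        else:
            unparsed += 1
    return dict(hits), missed, unparsed


def hits_for_acl(text, acl, action="denied"):
    """Total logged packets for one ACL and action: the number the
    'show access-list' counters would give if the platform kept them."""
    hits, _, _ = parse_acl_log(text)
    return sum(n for (a, act, *_), n in hits.items() if a == acl and act == action)


if __name__ == "__main__":
    hits, missed, unparsed = parse_acl_log(SAMPLE_LOG)
    for (acl, action, proto, src, dst), n in sorted(hits.items()):
        print(f"{acl:12} {action:9} {proto:5} {src:>15} -> {dst:<15} {n:6d} packets")
    print(f"missed (rate-limited): {missed}, unparsed ACL log lines: {unparsed}")
```

Because ACL logging on these switches runs in software, a non-zero missed total means the counts are a lower bound, not an exact tally; a large one is also the sign that the "log" keyword is costing the CPU the reply above warns about, and the entry should be narrowed or the keyword removed once the question it was added to answer is settled.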

5 REPLIES
Cisco Employee

Re: Match/Hit for ACL in 3750/3560?

Yes, you are right. Routing is performed in hardware, and if you would like to check whether your ACL is matching, you can configure the "log" keyword at the end of your ACL entry. But please be advised that logging is performed in software, hence it might impact your CPU; therefore, use the "log" keyword only if it is really necessary.

Here is more information on access-list on the 3560 switch platform for your reference:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swacl.html#wp1689553

Hope that helps.

New Member

Re: Match/Hit for ACL in 3750/3560?

Halijenn,

Thanks very much for the answer and the referenced document. It helps me get closer but doesn't really answer my questions.

I still don't see the matches or hits that I'm supposed to see. I can see other entries getting hit but not the one I set up, and yes, I've put "log" on the list and I'm seeing it in the log, but again, as I cannot see hits on my list, I cannot see it in my log either.

Is this doco implicitly saying that there is no way I could check my ACL due to the fast-switching feature?

Regards,

David Sudjiman

New Member

Re: Match/Hit for ACL in 3750/3560?

Hi,

I am not sure about the following solution, but you can use it as a reference if it is valid.

Attach ACL into policy-map

Attach policy-map to the vlan

That way, you can get the counters of the policy-map.

Thanks,

Balajee

New Member

Re: Match/Hit for ACL in 3750/3560?

Hi Halijenn,

Thanks for your time and clear explanation.

Regards,

David Sudjiman

9793 Views, 0 Helpful, 5 Replies