Cisco Support Community
New Member

show access-list no matches ?

Hello.

I am a new Cisco 3750G-48TS-E administrator.

To learn, I have created a simple access-list to pass all on an interface.

But when I execute : show access-list, I never see matches.

I receive :

10 permit 10.1.222.1

and never "(xxx matches)" after that line !

Is there something I must configure to see the matches ?

Thank you.

jmd

5 REPLIES
Hall of Fame Super Silver

Re: show access-list no matches ?

jmd

In addition to showing us the content of the access list it would be helpful if you would show us the specifics of how you apply the access list.

Also this appears to be a standard access list which examines the source address of packets. So are you sure that there were packets with source address of 10.1.222.1?

HTH

Rick

New Member

Re: show access-list no matches ?

Thank you for this very speedy response.

I did :

bb-3750(config)#access-list 50 permit any
bb-3750(config)#int gi2/0/14
bb-3750(config-if)#ip access-group 50 in
bb-3750(config-if)#end
bb-3750#sh access-lists
Standard IP access list 50
    10 permit any

I also have in running-config :

interface GigabitEthernet2/0/14
 switchport access vlan 222
 switchport mode access
 ip access-group 50 in

I then made a ping from 10.1.222.1 (which is a PC on the gigabit 2/0/14 interface) to another PC (10.1.55.10) and another ping in the other direction.

But, after that, no matches for show access-list !

jmd

Silver

Re: show access-list no matches ?

I think the problem is that this port is configured as a layer 2 port and not layer 3.

You have two options:

Configure it as layer3 port and give an IP address to that (no switchport command and ip address x.x.x.x y.y.y.y)

Or create an SVI (if you don't have one yet)

interface vlan222
 ip address x.x.x.x y.y.y.y

and assign the access-list to this interface

Is the 10.1.55.10 host connected to this switch too?

Hope it helps,

Krisztian

Hall of Fame Super Silver

Re: show access-list no matches ?

jmd

I believe that Krisztian has it exactly right. In fact I am surprised that there was not an error when you configured the ip access-group on a layer 2 port.

But certainly for the access-group and the access list to work the access-group must be assigned on a working layer 3 interface (either make the port a layer 3 interface or use the VLAN interface).

HTH

Rick

New Member

Re: show access-list no matches ?

Ok, I apply the access-list to vlan222 (already created with ip 10.1.222.254/24) and not to the interface.

But I have strange results with show access-list:

ONLY a ping from host 10.1.222.1 (linked to the interface gi2/0/14) to the interface address itself (10.1.222.254) shows the matches (4), and no other pings.

The host 10.1.55.10 is on another subnet on a 3com L3 switch linked to the cisco 3750 by (for my beginning tests) the default vlan 1.

I suppose I must re-read and learn the IOS documentation better. Probably there are things I have not yet understood.

jmd
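
Added example (not part of the thread and not from any poster): a small Python parser for "show access-lists" output that lists the entries carrying no "(N matches)" counter, the symptom discussed above. The sample output is constructed from the lines quoted in the thread; ACL 51 and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: ACL 50 as quoted in the thread (no counter), plus a
# hypothetical ACL 51 showing what a counted entry looks like.
SAMPLE = """\
Standard IP access list 50
    10 permit any
Standard IP access list 51
    10 permit 10.1.222.1 (4 matches)
    20 deny   any
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)")
# Sequence number, action, match criteria, optional "(N matches)" suffix.
ENTRY = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$"
)


def parse_show_access_lists(text):
    """Return {acl_name: [entry, ...]} parsed from 'show access-lists' output."""
    acls, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(2), [])
            continue
        entry = ENTRY.match(line)
        if entry and current is not None:
            seq, action, criteria, hits = entry.groups()
            current.append({
                "seq": int(seq),
                "action": action,
                "match": criteria.strip(),
                # None means the device printed no counter for this entry.
                "hits": int(hits) if hits else None,
            })
    return acls


def entries_without_counter(acls):
    """List (acl_name, sequence) pairs for entries with no match counter."""
    return [(name, e["seq"]) for name, entries in acls.items()
            for e in entries if e["hits"] is None]


if __name__ == "__main__":
    for name, seq in entries_without_counter(parse_show_access_lists(SAMPLE)):
        print(f"ACL {name} entry {seq}: no match counter shown")
```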
