VACL Debugs

All,

What is the best way to debug/troubleshoot VACL's ?

This question is posed simply but the background is as follows:

SW1---SW2---SW3---R4

VLAN 46 Trunked between SW1--SW2--SW3, and Layer3 interface between SW3 and R4 (10.10.46.4)

VACL applied to SW1 SVI as per below:

vlan access-map DROP 30
 action drop
 match ip address R4
vlan access-map DROP 40
 action forward

ip access-list standard R4
 permit 10.10.46.4

Now, the question here is not that the VACL is malfunctioning, but if I am to "debug ip icmp" or "debug ip packet" I do not see any output. Is this because of the hardware-based processing of the switches (3560s)? Moreover, if the VACL is disabled I do see output, ie: ICMP Type 0 reply messages being generated.

Debugging platform acl vacl shows some output, but it seems to relate to every other configured VLAN, not the one in question, ie: VLAN 46:

hacl_input_access_check: 761: for vlanid 107 label_info->invlm.vlmap is NULL
hacl_input_access_check: 761: for vlanid 28 label_info->invlm.vlmap is NULL
hacl_input_access_check: 761: for vlanid 28 label_info->invlm.vlmap is NULL
hacl_input_access_check: 761: for vlanid 107 label_info->invlm.vlmap is NULL
hacl_input_access_check: 761: for vlanid 105 label_info->invlm.vlmap is NULL
hacl_input_access_check: 761: for vlanid 28 label_info->invlm.vlmap is NULL
hacl_input_access_check: 761: for vlanid 102 label_info->invlm.vlmap is NULL
hacl_input_access_check: 761: for vlanid 107 label_info->invlm.vlmap is NULL

Look forward to your feedback.


VACL Debugs

Well, your VACL is created but not applied on any VLAN at the layer 2 level.

Secondly, to see the debug output, please enable terminal monitor on your console.

Hope that helps.

Thanks

Rizwan Rafeek


Re: VACL Debugs

Hi All, forgot to mention

vlan filter DROP vlan-list 46

is configured. As I say, it works, but what is the best debug?

term mon, logging console is enabled.

VACL Debugs

You could create ACL and associate the source and destination in the ACL and map the ACL to debug.


Re: VACL Debugs

Hi Rizwan,

Thanks for your reply.

Tried that also, ie: applied a Src/Dst extended ACL to a debug ip packet, and nothing.

Again, when the VACL is disabled it happily debugs and I see plenty of output; below is an excerpt:

SW1

debug ip packet 101 detail (where 101 simply matches any ICMP from Src 10.10.46.4 [R4] to Dst 10.10.46.7 [SW1])

IP: s=10.10.46.4 (Vlan46), d=10.10.46.7, len 100, input feature
     ICMP type=8, code=0, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

This may be normal behaviour; I just wondered what exactly is going on. Is TCAM stopping the ICMP in its tracks before the CPU gets hold of it? And if so, what debugs would apply?

VH

Re: VACL Debugs

Yes, "VACLs are processed in hardware", therefore you will not see output related to the layer 3 application.

Here is a reference below, you might want to read further.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html

Thanks


Re: VACL Debugs

OK, so the only way I can see to verify is by way of the following output:

SW1#show access-lists hardware counters
L3 ACL INPUT Statistics
     Drop:                     All frame count: 4973
     Drop:                     All bytes count: 367232

whereby there is an indicative increase in drops when the vlan filter is applied.

Seems as though the platform (3560) I am running on does not include a log option with the VLMAP drop action, but the 6500 platform does. The reason I wanted to discuss this topic was for remote-assistance purposes, ie: I don't even receive an administratively prohibited message back from SW1 on R4 when the VACL is applied, which makes sense if the CPU is not touching the ICMP packet.

VH
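Since the hardware-dropped frames never reach the CPU debugs, the counters above are the only evidence of the VACL working. The following is an added example, not from the thread or from Cisco, that parses two snapshots of that "show access-lists hardware counters" output and reports the per-section growth in drops, so a remote operator can confirm the filter is dropping without a log action. The sample snapshots are constructed; the OUTPUT section and the second set of counter values are assumptions modelled on the excerpt in the thread.

```python
import re
from typing import Dict, Tuple

# Constructed snapshots modelled on the thread's 'show access-lists hardware counters'
# excerpt; the OUTPUT section and the post-change values are assumptions.
BEFORE = """\
L3 ACL INPUT Statistics
     Drop:                     All frame count: 4973
     Drop:                     All bytes count: 367232
L3 ACL OUTPUT Statistics
     Drop:                     All frame count: 12
     Drop:                     All bytes count: 1536
"""
AFTER = """\
L3 ACL INPUT Statistics
     Drop:                     All frame count: 5108
     Drop:                     All bytes count: 384518
L3 ACL OUTPUT Statistics
     Drop:                     All frame count: 12
     Drop:                     All bytes count: 1536
"""

SECTION_RE = re.compile(r"^(L[23] ACL \w+ Statistics)\s*$")
COUNTER_RE = re.compile(r"^\s*Drop:\s+All (frame|bytes) count:\s+(\d+)\s*$")

def parse_counters(text: str) -> Dict[str, Dict[str, int]]:
    """Return {section: {'frame': n, 'bytes': n}} parsed from the show output."""
    counters: Dict[str, Dict[str, int]] = {}
    section = None
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            section = m.group(1)          # a new statistics block starts
            counters[section] = {}
        elif (m := COUNTER_RE.match(line)) and section is not None:
            counters[section][m.group(1)] = int(m.group(2))
    return counters

def drop_delta(before: str, after: str) -> Dict[str, Tuple[int, int]]:
    """Per-section (frames, bytes) growth between two snapshots.
    A counter that was cleared or wrapped (after < before) is reported as 0."""
    b, a = parse_counters(before), parse_counters(after)
    return {
        s: (max(a[s].get("frame", 0) - b[s].get("frame", 0), 0),
            max(a[s].get("bytes", 0) - b[s].get("bytes", 0), 0))
        for s in a.keys() & b.keys()
    }

def vacl_dropping(before: str, after: str, section: str = "L3 ACL INPUT Statistics") -> bool:
    """True when the hardware drop frame counter for `section` grew between snapshots."""
    return drop_delta(before, after).get(section, (0, 0))[0] > 0
```

Take the first snapshot before sending the test traffic and the second after it; a non-zero INPUT delta with an unchanged OUTPUT delta is the in-hardware footprint of the vlan filter that the CPU debugs cannot show.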
