Community Member

VACL not showing matches

Do VACLS simply not show the matches in "show ip access-lists"?

I have 2 extended access-lists in production which work great, the only difference is that one of them is applied to an interface. The other ACL is applied in a VACL.

Edit: I am not seeing any matches even if I append the "log" on the end of an ACL statement.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: VACL not showing matches

I'm assuming this is a Native IOS 6500 and you have applied standard or extended RACLs (Routed Access Lists) on physical or SVI (Switch VLAN Interface) interfaces. The reason why you don't see matches using the "sh access-list" command is because the RACLs get imported into the TCAM that resides on the PFC module, at which point they are processed in hardware.

That particular show command would only show packets that get punted to the MSFC to be processed in software because of some specific criteria the packet could not meet to be processed in hardware. For example, using the "log" keyword at the end of your ACL causes those packets to be punted to the MSFC to generate syslog messages, which is why you would see matches for those packets in the show access-list command.

So if you really want to see the matches on the RACLs that get imported into hardware, you need to issue the following command on the 6500 switch:

Switch#show tcam interface x/y acl in ip
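As an added illustration of the point above (not code from the thread or from Cisco), this Python snippet parses "show ip access-lists" output and flags ACLs whose counters prove nothing: on a hardware-switched platform only punted packets count, so an ACL whose only counted ACEs carry "log" (or none at all) has to be verified with "show tcam interface x/y acl in ip" instead. The sample output and ACL names are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not from the original thread): the "log" ACE is punted to
# the MSFC and counts; the other hardware-processed ACEs stay at zero even
# though traffic hits them. VTY-ACCESS is software-processed and counts normally.
SAMPLE_SHOW_IP_ACCESS_LISTS = """\
Extended IP access list MGMT-IN
    10 permit tcp 10.0.0.0 0.0.0.255 any eq 22 log (42 matches)
    20 permit udp any any eq 161
    30 deny ip any any
Extended IP access list VLAN20-VACL
    10 permit tcp any any eq 80
    20 deny ip any any
Standard IP access list VTY-ACCESS
    10 permit 10.0.0.0, wildcard bits 0.0.0.255 (7 matches)
"""

ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
ACE_LINE = re.compile(
    r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matche?s?\))?$")

Ace = Tuple[int, str, str, int]  # (sequence, action, rule text, match count)


def parse_access_lists(text: str) -> Dict[str, List[Ace]]:
    """Parse 'show ip access-lists' into {acl_name: [Ace, ...]}."""
    acls: Dict[str, List[Ace]] = {}
    current = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            seq, action, rule, matches = ace.groups()
            acls[current].append((int(seq), action, rule, int(matches or 0)))
    return acls


def unverified_acls(acls: Dict[str, List[Ace]]) -> List[str]:
    """ACLs with no counted non-log ACE: counters here say nothing about
    hardware-switched traffic, so check the TCAM entries instead."""
    return [name for name, aces in acls.items()
            if all(matches == 0 or rule.split()[-1] == "log"
                   for _, _, rule, matches in aces)]
```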

4 REPLIES
Gold

Re: VACL not showing matches

You are correct... it won't show the matches.

In fact, other than testing the VACLs, I haven't found a good way to actually verify that they are doing what you want them to do.

Anyone else have suggestions on this?

Community Member

Re: VACL not showing matches

I am thinking the ACLs show the matches because they are being shot up to the MSFC, as opposed to the VACLs, which are not.

Community Member

Re: VACL not showing matches

great info! thanks.
