
IP accounting / output-packets / access-violations

balindsley
Level 1

I applied an access list to a VLAN interface and also added IP accounting output-packets and ip accounting access-violations. Interestingly, the devices that are allowed off the subnet can, and the ones that should be blocked are blocked by the ACL and show up in the show IP accounting access-v command. What I don't understand is why the show IP accounting doesn't show any packets. Also, why doesn't a show access-list show any hits on the list? Is it because I'm using a VLAN interface? I would think I should see output packets and hits on the ACL. I do see dropped packets on the ACL for the violators.

2 Replies

mchin345
Level 6

This chapter describes the function and displays the syntax of the commands used to configure Lock-and-key security (available for IP only). For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference. (Other traffic filter commands are described in the applicable protocol-specific chapters.)

http://www.cisco.com/univercd/cc/td/doc/product/software/ios112/sbook/sacclst.htm

jarathbu
Level 1

Hello,

On certain platforms (hw/sw) packets are switched in hardware and not software. The RP doesn't have to make a forwarding decision. The ip accounting output-packets tracks statistics for packets via the RP. Applying an ACL to a VLAN would typically break the flow of hardware switching and force those packets to be further interrogated.

More granular traffic flows and statistics can be recorded with netflow switching. This does work on an SVI.

I hope this helps.

Regards,

James
