ACL matches not showing

Hi all
My question is about ACL

Here is my ACL:

permit tcp any host 172.16.88.20 eq smtp log
deny   tcp any host 172.16.88.253 eq ftp log
deny   tcp any host 172.16.88.253 eq 22 log
deny   tcp any host 172.16.88.253 eq telnet log
deny   tcp any host 172.16.88.253 eq sunrpc log
deny   tcp any host 172.16.88.253 eq ftp-data log
deny   icmp any host 202.163.80.253 log

Now my question is: when I give the command
show access-list

it does not show the matches

permit tcp any host 172.16.88.20 eq smtp log (10 matches)
(as this is our mail server and we are receiving mails successfully)

How can I enable my router so that it shows the matches when I issue the command?

Waiting for early response
iam23m Asked:
 
MaxQ Commented:
I don't think it's a question about logging messages as much as the hit counters for each line of the access list.  

My first guess would be that "ip route-cache" is turned on, which means that the router will fast-switch all of the packets after the first one in each flow, so only that first packet will show up in the ACL counters.  

If your router isn't extremely busy you can turn off the feature (I wouldn't recommend leaving it this way though) with "no ip route-cache" on the interfaces in question if you need to see the exact numbers of hits on each line in the ACL.
 
NicBrey Commented:
Hi there
You have to enable logging on the router, either to a syslog server or to memory

To log to a memory buffer:
router(config)# logging buffered <level of logging you require>     <---- use the "?" key to see the options

To log to syslog server:
router(config)# logging <ip address of syslog server>

View the memory buffer log:
router# show log


 
NicBrey Commented:
I suggest that you log to an external syslog server to save router resources.

Link to syslog daemon for Windows:
http://www.kiwisyslog.com/

But if you are going to log to memory, use the "clear log" command to clean out the log.
 
Scotty_cisco Commented:
I think MaxQ is on the right path, but I got the impression that he was not showing any matches? Is this correct? If this is the case, I would try adding the log statement to the end of the ACL for some testing and check to see if the packets are actually hitting the ACL. If they are, I have seen some situations where different versions of IOS show the packet counts and others do not. For instance, route-maps are that way: in many of the 12.1 versions they are not shown as hitting the ACL; when we upgraded to 12.2 they started showing. Also check the direction of the applied access list. I know it sounds dumb, but that has bitten me more than once ....

Thanks
Scott
Question has a verified solution.
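
Added example (not part of the original thread or any poster's code): once the "log" entries of the ACL above are sent to a syslog server as NicBrey suggests, per-entry hits can be tallied from the %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP messages even when "show access-list" displays no counters. The sample lines, the ACL number 110, the hostname and the source addresses are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the IOS ACL-logging message format;
# ACL number 110, hostname "rtr" and source addresses are assumptions.
SAMPLE_LOG = """\
Mar  1 10:00:01 rtr 45: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 198.51.100.7(40112) -> 172.16.88.20(25), 1 packet
Mar  1 10:00:09 rtr 46: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.9(51514) -> 172.16.88.253(23), 1 packet
Mar  1 10:05:09 rtr 47: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.9(51514) -> 172.16.88.253(23), 4 packets
Mar  1 10:05:30 rtr 48: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 203.0.113.9 -> 202.163.80.253 (8/0), 2 packets
Mar  1 10:06:00 rtr 49: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# TCP/UDP messages carry ports in parentheses; ICMP messages carry (type/code).
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGD?P: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\(\d+\))? -> "
    r"(?P<dst>[\d.]+) ?\((?P<svc>[\d/]+)\), (?P<count>\d+) packets?"
)

def tally_acl_hits(log_text):
    """Sum logged packets per (acl, action, proto, dst, port or ICMP type/code)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ACL_LOG.search(line)
        if not m:
            continue  # not an ACL log message
        key = (m["acl"], m["action"], m["proto"], m["dst"], m["svc"])
        # Each message ends with a packet count, so add that count
        # instead of counting one hit per log line.
        hits[key] += int(m["count"])
    return hits

if __name__ == "__main__":
    for key, n in sorted(tally_acl_hits(SAMPLE_LOG).items()):
        print(*key, n)
```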
