Access-list on vlan interface Cisco 3750

Hi,
I am working with three Cisco 3750s for my core routing/switching.
I am able to route L3 traffic and VLAN traffic. My VLANs are defined on the same switch (VTP Domain Server).
I apply some access-lists to the VLAN interfaces.
Everything works fine.
When I look at the ACL status with "show access-list myacl", the 3750 shows the ACL with some matches, but they are quickly reset, as if I had done a "clear counter access-list myacl".

The ios version is Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(25)SEB2

Any ideas?

Thank you,
Mauro
 
pjtemplin Commented:
Are you saying the numbers go DOWN, or simply that they're lower than what you'd expect?  I'm not familiar with the 3750 platform yet, but many of the swouters don't have accurate ACL counters because the processing is distributed amongst the port ASICs.
 
Pelitti (Author) Commented:
The numbers are quickly reset, so I can't determine how many matches I have.
I can see the numbers with show access-list, but they are reset (no match)...

Thank you,
Mauro

 
pjtemplin Commented:
Can you show us three successive "sh access-list" outputs?
 
Pelitti (Author) Commented:
Extended IP access list 112
    10 permit udp 10.0.12.0 0.0.0.255 10.0.12.0 0.0.0.255 (6 matches)
    30 permit udp host 10.0.11.111 host 10.0.12.6
    40 permit udp host 10.0.11.18 host 10.0.12.6
    50 permit udp host 10.0.11.35 host 10.0.12.6
    60 permit udp host 10.0.57.1 host 10.0.12.6
    80 permit udp host 10.0.57.1 host 10.0.12.7 eq syslog
    90 permit ip 10.0.14.0 0.0.0.255 any
    100 permit ip 10.0.16.0 0.0.0.255 any (12 matches)
    110 permit ip 10.0.17.0 0.0.0.255 any
    120 permit ip 10.0.19.0 0.0.0.63 any
    130 permit ip 10.0.22.0 0.0.0.63 any
    140 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.2
    150 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.3
    160 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.4
    170 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.5
    180 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.6
    190 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.10
    210 permit tcp any host 10.0.12.2 log
    220 permit tcp any host 10.0.12.4 log
    230 permit tcp any host 10.0.12.6 established log
    240 permit tcp any host 10.0.12.7 established log
    250 permit tcp any host 10.0.12.9 established log
    260 permit tcp host 10.0.12.26 10.0.55.0 0.0.0.255 log
    270 permit icmp 10.0.25.0 0.0.0.255 any
    280 permit udp 10.0.25.0 0.0.0.255 host 10.0.12.2 eq domain
    290 permit udp 10.0.25.0 0.0.0.255 host 10.0.12.4 eq domain
    300 deny ip any any log
Dor01#sh access-lists 112
Extended IP access list 112
    10 permit udp 10.0.12.0 0.0.0.255 10.0.12.0 0.0.0.255 (6 matches)
    30 permit udp host 10.0.11.111 host 10.0.12.6
    40 permit udp host 10.0.11.18 host 10.0.12.6
    50 permit udp host 10.0.11.35 host 10.0.12.6
    60 permit udp host 10.0.57.1 host 10.0.12.6
    80 permit udp host 10.0.57.1 host 10.0.12.7 eq syslog
    90 permit ip 10.0.14.0 0.0.0.255 any
    100 permit ip 10.0.16.0 0.0.0.255 any (16 matches)
    110 permit ip 10.0.17.0 0.0.0.255 any
    120 permit ip 10.0.19.0 0.0.0.63 any
    130 permit ip 10.0.22.0 0.0.0.63 any
    140 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.2
    150 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.3
    160 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.4
    170 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.5
    180 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.6
    190 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.10
    210 permit tcp any host 10.0.12.2 log
    220 permit tcp any host 10.0.12.4 log
    230 permit tcp any host 10.0.12.6 established log
    240 permit tcp any host 10.0.12.7 established log
    250 permit tcp any host 10.0.12.9 established log
    260 permit tcp host 10.0.12.26 10.0.55.0 0.0.0.255 log
    270 permit icmp 10.0.25.0 0.0.0.255 any
    280 permit udp 10.0.25.0 0.0.0.255 host 10.0.12.2 eq domain
    290 permit udp 10.0.25.0 0.0.0.255 host 10.0.12.4 eq domain
    300 deny ip any any log
Dor01#sh access-lists 112
Extended IP access list 112
    10 permit udp 10.0.12.0 0.0.0.255 10.0.12.0 0.0.0.255
    30 permit udp host 10.0.11.111 host 10.0.12.6
    40 permit udp host 10.0.11.18 host 10.0.12.6
    50 permit udp host 10.0.11.35 host 10.0.12.6
    60 permit udp host 10.0.57.1 host 10.0.12.6
    80 permit udp host 10.0.57.1 host 10.0.12.7 eq syslog
    90 permit ip 10.0.14.0 0.0.0.255 any
    100 permit ip 10.0.16.0 0.0.0.255 any
    110 permit ip 10.0.17.0 0.0.0.255 any
    120 permit ip 10.0.19.0 0.0.0.63 any
    130 permit ip 10.0.22.0 0.0.0.63 any
    140 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.2
    150 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.3
    160 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.4
    170 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.5
    180 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.6
    190 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.10
    210 permit tcp any host 10.0.12.2 log
    220 permit tcp any host 10.0.12.4 log
    230 permit tcp any host 10.0.12.6 established log
    240 permit tcp any host 10.0.12.7 established log
    250 permit tcp any host 10.0.12.9 established log
    260 permit tcp host 10.0.12.26 10.0.55.0 0.0.0.255 log
    270 permit icmp 10.0.25.0 0.0.0.255 any
    280 permit udp 10.0.25.0 0.0.0.255 host 10.0.12.2 eq domain
    290 permit udp 10.0.25.0 0.0.0.255 host 10.0.12.4 eq domain
    300 deny ip any any log
 
pjtemplin Commented:
Uh, strange.  Time to call Cisco TAC on that one.
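
Added example, not part of the original thread: a Python script that parses successive "show access-lists" outputs and flags every entry whose match counter went backwards between polls, the symptom reported above. The function names are hypothetical, and the sample snapshots are abbreviated from the three outputs posted in the thread.

```python
import re

# One ACE line of "show access-lists" output, with optional "(N matches)" suffix.
ACE_RE = re.compile(
    r"^\s*(\d+)\s+((?:permit|deny)\s.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_snapshot(text):
    """Return {sequence: (rule_text, match_count)}; no suffix means 0 matches."""
    aces = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces[int(m.group(1))] = (m.group(2), int(m.group(3) or 0))
    return aces

def compare(prev, curr):
    """Return [(sequence, old, new, status)] for every ACE whose counter moved."""
    changes = []
    for seq in sorted(curr):
        rule, new = curr[seq]
        if seq not in prev or prev[seq][0] != rule:
            continue  # ACE added or edited between polls: counts not comparable
        old = prev[seq][1]
        if new < old:
            changes.append((seq, old, new, "RESET"))  # counter went backwards
        elif new > old:
            changes.append((seq, old, new, "hit"))    # normal increment
    return changes

# Snapshots abbreviated from the three outputs posted in the thread.
SNAP1 = """Extended IP access list 112
    10 permit udp 10.0.12.0 0.0.0.255 10.0.12.0 0.0.0.255 (6 matches)
    100 permit ip 10.0.16.0 0.0.0.255 any (12 matches)
    300 deny ip any any log
"""
SNAP2 = SNAP1.replace("(12 matches)", "(16 matches)")
SNAP3 = re.sub(r" \(\d+ matches\)", "", SNAP2)  # third poll: all counters gone

if __name__ == "__main__":
    snaps = [parse_snapshot(s) for s in (SNAP1, SNAP2, SNAP3)]
    for prev, curr in zip(snaps, snaps[1:]):
        for seq, old, new, status in compare(prev, curr):
            print(f"ACE {seq}: {old} -> {new} [{status}]")
```

Run against timestamped polls, the RESET rows show whether the counters clear on a regular interval or irregularly, which is useful detail to attach to a TAC case.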