Access-list on vlan interface Cisco 3750

Pelitti asked
Last Modified: 2010-05-18
Hi,
I am working with three Cisco 3750 for my core Routing/Switching.
I am able to route L3 traffic and VLAN traffic. My VLANs are defined on the same switch (VTP Domain Server).
I apply some access-lists to the VLAN interfaces.
Everything works fine.
When I look at the ACL status with "show access-list myacl", the 3750 shows the ACL with some matches, but they are quickly reset, as if I had done a "clear counter access-list myacl".

The ios version is Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(25)SEB2

Any idea ??

Thank you,
Mauro

Top Expert 2006

Commented:
Are you saying the numbers go DOWN, or simply that they're lower than what you'd expect?  I'm not familiar with the 3750 platform yet, but many of the swouters don't have accurate ACL counters because the processing is distributed amongst the port ASICs.

Author

Commented:
The numbers are quickly reset, so I can't determine how many matches I have.
I can see the numbers with show access-list, but they are reset (no match)...

Thank you,
Mauro

Top Expert 2006

Commented:
Can you show us three successive "sh access-list" outputs?

Author

Commented:
Extended IP access list 112
    10 permit udp 10.0.12.0 0.0.0.255 10.0.12.0 0.0.0.255 (6 matches)
    30 permit udp host 10.0.11.111 host 10.0.12.6
    40 permit udp host 10.0.11.18 host 10.0.12.6
    50 permit udp host 10.0.11.35 host 10.0.12.6
    60 permit udp host 10.0.57.1 host 10.0.12.6
    80 permit udp host 10.0.57.1 host 10.0.12.7 eq syslog
    90 permit ip 10.0.14.0 0.0.0.255 any
    100 permit ip 10.0.16.0 0.0.0.255 any (12 matches)
    110 permit ip 10.0.17.0 0.0.0.255 any
    120 permit ip 10.0.19.0 0.0.0.63 any
    130 permit ip 10.0.22.0 0.0.0.63 any
    140 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.2
    150 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.3
    160 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.4
    170 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.5
    180 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.6
    190 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.10
    210 permit tcp any host 10.0.12.2 log
    220 permit tcp any host 10.0.12.4 log
    230 permit tcp any host 10.0.12.6 established log
    240 permit tcp any host 10.0.12.7 established log
    250 permit tcp any host 10.0.12.9 established log
    260 permit tcp host 10.0.12.26 10.0.55.0 0.0.0.255 log
    270 permit icmp 10.0.25.0 0.0.0.255 any
    280 permit udp 10.0.25.0 0.0.0.255 host 10.0.12.2 eq domain
    290 permit udp 10.0.25.0 0.0.0.255 host 10.0.12.4 eq domain
    300 deny ip any any log
Dor01#sh access-lists 112
Extended IP access list 112
    10 permit udp 10.0.12.0 0.0.0.255 10.0.12.0 0.0.0.255 (6 matches)
    30 permit udp host 10.0.11.111 host 10.0.12.6
    40 permit udp host 10.0.11.18 host 10.0.12.6
    50 permit udp host 10.0.11.35 host 10.0.12.6
    60 permit udp host 10.0.57.1 host 10.0.12.6
    80 permit udp host 10.0.57.1 host 10.0.12.7 eq syslog
    90 permit ip 10.0.14.0 0.0.0.255 any
    100 permit ip 10.0.16.0 0.0.0.255 any (16 matches)
    110 permit ip 10.0.17.0 0.0.0.255 any
    120 permit ip 10.0.19.0 0.0.0.63 any
    130 permit ip 10.0.22.0 0.0.0.63 any
    140 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.2
    150 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.3
    160 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.4
    170 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.5
    180 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.6
    190 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.10
    210 permit tcp any host 10.0.12.2 log
    220 permit tcp any host 10.0.12.4 log
    230 permit tcp any host 10.0.12.6 established log
    240 permit tcp any host 10.0.12.7 established log
    250 permit tcp any host 10.0.12.9 established log
    260 permit tcp host 10.0.12.26 10.0.55.0 0.0.0.255 log
    270 permit icmp 10.0.25.0 0.0.0.255 any
    280 permit udp 10.0.25.0 0.0.0.255 host 10.0.12.2 eq domain
    290 permit udp 10.0.25.0 0.0.0.255 host 10.0.12.4 eq domain
    300 deny ip any any log
Dor01#sh access-lists 112
Extended IP access list 112
    10 permit udp 10.0.12.0 0.0.0.255 10.0.12.0 0.0.0.255
    30 permit udp host 10.0.11.111 host 10.0.12.6
    40 permit udp host 10.0.11.18 host 10.0.12.6
    50 permit udp host 10.0.11.35 host 10.0.12.6
    60 permit udp host 10.0.57.1 host 10.0.12.6
    80 permit udp host 10.0.57.1 host 10.0.12.7 eq syslog
    90 permit ip 10.0.14.0 0.0.0.255 any
    100 permit ip 10.0.16.0 0.0.0.255 any
    110 permit ip 10.0.17.0 0.0.0.255 any
    120 permit ip 10.0.19.0 0.0.0.63 any
    130 permit ip 10.0.22.0 0.0.0.63 any
    140 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.2
    150 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.3
    160 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.4
    170 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.5
    180 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.6
    190 permit ip 10.0.18.0 0.0.0.255 host 10.0.12.10
    210 permit tcp any host 10.0.12.2 log
    220 permit tcp any host 10.0.12.4 log
    230 permit tcp any host 10.0.12.6 established log
    240 permit tcp any host 10.0.12.7 established log
    250 permit tcp any host 10.0.12.9 established log
    260 permit tcp host 10.0.12.26 10.0.55.0 0.0.0.255 log
    270 permit icmp 10.0.25.0 0.0.0.255 any
    280 permit udp 10.0.25.0 0.0.0.255 host 10.0.12.2 eq domain
    290 permit udp 10.0.25.0 0.0.0.255 host 10.0.12.4 eq domain
    300 deny ip any any log

Top Expert 2006

Commented:
Uh, strange.  Time to call Cisco TAC on that one.
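
Added example, not part of the thread or any poster's code: a small Python parser for successive "show access-lists" outputs that flags entries whose match counter went backwards between polls and keeps a running total across resets. The function names, the trimmed two-entry sample and the fourth poll are constructed for illustration; the counter values in the first three polls are the ones shown in the outputs above.

```python
import re

# One ACE line of "show access-lists": sequence number, rule, optional "(N matches)".
ACE_RE = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_snapshot(text):
    """Return {sequence_number: match_count} for one 'show access-lists' output."""
    counts = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            # An entry printed without a match suffix has a counter of zero.
            counts[int(m.group(1))] = int(m.group(3) or 0)
    return counts

def track(snapshots):
    """Return (running totals per entry, reset events) across ordered polls."""
    totals, resets, prev = {}, [], {}
    for idx, snap in enumerate(snapshots):
        for seq, cur in snap.items():
            old = prev.get(seq, 0)
            if cur < old:
                # Counter went backwards: record the reset, restart from zero.
                resets.append((idx, seq, old, cur))
                delta = cur
            else:
                delta = cur - old
            totals[seq] = totals.get(seq, 0) + delta
        prev = snap
    return totals, resets

HEADER = "Extended IP access list 112\n"
UDP = "    10 permit udp 10.0.12.0 0.0.0.255 10.0.12.0 0.0.0.255"
IP = "    100 permit ip 10.0.16.0 0.0.0.255 any"
# Constructed sample: entries 10 and 100 with the counters shown in the thread's
# three outputs, plus a fourth invented poll where counting has resumed.
POLLS = [
    HEADER + UDP + " (6 matches)\n" + IP + " (12 matches)\n",
    HEADER + UDP + " (6 matches)\n" + IP + " (16 matches)\n",
    HEADER + UDP + "\n" + IP + "\n",
    HEADER + UDP + "\n" + IP + " (3 matches)\n",
]

if __name__ == "__main__":
    totals, resets = track([parse_snapshot(p) for p in POLLS])
    for idx, seq, old, cur in resets:
        print(f"poll {idx}: entry {seq} counter fell from {old} to {cur}")
    print("running totals:", totals)
```

The running totals are lower bounds: matches that landed between the last poll before a reset and the reset itself are never seen, so a shorter polling interval narrows the gap.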
