Solved

Cisco 3560 access-list anomaly

Posted on 2006-05-16
Last Modified: 2010-04-17
We have several VLANs set up on our 3560 switch.

Everything is working, but the strange thing is that each ace isn't incrementing as traffic is processed against it.

Any comments?

Running 12.2 IOS.
Question by:averyb
7 Comments
Expert Comment

by:mikebernhardt
ID: 16694648
You could provide the config and the output of "show access-list"
Expert Comment

by:lrmoore
ID: 16698878
Have you actually applied the acl to the appropriate vlan?
Author Comment

by:averyb
ID: 16699036
Here's the config
I removed several lines related to which ports are on which VLAN.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 3560
!
no logging console
enable secret 5 $1$XWhF$F9woAFcfR7hXkIINHaozN/
!
no aaa new-model
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
 description uplink to FW
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
!
<Lines removed>
!
interface FastEthernet0/13
 switchport access vlan 110
 switchport mode access
!
<Lines Removed>
!
interface FastEthernet0/19
 switchport access vlan 111
 switchport mode access
!
<Lines Removed>
!
interface FastEthernet0/25
 switchport access vlan 112
 switchport mode access
!
<Lines Removed>
!
interface FastEthernet0/31
 switchport access vlan 113
 switchport mode access
!
<Lines Removed>
!
interface FastEthernet0/37
 switchport access vlan 114
 switchport mode access
 shutdown
!
<Lines removed>
!
interface FastEthernet0/43
 switchport access vlan 115
 switchport mode access
 shutdown
!
<Lines Removed>
!
interface GigabitEthernet0/1
 shutdown
!
<Lines removed>

interface Vlan1
 ip address 192.168.1.2 255.255.255.252
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan110
 ip address 192.168.110.1 255.255.255.0
 ip access-group 110 in
 ip helper-address 192.168.100.3
!
interface Vlan111
 ip address 192.168.111.1 255.255.255.0
 ip access-group 111 in
 ip helper-address 192.168.100.3
!
interface Vlan112
 ip address 192.168.112.1 255.255.255.0
 ip access-group 112 in
 ip helper-address 192.168.100.3
!
interface Vlan113
 ip address 192.168.113.1 255.255.255.0
 ip access-group 113 in
 ip helper-address 192.168.100.3
!
interface Vlan114
 ip address 192.168.114.1 255.255.255.0
 ip helper-address 192.168.100.3
 shutdown
!
interface Vlan115
 ip address 192.168.115.1 255.255.255.0
 ip helper-address 192.168.100.3
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
!
access-list 100 permit icmp any any
access-list 100 permit ip host 192.168.100.1 host 192.168.110.1
access-list 100 permit ip host 192.168.100.3 host 192.168.110.1
access-list 100 permit ip host 192.168.100.1 host 192.168.111.1
access-list 100 permit ip host 192.168.100.3 host 192.168.111.1
access-list 100 permit ip host 192.168.100.1 host 192.168.112.1
access-list 100 permit ip host 192.168.100.3 host 192.168.112.1
access-list 100 permit ip host 192.168.100.1 host 192.168.113.1
access-list 100 permit ip host 192.168.100.3 host 192.168.113.1
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq bootpc
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any eq ftp any
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp any any eq 2000
access-list 100 permit ip host 192.168.100.151 any
access-list 100 permit ip host 192.168.100.152 any
access-list 100 permit ip any 192.168.111.32 0.0.0.31
access-list 100 permit ip any 192.168.112.32 0.0.0.31
access-list 100 permit ip any 192.168.113.32 0.0.0.31
access-list 100 permit ip host 192.168.100.3 host 192.168.111.10
access-list 100 permit ip host 192.168.100.3 host 192.168.112.10
access-list 100 permit ip host 192.168.100.3 host 192.168.113.10
access-list 100 permit ip host 192.168.100.4 host 192.168.111.10
access-list 100 permit ip host 192.168.100.4 host 192.168.112.10
access-list 100 permit ip host 192.168.100.4 host 192.168.113.10
access-list 100 permit ip host 192.168.100.240 host 192.168.111.10
access-list 100 permit ip host 192.168.100.240 host 192.168.112.10
access-list 100 permit ip host 192.168.100.240 host 192.168.113.10
access-list 100 deny   ip any 192.168.111.0 0.0.0.255
access-list 100 deny   ip any 192.168.112.0 0.0.0.255
access-list 100 deny   ip any 192.168.113.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip any any
access-list 111 permit icmp any any
access-list 111 permit ip host 192.168.111.1 host 192.168.100.1
access-list 111 permit ip host 192.168.111.1 host 192.168.100.3
access-list 111 permit udp any any eq bootps
access-list 111 permit udp any any eq bootpc
access-list 111 permit ip any 192.168.10.240 0.0.0.7
access-list 111 permit ip any 192.168.10.248 0.0.0.3
access-list 111 permit ip 192.168.111.32 0.0.0.31 192.168.100.0 0.0.0.255
access-list 111 permit tcp 192.168.111.32 0.0.0.31 any eq 7609
access-list 111 permit tcp any any eq ftp-data
access-list 111 permit tcp any eq ftp-data any
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any eq ftp any
access-list 111 permit tcp any 192.168.100.0 0.0.0.255 eq 3389
access-list 111 permit ip host 192.168.111.10 host 192.168.100.240
access-list 111 permit ip host 192.168.111.10 host 192.168.100.3
access-list 111 permit tcp host 192.168.111.10 any eq smtp
access-list 111 permit tcp host 192.168.111.10 eq smtp any
access-list 111 permit tcp host 192.168.111.10 any eq 7609
access-list 111 deny   tcp host 192.168.111.10 192.168.112.0 0.0.0.255 eq www
access-list 111 deny   tcp host 192.168.111.10 192.168.113.0 0.0.0.255 eq www
access-list 111 deny   tcp host 192.168.111.10 192.168.112.0 0.0.0.255 eq 8080
access-list 111 deny   tcp host 192.168.111.10 192.168.113.0 0.0.0.255 eq 8080
access-list 111 deny   tcp host 192.168.111.10 192.168.112.0 0.0.0.255 eq 443
access-list 111 deny   tcp host 192.168.111.10 192.168.113.0 0.0.0.255 eq 443
access-list 111 deny   tcp 192.168.111.32 0.0.0.31 192.168.112.0 0.0.0.255 eq www
access-list 111 deny   tcp 192.168.111.32 0.0.0.31 192.168.113.0 0.0.0.255 eq www
access-list 111 deny   tcp 192.168.111.32 0.0.0.31 192.168.112.0 0.0.0.255 eq 8080
access-list 111 deny   tcp 192.168.111.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 8080
access-list 111 deny   tcp 192.168.111.32 0.0.0.31 192.168.112.0 0.0.0.255 eq 443
access-list 111 deny   tcp 192.168.111.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 443
access-list 111 permit tcp host 192.168.111.10 any eq www
access-list 111 permit tcp host 192.168.111.10 any eq 8080
access-list 111 permit tcp host 192.168.111.10 any eq 443
access-list 111 permit tcp 192.168.111.32 0.0.0.31 any eq www
access-list 111 permit tcp 192.168.111.32 0.0.0.31 any eq 8080
access-list 111 permit tcp 192.168.111.32 0.0.0.31 any eq 443
access-list 111 permit ip 192.168.111.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 112 permit icmp any any
access-list 112 permit ip host 192.168.112.1 host 192.168.100.1
access-list 112 permit ip host 192.168.112.1 host 192.168.100.3
access-list 112 permit udp any any eq bootps
access-list 112 permit udp any any eq bootpc
access-list 112 permit ip any 192.168.10.240 0.0.0.7
access-list 112 permit ip any 192.168.10.248 0.0.0.3
access-list 112 permit ip 192.168.112.32 0.0.0.31 192.168.100.0 0.0.0.255
access-list 112 permit tcp 192.168.112.32 0.0.0.31 any eq 7609
access-list 112 permit tcp any any eq ftp-data
access-list 112 permit tcp any eq ftp-data any
access-list 112 permit tcp any any eq ftp
access-list 112 permit tcp any eq ftp any
access-list 112 permit tcp any 192.168.100.0 0.0.0.255 eq 3389
access-list 112 permit ip host 192.168.112.10 host 192.168.100.240
access-list 112 permit ip host 192.168.112.10 host 192.168.100.3
access-list 112 permit tcp host 192.168.112.10 any eq smtp
access-list 112 permit tcp host 192.168.112.10 eq smtp any
access-list 112 permit tcp host 192.168.112.10 any eq 7609
access-list 112 deny   tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq www
access-list 112 deny   tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq www
access-list 112 deny   tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq 8080
access-list 112 deny   tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq 8080
access-list 112 deny   tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq 443
access-list 112 deny   tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq 443
access-list 112 deny   tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq www
access-list 112 deny   tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq www
access-list 112 deny   tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 8080
access-list 112 deny   tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 8080
access-list 112 deny   tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 443
access-list 112 deny   tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 443
access-list 112 permit tcp host 192.168.112.10 any eq www
access-list 112 permit tcp host 192.168.112.10 any eq 8080
access-list 112 permit tcp host 192.168.112.10 any eq 443
access-list 112 permit tcp 192.168.112.32 0.0.0.31 any eq www
access-list 112 permit tcp 192.168.112.32 0.0.0.31 any eq 8080
access-list 112 permit tcp 192.168.112.32 0.0.0.31 any eq 443
access-list 112 permit ip 192.168.112.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 113 permit icmp any any
access-list 113 permit ip host 192.168.113.1 host 192.168.100.1
access-list 113 permit ip host 192.168.113.1 host 192.168.100.3
access-list 113 permit udp any any eq bootps
access-list 113 permit udp any any eq bootpc
access-list 113 permit ip any 192.168.10.240 0.0.0.7
access-list 113 permit ip any 192.168.10.248 0.0.0.3
access-list 113 permit ip 192.168.113.32 0.0.0.31 192.168.100.0 0.0.0.255
access-list 113 permit tcp 192.168.113.32 0.0.0.31 any eq 7609
access-list 113 permit tcp any any eq ftp-data
access-list 113 permit tcp any eq ftp-data any
access-list 113 permit tcp any any eq ftp
access-list 113 permit tcp any eq ftp any
access-list 113 permit tcp any 192.168.100.0 0.0.0.255 eq 3389
access-list 113 permit ip host 192.168.113.10 host 192.168.100.240
access-list 113 permit ip host 192.168.113.10 host 192.168.100.3
access-list 113 permit tcp host 192.168.113.10 any eq smtp
access-list 113 permit tcp host 192.168.113.10 eq smtp any
access-list 113 permit tcp host 192.168.113.10 any eq 7609
access-list 113 deny   tcp host 192.168.113.10 192.168.111.0 0.0.0.255 eq www
access-list 113 deny   tcp host 192.168.113.10 192.168.112.0 0.0.0.255 eq www
access-list 113 deny   tcp host 192.168.113.10 192.168.111.0 0.0.0.255 eq 8080
access-list 113 deny   tcp host 192.168.113.10 192.168.112.0 0.0.0.255 eq 8080
access-list 113 deny   tcp host 192.168.113.10 192.168.111.0 0.0.0.255 eq 443
access-list 113 deny   tcp host 192.168.113.10 192.168.112.0 0.0.0.255 eq 443
access-list 113 deny   tcp 192.168.113.32 0.0.0.31 192.168.111.0 0.0.0.255 eq www
access-list 113 deny   tcp 192.168.113.32 0.0.0.31 192.168.112.0 0.0.0.255 eq www
access-list 113 deny   tcp 192.168.113.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 8080
access-list 113 deny   tcp 192.168.113.32 0.0.0.31 192.168.112.0 0.0.0.255 eq 8080
access-list 113 deny   tcp 192.168.113.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 443
access-list 113 deny   tcp 192.168.113.32 0.0.0.31 192.168.112.0 0.0.0.255 eq 443
access-list 113 permit tcp host 192.168.113.10 any eq www
access-list 113 permit tcp host 192.168.113.10 any eq 8080
access-list 113 permit tcp host 192.168.113.10 any eq 443
access-list 113 permit tcp 192.168.113.32 0.0.0.31 any eq www
access-list 113 permit tcp 192.168.113.32 0.0.0.31 any eq 8080
access-list 113 permit tcp 192.168.113.32 0.0.0.31 any eq 443
access-list 113 permit ip 192.168.113.0 0.0.0.255 192.168.110.0 0.0.0.255
!
control-plane
!
!
line con 0
line vty 0 4
 password 7 005403030A695B070B32
 login
line vty 5 15
 no login
!
!
end




Author Comment

by:averyb
ID: 16699121
show access-list 112
Extended IP access list 112
    10 permit icmp any any (4 matches)
    20 permit ip host 192.168.112.1 host 192.168.100.1
    30 permit ip host 192.168.112.1 host 192.168.100.3
    40 permit udp any any eq bootps (20 matches)
    50 permit udp any any eq bootpc
    60 permit ip any 192.168.10.240 0.0.0.7
    70 permit ip any 192.168.10.248 0.0.0.3
    80 permit ip 192.168.112.32 0.0.0.31 192.168.100.0 0.0.0.255
    90 permit tcp 192.168.112.32 0.0.0.31 any eq 7609
    100 permit tcp any any eq ftp-data
    110 permit tcp any eq ftp-data any
    120 permit tcp any any eq ftp
    130 permit tcp any eq ftp any
    140 permit tcp any 192.168.100.0 0.0.0.255 eq 3389
    150 permit ip host 192.168.112.10 host 192.168.100.240
    160 permit ip host 192.168.112.10 host 192.168.100.3
    170 permit tcp host 192.168.112.10 any eq smtp
    180 permit tcp host 192.168.112.10 eq smtp any
    190 permit tcp host 192.168.112.10 any eq 7609
    200 deny tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq www
    210 deny tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq www
    220 deny tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq 8080
    230 deny tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq 8080
    240 deny tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq 443
    250 deny tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq 443
    260 deny tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq www
    270 deny tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq www
    280 deny tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 8080
    290 deny tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 8080
    300 deny tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 443
    310 deny tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 443
    320 permit tcp host 192.168.112.10 any eq www
    330 permit tcp host 192.168.112.10 any eq 8080
    340 permit tcp host 192.168.112.10 any eq 443
    350 permit tcp 192.168.112.32 0.0.0.31 any eq www
    360 permit tcp 192.168.112.32 0.0.0.31 any eq 8080
    370 permit tcp 192.168.112.32 0.0.0.31 any eq 443
    380 permit ip 192.168.112.0 0.0.0.255 192.168.110.0 0.0.0.255 (58 matches)

Show access-list 100
Extended IP access list 100
    10 permit icmp any any
    20 permit ip host 192.168.100.1 host 192.168.110.1
    30 permit ip host 192.168.100.3 host 192.168.110.1 (1 match)
    40 permit ip host 192.168.100.1 host 192.168.111.1
    50 permit ip host 192.168.100.3 host 192.168.111.1
    60 permit ip host 192.168.100.1 host 192.168.112.1
    70 permit ip host 192.168.100.3 host 192.168.112.1
    80 permit ip host 192.168.100.1 host 192.168.113.1
    90 permit ip host 192.168.100.3 host 192.168.113.1
    100 permit udp any any eq bootps (98 matches)
    110 permit udp any any eq bootpc (69 matches)
    120 permit tcp any any eq ftp-data
    130 permit tcp any eq ftp-data any
    140 permit tcp any any eq ftp
    150 permit tcp any eq ftp any
    160 permit tcp any any eq 3389
    170 permit tcp any any eq 2000
    180 permit ip host 192.168.100.151 any
    190 permit ip host 192.168.100.152 any
    200 permit ip any 192.168.111.32 0.0.0.31
    210 permit ip any 192.168.112.32 0.0.0.31
    220 permit ip any 192.168.113.32 0.0.0.31
    230 permit ip host 192.168.100.3 host 192.168.111.10
    240 permit ip host 192.168.100.3 host 192.168.112.10
    250 permit ip host 192.168.100.3 host 192.168.113.10
    260 permit ip host 192.168.100.4 host 192.168.111.10
    270 permit ip host 192.168.100.4 host 192.168.112.10
    280 permit ip host 192.168.100.4 host 192.168.113.10
    290 permit ip host 192.168.100.240 host 192.168.111.10
    300 permit ip host 192.168.100.240 host 192.168.112.10
    310 permit ip host 192.168.100.240 host 192.168.113.10
    320 deny ip any 192.168.111.0 0.0.0.255
    330 deny ip any 192.168.112.0 0.0.0.255 (6 matches)
    340 deny ip any 192.168.113.0 0.0.0.255
    350 permit ip any any (3522 matches)

Now I ping to a server on VLAN 112 from the switch itself--
Only difference on show access-list 100 is line 350.  
Only difference on show access-list 112 is line 10 which is expected.

Now I ping to a server on VLAN 112 from a server on VLAN 100--
Nothing on access-list 112 increments at all.  Only line 350 increments on access-list 100.

Note: There is a good bit of traffic present on the network which would cause line 350 on access-list 100 to increment.  The incrementing on that ace might be totally unrelated to the ping traffic.

If I ftp from VLAN 100 to VLAN 112
Author Comment

by:averyb
ID: 16699125
Ignore the last line in the previous post.
Expert Comment

by:mikebernhardt
ID: 16700660
>Now I ping to a server on VLAN 112 from the switch itself
I wouldn't expect anything on access-list 100 since you are probably pinging from the interface address of vlan 112.

>Now I ping to a server on VLAN 112 from a server on VLAN 100
Not sure about this one. Are you running SM or SM software? Can you do a show version please? It may be that access-list counters are buggy. One test would be to add a line 5 denying icmp between the 2 test servers on vlan 100 and see if it blocks it.
Accepted Solution

by:pjtemplin (earned 2000 total points)
ID: 16701238
Welcome to the wonderful world of L3 switches.  Because the packet processing is pushed out to the individual port ASICs, there are a lot of shortcomings with ACE counters in these boxes.  All too often (there are exceptions, but I don't know them), the only ACE counters that will increment are when the packet is processed "in software" (i.e. process-switched).

If you absolutely positively need to have the counters, you could add " log" to your ACE, thereby forcing a switch to the CPU and therefore an ACE increment.  Not recommended though.
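The counters averyb posted above and pjtemplin's explanation of why they stay at zero for hardware-forwarded traffic leave one practical gap: on this platform `show access-list` cannot tell you which ACE a flow is actually matched against, so the only way to check policy intent is to evaluate the ACL offline. The following Python script is an added example for this thread, not code from the thread or from Cisco. It parses both formats that appear above, running-config `access-list N ...` lines and `show access-list` output with its `(N matches)` counters, and walks an ACL top-down with standard IOS first-match semantics (an `ip` entry matches any protocol, a port qualifier is only compared when the ACE carries one, and the list ends in an implicit deny). Assumptions: the service-name table covers only the names used in this config, the embedded ACL text is a constructed excerpt of ACLs 100 and 112 rather than the full lists, and 192.168.100.50 is a constructed host on VLAN 100 standing in for the server the ping was sent from.

```python
"""Offline first-match evaluation of Cisco IOS numbered extended ACLs (added example, not code
from the thread). Parses running-config 'access-list N ...' lines and 'show access-list' output
(with its '(N matches)' counters) and reports which ACE a flow would hit, which is exactly what
the hardware counters on this 3560 cannot tell you."""
import ipaddress
import re

# Service names IOS prints for the ports used in the config above (subset; assumption).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "bootps": 67, "bootpc": 68}
MATCHES_RE = re.compile(r"\((\d+) match(?:es)?\)$")

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, care) ints.
    An address matches when (address & care) == network; care is the inverted wildcard."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(tok))
    care = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF
    return addr & care, care

def _parse_port(tokens):
    """Consume an optional 'eq PORT' qualifier; return the port number or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None

def parse_acls(text):
    """Return {acl_number: [ace dicts in order]}. Config lines carry no sequence numbers,
    so seq is assigned 10, 20, ... by position, as IOS does when the whole ACL is present."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Extended IP access list "):  # header printed by show access-list
            current = int(line.split()[-1])
            acls.setdefault(current, [])
            continue
        matches, counter = 0, MATCHES_RE.search(line)
        if counter:  # strip the '(N matches)' suffix that show output appends
            matches = int(counter.group(1))
            line = line[:counter.start()].rstrip()
        tokens = line.split()
        if tokens and tokens[0] == "access-list":
            current = int(tokens[1])
            acls.setdefault(current, [])
            seq, tokens = 10 * (len(acls[current]) + 1), tokens[2:]
        elif tokens and tokens[0].isdigit() and current is not None:
            seq, tokens = int(tokens[0]), tokens[1:]
        else:
            continue  # blank line, command echo or other non-ACE text
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _parse_addr(rest), _parse_port(rest)
        dst, dport = _parse_addr(rest), _parse_port(rest)
        acls[current].append({"seq": seq, "action": action, "proto": proto, "src": src, "sport": sport,
                              "dst": dst, "dport": dport, "matches": matches, "text": line})
    return acls

def first_match(aces, proto, src, dst, sport=None, dport=None):
    """Top-down walk: 'ip' ACEs match any protocol, a port is compared only when the ACE
    carries one, and the fall-through is the implicit deny that ends every ACL."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if (s & ace["src"][1]) != ace["src"][0] or (d & ace["dst"][1]) != ace["dst"][0]:
            continue
        if any(want is not None and want != got for want, got in ((ace["sport"], sport), (ace["dport"], dport))):
            continue
        return ace
    return {"seq": None, "action": "deny", "text": "implicit deny ip any any", "matches": 0}

def zero_hit_aces(aces):
    """ACEs whose counter reads zero; on this platform that does not prove them unused."""
    return [ace["seq"] for ace in aces if ace["matches"] == 0]

# Constructed excerpts of the two ACLs posted above, one in each format.
SHOW_OUTPUT = """\
Extended IP access list 100
    10 permit icmp any any
    210 permit ip any 192.168.112.32 0.0.0.31
    240 permit ip host 192.168.100.3 host 192.168.112.10
    330 deny ip any 192.168.112.0 0.0.0.255 (6 matches)
    350 permit ip any any (3522 matches)
"""
CONFIG_LINES = """\
access-list 112 permit icmp any any
access-list 112 permit tcp any 192.168.100.0 0.0.0.255 eq 3389
access-list 112 permit ip host 192.168.112.10 host 192.168.100.3
access-list 112 permit ip 192.168.112.0 0.0.0.255 192.168.110.0 0.0.0.255
"""
ACLS = parse_acls(SHOW_OUTPUT + CONFIG_LINES)
# The thread's ping, with 192.168.100.50 as a constructed VLAN 100 host: the echo request
# is checked by ACL 100 inbound on Vlan100, the reply by ACL 112 inbound on Vlan112.
PING_REQUEST = first_match(ACLS[100], "icmp", "192.168.100.50", "192.168.112.10")
PING_REPLY = first_match(ACLS[112], "icmp", "192.168.112.10", "192.168.100.50")
```

Both halves of the ping resolve to sequence 10 (`permit icmp any any`) in their respective ACLs, which is what the poster expected to see incrementing; a TCP connection from the same host to 192.168.112.10 on port 80 falls through to the `deny ip any 192.168.112.0 0.0.0.255` entry of ACL 100 instead. Because `zero_hit_aces` reports every entry with a zero counter, including the ones the ping demonstrably traverses, it makes pjtemplin's point concrete: a zero on this platform is not evidence that an ACE is dead, so ACL clean-up decisions should rest on this kind of offline evaluation rather than on the counters.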
Question has a verified solution.