Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ACL counter

Status
Not open for further replies.
inay

inay

IS-IT--Management
Jan 21, 2006
2
TR
Hi all

I have a Catalyst 6509 switch. I'just migrated from SUP1A-MSFC to SUP 720. I have copied my working ACL's onto the new platform. Now some of my access lists are not working or the counters doesn't increment.

here is an example:

ip access-list extended Vlan7
remark permitted
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq www
permit tcp any any eq ftp
permit tcp any any eq 106
remark *************
remark icmp
deny icmp any any fragments
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any echo-reply
permit icmp host x.x.x.x any echo
permit icmp host x.x.x.x any echo
permit icmp x.x.x.x 0.0.0.255 any echo
deny icmp any any echo
remark **************
remark cancelled
permit tcp any host x.x.x.x eq 22
permit tcp any host x.x.x.x eq 22
permit tcp any host x.x.x.x eq 22
permit tcp any host x.x.x.x eq 22
permit tcp x.x.x.x 0.0.0.255 any eq 22
deny tcp any any eq 22 log
deny tcp any any eq telnet
deny tcp any any eq 1434
deny tcp any any eq 1900
deny udp any any eq 1433
deny udp any any eq 1434
deny udp any any eq 1900
deny tcp any any eq 139 log
deny tcp any any eq 135
permit ip any any

This Vlan belongs to e-mail servers but there is no increment on the counter of the line "permit tcp any any eq smtp" nor "permit ip any any". I ?think when I boot the switch it works for a little while cause I see a little count on those lines like 40-50 hits. Then they stop counting. This Vlan has a 1-2 Mbit constant traffic on it. On the other hand some other ACL's work fine.

I'm not sure that my ACL's work. How can I solve this problem

Inay
 
Sort by date Sort by votes
Hmmm, this looks familiar, questions...

- What do you have for the configuration under Vlan7?
- What is the CPU usage (average) for process and interrupt runtimes?
- Do you have logging enabled and is there anything there?
- What is your current IOS running on your Sup720?
- Do you have any switching methods/paths enabled (e.g. CEF, Fast Switching, etc)
- Which ACLs are working consistently?
- Which ACLs are not working consistently?

cf
 
Upvote 0 Downvote
We used to have a bug on a 6513 SUP2/MSFC2 that caused this type of problem. We upgraded the IOS and that fixed the counters.

John
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Mogles49
  • Locked
  • Question
Firewall ACL question
Replies
1
Views
175
burtsbees
burtsbees
acabezas2014
  • Locked
  • Question
Create ACL for ip range
Replies
2
Views
147
acabezas2014
acabezas2014
hunt3rxhunt3r
  • Locked
  • Question
ACL to allow address range access to internal address range behind dynamic nat ip
Replies
0
Views
98
hunt3rxhunt3r
hunt3rxhunt3r
xdxml12
  • Locked
  • Question
ACL
Replies
3
Views
102
xdxml12
xdxml12
Almin
  • Locked
  • Question
ACL Question 1
Replies
2
Views
87
Almin
Almin

Part and Inventory Search

Sponsor

Back
Top