triton
36 posts
I have an ACL applied to an interface SVI and some lines are not matched and some lines are. I don't know if this is normal on a switch.

SW3560#sh access-list 197
Extended IP access list 197
    5 permit icmp any any
    10 permit tcp 192.168.40.0 0.0.0.255 host 192.168.30.10 eq www
    20 permit udp host 192.168.40.3 eq 1985 host 224.0.0.2 eq 1985 (248 matches)
    30 permit tcp 192.168.40.0 0.0.0.255 any eq telnet (296 matches)
    40 permit tcp 192.168.40.0 0.0.0.255 host 192.168.40.2 eq telnet
    50 permit tcp 192.168.40.0 0.0.0.255 any established
    60 permit tcp 192.168.40.0 0.0.0.255 host 192.168.60.100 eq telnet

interface Vlan40
 ip address 192.168.40.2 255.255.255.0
 ip access-group 197 in

The IOS is c3560-ipbase-mz.122-35.SE5/c3560-ipbase-mz.122-35.SE5.bin

Thanks
triton
36 posts
I attach the output of sh access-list.
musicjunky
2 posts
When you append the "log" keyword to the end of an ACL statement it will show you how many times that line gets a hit. Those matches are the counters for each time that specific line in the ACL matches a packet being filtered. It is handy to be able to see how many hits each line is getting, but it does use extra CPU processing, so only use it if you know you can spare the resources and you need to see if a certain line is getting a match. If you have an ACL with many permit statements in a row, it is good practice to move the lines that are getting more hits towards the top to shorten the amount of processing for each packet, ONLY if it won't affect the LOGICAL FUNCTIONALITY of the ACL.
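As an added example (not from the thread or from Cisco), a small Python parser for the show access-list output quoted above: it reports which entries have never incremented their counter and applies the reordering advice from the last post only when it cannot change the ACL's logic (all entries share the same action, so no reorder alters which packets are permitted or denied).

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the "show access-list 197" output posted in the thread,
# one ACE per line as IOS prints it.
SHOW_ACL = """Extended IP access list 197
    5 permit icmp any any
    10 permit tcp 192.168.40.0 0.0.0.255 host 192.168.30.10 eq www
    20 permit udp host 192.168.40.3 eq 1985 host 224.0.0.2 eq 1985 (248 matches)
    30 permit tcp 192.168.40.0 0.0.0.255 any eq telnet (296 matches)
    40 permit tcp 192.168.40.0 0.0.0.255 host 192.168.40.2 eq telnet
    50 permit tcp 192.168.40.0 0.0.0.255 any established
    60 permit tcp 192.168.40.0 0.0.0.255 host 192.168.60.100 eq telnet
"""

# IOS prints "(N matches)" or "(1 match)" only when the counter is non-zero.
ENTRY_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<matches>\d+) matches?\))?\s*$"
)

class Ace(NamedTuple):
    seq: int
    action: str
    rule: str
    matches: int  # 0 when IOS omitted the suffix

def parse_show_acl(text: str) -> List[Ace]:
    """Parse 'show access-list' output into one Ace per numbered entry."""
    aces = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line such as "Extended IP access list 197"
        aces.append(Ace(int(m["seq"]), m["action"], m["rule"],
                        int(m["matches"] or 0)))
    return aces

def unmatched(aces: List[Ace]) -> List[int]:
    """Sequence numbers of entries whose counter has never incremented."""
    return [a.seq for a in aces if a.matches == 0]

def hot_first(aces: List[Ace]) -> Optional[List[int]]:
    """Busiest-lines-first order. Safe only if every entry has the same
    action (then order cannot change the filter's outcome); otherwise
    return None rather than risk altering the ACL's logic."""
    if len({a.action for a in aces}) > 1:
        return None
    # sorted() is stable, so zero-hit lines keep their original order.
    return [a.seq for a in sorted(aces, key=lambda a: a.matches, reverse=True)]
```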