[c-nsp] matched ACL - counters not updating

David Prall dcp at dcptech.com
Thu Jul 2 22:08:11 EDT 2009


If you have "mls rate-limit unicast ip icmp unreachable acl-drop 0"
configured, the counters on denies don't get incremented. The default for
this rate-limiter is 100 pps with a burst of 10; you could have other ACLs
being hammered and you're reaching the 100 pps limit via others, so this one
isn't being incremented. You can use "sh int <interface> stats" to see what is
happening with the denies. With the default you will see packets in the
Processor as ICMP unreachables are returned. If "no ip unreachables" is
configured then they will be sent through the Route cache.

David

--
http://dcp.dcptech.com
 

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Aaron Riemer
> Sent: Thursday, July 02, 2009 9:48 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] matched ACL - counters not updating
> 
> Hey guys,
> 
> Just a quick one: I am interested to know why an ACL I have applied to a
> VLAN is not showing counters for a particular line in the access-list
> that I know is denying packets. See below for an example.
> 
> Extended IP access list virus-traffic
>     10 deny ip host 10.x.x.x 10.y.y.y.y 0.0.255.255
>     20 permit ip any any (167199 matches)
> 
> The permit ip any any shows matches as normal. What am I missing here?
> 
> Cheers,
> 
> Aaron.
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
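As an added check, not from either poster, here is a small parser for "show ip access-lists" output in the format Aaron quoted; it flags deny entries whose counter is zero, which under the acl-drop rate-limiter David describes is a prompt to look at "sh int <interface> stats" rather than proof that nothing matched. The sample output and addresses are constructed.

```python
import re

# Constructed sample in the "show ip access-lists" format quoted in the
# thread; IOS omits the "(N matches)" suffix entirely when the counter is 0.
SAMPLE_ACL_OUTPUT = """\
Extended IP access list virus-traffic
    10 deny ip host 10.0.0.1 10.1.0.0 0.0.255.255
    20 permit ip any any (167199 matches)
"""

ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<matches>\d+) matches?\))?\s*$"
)


def parse_access_list(text):
    """Return (acl_name, list of ACE dicts) from 'show ip access-lists' text."""
    name, entries = None, []
    for line in text.splitlines():
        header = re.match(r"^Extended IP access list (\S+)", line)
        if header:
            name = header.group(1)
            continue
        m = ACE_RE.match(line)
        if m:
            entries.append({
                "seq": int(m.group("seq")),
                "action": m.group("action"),
                "rule": m.group("rule"),
                "matches": int(m.group("matches") or 0),  # missing suffix == 0
            })
    return name, entries


def silent_denies(entries):
    """Sequence numbers of deny ACEs showing zero matches.

    On a platform where ACL drops are handled by the hardware rate-limiter,
    these entries can still be dropping traffic; verify with the interface
    switching-path stats before concluding the ACE is unused."""
    return [e["seq"] for e in entries
            if e["action"] == "deny" and e["matches"] == 0]


if __name__ == "__main__":
    acl, aces = parse_access_list(SAMPLE_ACL_OUTPUT)
    print(acl, silent_denies(aces))  # virus-traffic [10]
```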
