Incorrect hit counters increase if an Object Group is used in an ACL

If we configure an ACL using object groups, the hit counter for the wrong statement increases: instead of the 'deny' matches, we see the 'permit ip any any' matches increasing. However, the traffic is in fact being blocked.

----------------------------------------------------------------------------------
Example:
----------------------------------------------------------------------------------
On the switch with the ACL:

  Int Vlan 100 configured as 10.10.10.200/24
  Int Vlan 11 configured as 10.10.11.11/24

  Extended IP access list TAC
      10 deny icmp object-group VLAN100 object-group VLAN11 log
      20 deny icmp object-group VLAN11 object-group VLAN100 log
      30 permit ip any any

  Network object group VLAN100
   10.10.10.0 255.255.255.0
  Network object group VLAN11
   10.10.11.0 255.255.255.0

  ACL_SWI(config-if)#int Vlan 100
  ACL_SWI(config-if)#ip access-group TAC in
----------------------------------------------------------------------------------
Trying to ping 10.10.11.11 from the neighbouring switch (here Int Vlan 100 = 10.10.10.100 and no SVI for 10.10.11.0/24 is configured):

  PING_SRC#ping 10.10.11.11
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.10.11.11, timeout is 2 seconds:
  U.U.U
  Success rate is 0 percent (0/5)
  PING_SRC#
----------------------------------------------------------------------------------
Checking the ACL on the switch where the Object Groups and the ACL are configured:

  ACL_SWI#sh ip access-lists TAC
  Extended IP access list TAC
      10 deny icmp object-group VLAN100 object-group VLAN11 log
      20 deny icmp object-group VLAN11 object-group VLAN100 log
      30 permit ip any any (10 matches)   <---- traffic was blocked, but we see the permit statement hits
Cat9500 ACL with Object-Groups
none
Incorrect hit counters increase if an Object Group is used in an ACL

If we configure an ACL using object groups, the hit counter for the wrong statement increases: instead of the 'deny' matches, we see the 'permit ip any any' matches increasing. However, the traffic is in fact being blocked.

----------------------------------------------------------------------------------
Example (please use a monospaced font to see the topology)

+------------------------+Vlan 100                       Vlan 100+--------------------------+
|        PING-SRC        |Tw1/0/2                         Tw1/0/2|         ACL_SWI          |
|                        +---------------------------------------+                          |
|        SVI 100         |                                       |         SVI 100          |
|                        |                                       |          SVI 11          |
|                        +---------------------------------------+                          |
+------------------------+Tw1/0/48                       Tw1/0/48+--------------------------+
                          Vlan 11                         Vlan 11

  ACL_SWI:
    Int Vlan 100 = 10.10.10.200/24
    Int Vlan 11 = 10.10.11.11/24

  PING_SRC:
    Int Vlan 100 = 10.10.10.100
    - no int vlan11
    - no routing between 100 and 11
----------------------------------------------------------------------------------
On ACL_SWI:

  Extended IP access list TAC
      10 deny icmp object-group VLAN100 object-group VLAN11 log
      20 deny icmp object-group VLAN11 object-group VLAN100 log
      30 permit ip any any

  Network object group VLAN100
   10.10.10.0 255.255.255.0
  Network object group VLAN11
   10.10.11.0 255.255.255.0

  ACL_SWI(config-if)#int Vlan 100
  ACL_SWI(config-if)#ip access-group TAC in
----------------------------------------------------------------------------------
Trying to ping 10.10.11.11 from the neighbouring switch (PING_SRC):

  PING_SRC#ping 10.10.11.11
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.10.11.11, timeout is 2 seconds:
  U.U.U
  Success rate is 0 percent (0/5)
  PING_SRC#
----------------------------------------------------------------------------------
Checking the ACL on the switch where the Object Groups are configured (ACL_SWI):

  ACL_SWI#sh ip access-lists TAC
  Extended IP access list TAC
      10 deny icmp object-group VLAN100 object-group VLAN11 log
      20 deny icmp object-group VLAN11 object-group VLAN100 log
      30 permit ip any any (10 matches)   <---- the counter increases here although the pings were blocked
----------------------------------------------------------------------------------
To make sure that the ACL is the reason the pings fail, we can remove the ACL from the interface:

  ACL_SWI(config)#int vlan 100
  ACL_SWI(config-if)#no ip access-group TAC in

  PING_SRC>ping 10.10.11.11
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.10.11.11, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
  PING_SRC>
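As an added example (not part of this bug description or of any Cisco tooling), a small Python checker that parses the object groups and the 'show ip access-lists' output, works out which ACE a given packet should hit, and flags any ACE whose counter grew on a different line. The sample text is constructed to mirror the page's ACL (object groups given in running-config form), and only the 'any' and 'object-group NAME' address forms used in this ACL are parsed; a counter that moves on a line other than the expected one is reported as an anomaly rather than read as permitted traffic.

```python
import ipaddress, re
# Constructed sample text mirroring the page's object groups and the
# "show ip access-lists TAC" output before and after the blocked pings.
OBJECT_GROUPS = """\
object-group network VLAN100
 10.10.10.0 255.255.255.0
object-group network VLAN11
 10.10.11.0 255.255.255.0
"""
ACL_BEFORE = """\
Extended IP access list TAC
    10 deny icmp object-group VLAN100 object-group VLAN11 log
    20 deny icmp object-group VLAN11 object-group VLAN100 log
    30 permit ip any any
"""
ACL_AFTER = ACL_BEFORE.replace("permit ip any any", "permit ip any any (10 matches)")
# Only the address forms used in this ACL ('any' and 'object-group NAME') are parsed.
ACE_RE = re.compile(r"^\s*(\d+) (permit|deny) (\S+) (any|object-group \S+) (any|object-group \S+)"
                    r"(?: log)?(?: \((\d+) matches\))?\s*$")

def parse_object_groups(text):
    """Map group name -> list of ip_network (ipaddress accepts the net/mask form)."""
    groups, current = {}, None
    for line in text.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and line.strip():
            current.append(ipaddress.ip_network("/".join(line.split())))
    return groups

def parse_acl(text):
    """One (seq, action, proto, src, dst, matches) tuple per ACE line."""
    return [(int(m[1]), m[2], m[3], m[4], m[5], int(m[6] or 0))
            for m in map(ACE_RE.match, text.splitlines()) if m]

def expected_ace(aces, groups, proto, src, dst):
    """Sequence number of the first ACE the packet should hit (None = implicit deny)."""
    hit = lambda f, a: f == "any" or any(a in n for n in groups[f.split()[1]])
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, _act, p, s, d, _ in aces:
        if p in (proto, "ip") and hit(s, src) and hit(d, dst):
            return seq
    return None

def counter_anomalies(before, after, expected_seq):
    """ACE sequence numbers whose counter grew although a different ACE should have matched."""
    prev = {a[0]: a[5] for a in parse_acl(before)}
    return [a[0] for a in parse_acl(after) if a[5] > prev[a[0]] and a[0] != expected_seq]
```

For the ping in the bug description (ICMP from 10.10.10.100 to 10.10.11.11), expected_ace returns 10 while counter_anomalies returns [30], which is exactly the mismatch the counters above show.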