IPv4 counter operation with multiple interface assignments

Where the same IPv4 ACL is assigned to multiple interfaces as a VLAN ACL (VACL) or port ACL (PACL), the switch maintains a separate instance of ACE counters for each interface assignment. Thus, when there is a match with traffic on one of the ACL's VACL- or PACL-assigned interfaces, only the ACE counter in the affected instance of the ACL is incremented. However, if an ACL has multiple assignments as an RACL, then a match with an ACE in any RACL instance of the ACL increments that same counter on all RACL-assigned instances of that ACL. (The ACE counters for VACL and PACL instances of an ACL are not affected by counter activity in RACL instances of the same ACL.)

IPv4 counter operation with multiple interface assignments

Suppose that an IPv4 ACL named "Test-1" is configured as shown in the following example, to block Telnet access to a server at 10.10.20.12 on VLAN 20, and that the Test-1 ACL is assigned to VLANs as follows:
  • VLAN 20: VACL

  • VLAN 50: RACL

  • VLAN 70: RACL

ACL "Test-1" and interface assignment commands

Switch(config)# show access-list Test1 config

ip access-list extended "Test1"
   10 deny tcp 0.0.0.0 255.255.255.255 10.10.20.12 0.0.0.0 eq 23 log
   20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit

Switch(config)# vlan 20 ip access-group Test-1 vlan-in 1
Switch(config)# vlan 50 ip access-group Test-1 in 2
Switch(config)# vlan 70 ip access-group Test-1 in

1 Assigns the ACL as a VACL to VLAN 20

2 Assigns the ACL as an RACL to VLANs 50 and 70

Figure 12: Using the same IPv4 ACL for VACL and RACL applications
In the above case:
  • Matches with ACEs 10 or 20 that originate on VLAN 20 increment only the counters for the instances of these two ACEs in the Test-1 VACL assignment on VLAN 20. The same counters in the instances of ACL Test-1 assigned to VLANs 50 and 70 are not incremented.

  • Any Telnet requests to 10.10.20.12 that originate on VLANs 50 or 70 are filtered by instances of Test-1 assigned as RACLs and increment the counters for ACE 10 on both RACL instances of the Test-1 ACL.

Using the network in the figure shown, a device at 10.10.20.4 on VLAN 20 attempting to ping and Telnet to 10.10.20.12 is filtered through the VACL instance of the "Test-1" ACL on VLAN 20 and results in the following:

Ping and Telnet from 10.10.20.4 to 10.10.20.2 filtered by the assignment of "Test-1" as an IPv4 VACL on VLAN 20

Switch(config)# ping 10.10.20.2
10.10.20.2 is alive, time = 5 ms
Switch(config)# telnet 10.10.20.2
Telnet failed: Connection timed out.
Switch(config)#

Resulting ACE hits on IPv4 ACL "Test-1"

Switch(config)# show statistics aclv4 Test-1 vlan 20 vlan-in
 Hit Counts for ACL Test-1
  Total
(5)110 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 eq 23 log
(2)220 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Switch# show statistics aclv4 Test-1 vlan 50 in
Hit Counts for ACL Test-1
Total
(0) 310 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 eq 23 log
(0)20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

1 Indicates denied attempts to Telnet to 10.10.20.12 filtered by the instance of the "Test-1" VACL assignment on VLAN 20

2 Indicates permitted attempts to reach any accessible destination via the instance of the "Test- 1"VACL assignment on VLAN 20. This example shows the successful pings permitted by ACE

3 Shows that the hits on the instance of the "Test-1" VACL assignment on VLAN 20 have no effect on the counters for the RACL assignment of "Test-1" on VLAN 50

However, using a device at 10.10.30.11 on VLAN 50 for attempts to ping and Telnet to 10.10.20.12 requires routing and filters the attempts through the RACL instance of the "Test-1" ACL on VLAN 50.

Ping and Telnet from 10.10.30.11 to 10.10.20.2 filtered by the assignment of "Test-1" as an IPv4 RACL on VLAN 30

Switch# ping 10.10.20.2
10.10.20.2 is alive, time = 25 ms
Switch# telnet 10.10.20.2
Telnet failed: Connection timed out.
Switch#

This action has an identical effect on the counters in all RACL instances of the "Test-1" ACL configured and assigned to interfaces on the same switch. In this example, it means that the RACL assignments of "Test-1" on VLANs 50 and 70 are incremented by the above action occurring on VLAN 50.

Resulting ACE hits on the VLAN 30 IPv4 RACL assignment of the "Test-1" ACL

Switch(config)# show statistics aclv4 Test-1 vlan 50 in
Hit Counts for ACL Test-1
Total

(6) 10 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 eq 23 log
(1) 20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Switch(config)#
NOTE:

The Total 6 indicates the same type of data for the VACL assignment of the “Test-1” ACL. That is, the Ping attempt incremented the counters for ACE 20 and the Telnet attempt incremented the counters for ACE 10 in the VLAN 50 RACL instance of the ACL.

Resulting ACE hits on the VLAN 70 IPv4 RACL assignment of the "Test-1" ACL

Switch(config)# show statistics aclv4 Test-1 vlan 70 in
HitCounts for ACL Test-1
Total
(6) 10 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 eq 23 log
(1) 20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Switch(config)#