Monday, April 29, 2019

4500-X: object-group access lists not showing 'matches'

I have a VSS pair of Cisco 4500-X switches as our core switch and L3 inter-VLAN router. There are a number of ACLs. Following an upgrade of IOS-XE to the 3.8.x series, the "object group" features have become available to me and I'm experimenting with them. It seems to work fine, except that the match count is not incrementing when the rules are hit.

That is, my old ruleset:

````
show access-lists | sect test_1

Extended IP access list test_1
    10 permit ip 10.10.10.0 0.255.255.255 any (2603 matches)
    20 permit ip 10.20.20.0 0.255.255.255 any (1040 matches)
    30 permit ip 10.30.30.0 0.255.255.255 any (58 matches)
    40 deny ip any any log (6 matches)
````

It is attached to an interface and the counts are incrementing as shown. However if instead I use this:

````
show access-lists | sect test_2

Extended IP access list test_2
    10 permit ip object-group VLAN10 any
    20 permit ip object-group VLAN20 any
    30 permit ip object-group VLAN30 any
    40 deny ip any any log

show run | sect object

[...]
object-group network VLAN10
 10.10.10.0 255.255.255.0
object-group network VLAN20
 10.20.20.0 255.255.255.0
object-group network VLAN30
 10.30.30.0 255.255.255.0
````

and attach this ACL to the interface instead, then the counts are never incremented. The ACL works, and I've verified that this ACL and its object groups are being honoured by making changes to the object groups and seeing changed behaviour.

I expect to see the counts here on the ACLs; is there a reason why they don't appear?


