Friday, September 25, 2009

show tcam command for access lists

I was trying to use 'show access-list ' to find ACL hits from a local machine to a web server. I noticed I was only seeing the initial connection from the local device to the server hitting the inbound ACL on the VLAN interface but the outbound ACL on the VLAN interface was never reporting matches on the reciprocal ACE - even though the web connection was working.

After research I found a few features on newer IOSes (CBAC being the main one) which behave this way but the code on this device didn't support it and, even if it did, it wasn't configured for any such thing. Apparently, the culprit is hardware ACL processing. The 6500 was pushing the ACL processing to the TCAM and once the connection was hitting the first ACL, I never saw it again. It is possible (but I haven't tested this) that adding the 'log' statement to the ACE on the return ACL will force matches (or at least log entries) to show up. Either way, that isn't necessary. The show tcam interface acl ip shows basically the old-school 'show access-list ' output with the matches I was looking for.

Some of the information about this is (vaguely) documented here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html
https://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/52sg/configuration/guide/secure.html
https://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml
http://www.elemental.net/~lf/undoc/#d0e59

No comments:

Post a Comment