有關cisco switch ACL相關問題

acl estimate matches cisco switch core

a01541681680 2020-06-08 08:48:26 ‧ 2102 瀏覽

分享至

此為cisco layer3 core switch C4506-E

Q1:為何有些是 matches, 有些則是 estimate matches.
Q2:是否有辦法看到下方粗體的詳細資訊呢?
(3 estimate matches) >> 如何知道是哪3個IP被deny了

Standard IP access list 69
10 deny 192.168.0.0, wildcard bits 0.0.255.255 (44 matches)
20 deny 172.16.0.0, wildcard bits 0.224.255.255 (1 match)
30 permit any (18934 matches)

Extended IP access list RDP_ONLY_65_ALLOW
10 permit tcp any eq 3389 192.168.65.0 0.0.0.255 (57790 estimate matches)
20 permit tcp any eq 3389 192.168.200.0 0.0.0.255
30 deny tcp any eq 3389 any (3 estimate matches)
40 permit ip any any (1319081 estimate matches)
Extended IP access list RDP_ONLY_6465_ALLOW
10 permit tcp any eq 3389 192.168.64.0 0.0.1.255 (1289 estimate matches)
20 deny tcp any eq 3389 any (2 estimate matches)
30 permit ip any any (83907 estimate matches)

bluegrass iT邦高手 1 級 ‧ 2020-08-26 22:14:55 檢舉

It's specific to the SUP6 and occurs due to a hardware limitation on how many TCAM entries the Sup is capable of gathering true statistics for.

You can enable full statistics gathering on a specific ACL using the following command:

#hardware statistics

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/secure.html#wp1126548

This is applicable to both IPv4 and IPv6 ACLs.

Let me know if this helps.

Thanks,

https://community.cisco.com/t5/switching/what-is-the-meaning-of-quot-estimate-matches-quot-in-show-ip/td-p/1696766

登入發表討論