The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to identify and resolve problems that relate to Access Control Lists (ACLs) and includes the following sections:
An ACL is an ordered set of rules for filtering traffic. When the device determines that an ACL applies to a packet, it tests the packet against the rules. The first matching rule determines whether the packet is permitted or denied. If there is no match, the device applies a default rule. The device processes packets that are permitted and drops packets that are denied.
ACLs protect networks and specific hosts from unnecessary or unwanted traffic. For example, ACLs are used to disallow HTTP traffic from a high-security network to the Internet. ACLs also allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.
The following types of ACLs are supported for filtering traffic:
For detailed information about how ACL rules are used to configure network traffic, see the Cisco Nexus 1000V Security Configuration Guide.
The following restrictions apply to ACLs:
The commands listed in this section can be used on the VSM to see the policies that are configured and applied on the interfaces.
Use the following command to display configured ACLs:
Use following commands on the VSM to see run-time information of the ACLMGR and ACLCOMP during configuration errors and to collect ACLMGR process run-time information configuration errors:
Use the following commands to collect ACLCOMP process run-time information configuration errors:
The commands listed in this section can be used to display configured ACL policies on the Virtual Ethernet Module (VSE).
Use the following command to list the ACLs installed on that server
The Acl-id is the local ACLID for this VSE. Ref-cnt refers to the number of instances of this ACL in this VSE.
Use the following command to list the interfaces on which ACLs have been installed
You can debug a policy verification failure.
Note This section is applicable only to VSEs that are available in older releases. The VSEs in the latest release do not have any policy verification failure issue.
Step 1 On the VSM, redirect the output to a file in bootflash.
Step 2 Enter the debug aclmgr all command.
Step 3 Enter the debug aclcomp all command.
For the VSEs where the policy exists, or is being applied, enter the following these steps from the VSM. The output goes to the console.
Step 4 Enter the module vse module-number execute vemdpalog debug sfaclagent all command.
Step 5 Enter the module vse module-number execute vemdpalog debug sfpdlagent all command.
Step 6 Enter the module vse module-number execute vemlog debug sfacl all command.
Step 7 Enter the module vse module-number execute vemlog start command.
Step 8 Enter the module vse module-number execute vemlog start command.
Step 9 Configure the policy that was causing the verify error.
Step 10 Enter the module vse module-number execute vemdpalog show all command.
Step 11 Enter module vse module-number execute vemlog show all command.
Save the Telnet or SSH session buffer to a file. Copy the logfile created in bootflash.
This section includes the following topics:
The commands in this section will help you to troubleshoot ACL logging by examining ACL flows.
You can troubleshoot ACL logging by viewing the current flows on a VSE.
The following example shows how to troubleshoot ACL logging:
You can display all the active flows on a VSE.
vemcmd show aclflows [ permit | deny ]
If you do not specify permit or deny, the command displays both.
The following example shows how to display all the active flows on a VSE:
You can use the vemcmd flush aclflows command to detect any new flows that affect the VSE. Clear all the existing flows, and then you can detect new flows that match any expected traffic. Syslog messages are not sent when you do this action.
You can show ACL debug statistics.
To display internal ACL flow statistics, enter the following command:
To clear all internal ACL flow debug statistics, enter the following command:
This section describes situations that you might encounter when you are using ACL logging.
If syslog messages are not being sent from the VSE, you can check the syslog server configuration and check if ACL logging is configured by entering the commands shown in the following procedure.
|
|
|
---|---|---|
show logging ip access-list status |
Verifies that the remote syslog server is configured properly. |
|
If the ACL rule does not have a log keyword, any flow that matches the ACL is not reported although the ACL statistics continue to advance. You can verify a log keyword.
|
|
|
---|---|---|
show logging ip access-list status |
||
If the number of flows does not reach 5000 for either permit of deny flows, you can increase the maximum flows.
|
|
|
---|---|---|
show logging ip access-list status |
||
logging ip access-list cache max-deny- flows <num> |
If syslog messages are not being sent and the flow information counters are invalid, the configuration between a VSM and a VSE might be mismatched.
Modify any mismatched configurations by using the appropriate configuration command. If the problem persists, enable acllog debugging on both the VSM and the VSE and retry the commands.
|
|
|
---|---|---|
show logging ip access-list status |
||