ACL Counter not Incrementing despite packets getting matched

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-03-24 03:50:55 - last edited 2023-03-31 07:58:15
Model: TL-SG3210  
Hardware Version: V3
Firmware Version: 3.0.7 Build 20221130 Rel.42340

I have the following ACL setup on my TP-Link L2+ Managed Switch:

access-list create 550 name "Internal Firewall"
access-list ip 550 rule 1001 permit logging enable sip 0.0.0.0 sip-mask 255.255.255.255 dip 255.255.255.255 dip-mask 255.255.255.255 protocol 17 d-port 67 d-port-mask ffff s-port 68 s-port-mask ffff
access-list ip 550 rule 1005 permit logging enable sip 10.0.91.1 sip-mask 255.255.255.255 dip 10.0.91.1 dip-mask 255.255.255.0 protocol 17 d-port 68 d-port-mask ffff s-port 67 s-port-mask ffff
access-list ip 550 rule 1010 permit logging enable sip 0.0.0.0 sip-mask 255.255.255.255 dip 10.0.91.1 dip-mask 255.255.255.255 protocol 17 d-port 67 d-port-mask ffff s-port 68 s-port-mask ffff
access-list ip 550 rule 9999 deny logging enable
#
access-list bind 550 interface gigabitEthernet 1/0/1,1/0/7

 

As you can see, the ACL defaults to blocking any traffic.

The DHCP traffic should be allowed though (and DHCP works), but (for some reason I don't understand) the ACL counter does not increment:

I already tried resetting and upgrading my TP-Link switch to the latest firmware, but the counter still doesn't increment.

The ACL config provided above is as is; I haven't modified it in any way.

Flipping the action from "permit" to "deny" makes DHCP not work anymore, so I'm sure that the rule gets matched.

However, I'm still not confident if the rule really gets matched, as the counter doesn't increment.

Any suggestions?

#1
1 Accepted Solution
Re:ACL Counter not Incrementing despite packets getting matched-Solution
2023-03-27 12:03:34 - last edited 2023-03-31 07:59:50

Hello @Marco2023

Thank you for your valuable feedback. The counter of these rules doesn't increment because DHCP messages are prioritized by the CPU module and not processed by the ACL module. This is the current mechanism of switches.

Best Regards!

#2
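The accepted answer above means the hardware ACL counter is blind to DHCP on this switch: the packets go to the CPU path and never bump the rule's hit count, so the counter cannot serve as evidence either way. What a practitioner can still do is reason about which rule each DHCP message ought to hit and then confirm the behaviour functionally (the permit-to-deny flip the original poster did is exactly that kind of test). The script below is an added example, not code from the thread or from TP-Link: it transcribes the four rules of access-list 550 and replays constructed DHCP messages through them. It assumes, because the thread does not state it, that sip-mask/dip-mask are subnet-style masks (a 1 bit must match, 255.255.255.255 is an exact host), that the port masks are 16-bit bitmasks, that rules are tried in ascending rule-ID order with first hit winning, and that a rule naming no field matches everything. The client address 10.0.91.23 and the HTTP flow are made up for the example.

```python
"""Replay constructed DHCP packets through access-list 550 from the post above.

Added example, not from the thread or from TP-Link. Assumptions (labelled because
the thread does not state them; check them against the TL-SG3210 CLI guide):
  * sip-mask / dip-mask are subnet-style masks: a 1 bit must match,
    255.255.255.255 means an exact host, 0.0.0.0 means any address;
  * s-port-mask / d-port-mask are 16-bit bitmasks applied the same way;
  * rules are tried in ascending rule-ID order and the first match wins;
  * a rule that names no field (rule 9999) matches every packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    sip: str
    dip: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str                    # "permit" or "deny"
    sip: str = "0.0.0.0"
    sip_mask: str = "0.0.0.0"      # no bits required: any source
    dip: str = "0.0.0.0"
    dip_mask: str = "0.0.0.0"
    proto: Optional[int] = None
    sport: Optional[int] = None
    sport_mask: int = 0xFFFF
    dport: Optional[int] = None
    dport_mask: int = 0xFFFF

    def matches(self, p: Packet) -> bool:
        def ip_ok(addr: str, want: str, mask: str) -> bool:
            a, w, m = (int(ipaddress.IPv4Address(x)) for x in (addr, want, mask))
            return (a & m) == (w & m)

        def port_ok(have: int, want: Optional[int], mask: int) -> bool:
            return want is None or (have & mask) == (want & mask)

        return (ip_ok(p.sip, self.sip, self.sip_mask)
                and ip_ok(p.dip, self.dip, self.dip_mask)
                and (self.proto is None or p.proto == self.proto)
                and port_ok(p.sport, self.sport, self.sport_mask)
                and port_ok(p.dport, self.dport, self.dport_mask))


# The four rules of access-list 550, transcribed from the post.
ACL_550 = [
    Rule(1001, "permit", sip="0.0.0.0", sip_mask="255.255.255.255",
         dip="255.255.255.255", dip_mask="255.255.255.255",
         proto=17, dport=67, sport=68),
    Rule(1005, "permit", sip="10.0.91.1", sip_mask="255.255.255.255",
         dip="10.0.91.1", dip_mask="255.255.255.0",
         proto=17, dport=68, sport=67),
    Rule(1010, "permit", sip="0.0.0.0", sip_mask="255.255.255.255",
         dip="10.0.91.1", dip_mask="255.255.255.255",
         proto=17, dport=67, sport=68),
    Rule(9999, "deny"),
]

# Constructed flows; 10.0.91.23 is an invented client on the 10.0.91.0/24 net.
FLOWS = {
    "DISCOVER broadcast":        Packet("0.0.0.0",    "255.255.255.255", 17, 68, 67),
    "REQUEST unicast to server": Packet("0.0.0.0",    "10.0.91.1",       17, 68, 67),
    "OFFER unicast":             Packet("10.0.91.1",  "10.0.91.23",      17, 67, 68),
    "OFFER broadcast":           Packet("10.0.91.1",  "255.255.255.255", 17, 67, 68),
    "RENEW unicast":             Packet("10.0.91.23", "10.0.91.1",       17, 68, 67),
    "HTTP to server":            Packet("10.0.91.23", "10.0.91.1",       6, 51000, 80),
}


def first_match(acl, p: Packet) -> Rule:
    """Return the lowest-numbered rule whose fields all match (first-hit ACL)."""
    for r in sorted(acl, key=lambda r: r.rid):
        if r.matches(p):
            return r
    raise ValueError("no rule matched; no implicit default is modelled")


def evaluate(acl=ACL_550, flows=FLOWS) -> dict:
    """Map each flow name to the (rule id, action) it would hit."""
    result = {}
    for name, p in flows.items():
        r = first_match(acl, p)
        result[name] = (r.rid, r.action)
    return result


if __name__ == "__main__":
    for name, (rid, action) in evaluate().items():
        print(f"{name:28s} -> rule {rid} {action}")
```

Under that reading of the masks, DISCOVER hits 1001, the unicast REQUEST from 0.0.0.0 hits 1010 and the unicast OFFER hits 1005, while a broadcast OFFER and a renewal sent from an already-leased client fall through to rule 9999. The thread reports that DHCP works regardless, which is consistent with the accepted answer that DHCP is handled by the CPU rather than the ACL engine; the point for testing is that neither the counter nor the rule list alone tells you what the switch is doing, so confirm CPU-handled protocols with a functional test rather than a hit count.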
Re:ACL Counter not Incrementing despite packets getting matched
2023-03-27 23:38:38

@Hank21 Thank you for your quick and enlightening answer!

When googling, I came across forums that discussed the same behaviour but on a different platform (Cisco products, to be exact), so I'm not surprised to hear that.

I don't necessarily need the counter to increment, but a remark that this kind of rule doesn't trigger the ACL would be nice in the web interface or service manuals.

Of course, it would be a lot nicer if the ACL counter actually would increase :-) (I do my testing based on the counters).

#3