03-04-2021 09:37 PM - edited 03-04-2021 09:39 PM
Dear all,
When it is configured like the following, it can be verified without statistics per-entry; however, I cannot check the relationship between
the configured ACL and the physical interface. With show hardware access-list vlan [vlan-id] input statistics, it shows INSTANCE values like 0x0 and 0x1.
Is it possible to check the relationship between SVI RACL per-entry counters and the physical interface?
Here is the verification output:
##########################################################################################
INSTANCE 0x0 ===== E1/30(ACL configured)
Policies: RACL(TEST) [Merged]
Entries:
[Index] Entry [Stats]
---------------------
[0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32 routeable 0x1 [9]
[0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0 routeable 0x1 [28]
INSTANCE 0x1 ===== E1/1(ACL additionally configured)
Policies: RACL(TEST) [Merged]
Entries:
[Index] Entry [Stats]
---------------------
[0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32 routeable 0x1 [0]
[0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0 routeable 0x1 [0]
##########################################################################################
[ACL-config]
interface Vlan10
  ip access-group TEST in
interface Ethernet1/30
  switchport
  switchport access vlan 10

Nexus9K# sh hardware access-list vlan 10 input statistics
slot 1
=======
INSTANCE 0x0
---------------
Tcam 1 resource usage:
----------------------
LBL B = 0x1
Bank 1
------
IPv4 Class
Policies: RACL(TEST) [Merged]
Netflow profile: 0
Netflow deny profile: 0
Entries:
[Index] Entry [Stats]
---------------------
[0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32 routeable 0x1 [3]
[0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0 routeable 0x1 [15]
##########################################################################################
==> additional interface
Nexus9K(config)# int E1/1
Nexus9K(config-if)# switchport
Nexus9K(config-if)# switchport access vlan 10

Nexus9K# sh hardware access-list vlan 10 input statistics
slot 1
=======
INSTANCE 0x0
---------------
Tcam 1 resource usage:
----------------------
LBL B = 0x1
Bank 1
------
IPv4 Class
Policies: RACL(TEST) [Merged]
Netflow profile: 0
Netflow deny profile: 0
Entries:
[Index] Entry [Stats]
---------------------
[0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32 routeable 0x1 [9]
[0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0 routeable 0x1 [28]
INSTANCE 0x1
---------------
Tcam 1 resource usage:
----------------------
LBL B = 0x1
Bank 1
------
IPv4 Class
Policies: RACL(TEST) [Merged]
Netflow profile: 0
Netflow deny profile: 0
Entries:
[Index] Entry [Stats]
---------------------
[0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32 routeable 0x1 [0]
[0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0 routeable 0x1 [0]
03-04-2021 11:36 PM
Hi @mhiyoshi
Just to understand, you want to see the match counters per interface of an ACL applied on an SVI? That is not possible.
In the command you just used you see the counters per ASIC TCAM Instance.
You can try to use Port ACL with statistics per-entry enabled and apply the ACLs on the desired interfaces.
Stay safe,
Sergiu
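The reply above says the counters are kept per ASIC TCAM instance, not per port. The following is an added example, not part of the original posts: it parses output in the format quoted in this thread into per-instance counters and also sums them per rule. The sample text and its hit counts are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread (hit counts are made up).
SAMPLE = """\
INSTANCE 0x0
Policies: RACL(TEST) [Merged]
[Index] Entry [Stats]
[0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32 routeable 0x1 [9]
[0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0 routeable 0x1 [28]
INSTANCE 0x1
Policies: RACL(TEST) [Merged]
[Index] Entry [Stats]
[0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32 routeable 0x1 [4]
[0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0 routeable 0x1 [2]
"""

INSTANCE_RE = re.compile(r"^INSTANCE\s+(0x[0-9a-fA-F]+)")
# "[index] <rule text> [hits]"; the "[Index] Entry [Stats]" header has no 0x and is skipped.
ENTRY_RE = re.compile(r"^\[0x[0-9a-fA-F:x]+\]\s+(.+?)\s+\[(\d+)\]$")

def parse_instances(text):
    """Return {instance_id: {rule_text: hits}} in the order instances appear."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := INSTANCE_RE.match(line):
            current = result.setdefault(m.group(1), {})
        elif current is not None and (m := ENTRY_RE.match(line)):
            rule, hits = m.group(1), int(m.group(2))
            current[rule] = current.get(rule, 0) + hits
    return result

def sum_per_rule(per_instance):
    """Add up each rule's hits across all TCAM instances."""
    totals = defaultdict(int)
    for entries in per_instance.values():
        for rule, hits in entries.items():
            totals[rule] += hits
    return dict(totals)

if __name__ == "__main__":
    per_instance = parse_instances(SAMPLE)
    for inst, entries in per_instance.items():
        for rule, hits in entries.items():
            print(f"INSTANCE {inst}  {hits:>6}  {rule}")
    for rule, hits in sum_per_rule(per_instance).items():
        print(f"ALL           {hits:>6}  {rule}")
```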
03-05-2021 12:15 AM
Hi, thank you very much!
>Just to understand, you want to see the match counters per interface of an ACL applied on an SVI? That is not possible.
Yes, if the ACL has statistics per-entry, then it shows an ACL counter like [XXX]. However, in the case of an interface vlan (SVI) with an ACL,
if I configure switchport access vlan [vlan-id] on several physical interfaces, it creates INSTANCE values like 0x0, 0x1, etc.
So it would be helpful if I could check which physical interface is related to the created INSTANCE value.
sh hardware access-list vlan 10 input statistics
INSTANCE 0x0 ===== E1/30(ACL configured)
INSTANCE 0x1 ===== E1/1(ACL additionally configured)
Best Regards,
Masanobu Hiyoshi
03-06-2021 08:37 AM
Hi @mhiyoshi
Again, the instance is just the TCAM (ASIC) instance. It is not the interface.
You only see the instance the interface belongs to.
Stay safe,
Sergiu
03-07-2021 04:31 PM
Hi msdaniluk,
Thank you very much.