Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
971
Views
10
Helpful
4
Replies

How to verify SVI (Routed) ACL per-entry counter and Physical interface on Nexus9K?

mhiyoshi
Level 3
Level 3

‎03-04-2021 09:37 PM - edited ‎03-04-2021 09:39 PM

Dear all,

When it configures like the following, it can verify without statistics per-entry however I can not check the relationship between
the configured ACL and Physical interface, if the show hardware access-list vlan [vlan-id] input statistics, it shows INSTANCE value like 0x0 and 0x1.

Is it possible to check the relationship between SVI RACL per-entry counters and physical interface?

here is the verification output:

##########################################################################################

INSTANCE 0x0 ===== E1/30(ACL conifgured)
       Policies: RACL(TEST)  [Merged]
       Entries:
         [Index] Entry [Stats]
         ---------------------
  [0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32  routeable 0x1  [9]
  [0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0  routeable 0x1  [28]

INSTANCE 0x1 ===== E1/1(ACL additionally configured)
       Policies: RACL(TEST)  [Merged]
       Entries:
         [Index] Entry [Stats]
         ---------------------
  [0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32  routeable 0x1  [0]
  [0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0  routeable 0x1  [0]

##########################################################################################

[ACL-config]
interface Vlan10
  ip access-group TEST in

interface Ethernet1/30
  switchport
  switchport access vlan 10

Nexus9K# sh hardware access-list vlan 10 input statistics
slot  1
=======
INSTANCE 0x0
---------------
  Tcam 1 resource usage:
  ----------------------
  LBL B = 0x1
   Bank 1
   ------
     IPv4 Class
       Policies: RACL(TEST)  [Merged]
       Netflow profile: 0
       Netflow deny profile: 0
       Entries:
         [Index] Entry [Stats]
         ---------------------
  [0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32  routeable 0x1  [3]
  [0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0  routeable 0x1  [15]


##########################################################################################

==> additional interface

Nexus9K(config)# int E1/1
Nexus9K(config-if)# switchport
Nexus9K(config-if)# switchport access vlan 10

Nexus9K# sh hardware access-list vlan 10 input statistics

slot  1
=======
INSTANCE 0x0
---------------
  Tcam 1 resource usage:
  ----------------------
  LBL B = 0x1
   Bank 1
   ------
     IPv4 Class
       Policies: RACL(TEST)  [Merged]
       Netflow profile: 0
       Netflow deny profile: 0
       Entries:
         [Index] Entry [Stats]
         ---------------------
  [0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32  routeable 0x1  [9]
  [0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0  routeable 0x1  [28]

INSTANCE 0x1  
---------------
  Tcam 1 resource usage:
  ----------------------
  LBL B = 0x1
   Bank 1
   ------
     IPv4 Class
       Policies: RACL(TEST)  [Merged]
       Netflow profile: 0
       Netflow deny profile: 0
       Entries:
         [Index] Entry [Stats]
         ---------------------
  [0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32  routeable 0x1  [0]
  [0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0  routeable 0x1  [0]

 

Labels:
0 Helpful
4 Replies 4

Sergiu.Daniluk
VIP Alumni
VIP Alumni

‎03-04-2021 11:36 PM

Hi @mhiyoshi 

Just to understand, you want to see the match counters per interface of an ACL applies on a SVI? That is not possible.

In the command you just used you see the counters per ASIC TCAM Instance. 

You can try to use Port ACL with statistics per-entry enabled and apply the ACLs on the desired interfaces.

 

Stay safe,

Sergiu

mhiyoshi
Level 3
Level 3
In response to Sergiu.Daniluk

‎03-05-2021 12:15 AM

Hi, thank you very much!

 

>Just to understand, you want to see the match counters per interface of an ACL applies on a SVI? That is not possible.

 

Yes, if ACL with statistics per-entry then it shows ACL counter like [XXX], however in case of interface vlan (SVI) with ACL,

If I configure with switchport access vlan [vlan-id] on several physical interface, it creates INSTANCE value like 0x0, 0x1 etc.

So it can be helpful if I can check which physical interface is related to the created INSTANCE value.

 

sh hardware access-list vlan 10 input statistics
INSTANCE 0x0 ===== E1/30(ACL conifgured)
INSTANCE 0x1 ===== E1/1(ACL additionally configured)

 

Best Regards,

 

Masanobu Hiyoshi

 

0 Helpful

Sergiu.Daniluk
VIP Alumni
VIP Alumni

‎03-06-2021 08:37 AM

HI @mhiyoshi 

Again, instance is just the TCAM (ASIC) instance. Is not the interface.

You only see the Instance the interface belong to.

 

Stay safe,

Sergiu

mhiyoshi
Level 3
Level 3

‎03-07-2021 04:31 PM

Hi msdaniluk,

Thank you very much.

0 Helpful
Customers Also Viewed These Support Documents