Dear all,
When it is configured like the following, I can verify it without statistics per-entry; however, I cannot check the relationship between
the configured ACL and the physical interface. With show hardware access-list vlan [vlan-id] input statistics, it shows INSTANCE values like 0x0 and 0x1.
Is it possible to check the relationship between SVI RACL per-entry counters and the physical interface?
Here is the verification output:
##########################################################################################
INSTANCE 0x0 ===== E1/30(ACL configured)
Policies: RACL(TEST) [Merged]
Entries:
[Index] Entry [Stats]
---------------------
[0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32 routeable 0x1 [9]
[0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0 routeable 0x1 [28]

INSTANCE 0x1 ===== E1/1(ACL additionally configured)
Policies: RACL(TEST) [Merged]
Entries:
[Index] Entry [Stats]
---------------------
[0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32 routeable 0x1 [0]
[0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0 routeable 0x1 [0]
##########################################################################################
[ACL-config]
interface Vlan10
  ip access-group TEST in
interface Ethernet1/30
  switchport
  switchport access vlan 10

Nexus9K# sh hardware access-list vlan 10 input statistics
slot 1
=======
INSTANCE 0x0
---------------
Tcam 1 resource usage:
----------------------
LBL B = 0x1
Bank 1
------
IPv4 Class
Policies: RACL(TEST) [Merged]
Netflow profile: 0
Netflow deny profile: 0
Entries:
[Index] Entry [Stats]
---------------------
[0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32 routeable 0x1 [3]
[0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0 routeable 0x1 [15]
##########################################################################################
==> additional interface
Nexus9K(config)# int E1/1
Nexus9K(config-if)# switchport
Nexus9K(config-if)# switchport access vlan 10

Nexus9K# sh hardware access-list vlan 10 input statistics
slot 1
=======
INSTANCE 0x0
---------------
Tcam 1 resource usage:
----------------------
LBL B = 0x1
Bank 1
------
IPv4 Class
Policies: RACL(TEST) [Merged]
Netflow profile: 0
Netflow deny profile: 0
Entries:
[Index] Entry [Stats]
---------------------
[0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32 routeable 0x1 [9]
[0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0 routeable 0x1 [28]
INSTANCE 0x1
---------------
Tcam 1 resource usage:
----------------------
LBL B = 0x1
Bank 1
------
IPv4 Class
Policies: RACL(TEST) [Merged]
Netflow profile: 0
Netflow deny profile: 0
Entries:
[Index] Entry [Stats]
---------------------
[0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32 routeable 0x1 [0]
[0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0 routeable 0x1 [0]
Hi @mhiyoshi
Just to understand, you want to see the match counters per interface of an ACL applied on an SVI? That is not possible.
In the command you just used, you see the counters per ASIC TCAM instance.
You can try to use a Port ACL with statistics per-entry enabled and apply the ACLs on the desired interfaces.
Stay safe,
Sergiu
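
Since the counters in this output are kept per TCAM instance, the following added example (not part of the thread) parses the capture from the question and totals each entry's hits across instances. The sample text is a constructed, shortened copy of that capture, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: shortened copy of the second capture in the question.
SAMPLE = """\
INSTANCE 0x0
---------------
Policies: RACL(TEST) [Merged]
Entries:
[Index] Entry [Stats]
---------------------
[0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32 routeable 0x1 [9]
[0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0 routeable 0x1 [28]
INSTANCE 0x1
---------------
Policies: RACL(TEST) [Merged]
[0x0000:0x0002:0x0002] permit ip 1.1.1.1/32 5.5.5.5/32 routeable 0x1 [0]
[0x0001:0x0003:0x0003] deny ip 0.0.0.0/0 0.0.0.0/0 routeable 0x1 [0]
"""

INSTANCE_RE = re.compile(r"^INSTANCE\s+(0x[0-9a-fA-F]+)")
ENTRY_RE = re.compile(r"^\[(0x[0-9a-fA-F]+):[^\]]+\]\s+(.*?)\s+\[(\d+)\]\s*$")

def parse_instances(text):
    """Return {instance: [(index, rule, hits), ...]} for one slot's output."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = INSTANCE_RE.match(line)
        if m:  # a new TCAM instance section starts here
            current = m.group(1)
            result[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:  # header "[Index] Entry [Stats]" never matches
            result[current].append((m.group(1), m.group(2), int(m.group(3))))
    return result

def totals_per_entry(instances):
    """Sum the hit counter of each rule over all TCAM instances."""
    totals = defaultdict(int)
    for entries in instances.values():
        for _index, rule, hits in entries:
            totals[rule] += hits
    return dict(totals)

if __name__ == "__main__":
    for rule, hits in totals_per_entry(parse_instances(SAMPLE)).items():
        print(f"{hits:6d}  {rule}")
```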
Hi, thank you very much!
>Just to understand, you want to see the match counters per interface of an ACL applied on an SVI? That is not possible.
Yes, if the ACL has statistics per-entry, then it shows an ACL counter like [XXX]; however, in the case of interface vlan (SVI) with an ACL,
if I configure switchport access vlan [vlan-id] on several physical interfaces, it creates INSTANCE values like 0x0, 0x1, etc.
So it would be helpful if I could check which physical interface is related to the created INSTANCE value.
sh hardware access-list vlan 10 input statistics
INSTANCE 0x0 ===== E1/30(ACL configured)
INSTANCE 0x1 ===== E1/1(ACL additionally configured)
Best Regards,
Masanobu Hiyoshi
Hi @mhiyoshi
Again, the instance is just the TCAM (ASIC) instance. It is not the interface.
You only see the instance the interface belongs to.
Stay safe,
Sergiu
Hi msdaniluk,
Thank you very much.