Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2106
Views
5
Helpful
3
Replies

Cisco 3650 L3 Switch - ACL Hit Counter

RS19
Level 4
Level 4

‎08-23-2020 04:31 PM - edited ‎08-23-2020 04:34 PM

I am using Cisco Catalyst 3650 L3 switch and using VLAN Interface.

I have applied ACL for the VLAN interface IN direction. The ACL has some deny  rules & the traffic is deny as expected.

But when I see the ACL counters, there is no increment in the hit counters. (show access-list <access list name>)

 

Would like to know how to see the hit counters ? Is there any other commands by which this can be seen ?

Labels:
0 Helpful
3 Replies 3

Francesco Molino
VIP Alumni
VIP Alumni

‎08-23-2020 05:24 PM

Hi

Can you share your acl configuration?
If packets are accessed control by hardware, you won’t see them using show ip access-list or show access-list. Instead, you will see IPv4 acl drops using the command show platform software fed switch 1 acl counters hardware

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

RS19
Level 4
Level 4
In response to Francesco Molino

‎08-23-2020 06:00 PM

I have the below ACL. What is the difference between hardware and software control

 

ip access-list extended VLAN100_IN
permit icmp 10.140.60.0 0.0.3.255 10.140.60.0 0.0.0.15
 deny  ip 10.140.60.0 0.0.3.255 10.0.0.0 0.255.255.255
 deny  ip 10.140.60.0 0.0.3.255 172.16.0.0 0.15.255.255
 deny  ip 10.140.60.0 0.0.3.255 192.168.0.0 0.0.255.255
 deny  ip 10.140.60.0 0.0.3.255  host 4,4,4,4
 deny  ip 10.140.60.0 0.0.3.255  host 8.8.8.8
permit ip any any


interface VLAN100

ip address 10.140.60.1 255.255.252.0
 ip access-group VLAN100_IN in

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to RS19

‎08-23-2020 06:31 PM

ACLs are usually treated in Hardware and in some exceptions they are in software.

Few examples of ACLs in hardware:
ACL flows that match a “deny” statement in standard and extended ACLs (input and output) are dropped in hardware if “ip unreachables” is disabled.
ACL flows that match a “permit” statement in standard and extended ACLs (input and output) are processed in hardware.

If the acl has the log keyword or switch doesn’t have enough resources, then they are handled in software.
Check out your version configuration guide, it is well written in it: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-9/configuration_guide/sec/b_169_sec_3850_cg/configuring_ipv4_acls.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Customers Also Viewed These Support Documents