
show access-list shows 'check=177521'

zhichao
Level 1

Standard IP access list 12
    deny 10.48.0.0, wildcard bits 0.0.7.255 check=177521

1 Reply

konigl
Level 7

The number of packets that are allowed by each line of an access-list is displayed as the number of matches. "Check" indicates how many times a packet was compared to an access-list command line but failed to match.

Example from one of Cisco's command references covering the "show access-lists" command:

Router# show access-lists 101
Extended IP access list 101
    permit tcp host 198.92.32.130 any established (4304 matches) check=5
    permit udp host 198.92.32.130 any eq domain (129 matches)
    permit icmp host 198.92.32.130 any
    permit tcp host 198.92.32.130 host 171.69.2.141 gt 1023
    permit tcp host 198.92.32.130 host 171.69.2.135 eq smtp (2 matches)
    permit tcp host 198.92.32.130 host 198.92.30.32 eq smtp
    permit tcp host 198.92.32.130 host 171.69.108.33 eq smtp
    permit udp host 198.92.32.130 host 171.68.225.190 eq syslog
    permit udp host 198.92.32.130 host 171.68.225.126 eq syslog
    deny ip 150.136.0.0 0.0.255.255 224.0.0.0 15.255.255.255
    deny ip 171.68.0.0 0.1.255.255 224.0.0.0 15.255.255.255 (2 matches) check=1
    deny ip 172.24.24.0 0.0.1.255 224.0.0.0 15.255.255.255
    deny ip 192.82.152.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny ip 192.122.173.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny ip 192.122.174.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny ip 192.135.239.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny ip 192.135.240.0 0.0.7.255 224.0.0.0 15.255.255.255
    deny ip 192.135.248.0 0.0.3.255 224.0.0.0 15.255.255.255

The high number of checks but no matches for the "deny" command line in your access-list 12 indicates that the rule was checked 177521 times, and the source IP address in those packets was never one of the 2048 possible addresses between 10.48.0.0 and 10.48.7.255, inclusive.
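The reading described in the reply above, as an added example that is not part of the original thread or Cisco's documentation: a small Python parser that pulls the matches and check counters out of `show access-lists` output, expands a standard ACL's wildcard bits into its address range, and lists entries that were checked but never matched. The function names are hypothetical, the sample text is constructed from lines quoted on this page, and treating a missing "(N matches)" counter as zero is an assumption.

```python
import ipaddress
import re

# Constructed sample: entries copied from the two outputs quoted in this thread.
SAMPLE = """\
Standard IP access list 12
    deny 10.48.0.0, wildcard bits 0.0.7.255 check=177521
Extended IP access list 101
    permit tcp host 198.92.32.130 any established (4304 matches) check=5
    permit udp host 198.92.32.130 any eq domain (129 matches)
    deny ip 171.68.0.0 0.1.255.255 224.0.0.0 15.255.255.255 (2 matches) check=1
"""

HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
MATCHES = re.compile(r"\((\d+) match(?:es)?\)")
CHECK = re.compile(r"check=(\d+)")
STD_WILDCARD = re.compile(r"(\d+\.\d+\.\d+\.\d+), wildcard bits (\d+\.\d+\.\d+\.\d+)")

def wildcard_range(base, wildcard):
    """Return (first, last, count) for a contiguous wildcard mask."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # set bits must form one run starting at the low end
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    first = b & ~w & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w)), w + 1)

def parse_counters(text):
    """Yield one dict per ACL entry with its matches and check counters."""
    acl = None
    for line in map(str.strip, text.splitlines()):
        header = HEADER.match(line)
        if header:
            acl = header.group(1)
        elif line.startswith(("permit", "deny")):
            m, c, s = MATCHES.search(line), CHECK.search(line), STD_WILDCARD.search(line)
            yield {
                "acl": acl,
                "rule": line,
                "matches": int(m.group(1)) if m else 0,  # assumption: absent means 0
                "check": int(c.group(1)) if c else 0,    # assumption: absent means 0
                "range": wildcard_range(*s.groups()) if s else None,
            }

def checked_never_matched(entries):
    """Entries that were compared against packets but never matched one."""
    return [e for e in entries if e["check"] > 0 and e["matches"] == 0]
```

Run against the sample, only the access-list 12 entry is reported, with a range of 10.48.0.0 to 10.48.7.255 (2048 addresses).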