cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
978
Views
0
Helpful
8
Replies

ACL and route-map counter issue on Sup2T.

nik.leckuthai
Level 1
Level 1

I installed Sup2T engine on 7606-x chassis. I applied ACL and route-map to redirect traffic on an interface. It works fine but ACL and route-map counters not incrementing. Does anyone have the same issue? 

 

route-map AMP_REDIRECT, permit, sequence 2
Match clauses:
ip address (access-lists): AMP_HTTP_TRAFFIC1
Set clauses:
Policy routing matches: 0 packets, 0 bytes

 

Extended IP access list AMP_HTTP_TRAFFIC1
10 permit tcp host 10.99.7.60 any eq www
20 permit tcp any eq www host 10.99.7.60

8 Replies 8

Hello,

 

I think I remember that the 7600 does ACL processing in hardware, so you won't see any match count.

 

Try:

 

show tcam interface <int> acl <in|out> ip

Thanks Georg.

 

C7606-S#show tcam interface
^
% Invalid input detected at '^' marker.

C7606-S#

 

It doesn't take that command

Hello,

 

can you post the output of 'show version' ?

 

I want to check what the command is for your IOS version.

 

It could be 'show platform tcam'... 

C7606-S#sh versi
C7606-S#sh version
Cisco IOS Software, s2t54 Software (s2t54-ADVENTERPRISEK9_NPE-M), Version 15.4(1)SY2, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Sun 28-May-17 00:57 by prod_rel_team

ROM: System Bootstrap, Version 12.2(50r)SYS4, RELEASE SOFTWARE (fc1)

C7606-S uptime is 4 weeks, 5 days, 22 hours, 35 minutes
Uptime for this control processor is 4 weeks, 5 days, 22 hours, 35 minutes
System returned to ROM by reload at 16:29:49 GMT Wed Nov 1 2017
System restarted at 16:31:25 GMT Wed Nov 1 2017
System image file is "bootdisk:/s2t54-adventerprisek9_npe-mz.SPA.154-1.SY2.bin"
Last reload reason: Reload Command

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco CISCO7606-S (M8572) processor (revision ) with 1785856K/262144K bytes of memory.
Processor board ID FOX1323GS46
CPU: MPC8572_E, Version: 2.2, (0x80E80022)
CORE: E500, Version: 3.0, (0x80210030)
CPU:1500MHz, CCB:600MHz, DDR:600MHz
L1: D-cache 32 kB enabled
I-cache 32 kB enabled

Last reset from s/w reset
2 Virtual Ethernet interfaces
3 Gigabit Ethernet interfaces
6 Ten Gigabit Ethernet interfaces
2543K bytes of non-volatile configuration memory.

Configuration register is 0x2102

Hello,

 

you would need to have the Policy Feature Card 3 installed in order to configure Optimzed Access Logging, which is required for hardware support for ACL logging. Since you don't have that, the below applies:

 

--> When you enter the show ip access-list command, the match count displayed does not include packets processed in hardware.

 

Does that make sense ? Check the link below for reference. It simply means that ACLs are processed in hardware, and in order to log ACL entries, the ACL would need to be processed in software, for which you need the OAL feature and the PFC3...

 

https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/acl.html#47441

C7606-S#sh mod
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE SAL09222A0P
6 5 Supervisor Engine 2T 10GE w/ CTS (Acti VS-SUP2T-10G SAL17299S0A

Mod MAC addresses Hw Fw Sw Status
---- --------------------------- ------------------ ----------- ------- -------
1 Centralized Forwarding Card WS-F6700-CFC SAL09222EJC 2.0 Ok
6 Policy Feature Card 4 VS-F6K-PFC4 SAL17152SNZ 2.0 Ok
6 CPU Daughterboard VS-F6K-MSFC5 SAL17299WVK 2.0 Ok

Mod Online Diag Status
---- -------------------
1 Pass
6 Pass
C7606-S#

 

I have PFC4 installed.

Hello,

 

even better. Try and configure OAL (I am not sure if the commands are the same for the PFC4). The link I sent you has a section on how to set OAL up:

 

Configuring OAL

 

https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/acl.html#18506

C7606-S#sh platform hardware acl global-config 
CM global configurations:

Update mode: hitless

Default result: deny

Match L4 protocols:
Real protocol value: 47, encoded value: 9

Reserved QoS Banks:
Current 1 banks
Latest set 1 banks
After next reload 1 banks

Rbacl is not enabled
Sgt-dgt region 45%, any-any region 5%

Hardware consistency checker is ON

TCAM expandable logic is OFF

Acl logging is DISABLED

 

Do you know how to turn on TCAM expandable logic and ACL logging ? 

 

Thank you

Review Cisco Networking for a $25 gift card