I have a Cisco ISR 4300 running isr4300-universalk9.03.13.01.S.154-3.S1-ext.SPA.bin. We can see the counters (pkts output/bytes output) for the class-map incrementing but not in the actual ACL. Is this because you're unable to see matches against ACLs bound to class-maps as per CSCtj33068?
MY-ISR#show ip access-lists MULTIMEDIA
Extended IP access list MULTIMEDIA
10 permit ip 10.58.0.0 0.0.255.255 126.96.36.199 0.0.63.255
20 permit ip 10.58.0.0 0.0.255.255 188.8.131.52 0.0.31.255
30 permit ip 10.58.0.0 0.0.255.255 184.108.40.206 0.0.15.255
40 permit ip 10.58.0.0 0.0.255.255 220.127.116.11 0.0.15.255
50 permit ip 10.58.0.0 0.0.255.255 18.104.22.168 0.0.1.255
60 permit ip 10.58.0.0 0.0.255.255 22.214.171.124 0.0.31.255
70 permit ip 10.58.0.0 0.0.255.255 126.96.36.199 0.0.15.255
80 permit ip 10.58.0.0 0.0.255.255 188.8.131.52 0.0.0.255
90 permit ip 10.58.0.0 0.0.255.255 184.108.40.206 0.0.31.255
100 permit ip 10.58.0.0 0.0.255.255 220.127.116.11 0.0.15.255
110 permit ip 10.206.58.0 0.0.0.255 18.104.22.168 0.0.63.255
120 permit ip 10.206.58.0 0.0.0.255 22.214.171.124 0.0.31.255
130 permit ip 10.206.58.0 0.0.0.255 126.96.36.199 0.0.15.255
140 permit ip 10.206.58.0 0.0.0.255 188.8.131.52 0.0.15.255
150 permit ip 10.206.58.0 0.0.0.255 184.108.40.206 0.0.1.255
160 permit ip 10.206.58.0 0.0.0.255 220.127.116.11 0.0.31.255
170 permit ip 10.206.58.0 0.0.0.255 18.104.22.168 0.0.15.255
180 permit ip 10.206.58.0 0.0.0.255 22.214.171.124 0.0.0.255
190 permit ip 10.206.58.0 0.0.0.255 126.96.36.199 0.0.31.255
200 permit ip 10.206.58.0 0.0.0.255 188.8.131.52 0.0.15.255
MY-ISR$-map interface gig0/0/0.4094 output class MULTIMEDIA
Service-policy output: CIRCUIT_POLICY
Match: access-group name MULTIMEDIA
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 176233/94492816
Frustrating isn't it?
I opened a case for this and was provided the following solution which worked for me.
1) Remove/detach ALL QoS service policies from ALL targets.
2) Re-apply the counter configuration commands: (regardless, even if they were already run)
platform qos match-statistics per-filter
platform qos match-statistics per-ace
3) Re-attach the QoS service policies.
# show ip access-lists
Hope that helps.
(I am back on the forums because the counters for my ACL used for wccp redirect are not working)
Did you ever manage to fix this issue? I'm using ACLs for PBR and also I don't see any packets matching the ACL statements; however, the PBR is working fine.
Another issue is that I don't get any console output or logging for "debug ip policy"; it looks like it's not working.
Thanks in advance.
I still cannot see packet counts. As I understand it, since the packet processing now occurs in hardware, the counters are never incremented, as they are not flowing through as they used to. I think it was mentioned that you could issue no ip cef temporarily to see the flows, but I did not try this. Sorry - no good news here.
Thanks Tony, there is sense in what you're mentioning. I will try to open a case with Cisco.
Meantime I tried disabling the cef and no joy on this platform:
wan-rtr1(config)#no ip cef distributed
%Cannot disable CEF on this platform
Rather than disabling CEF globally, try using no ip route-cache cef on the interface for which you want to disable CEF.
A quick note here: ACL counters on a NAT-enabled interface or QoS are not supported. The CSCtj33068 (ACL counters for QoS) seems to be valid in this case.
If there is a feature requirement, you can open a case with Cisco and request a feature enhancement.
Hope this answers your questions.
Thanks for the explanation. I will open a case with Cisco because I have the same setup in my lab but with an ISR 1921 G2, and I see the ACL counters work fine when attached to PBR, and I also get the output for "debug ip policy". Not sure why it is not working on the ISR 4331; because here we have IOS XE?
ISR-G2 and ISR 4400s have different architectures and, moreover, different code bases. ISR-G2 runs on IOS whereas 4400s run on IOS XE. Features like ACL, QoS and NAT have a hardware dependency, which is not the case on ISR-G2.
Hope this helps.
PS: Please rate useful posts.