03-09-2015 09:42 AM - edited 03-05-2019 12:58 AM
Hi,
I have a Cisco ISR 4300 running isr4300-universalk9.03.13.01.S.154-3.S1-ext.SPA.bin. We can see the counters (pkts output/bytes output) for the class-map incrementing but not in the actual ACL. Is this because you're unable to see matches against ACLs bound to class-maps as per CSCtj33068?
MY-ISR#show ip access-lists MULTIMEDIA
Extended IP access list MULTIMEDIA
10 permit ip 10.58.0.0 0.0.255.255 62.109.192.0 0.0.63.255
20 permit ip 10.58.0.0 0.0.255.255 64.68.96.0 0.0.31.255
30 permit ip 10.58.0.0 0.0.255.255 66.114.160.0 0.0.15.255
40 permit ip 10.58.0.0 0.0.255.255 66.163.32.0 0.0.15.255
50 permit ip 10.58.0.0 0.0.255.255 66.163.46.0 0.0.1.255
60 permit ip 10.58.0.0 0.0.255.255 114.29.192.0 0.0.31.255
70 permit ip 10.58.0.0 0.0.255.255 173.243.0.0 0.0.15.255
80 permit ip 10.58.0.0 0.0.255.255 208.8.81.0 0.0.0.255
90 permit ip 10.58.0.0 0.0.255.255 209.197.192.0 0.0.31.255
100 permit ip 10.58.0.0 0.0.255.255 210.4.192.0 0.0.15.255
110 permit ip 10.206.58.0 0.0.0.255 62.109.192.0 0.0.63.255
120 permit ip 10.206.58.0 0.0.0.255 64.68.96.0 0.0.31.255
130 permit ip 10.206.58.0 0.0.0.255 66.114.160.0 0.0.15.255
140 permit ip 10.206.58.0 0.0.0.255 66.163.32.0 0.0.15.255
150 permit ip 10.206.58.0 0.0.0.255 66.163.46.0 0.0.1.255
160 permit ip 10.206.58.0 0.0.0.255 114.29.192.0 0.0.31.255
170 permit ip 10.206.58.0 0.0.0.255 173.243.0.0 0.0.15.255
180 permit ip 10.206.58.0 0.0.0.255 208.8.81.0 0.0.0.255
190 permit ip 10.206.58.0 0.0.0.255 209.197.192.0 0.0.31.255
200 permit ip 10.206.58.0 0.0.0.255 210.4.192.0 0.0.15.255
MY-ISR$-map interface gig0/0/0.4094 output class MULTIMEDIA
GigabitEthernet0/0/0.4094
Service-policy output: CIRCUIT_POLICY
Match: access-group name MULTIMEDIA
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 176233/94492816
Thanks
J
04-03-2015 11:22 AM
Frustrating isn't it?
I opened a case for this and was provided the following solution which worked for me.
1) Remove/detach ALL QoS service policies from ALL targets.
2) Re-apply the counter configuration commands: (regardless, even if they were already run)
platform qos match-statistics per-filter
platform qos match-statistics per-ace
3) Re-attach the QoS service policies.
# show ip access-lists
Hope that helps.
(I am back on the forums because the counters for my ACL used for wccp redirect are not working)
-T
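A check for the symptom discussed in this thread, as an added example that is not part of any poster's message or of Cisco's tooling: it compares the class packet counter from the policy-map output with the per-ACE match counters and names ACLs whose class forwards traffic while no ACE reports a hit. The function names are hypothetical, the captures are constructed from the output posted above, and it assumes IOS prints a "(N matches)" suffix only on ACEs that have counted hits.

```python
import re

# Constructed CLI captures modelled on the output posted in this thread.
POLICY_OUT = """\
Service-policy output: CIRCUIT_POLICY
Match: access-group name MULTIMEDIA
(pkts output/bytes output) 176233/94492816
"""
ACL_BEFORE = """\
Extended IP access list MULTIMEDIA
10 permit ip 10.58.0.0 0.0.255.255 62.109.192.0 0.0.63.255
"""
ACL_AFTER = """\
Extended IP access list MULTIMEDIA
10 permit ip 10.58.0.0 0.0.255.255 62.109.192.0 0.0.63.255 (1520 matches)
20 permit ip 10.58.0.0 0.0.255.255 64.68.96.0 0.0.31.255
30 permit ip 10.58.0.0 0.0.255.255 66.114.160.0 0.0.15.255 (1 match)
"""

MATCH_RE = re.compile(r"Match: access-group name (\S+)")
PKTS_RE = re.compile(r"\(pkts output/bytes output\) (\d+)/(\d+)")
ACL_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)$")
ACE_RE = re.compile(r"^(\d+) (?:permit|deny) .*?(?: \((\d+) match(?:es)?\))?$")

def class_packets(policy_out):
    """ACL name -> pkts output, for classes that match on an access-group."""
    result, acl = {}, None
    for line in policy_out.splitlines():
        if m := MATCH_RE.search(line):
            acl = m.group(1)
        elif (m := PKTS_RE.search(line)) and acl:
            result[acl], acl = int(m.group(1)), None
    return result

def ace_matches(acl_out):
    """ACL name -> {sequence: matches}; an ACE with no suffix counts as 0."""
    result, name = {}, None
    for line in map(str.strip, acl_out.splitlines()):
        if m := ACL_RE.match(line):
            name = m.group(1)
        elif (m := ACE_RE.match(line)) and name:
            result.setdefault(name, {})[int(m.group(1))] = int(m.group(2) or 0)
    return result

def silent_acls(policy_out, acl_out):
    """ACLs whose class forwards packets while every ACE shows zero matches."""
    hits = ace_matches(acl_out)
    return sorted(a for a, pkts in class_packets(policy_out).items()
                  if pkts > 0 and not any(hits.get(a, {}).values()))
```

Feeding it captures taken before and after re-attaching the service policies shows whether the per-ACE counters started incrementing.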
12-18-2015 10:45 AM
Hi guys,
Did you ever manage to fix this issue? I'm using ACLs for PBR and also I don't see any packets matching the ACL statements however the PBR is working fine.
Another issue is that I don't get any console output or logging for "debug ip policy"; it looks like it's not working.
Thanks in advance.
Remi
12-18-2015 12:27 PM
I still cannot see packet counts. As I understand, since the packet processing now occurs in hardware, the counters are never incremented as they are not flowing through as they used to. I think it was mentioned that you could issue no ip cef temporarily to see the flows but I did not try this. Sorry - no good news here.
- Tony
12-18-2015 12:35 PM
Thanks Tony, there is sense in what you're mentioning. I will try to open a case with Cisco.
Meantime I tried disabling the cef and no joy on this platform:
wan-rtr1(config)#no ip cef distributed
%Cannot disable CEF on this platform
Regards,
Remi
12-18-2015 12:47 PM
Rather than disabling CEF globally, try using no ip route-cache cef on the interface for which you want to disable CEF.
A quick note here: ACL counters on a NAT-enabled interface or QoS are not supported. The CSCtj33068 (ACL counters for QoS) seems to be valid in this case.
If there is a feature requirement, you can open a case with Cisco and request a feature enhancement.
Hope this answers your questions.
Regards
Vinit
12-18-2015 01:25 PM
Hi Vinit,
Thanks for the explanation. I will open a case with Cisco because I have the same setup in my lab but with an ISR 1921 G2, and I see the ACL counters work fine when attached to PBR, and I also get the output for "debug ip policy". Not sure why it is not working on the ISR 4331; because here we have IOS XE?
Thanks!
12-18-2015 03:16 PM
Hello Remi
The ISR-G2 and the ISR 4400s have different architectures and, moreover, different code bases. The ISR-G2 runs on IOS whereas the 4400s run on IOS XE. Features like ACL, QoS and NAT have a hardware dependency, which is not the case on the ISR-G2.
Hope this helps.
Regards
Vinit
PS: Please rate useful posts.
06-08-2016 01:47 AM
Hi Justin,
Did you get it fixed?
I have just upgraded from a 2900 to a 4300 with firmware
isr4300-universalk9.03.13.05.S.154-3.S5-ext.SPA.bin
and have the same problem.
Regards,
Niels-Peter
05-22-2019 02:55 PM
Use these statements:
platform qos marker-statistics
platform qos match-statistics per-filter
platform qos match-statistics per-ace
platform qos performance-monitor
platform qos optimize-rate-ratios
Then reboot.
02-16-2021 07:30 PM - edited 02-16-2021 07:31 PM
platform inspect match-statistics per-filter
You will need to reload or re-apply policies - it warns you as such.