ACL matches on Cisco 6500

Umesh Shetty
Level 1

Hi Friends,

I've been studying the PFC and MSFC features on the Cisco 6500 and came across a very interesting fact: on a Cisco 6500 switch, ACL entries that are processed in hardware do not show any matches when we use the show access-list "acl name" command. From what I've read so far, I've come across the command to check the ACL hit counters for entries that are processed in hardware.

Below is the ACL counter from Hardware and the Software and I have also attached the entire ACL.

Output 1 (Hardware Matches)

mumbkc02ecc10#sh tcam interface vlan 533 acl in ip all
Displaying interface ACL TCAM entries for module 5
----------------------------------------------------

* Global Defaults not shared


Entries from Bank 0


Entries from Bank 1

    permit       tcp any any fragments
    permit       tcp any any established match-any (13562298 matches)
    permit       udp host 192.168.65.55 host 224.0.0.2 fragments
    permit       udp host 192.168.65.56 host 224.0.0.2 fragments
    permit       udp host 192.168.65.55 host 224.0.0.2 eq 1985
    permit       udp host 192.168.65.56 host 224.0.0.2 eq 1985 (3392328 matches)
    punt         tcp host 192.168.65.57 host 192.168.174.130 eq ftp (1 match)
    punt         tcp host 192.168.65.57 host 192.168.174.130 eq 9080
    punt         tcp host 192.168.65.57 host 192.168.174.130 eq domain
    punt         tcp host 192.168.65.57 host 192.168.174.130 eq 443
    punt         tcp host 192.168.65.57 host 192.168.174.130 eq 9443
    punt         tcp host 192.168.65.57 host 192.168.174.130 eq ftp-data
    punt         tcp host 192.168.65.57 host 192.168.174.135 eq ftp (2 matches)
    punt         tcp host 192.168.65.57 host 192.168.174.135 eq 9080
    punt         tcp host 192.168.65.57 host 192.168.174.135 eq domain
    punt         tcp host 192.168.65.57 host 192.168.174.135 eq 443
    punt         tcp host 192.168.65.57 host 192.168.174.135 eq 9443
    punt         tcp host 192.168.65.57 host 192.168.174.135 eq ftp-data
    deny         ip any 224.0.0.0 31.255.255.255 (2220897 matches)
    permit       tcp host 192.168.65.57 eq ftp-data host 192.168.174.135 gt 1023 (245 matches)
    permit       tcp host 192.168.65.57 eq ftp-data host 192.168.174.130 gt 1023 (177 matches)
    punt         ip any any (47611 matches)

Output 2 (Software Matches)

mumbkc02ecc10#sh ip access-lists acl-2533-in | i  (match)
    10 permit tcp any any established (100 matches)
    30 permit udp host 192.168.65.56 host 224.0.0.2 eq 1985 (3590428 matches)
    90 permit tcp host 192.168.65.57 host 160.82.234.47 eq 1503 log (92 matches)
    110 permit tcp host 192.168.65.57 host 160.82.234.44 eq www log (4 matches)
    120 permit tcp host 192.168.65.57 host 160.82.234.44 eq 8080 log (990 matches)
    130 permit tcp host 192.168.65.57 host 160.82.234.45 range 5600 5601 log (12 matches)
    180 permit tcp host 192.168.65.57 host 160.82.234.37 eq 52311 log (80 matches)
    240 permit tcp host 192.168.65.57 host 160.82.234.81 eq 52311 log (1 match)
    530 permit tcp host 192.168.65.57 host 192.168.174.130 eq ftp log (3 matches)
    670 permit tcp host 192.168.65.57 host 192.168.174.135 eq ftp log (8 matches)
    810 permit tcp host 192.168.65.57 host 192.168.174.180 eq ftp log (265 matches)
    860 permit tcp host 192.168.65.57 host 192.168.174.180 eq 9443 log (37071 matches)
    880 permit tcp host 192.168.65.57 host 192.168.174.185 eq ftp log (2 matches)
    890 permit tcp host 192.168.65.57 host 192.168.174.185 eq 9080 log (1 match)
    930 permit tcp host 192.168.65.57 host 192.168.174.185 eq 9443 log (1 match)
    970 deny ip any any log (47057 matches)


1) I can see that the ACL hits against the TCP rules, which should ideally be matched in hardware, are being matched in software. Is there any reason for that?

2) Under the hardware matches, I can see "punt" preceding some of the rules. What does this actually mean in the context of the processing of this rule?

Thanks in advance

Regards

Umesh Shetty


Sandeep Sharma
Cisco Employee

Hi Umesh

Statements with the log entries are punted to the RP; that is what punt means.

Thanks & Regards

Sandeep

Hi Sandeep,

If you see the full actual ACL from the show run, there are many statements that have the log keyword. Then why are only a few statements shown to be "punted"?

Regards

Umesh Shetty
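A small parser for the two counter formats quoted in the thread, added here as an example and not code from the original posts. It reads the trailing "(N matches)" counters from both outputs, splits off the log keyword on the software ACEs, and tallies hits on TCAM punt entries against hits on logged ACEs, the relationship Sandeep's reply describes. The sample lines are a constructed subset of the outputs in the question.

```python
import re

# Constructed sample lines in the two formats quoted in the post.
TCAM_OUTPUT = """\
    permit       tcp any any established match-any (13562298 matches)
    punt         tcp host 192.168.65.57 host 192.168.174.130 eq ftp (1 match)
    punt         tcp host 192.168.65.57 host 192.168.174.130 eq 9080
    deny         ip any 224.0.0.0 31.255.255.255 (2220897 matches)
    punt         ip any any (47611 matches)
"""
ACL_OUTPUT = """\
    10 permit tcp any any established (100 matches)
    530 permit tcp host 192.168.65.57 host 192.168.174.130 eq ftp log (3 matches)
    970 deny ip any any log (47057 matches)
"""

# Trailing "(N matches)" / "(1 match)" suffix that both commands print.
MATCH_RE = re.compile(r"\s*\((\d+) match(?:es)?\)$")

def _split_count(line):
    """Return (line_without_counter, hits); a missing counter means 0 hits."""
    m = MATCH_RE.search(line)
    return (line[:m.start()], int(m.group(1))) if m else (line, 0)

def parse_tcam(text):
    """'show tcam interface ... acl' lines -> (action, rule, hits); action is permit/deny/punt."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        body, hits = _split_count(line)
        action, _, rule = body.partition(" ")
        entries.append((action, rule.strip(), hits))
    return entries

def parse_acl(text):
    """'show ip access-lists' lines -> (seq, action, rule, logged, hits); 'log' is split off."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        body, hits = _split_count(line)
        seq, action, rule = body.split(" ", 2)
        logged = rule.endswith(" log")
        if logged:
            rule = rule[:-4]
        entries.append((int(seq), action, rule, logged, hits))
    return entries

def rp_hit_summary(tcam_text, acl_text):
    """Hits on TCAM 'punt' entries versus hits on ACEs carrying 'log'.
    Per the reply in the thread, logged ACEs are what the RP sees as punts."""
    punt_hits = sum(h for a, _, h in parse_tcam(tcam_text) if a == "punt")
    log_hits = sum(h for *_, lg, h in parse_acl(acl_text) if lg)
    return punt_hits, log_hits
```

Feed it the full output of both commands and compare the two totals; a large gap between punt hits and logged-ACE hits points at ACEs whose traffic reaches the RP for some reason other than the log keyword.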
