06-02-2013 08:51 PM - edited 03-04-2019 08:05 PM
Hi Friends,
I've been studying the PFC and MSFC features on the Cisco 6500 and came across a very interesting fact: on a Cisco 6500 switch, ACL entries that are processed in hardware do not show any matches when we use the show access-list "acl name" command. From what I've read so far, I've come across the command to check the ACL hit counters for entries that are processed in hardware.
Below are the ACL counters from hardware and software, and I have also attached the entire ACL.
Output 1 (Hardware Matches)
mumbkc02ecc10#sh tcam interface vlan 533 acl in ip all
Displaying interface ACL TCAM entries for module 5
----------------------------------------------------
* Global Defaults not shared
Entries from Bank 0
Entries from Bank 1
permit tcp any any fragments
permit tcp any any established match-any (13562298 matches)
permit udp host 192.168.65.55 host 224.0.0.2 fragments
permit udp host 192.168.65.56 host 224.0.0.2 fragments
permit udp host 192.168.65.55 host 224.0.0.2 eq 1985
permit udp host 192.168.65.56 host 224.0.0.2 eq 1985 (3392328 matches)
punt tcp host 192.168.65.57 host 192.168.174.130 eq ftp (1 match)
punt tcp host 192.168.65.57 host 192.168.174.130 eq 9080
punt tcp host 192.168.65.57 host 192.168.174.130 eq domain
punt tcp host 192.168.65.57 host 192.168.174.130 eq 443
punt tcp host 192.168.65.57 host 192.168.174.130 eq 9443
punt tcp host 192.168.65.57 host 192.168.174.130 eq ftp-data
punt tcp host 192.168.65.57 host 192.168.174.135 eq ftp (2 matches)
punt tcp host 192.168.65.57 host 192.168.174.135 eq 9080
punt tcp host 192.168.65.57 host 192.168.174.135 eq domain
punt tcp host 192.168.65.57 host 192.168.174.135 eq 443
punt tcp host 192.168.65.57 host 192.168.174.135 eq 9443
punt tcp host 192.168.65.57 host 192.168.174.135 eq ftp-data
deny ip any 224.0.0.0 31.255.255.255 (2220897 matches)
permit tcp host 192.168.65.57 eq ftp-data host 192.168.174.135 gt 1023 (245 matches)
permit tcp host 192.168.65.57 eq ftp-data host 192.168.174.130 gt 1023 (177 matches)
punt ip any any (47611 matches)
Output 2 (Software Matches)
mumbkc02ecc10#sh ip access-lists acl-2533-in | i (match)
10 permit tcp any any established (100 matches)
30 permit udp host 192.168.65.56 host 224.0.0.2 eq 1985 (3590428 matches)
90 permit tcp host 192.168.65.57 host 160.82.234.47 eq 1503 log (92 matches)
110 permit tcp host 192.168.65.57 host 160.82.234.44 eq www log (4 matches)
120 permit tcp host 192.168.65.57 host 160.82.234.44 eq 8080 log (990 matches)
130 permit tcp host 192.168.65.57 host 160.82.234.45 range 5600 5601 log (12 matches)
180 permit tcp host 192.168.65.57 host 160.82.234.37 eq 52311 log (80 matches)
240 permit tcp host 192.168.65.57 host 160.82.234.81 eq 52311 log (1 match)
530 permit tcp host 192.168.65.57 host 192.168.174.130 eq ftp log (3 matches)
670 permit tcp host 192.168.65.57 host 192.168.174.135 eq ftp log (8 matches)
810 permit tcp host 192.168.65.57 host 192.168.174.180 eq ftp log (265 matches)
860 permit tcp host 192.168.65.57 host 192.168.174.180 eq 9443 log (37071 matches)
880 permit tcp host 192.168.65.57 host 192.168.174.185 eq ftp log (2 matches)
890 permit tcp host 192.168.65.57 host 192.168.174.185 eq 9080 log (1 match)
930 permit tcp host 192.168.65.57 host 192.168.174.185 eq 9443 log (1 match)
970 deny ip any any log (47057 matches)
1) I can see that the ACL hits against the TCP rules, which should ideally be matched in hardware, are being matched in software. Is there any reason for that?
2) Under the hardware matches, I can see "punt" preceding some of the rules. What does this actually mean in the context of the processing of this rule?
Thanks in advance
Regards
Umesh Shetty
06-02-2013 10:21 PM
Hi Umesh
Statements with log entries are punted to the RP; that is what punt means.
Thanks & Regards
Sandeep
06-03-2013 06:59 AM
Hi Sandeep,
If you see the full actual ACL from the show run, there are many statements that have the log keyword. Then why are only a few statements shown to be "punted"?
Regards
Umesh Shetty
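To make the hardware-versus-software comparison in the thread repeatable, here is an added example (not code from the original posts or from Cisco) that parses the two outputs quoted above, normalises each ACE to a comparable key by dropping modifiers that appear in only one output ("log", "match-any"), and reports which entries the TCAM dump marks as "punt", which software-counted ACEs carry the "log" keyword but have no corresponding punt entry (the discrepancy raised in the follow-up), and which ACEs have more hardware than software hits. The sample inputs are trimmed copies of the outputs in the post; the function and variable names are my own.

```python
"""Correlate Catalyst 6500 hardware (TCAM) and software ACL hit counters.

Added example, not from the original thread. Parses "show tcam interface
... acl in ip all" and "show ip access-lists <name>" output, normalises
each ACE to a comparable key, and reports punted entries, "log" ACEs with
no punt entry in the TCAM dump, and ACEs forwarded mainly in hardware.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: trimmed copies of the two outputs quoted in the post.
TCAM_SAMPLE = """\
permit tcp any any established match-any (13562298 matches)
permit udp host 192.168.65.56 host 224.0.0.2 eq 1985 (3392328 matches)
punt tcp host 192.168.65.57 host 192.168.174.130 eq ftp (1 match)
punt tcp host 192.168.65.57 host 192.168.174.130 eq 9080
punt tcp host 192.168.65.57 host 192.168.174.135 eq ftp (2 matches)
deny ip any 224.0.0.0 31.255.255.255 (2220897 matches)
permit tcp host 192.168.65.57 eq ftp-data host 192.168.174.135 gt 1023 (245 matches)
punt ip any any (47611 matches)
"""

SOFTWARE_SAMPLE = """\
10 permit tcp any any established (100 matches)
30 permit udp host 192.168.65.56 host 224.0.0.2 eq 1985 (3590428 matches)
530 permit tcp host 192.168.65.57 host 192.168.174.130 eq ftp log (3 matches)
670 permit tcp host 192.168.65.57 host 192.168.174.135 eq ftp log (8 matches)
810 permit tcp host 192.168.65.57 host 192.168.174.180 eq ftp log (265 matches)
970 deny ip any any log (47057 matches)
"""

ACE_RE = re.compile(
    r"^(?:(?P<seq>\d+)\s+)?"             # sequence number (software output only)
    r"(?P<action>permit|deny|punt)\s+"   # punt = handed to the RP instead of forwarded by the PFC
    r"(?P<rule>.+?)"                     # protocol / src / dst / ports / modifiers
    r"(?:\s+\((?P<count>\d+) match(?:es)?\))?$"  # "(1 match)" or "(N matches)", optional
)

# Modifiers present in one output but not the other; dropped when building the key.
NOISE = {"log", "log-input", "match-any", "match-all"}


def parse_ace(line: str) -> Optional[Dict]:
    """Return a dict for one ACE line, or None for headers and prompts."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("rule").split()
    return {
        "seq": int(m.group("seq")) if m.group("seq") else None,
        "action": m.group("action"),
        "key": " ".join(t for t in tokens if t not in NOISE),
        "log": "log" in tokens or "log-input" in tokens,
        "count": int(m.group("count") or 0),
    }


def parse_output(text: str) -> List[Dict]:
    return [ace for ace in (parse_ace(l) for l in text.splitlines()) if ace]


def punted_keys(tcam: List[Dict]) -> Set[str]:
    return {a["key"] for a in tcam if a["action"] == "punt"}


def log_aces_without_punt(tcam: List[Dict], software: List[Dict]) -> List[Dict]:
    """Software ACEs with "log" that have no matching punt entry in the TCAM dump."""
    punted = punted_keys(tcam)
    return [a for a in software if a["log"] and a["key"] not in punted]


def hardware_only_hits(tcam: List[Dict], software: List[Dict]) -> Dict[str, Tuple[int, int]]:
    """Non-punt TCAM entries whose hardware counter exceeds the software counter."""
    sw = {a["key"]: a["count"] for a in software}
    return {a["key"]: (a["count"], sw.get(a["key"], 0))
            for a in tcam
            if a["action"] != "punt" and a["count"] > sw.get(a["key"], 0)}


def report(tcam_text: str = TCAM_SAMPLE, software_text: str = SOFTWARE_SAMPLE) -> Dict:
    tcam = parse_output(tcam_text)
    software = parse_output(software_text)
    return {
        "punted": sorted(punted_keys(tcam)),
        "log_without_punt": [a["seq"] for a in log_aces_without_punt(tcam, software)],
        "hardware_only": hardware_only_hits(tcam, software),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(name, value)
```

Run against the trimmed sample, the "log_without_punt" list contains sequence 810 (the 192.168.174.180 ftp entry with 265 software matches and no punt line in the TCAM dump), which is the kind of entry the follow-up question is about; "hardware_only" shows the established-TCP entry with 13562298 hardware hits against 100 in software. Paste the full outputs in place of the samples to check every ACE, and extend NOISE if your TCAM dump carries other modifiers.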