Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
516
Views
0
Helpful
2
Replies

GSR and access-list

Go to solution
Antonio_1_2
Level 1
Level 1

‎01-22-2011 11:16 AM - edited ‎03-04-2019 11:10 AM

Hello,

I have applied named access-list in output direction on 1GE interface on GSR12400 (IOS XR 3.4),

but there is no matches. Counters doesn't increase although access-list blocks or permits certain packets (access-list works as it should).

Why is it so?

thnaks in advance,

A

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rivalino Tamaela
Cisco Employee
Cisco Employee

‎01-27-2011 11:20 AM

Hi Antonio,

I assume the counter you meant is the counter of access list. If this is the case, you need to enable hardware counter in access-list you applied in interface.

Look example I did in my lab:

RP/0/RP0/CPU0:CRS4A#show run int gi0/1/0/3

Thu Jan 27 11:14:45.691 PST

interface GigabitEthernet0/1/0/3

cdp

ipv4 address 12.1.1.2 255.255.255.0

ipv4 access-group ACL egress hardware-count interface-statistics

!

RP/0/RP0/CPU0:CRS4A#show access-lists ipv4 ACL

Thu Jan 27 11:16:18.552 PST

ipv4 access-list ACL

10 permit icmp any host 10.1.1.2

20 permit ipv4 any any

!
RP/0/RP0/CPU0:CRS4A#ping 10.1.1.2                                                                                
Thu Jan 27 11:12:27.749 PST
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/8 ms
RP/0/RP0/CPU0:CRS4A#show access-lists ipv4 ACL hardware egress interface gigabitEthernet 0/1/0/3 location 0/1/cpu0
Thu Jan 27 11:18:45.104 PST
ipv4 access-list ACL
10 permit icmp any host 10.1.1.2 (5 hw matches)
20 permit ipv4 any any (2 hw matches)
Hardware counting is not enabled by default for IPv4 ACL, but it is enabled by default for IPv6 ACL.
Please refer to the following documentation to understand better:

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Rivalino Tamaela
Cisco Employee
Cisco Employee

‎01-27-2011 11:20 AM

Hi Antonio,

I assume the counter you meant is the counter of access list. If this is the case, you need to enable hardware counter in access-list you applied in interface.

Look example I did in my lab:

RP/0/RP0/CPU0:CRS4A#show run int gi0/1/0/3

Thu Jan 27 11:14:45.691 PST

interface GigabitEthernet0/1/0/3

cdp

ipv4 address 12.1.1.2 255.255.255.0

ipv4 access-group ACL egress hardware-count interface-statistics

!

RP/0/RP0/CPU0:CRS4A#show access-lists ipv4 ACL

Thu Jan 27 11:16:18.552 PST

ipv4 access-list ACL

10 permit icmp any host 10.1.1.2

20 permit ipv4 any any

!
RP/0/RP0/CPU0:CRS4A#ping 10.1.1.2                                                                                
Thu Jan 27 11:12:27.749 PST
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/8 ms
RP/0/RP0/CPU0:CRS4A#show access-lists ipv4 ACL hardware egress interface gigabitEthernet 0/1/0/3 location 0/1/cpu0
Thu Jan 27 11:18:45.104 PST
ipv4 access-list ACL
10 permit icmp any host 10.1.1.2 (5 hw matches)
20 permit ipv4 any any (2 hw matches)
Hardware counting is not enabled by default for IPv4 ACL, but it is enabled by default for IPv6 ACL.
Please refer to the following documentation to understand better:

0 Helpful

Go to solution
Antonio_1_2
Level 1
Level 1
In response to Rivalino Tamaela

‎01-31-2011 12:37 AM

Thank you very much Rivalino,

A.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card