01-16-2018 03:11 PM - edited 03-05-2019 09:46 AM
C7606-S#sh platform hardware acl global-config
CM global configurations:
Update mode: hitless
Default result: deny
Match L4 protocols:
Real protocol value: 47, encoded value: 9
Reserved QoS Banks:
Current 1 banks
Latest set 1 banks
After next reload 1 banks
Rbacl is not enabled
Sgt-dgt region 45%, any-any region 5%
Hardware consistency checker is ON
TCAM expandable logic is OFF
Acl logging is DISABLED
Does anybody know how to turn on TCAM expandable logic and ACL logging?
Thank you
01-17-2018 01:35 AM
Nik,
The TCAM expandable logic is related to L4 operations (matching on L4 port numbers) only, and can be activated using
platform hardware acl tcam-exp-logic enable
This is mentioned at the bottom of the following document:
Please beware that using this command may result in increased TCAM L4Ops utilization - therefore, you should know very well why you want to configure this command beforehand. Configuring it just because it may seem a good idea might not be a good approach.
The ACL logging referred to in your original post is in fact a logging of ACL updates and is not related to a possible log keyword in ACL entries; this logging can be enabled using
platform software acl log-update rate-limit-msg { disable | enable }
with the disable and enable keywords enabling or disabling the rate-limiting of resulting syslog messages.
As you did not explain why you need to activate these two features, the suitability of using these two commands depends exclusively on you, including the potential risks.
Best regards,
Peter
01-17-2018 02:45 AM
Thank you Peter. Also, do you know a way to see matches on an ACL for the 7606-S? I have a Sup2T card installed but I don't see matches on the ACL.
C7606-S#sh access-lists
Extended IP access list AMP_HTTP_TRAFFIC
10 permit tcp 10.99.7.0 0.0.0.255 any eq www log
20 permit tcp any eq www 10.99.7.0 0.0.0.7 log
"show tcam" is an unknown command on my 7606-s
Thanks again
01-17-2018 04:15 AM
Hi Nik,
Try this:
show platform hardware acl entry interface interface_name security in ip
If you are using VSS, you will also need to add the switch and module keywords at the end of this command.
By the way, it is strongly discouraged to use the log keyword in ACL entries. This causes the traffic to be processed by CPU, risking CPU load spikes. If at all possible, do not use the log keyword with ACLs.
Best regards,
Peter
01-18-2018 02:35 PM - edited 01-18-2018 02:38 PM
Thank you so much Peter.
Also, do you know a way to see matches on a route-map? Traffic is being redirected but I don't see matches on the route-map.
C7606-S#sh route-map
route-map AMP_REDIRECT, permit, sequence 1
Match clauses:
ip address (access-lists): AMP_HTTP_TRAFFIC
Set clauses:
ip next-hop verify-availability 192.168.201.2 1 track 100 [up]
Policy routing matches: 0 packets, 0 bytes
route-map AMP_REDIRECT, permit, sequence 2
Match clauses:
ip address (access-lists): AMP_HTTP_TRAFFIC1
Set clauses:
ip next-hop verify-availability 192.168.204.100 1 track 21 [up]
Policy routing matches: 0 packets, 0 bytes
C7606-S#
01-19-2018 02:17 PM
Please help Peter
Thank you
01-19-2018 04:04 PM
Hello Nik,
I am sorry for responding late.
I am afraid that there is no way to make the show route-map output display the amounts of PBR-ed packets switched in hardware. On Catalyst switches, the counters in this output only show you the amount of software-switched packets, and these should ideally be at zero (you want all your traffic to be handled by the switching hardware, not by CPU and the IOS).
The only way known to me to verify the hit counters for PBR is again to use the command you already know:
show platform hardware acl entry interface interface-name security in ip
The entries labeled with "Redirect" in the output correspond to the individual ACL entries that are used in a PBR route-map. Consider this example configuration:
ip access-list extended pbrtest
 permit ip host 1.2.3.4 host 5.6.7.8
 permit tcp host 2.3.4.5 host 6.7.8.9 eq 4432
 permit udp host 3.4.5.6 host 7.8.9.0 eq 1234
!
route-map pbrtest permit 10
 match ip address pbrtest
 set ip next-hop 10.1.2.3
!
interface GigabitEthernet5/2
 ip address 10.1.2.1 255.255.255.0
 ip policy route-map pbrtest
The show command would then produce the following output:
Router# show platform hardware acl entry interface gi5/2 security in ip
[ ... cut ... ]
Permit ip any 224.0.0.0 15.255.255.255 (7 matches)
Redirect udp host 3.4.5.6 host 7.8.9.0 fragments
Redirect udp host 3.4.5.6 host 7.8.9.0 eq 1234
Redirect tcp host 2.3.4.5 host 6.7.8.9 fragments
Redirect tcp host 2.3.4.5 host 6.7.8.9 eq 4432
Redirect ip host 1.2.3.4 host 5.6.7.8
Permit ip any any
If there were any hits for these ACL entries that are in turn used to drive the PBR, we would see the match counters in the output (I did not have any matches here, just tested the config).
I believe that this is as good as we can get.
Best regards,
Peter
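Since the hardware ACL table is the only place the PBR hit counters show up, it helps to have something that reads that output and reports per-entry hits instead of eyeballing a long TCAM dump. The following is an added example, not code from the thread or from Cisco: a small Python parser for the "show platform hardware acl entry ... security in ip" output, assuming each entry is printed as "<Permit|Deny|Redirect> <protocol> <match fields> [(<n> matches)]" exactly as in Peter's sample above. The sample text embedded in the script is constructed from that sample, with a few non-zero counters added to the Redirect lines so the report has something to show; the real thread output had none.

```python
"""Parse Catalyst 'show platform hardware acl entry ...' output and report hits.

Added example, not from the thread or from Cisco. Assumes each TCAM entry is
printed as
    <Permit|Deny|Redirect> <protocol> <match fields...> [(<n> matches)]
as in the sample posted in the thread; lines of any other shape are skipped.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the output quoted in the thread. The
# counters on the Redirect lines are made up so that the report is non-empty.
SAMPLE_OUTPUT = """\
Router# show platform hardware acl entry interface gi5/2 security in ip
[ ... cut ... ]
Permit ip any 224.0.0.0 15.255.255.255 (7 matches)
Redirect udp host 3.4.5.6 host 7.8.9.0 fragments
Redirect udp host 3.4.5.6 host 7.8.9.0 eq 1234 (12 matches)
Redirect tcp host 2.3.4.5 host 6.7.8.9 fragments
Redirect tcp host 2.3.4.5 host 6.7.8.9 eq 4432
Redirect ip host 1.2.3.4 host 5.6.7.8 (3 matches)
Permit ip any any (1504 matches)
"""

ENTRY_RE = re.compile(
    r"^(?P<action>Permit|Deny|Redirect)\s+"          # TCAM result
    r"(?P<match>\S.*?)"                              # protocol + match fields
    r"(?:\s+\((?P<hits>\d+)\s+match(?:es)?\))?\s*$"  # optional hit counter
)


@dataclass
class AclEntry:
    action: str   # Permit / Deny / Redirect (Redirect = driven by a PBR route-map)
    match: str    # protocol and match fields as printed
    hits: int     # 0 when no "(n matches)" suffix is printed


def parse_acl_entries(text: str) -> List[AclEntry]:
    """Return the TCAM entries found in the show output, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # prompt, "[ ... cut ... ]", blank lines, etc.
        entries.append(AclEntry(m["action"], m["match"], int(m["hits"] or 0)))
    return entries


def pbr_hit_report(entries: List[AclEntry]) -> Dict[str, object]:
    """Summarise the Redirect (PBR) entries: total hits and entries never hit.

    The thread's sample shows a companion 'fragments' entry programmed next to
    each L4 (port-based) Redirect entry; those are listed separately so a zero
    on them is not mistaken for a policy that matches nothing.
    """
    redirects = [e for e in entries if e.action == "Redirect"]
    is_frag = lambda e: e.match.endswith(" fragments")
    return {
        "redirect_entries": len(redirects),
        "redirect_hits": sum(e.hits for e in redirects),
        "unhit": [e.match for e in redirects if e.hits == 0 and not is_frag(e)],
        "unhit_fragment_entries": [e.match for e in redirects if e.hits == 0 and is_frag(e)],
    }


if __name__ == "__main__":
    parsed = parse_acl_entries(SAMPLE_OUTPUT)
    for e in parsed:
        print(f"{e.action:8} {e.hits:6d}  {e.match}")
    report = pbr_hit_report(parsed)
    print(f"\nRedirect entries: {report['redirect_entries']}, "
          f"total redirected hits: {report['redirect_hits']}")
    for m in report["unhit"]:
        print(f"  no hits yet: {m}")
```

Feed it the captured output of the show command for the interface carrying "ip policy route-map" (copy-pasted or read from a file); a non-zero total on the Redirect entries confirms the PBR is being applied in hardware even though "show route-map" stays at zero, and the "no hits yet" list points at the ACL lines whose traffic is not arriving on that interface.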
01-19-2018 04:39 PM
Thank you so much Peter !!!