
How to retrieve ACL Counters using SNMP and its benefits


Hi community,
I just wanted to share my findings about accessing ACL counters via SNMP on ASR9000/XR.


Searching on the Internet I found the section "ACL Counters Using SNMP" in the IP Addresses and Services Configuration Guide, but I didn't find any information about how to access those counters, so I did:

RP/0/RSP0/CPU0:router#sh snmp mib object-name

...on my ASR9904 router with IOS XR 5.3.4 to look for something interesting... and voila, the last two were:

caAclLabelIntfStatsEntry.2
caAclLabelIntfStatsEntry.3

...which are part of the CISCO-ACL-MIB (OID


Next I configured a counter "test" on my ACL (see documentation) and did a snmpwalk. I got:

[root@server ~]# snmpwalk -v2c -c community hostname .
SNMPv2-SMI::enterprises.9.9.808. = Counter64: 20617
SNMPv2-SMI::enterprises.9.9.808. = Counter64: 1803947


On I found:
caAclLabelIntfStatsEntry.2 = caAclIntfStatsPackets ("The total number of packets that match this counter label.")
caAclLabelIntfStatsEntry.3 = caAclIntfStatsOctets ("The total number of octets that match this counter label.")
There is also:
caAclLabelIntfStatsEntry.1 = caAclIntfStatsCounterLabelName ("The counter label index associated with this set of statistics.")
...but it seems IOS XR doesn't support it, at least on v5.3.4.

So, I had 20617 packets and 1803947 bytes matching my counter.

Then, after several tests and many counters configured I figured out what the last numbers on the OID chain meant.

In the example:

.14 interface index that you get when you do an snmpwalk with OID .
.1 I don't know; it was the same number for all the tests.
.2 ACL direction (1 for in and 2 for out).
.4 length of the name of the counter ("test" in my example).
. .'t'.'e'.'s'.'t' in ASCII codes
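The index layout above, turned into working code. This is an added example, not from the original post: it encodes and decodes the index suffix (ifIndex, the constant field, direction, label length, ASCII bytes) and folds snmpwalk output into per-counter packet/octet totals. ENTRY_PREFIX is a placeholder for the caAclLabelIntfStatsEntry OID, which the post elides; the sample walk lines are constructed from the post's example values.

```python
# Added helpers (not from the post): encode/decode the index part of a
# caAclLabelIntfStatsEntry OID as the post decodes it, and fold snmpwalk output.
# Placeholder for the entry OID as snmpwalk prints it on your router (the post
# elides it); substitute the value from "sh snmp mib object-name".
ENTRY_PREFIX = "SNMPv2-SMI::enterprises.9.9.808.<entry>"
COLUMNS = {2: "packets", 3: "octets"}   # caAclIntfStatsPackets / caAclIntfStatsOctets
DIRECTIONS = {1: "in", 2: "out"}

def encode_index(if_index: int, direction: int, label: str, fixed: int = 1) -> str:
    """Index suffix = ifIndex . <field the post saw constant> . direction . len . ASCII bytes."""
    if direction not in DIRECTIONS:
        raise ValueError("direction must be 1 (in) or 2 (out)")
    name = label.encode("ascii")
    return ".".join(str(n) for n in (if_index, fixed, direction, len(name), *name))

def decode_index(suffix: str) -> tuple:
    """Inverse of encode_index; checks the embedded length against the bytes."""
    nums = [int(n) for n in suffix.strip(".").split(".")]
    if len(nums) < 4:
        raise ValueError("index too short")
    if_index, _fixed, direction, length = nums[:4]
    name = nums[4:]
    if len(name) != length or not all(32 <= b < 127 for b in name):
        raise ValueError("label length/encoding mismatch")
    return if_index, direction, bytes(name).decode("ascii")

def parse_walk(lines, prefix: str = ENTRY_PREFIX) -> dict:
    """Map (ifIndex, 'in'/'out', label) -> {'packets': n, 'octets': n}."""
    stats = {}
    for line in lines:
        if not line.startswith(prefix + "."):
            continue
        oid, _, value = line.partition(" = Counter64: ")
        column, _, suffix = oid[len(prefix) + 1:].partition(".")
        if int(column) not in COLUMNS:
            continue                       # column .1 (label name) is not reported on XR 5.3.4
        if_index, direction, label = decode_index(suffix)
        key = (if_index, DIRECTIONS[direction], label)
        stats.setdefault(key, {})[COLUMNS[int(column)]] = int(value)
    return stats

# Constructed sample, not real router output: index 14.1.2.4.116.101.115.116
# is the post's example (ifIndex 14, out, label "test") with its two counters.
SAMPLE = [
    ENTRY_PREFIX + ".2.14.1.2.4.116.101.115.116 = Counter64: 20617",
    ENTRY_PREFIX + ".3.14.1.2.4.116.101.115.116 = Counter64: 1803947",
]
```

Feed the real snmpwalk output and your router's entry OID to parse_walk to get one packets/octets pair per interface, direction and counter label.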

Once I knew this information I made a template for Cacti to graph the bytes matched by each counter. In this manner, having entries of this type:

permit ipv4 any x.x.x.0 counter network_A

...you can have graphs of bandwidth usage per link for network_A, or maybe:

permit tcp any any eq www counter HTTP

... for bandwidth usage by protocol (HTTP). Of course, notice that one packet can only match one entry, so it's not a good idea to use both of the examples above in the same ACL.

Of course, you could also do all this using NetFlow, but you'll need software to process the data.

I hope you have found this article interesting.