access-list hit counts don't increment, but with "log" keyword they do

jci-netops
Level 1

Hello all,

We are querying UDP servers 8.8.8.8 and 8.8.4.4 from the inside IP address 10.60.208.116 and it works; however, the hits on the ACLs do not increment.

When I add the "log" keyword at the end of the access rules, the hit counts start to increment.

interface Vlan208
ip access-group DR-ACL in
ip access-group DR-ACL out

Extended IP access list DR-ACL
10 permit ip 10.60.0.0 0.0.255.255 10.60.0.0 0.0.255.255 (562353 matches)
22 permit udp host 8.8.8.8 eq domain host 10.60.208.116
23 permit udp host 8.8.4.4 eq domain host 10.60.208.116
50 permit udp host 10.60.208.116 host 8.8.8.8 eq domain
60 permit udp host 10.60.208.116 host 8.8.4.4 eq domain
999 deny ip any any (681909 matches)

With "log" keyword:

Extended IP access list DR-ACL
10 permit ip 10.60.0.0 0.0.255.255 10.60.0.0 0.0.255.255 (562353 matches)
22 permit udp host 8.8.8.8 eq domain host 10.60.208.116 log (70 matches)
23 permit udp host 8.8.4.4 eq domain host 10.60.208.116 log (15 matches)
50 permit udp host 10.60.208.116 host 8.8.8.8 eq domain log (65 matches)
60 permit udp host 10.60.208.116 host 8.8.4.4 eq domain log (5 matches)
999 deny ip any any (681909 matches)

Any explanation for this behavior?

Thank you

Richard

1 Reply

Richard Burts
Hall of Fame

Richard

The counters for the ACL are maintained in software and are incremented when packets are processed in software on the CPU. If the packet is forwarded with hardware logic (on many layer 3 switches) the counters do not increment. When you add the log parameter it forces the packet to be processed in software and the counters increment. But without the log parameter the packet is forwarded by the more efficient hardware and the counters do not increment.

HTH

Rick
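As an added example (not code from the thread or from Cisco), a small Python parser for `show ip access-lists` output in the format quoted above: it extracts each entry's match count and `log` flag and lists the entries whose zero counter proves nothing, because, as Rick explains, a hardware-switched flow never touches the software counter. The sample text is copied from the post; whether a given platform actually forwards the flow in hardware is an assumption the script cannot verify.

```python
import re

# Constructed sample input, copied from the "show ip access-lists" output quoted in the thread.
ACL_WITHOUT_LOG = """\
Extended IP access list DR-ACL
    10 permit ip 10.60.0.0 0.0.255.255 10.60.0.0 0.0.255.255 (562353 matches)
    22 permit udp host 8.8.8.8 eq domain host 10.60.208.116
    23 permit udp host 8.8.4.4 eq domain host 10.60.208.116
    50 permit udp host 10.60.208.116 host 8.8.8.8 eq domain
    60 permit udp host 10.60.208.116 host 8.8.4.4 eq domain
    999 deny ip any any (681909 matches)
"""
ACL_WITH_LOG = """\
Extended IP access list DR-ACL
    22 permit udp host 8.8.8.8 eq domain host 10.60.208.116 log (70 matches)
    50 permit udp host 10.60.208.116 host 8.8.8.8 eq domain log (65 matches)
"""

# One entry: "<seq> permit|deny <rule> [log] [(<n> matches)]"; IOS omits the suffix when n is 0.
ACE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<body>.*?)"
    r"(?:\s+\((?P<matches>\d+) matches\))?$"
)

def parse_acl(text):
    """Return (acl_name, entries) parsed from IOS `show ip access-lists` output."""
    name, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if " access list " in line:
            name = line.rsplit(" ", 1)[-1]
            continue
        m = ACE_RE.match(line)
        if not m:
            continue
        words = m.group("body").split()
        logged = words[-1] in ("log", "log-input")
        entries.append({
            "seq": int(m.group("seq")),
            "action": m.group("action"),
            "rule": " ".join(words[:-1] if logged else words),
            "log": logged,
            "matches": int(m.group("matches") or 0),
        })
    return name, entries

def unverifiable_entries(entries):
    """Seq numbers whose zero counter proves nothing: without `log` the platform may be
    switching the flow in hardware, where the software counter is never incremented."""
    return [e["seq"] for e in entries if e["matches"] == 0 and not e["log"]]
```

Treat the flagged entries as "unknown", not "unused", before pruning an ACL; as the thread shows, temporarily adding `log` confirms hits at the cost of punting those packets to the CPU.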