Buy or Renew
Buy or Renew
COMING SOON: Umbrella and Secure Access release notes are coming to Cisco Community. The community will be in read-only August 16 – 19. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
57741
Views
64
Helpful
5
Replies

access list hit counts

Go to solution
Sanjay Shaw
Level 1
Level 1

‎05-09-2014 08:40 AM - edited ‎03-07-2019 07:23 PM

 Hello Mates,

Am getting a very rare type problem while I implement the aCL on 3850 switch

I do get hit matches when I put a log keyword in the ACL 102

SW#sh ip access-lists
Extended IP access list 102
    5 permit tcp 192.168.0.0.0 0.0.255.255 196.189.80.0 0.0.0.15 eq 23 log (28 matches)


But when I remove the log keyword then I don't get any matches.

SW#sh ip access-lists
Extended IP access list 102
    5 permit tcp 192.168.0.0.0 0.0.255.255 196.189.80.0 0.0.0.15 eq 23 (no matches )

Please assist.

2 people had this problem
Labels:
2 Accepted Solutions

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎05-09-2014 11:45 AM

To understand your issue I think it is helpful to start from the understanding that the hit count is maintained as the access list is processed in software (as is generally the case in layer 3 routers). We get a somewhat different situation in layer 3 switches. If the access list is processed in software (as is necessary when the entry includes the log parameter) then the hit count increments. But when the decision is made in hardware then the right behavior of traffic is achieved but the hit count is not incremented.

 

HTH

 

Rick

HTH

Rick

View solution in original post

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎05-09-2014 12:05 PM

This is normal behaviour.

L3 switches implement acl processing in hardware. Because of this the hit count is not representative of how many packets have been matched in the acl. If you want to see a more accurate display you can use the "sh platform acl counters hardware" command.

When you add the "log" keyword the forwarding is still done in hardware but the actual logging is done by the main CPU ie. software and this is why you see hits in your acl output.

Jon

View solution in original post

5 Replies 5

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎05-09-2014 11:45 AM

To understand your issue I think it is helpful to start from the understanding that the hit count is maintained as the access list is processed in software (as is generally the case in layer 3 routers). We get a somewhat different situation in layer 3 switches. If the access list is processed in software (as is necessary when the entry includes the log parameter) then the hit count increments. But when the decision is made in hardware then the right behavior of traffic is achieved but the hit count is not incremented.

 

HTH

 

Rick

HTH

Rick

Go to solution
Sanjay Shaw
Level 1
Level 1
In response to Richard Burts

‎05-09-2014 12:39 PM

Thank you Jon & Richard for making a clear understanding to me.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎05-09-2014 12:05 PM

This is normal behaviour.

L3 switches implement acl processing in hardware. Because of this the hit count is not representative of how many packets have been matched in the acl. If you want to see a more accurate display you can use the "sh platform acl counters hardware" command.

When you add the "log" keyword the forwarding is still done in hardware but the actual logging is done by the main CPU ie. software and this is why you see hits in your acl output.

Jon

Go to solution
dducamps01
Level 1
Level 1
In response to Jon Marshall

‎07-06-2023 01:19 AM

hello

this command does NOT exist on cisco Catalyst 9000 serie
is there an equivallent command on those eqpmts ?

I tried to find with CLI sh platform hardware fed active ...
but did not find any relevant info for ACl counter
thnas in advance

0 Helpful

Go to solution
dducamps01
Level 1
Level 1
In response to dducamps01

‎07-06-2023 01:41 AM

 

on a C9500 OS 17.x;  I found this  command; but it only give the sum of packet dropped for ALL HW ACl, so NOT really useful
i'd like to get the number of hit per line of ACL 

#show platform software fed active acl counters hardware
=========== Cumulative Stats Across All Asics ===========
Unknown Stat Counter (0x49000001): 1672546418 frames
Ingress IPv4 Forward (0x8d000003): 3713079398370 frames
Ingress IPv4 Forward from CPU (0xc2000004): 0 frames
Ingress IPv4 PACL Drop (0x77000005): 0 frames
Ingress IPv4 VACL Drop (0x23000006): 0 frames
Ingress IPv4 RACL Drop (0xed000007): 0 frames
Ingress IPv4 GACL Drop (0x92000008): 0 frames
Ingress IPv4 RACL Drop and Log (0x93000009): 0 frames
Ingress IPv4 VACL Drop and Log (0x6100000a): 0 frames
Ingress IPv4 PACL CPU (0x3e00000b): 0 frames
Ingress IPv4 VACL CPU (0x3f00000c): 0 frames
Ingress IPv4 RACL CPU (0xc000000d): 0 frames
Ingress IPv4 GACL CPU (0x4f00000e): 0 frames
Ingress IPv4 TCP MSS CPU (0x2e00000f): 0 frames
Ingress IPv6 Forward (0x81000010): 6021625 frames
Ingress IPv6 Forward from CPU (0x31000011): 0 frames
Ingress IPv6 PACL Drop (0x12000012): 0 frames
Ingress IPv6 VACL Drop (0xe5000013): 0 frames
Ingress IPv6 RACL Drop (0x78000014): 0 frames
Ingress IPv6 GACL Drop (0x0a000015): 0 frames
Ingress IPv6 RACL Drop and Log (0x61000016): 0 frames
Ingress IPv6 VACL Drop and Log (0xf5000017): 0 frames
Ingress IPv6 PACL CPU (0x7b000018): 0 frames
Ingress IPv6 PACL SISF CPU (0x40000019): 0 frames
Ingress IPv6 VACL CPU (0x7900001a): 0 frames
Ingress IPv6 VACL SISF CPU (0x7400001b): 0 frames
Ingress IPv6 RACL CPU (0x5100001c): 0 frames
Ingress IPv6 GACL CPU (0x3c00001d): 0 frames
Ingress IPv6 TCP MSS CPU (0x8f00001e): 0 frames
Ingress MAC Forward (0x9100001f): 1031868238823 frames

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card