ACE Counter

salemmahara · ‎08-06-2018

Hello everybody

As you know, ACLs are processed in Hardware in MLS. So the Match Counter doesn't change when a packet match the ACE.

Could you please help me to find a way to troubleshoot ACLs without match counters. It's really helpful to check the process. We're used to check Match Counter at first.

Joseph W. Doherty · ‎08-06-2018

If you enable log on the ACEs of interest, I believe you'll obtain match counts too. However, understand the impact of doing so.

salemmahara · ‎08-07-2018

Hello Joseph

Thanks for replying.

using "log keyword" at the end of ACE will cause a software processing which means high CPU utilization. I'm looking for a way to done it at hardware.

There should be a way to troubleshoot ACLs!

Joseph W. Doherty · ‎08-08-2018

"using "log keyword" at the end of ACE will cause a software processing which means high CPU utilization."

Yes it does, which is why my OP mentioned understanding the impact.

Of course, enabling debug statements often has a similar impact. So, either might be considered for troubleshooting.

"I'm looking for a way to done it at hardware."

Then you need hardware and an OS that supports it. My guess, Cisco, at the time, could only cram so many features in the hardware, at the cost point they desired, and figured such ACL counter support wasn't "worth" the additional cost/impact.

salemmahara · ‎08-11-2018

Maybe you're right :).

But match hints always help.