08-06-2018 02:28 AM - edited 03-08-2019 03:50 PM
Hello everybody
As you know, ACLs are processed in hardware in MLS, so the match counter doesn't change when a packet matches the ACE.
Could you please help me find a way to troubleshoot ACLs without match counters? It's really helpful to check the process; we're used to checking the match counter first.
08-06-2018 07:41 AM
08-07-2018 11:20 PM - edited 08-07-2018 11:22 PM
Hello Joseph
Thanks for replying.
Using the "log" keyword at the end of an ACE causes software processing, which means high CPU utilization. I'm looking for a way to do it in hardware.
There should be a way to troubleshoot ACLs!
08-08-2018 04:46 AM - edited 08-08-2018 04:47 AM
"Using the "log" keyword at the end of an ACE causes software processing, which means high CPU utilization."
Yes, it does, which is why my OP mentioned understanding the impact.
Of course, enabling debug statements often has a similar impact. So either might be considered for troubleshooting.
"I'm looking for a way to do it in hardware."
Then you need hardware and an OS that supports it. My guess is that Cisco, at the time, could only cram so many features into the hardware at the cost point they desired, and figured such ACL counter support wasn't "worth" the additional cost/impact.
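One way to keep the impact of the "log" keyword small while still getting a match indication, shown here as an added configuration example that is not part of the thread: copy the ACE under test as a narrow entry with "log" and place it above the broad entry, so only the test flow is punted to the CPU. The ACL name, interface and addresses below are assumed for illustration.

```text
! Added example, not from the original thread. ACL name, interface and
! addresses are assumed; replace them with your own.
!
! Step 1: narrow logging ACE for the single test host, placed ABOVE the
!         broad ACE it mirrors. Only packets that match this first line
!         are handled in software and logged; everything else stays in
!         hardware.
ip access-list extended SERVER-IN
 permit tcp host 192.0.2.10 host 198.51.100.5 eq 22 log
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.5 eq 22
 deny   ip any any
!
! Step 2: apply the ACL, then generate the test traffic from 192.0.2.10
!         (for example an SSH connection to 198.51.100.5).
interface GigabitEthernet1/0/1
 ip access-group SERVER-IN in
!
! Step 3: check the log for the logged ACE. IOS reports TCP/UDP hits as
!         %SEC-6-IPACCESSLOGP messages naming the ACL and the flow:
!
!   show logging | include IPACCESSLOGP
!
! Step 4: once the match is confirmed, remove the logging ACE again so no
!         production traffic remains software-switched:
!
!   ip access-list extended SERVER-IN
!    no permit tcp host 192.0.2.10 host 198.51.100.5 eq 22 log
```

Because the logging ACE matches only the one test source, the CPU cost is bounded by the test traffic you generate rather than by the volume of traffic hitting the broad ACE; remove it as soon as the check is done.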
08-11-2018 12:03 AM
Maybe you're right :).
But match hints always help.