Solved: Re: ACL counters and policy map

kwanm63my · ‎08-06-2010

I have a policy map that 'seem's to be working but the ACL counters is not hitting hits.. I verified by having the server guy do a traceroute and verify my path. When I removed the policy map , it reverts to the regular routing table path. however, when the policy is in place, I cannot see any hits on the ACL that is ref in the route-map. Even the traceroute packets are not seen which was performed when the ' ip policy route-map xx" command is in place and is showing the correct path taken which implies the policy map is working , I just don't under the command ' show route-map xxx" packets being matched or show access-list xxx for the counter hits...

Can it be how the packets is being switched in the 6513 , process or fast-switched ?? just grasping at straws here...

thanks

Jon Marshall · ‎08-06-2010

The vast majority of packets are hardware switched on a 6513. When the packet is hardware switched it does not increment the acl counters. That is why you are not seeing any acl hits but the policy map is still working correctly.

Jon

View solution in original post

Jon Marshall · ‎08-06-2010

The vast majority of packets are hardware switched on a 6513. When the packet is hardware switched it does not increment the acl counters. That is why you are not seeing any acl hits but the policy map is still working correctly.

Jon

kwanm63my · ‎08-06-2010

Jon, I saw that mentioned too when I browse this forum but the strange thing is I have another policy map on a another interface on the same 6513.

the config is similar but with diff acl and diff route-map pointing to diff next-hop.....that one is getting hits and show route-,map shows matching packets counters building...

I'm not aware of turning anything on under the interfaces to hardware switch or not the packets as both vlan interface config is similar... is there anyway to test what you are saying by let's say, turn off 'hardware switching' on my 'suspect' policy map interface and observe the results for the counters ?

thanks

Jon Marshall · ‎08-06-2010

kwanm63my wrote:

Jon, I saw that mentioned too when I browse this forum but the strange thing is I have another policy map on a another interface on the same 6513.

the config is similar but with diff acl and diff route-map pointing to diff next-hop.....that one is getting hits and show route-,map shows matching packets counters building...

I'm not aware of turning anything on under the interfaces to hardware switch or not the packets as both vlan interface config is similar... is there anyway to test what you are saying by let's say, turn off 'hardware switching' on my 'suspect' policy map interface and observe the results for the counters ?

thanks

Can you post the access-lists and both policy maps.

To test you can add the "log" keyword which should then make the 6500 send the packet to the MSFC ie. not hardware switched but obviously you will have to judge whether there will be a performance hit for your users.

Jon

kwanm63my · ‎08-06-2010

well. I found a way 'around' the issue. I added a set ip precedence network statement , and now I see the counters incrementing...

If it's matching on that statement and forcing the counters to go up ( because that's probably using another process as opposed to switching the packets), it's more evidence to me it's working as it should.

Thanks

Jon Marshall · ‎08-06-2010

No problem.

Yes i suspect that by adding that statement you are forcing the packet to go to the main CPU. If you are happy it's working as it should be though i wouldn't leave it in as it's not really an issue rather the way a 6500 works.

For your info here is hardware/software processing acl information on 6500 switches -

6500 acl processing

Jon

kwanm63my · ‎08-06-2010

yea, I removed it after my testing.. You know what they say, seeing is believing ! LOL.. thanks for your inputs.