How to get ACL hit count on hardware based ACL's?

Good morning all, 

I have created some large ACLs strictly for the task of triggering hit counts for static routes, to tell me if the routes are even used any longer (for future cleanup purposes).

I am not getting any hit counts (Cisco 9604R), and have researched that this is common for ACLs on L3 switches, as they are processed in hardware vs. software.

Is the answer to get the hit counts as simple as adding the log command at the end of each ACE, or is there a better way? (The total ACE count between both ACLs is almost 600, so I would like to avoid blowing up my buffer as well as the syslog server with these if I can just simply see the hit count.)
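As an added example, not code from this thread: a small Python parser for IOS `show ip access-lists` output that maps each ACE's destination (address plus wildcard) back to the prefix a static route would cover and buckets ACEs by whether the software counter shows any hits. The sample output, ACL name, prefixes and counters are constructed, and the wildcard conversion assumes contiguous (prefix-style) wildcard masks.

```python
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed sample of IOS "show ip access-lists" output; the ACL name,
# prefixes and counters are made up, not captured from the poster's switch.
SAMPLE_OUTPUT = """\
Extended IP access list ROUTE-AUDIT
    10 permit ip any 10.10.0.0 0.0.255.255 (1523 matches)
    20 permit ip any 10.20.0.0 0.0.255.255
    30 permit ip any 10.30.4.0 0.0.3.255 log (7 matches)
    40 permit ip any any
"""

ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
# seq, action, ACE body, and the optional trailing "(N matches)" counter
ACE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) matches?\))?\s*$")
# destination "address wildcard" pair following the "any" source
DEST = re.compile(r"\bany\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\b")


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """10.10.0.0 0.0.255.255 -> 10.10.0.0/16 (contiguous wildcards only)."""
    mask = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return IPv4Network((int(IPv4Address(addr)) & mask, bin(mask).count("1")))


def parse_aces(text: str) -> List[Tuple[str, int, str, Optional[int]]]:
    """Return (acl, seq, body, matches); matches is None when IOS printed no counter."""
    out, acl = [], None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            acl = header.group(1)
            continue
        m = ACE.match(line)
        if m and acl:
            count = int(m.group(4)) if m.group(4) else None
            out.append((acl, int(m.group(1)), m.group(3), count))
    return out


def audit_routes(text: str) -> Dict[str, List[str]]:
    """Bucket each ACE's destination prefix by whether the software counter shows hits.
    A missing or zero counter is NOT proof the route is unused: on an L3 switch the
    ACE is matched in hardware, and that path does not increment this counter."""
    result: Dict[str, List[str]] = {"software_hits": [], "no_software_hits": []}
    for acl, seq, body, matches in parse_aces(text):
        d = DEST.search(body)
        prefix = str(wildcard_to_network(d.group(1), d.group(2))) if d else "(no destination prefix)"
        bucket = "software_hits" if matches else "no_software_hits"
        result[bucket].append(f"{acl} seq {seq}: {prefix}")
    return result
```

Entries in `no_software_hits` are only candidates for a closer look (for example with NetFlow), not a cleanup list.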


Do you have a URL to review? I have not heard of this before. 


@pietro manicioto Cintas Partner Connect wrote: [quotes the original post above in full]

I have this problem too.

dieter-lievens
Level 1

At the risk of raising this topic from the dead, I have a small contribution perhaps:

Aren't you trying to use the wrong tool for this job? If you want to see if certain routes are hit, you aren't trying to identify if ACLs are hit, you are trying to see if certain traffic is still going over a line.

Isn't netflow a much better alternative to analyse this? Then you also have no problem keeping those logs for months and months on end. 

An ACL is a basic security tool that doesn't really cover your use case.

Or am I wrong?

Or am I wrong?

Not so much wrong, as I suspect OP was just looking for a quick and dirty way to tell whether static route statements are used or not.

Although ACLs, by name, certainly were likely designed for security purposes, many other purposes came along to which their usage would apply. A simple example would be using an ACL for QoS purposes. Later NetFlow analysis isn't going to be a huge help.