08-29-2011 06:03 PM
Hello
I've applied the following ACL to an interface but don't see the hit counts (e.g. something like
30 deny tcp any any (58 hw matches)):
RP/0/RSP0/CPU0:test#show access-lists ipv4 2020
Fri Aug 26 09:34:48.094 HKT
ipv4 access-list 2020
10 deny ipv4 any host 202.146.219.55
20 deny ipv4 any host 218.213.235.211
30 deny ipv4 any host 116.193.159.79
50 deny ipv4 any host 111.68.2.101
60 deny ipv4 any host 112.121.170.43
77 deny ipv4 host 117.211.87.202 any
78 deny ipv4 host 202.29.220.238 any
79 deny udp any host 218.213.92.3
80 deny udp any host 218.213.91.45
81 deny ipv4 host 59.42.249.51 host 218.213.91.45
........
Also got the following:
RP/0/RSP0/CPU0:test#show access-lists ipv4 2020 hardware ingress interface gigabitEthernet 0/0/0/31 sequence 81 location 0/0/CPU0
Fri Aug 26 09:34:52.209 HKT
The interface does not have per-interface statistics enabled
RP/0/RSP0/CPU0:test(config-if)#ipv4 access-group 2020 ingress interface-statistics
RP/0/RSP0/CPU0:test(config-if)#commit
Mon Aug 29 09:44:42.725 HKT
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
Is there any configuration still missing?
Please help. Thanks!
08-30-2011 02:31 AM
Try adding 'hardware-count' so the NP counts the acl hits in hardware:
ipv4 access-group 2020 ingress hardware-count interface-statistics
If it still fails, get a 'show config failed' after trying to commit to see why it was not accepted.
08-30-2011 06:49 PM
Thanks!
Have tried but still got the following:
RP/0/RSP0/CPU0:test(config-if)#show config failed
Wed Aug 31 09:41:58.730 HKT
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
interface GigabitEthernet0/0/0/23
ipv4 access-group 2020 ingress hardware-count interface-statistics
!!% 'pfilter-ea' detected the 'warning' condition 'Mode mismatch.ACL has been applied in different modes on this LC - interface stats and ace stats. '
!
end
Could you let me know the reason? Thanks again.
08-31-2011 03:38 AM
It seems to be working now:
RP/0/RSP0/CPU0:test#show access-lists 2020 | in 2000
Wed Aug 31 10:48:49.335 HKT
2000 permit ipv4 any any (338 matches)
RP/0/RSP0/CPU0:test#show access-lists ipv4 2020 hardware ingress sequence 2000 location 0/0/CPU0
Wed Aug 31 10:49:40.734 HKT
ipv4 access-list 2020
2000 permit ipv4 any any (418319686845 hw matches)
But can you let me know why there's a big difference between the counter values of the two commands above?
Thanks!
08-31-2011 04:28 AM
The first one is a counter from the RSP processor, so it only shows punted packets (for us, or IP options, etc.); the second one shows all the packets forwarded by the linecard.