About access-list match counter.

Unanswered Question
Aug 29th, 2007

Hi to all

I've applied the below access-list on a Catalyst 6509 switch.

And then I applied "ip access-group 110 in" to the Ethernet port.

The ACL is working fine, but I have not seen any match counter list.

Your help with this would be appreciated.


TEST#sh access-lists
Extended IP access list 110
    10 deny ip any host
    20 permit ip any any

nambi_gct Wed, 08/29/2007 - 00:59

I think if the ACL drop happens at the hardware level, this counter won't be incremented.

Jon Marshall Wed, 08/29/2007 - 01:57

This is because the ACLs are processed in hardware by the PFC, so you will not see matches on the ACL.

Attached is a link to ACL processing on the 6500 which explains it in a whole lot more detail.




moksu_0312 Wed, 08/29/2007 - 19:54

Thanks for your comment.

And then, how do I see the ACL match counters on this switch?

JORGE RODRIGUEZ Wed, 08/29/2007 - 21:40

Dong, in the same link Jon provided, see the topic under "Optimized ACL Logging with a PFC3" for a way to accomplish ACL hit logs, but unfortunately it seems this feature is supported on platforms with PFC3, plus other restrictions.

Very good link Jon has provided.


moksu_0312 Thu, 08/30/2007 - 16:52

Thank you, everyone!

I'm gonna set up a test.

Thanks again.

moksu_0312 Thu, 08/30/2007 - 18:51


Is there no way to see the match counter list?

I have to check the match counter list..

Somebody help me!

