Any idea why ACL counters aren't showing in a 7604?

Answered Question
Jun 2nd, 2008

I have a QOS class called Imaging to match an ACL. The policy is working because the 'show policy-map int' shows how many packets have matched the ACL and been acted on. Yet a 'show access-list ...' doesn't show any hit counters.


This same QOS config is in 7206 and 2821 routers and the ACL hit counters increment when they are hit.


Any idea why the ACL hit counters aren't incrementing?


Here is the 7604 pertinent info:


IOS = 12.2(33)SRB1



ROC-RT7604A-CR#sh policy-map int g2/1/1.54

 GigabitEthernet2/1/1.54

  Service-policy output: ESH-WAN-100MB-speed_with_10MB_voice
  .
  .
  .
    Class-map: Imaging (match-any)
      30800769 packets, 24714774942 bytes
      30 second offered rate 2147000 bps, drop rate 0 bps
      Match: access-group 151
      Queueing
      queue limit 12000 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 30800775/24714776230
      QoS Set
        set dscp af11
          Packets marked 30800769
      bandwidth 48000 kbps


ROC-RT7604A-CR#sh access-list 151
Extended IP access list 151
    10 permit tcp any any eq 6464
    20 permit tcp any eq 6464 any
    30 permit tcp any any eq 104
    40 permit tcp any eq 104 any
    50 permit tcp any any eq 105
    60 permit tcp any eq 105 any



class-map match-any Imaging
 match access-group 151

policy-map ESH-QOS_classes_6Video_110voice
 class Voice
  priority 10000
 class Call-Control
  bandwidth 500
 class Imaging
  set dscp af11
  bandwidth 48000
 class Video
  bandwidth 3220
 class DVR
  police 1544000
 class class-default
  random-detect

Correct Answer
Jon Marshall Mon, 06/02/2008 - 09:35

Jim


The 7600 router, as with the 6500 switch, supports ACL processing in hardware. Any packets processed in hardware will not be shown in the match count when you do a "sh ip access-list ".


I would assume this is why you are not seeing hits. In contrast, the 2800 and 7200 routers handle this in software, hence you see the matches.


Attached is a link with more details on ACL processing for the 7600:


http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/acl.html


Jon
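
An added example, not part of the original thread: a Python check that compares the hit counters in 'show access-list' output with the class counters in 'show policy-map int' output and flags ACLs whose counters read zero while the policy is matching traffic against them, which is the situation on the 7604 above. The function names and the second ACL sample with its match counts are constructed for illustration.

```python
import re

# Output from the 7604 in the question above (trimmed to the relevant lines).
ACL_7604 = """Extended IP access list 151
10 permit tcp any any eq 6464
20 permit tcp any eq 6464 any
30 permit tcp any any eq 104"""
POLICY = """Class-map: Imaging (match-any)
30800769 packets, 24714774942 bytes
30 second offered rate 2147000 bps, drop rate 0 bps
Match: access-group 151"""
# Constructed sample: the same ACL on a software-forwarding router, where
# each entry that was hit carries a "(N matches)" suffix. Counts are made up.
ACL_SOFTWARE = """Extended IP access list 151
10 permit tcp any any eq 6464 (18211 matches)
20 permit tcp any eq 6464 any (17902 matches)
30 permit tcp any any eq 104"""

def acl_hits(show_acl):
    """Sum the per-entry match counters for each ACL in 'show access-list' text."""
    hits, current = {}, None
    for line in map(str.strip, show_acl.splitlines()):
        header = re.match(r"(?:Standard|Extended) IP access list (\S+)", line)
        if header:
            current = header.group(1)
            hits[current] = 0
        elif current and re.match(r"\d+ (?:permit|deny) ", line):
            counter = re.search(r"\((\d+) match(?:es)?\)", line)
            hits[current] += int(counter.group(1)) if counter else 0
    return hits

def class_packets(show_policy):
    """Map each ACL referenced by a class-map to that class's packet count."""
    packets, count = {}, 0
    for line in map(str.strip, show_policy.splitlines()):
        if line.startswith("Class-map:"):
            count = 0
        elif m := re.match(r"(\d+) packets, \d+ bytes", line):
            count = int(m.group(1))
        elif m := re.match(r"Match: access-group (?:name )?(\S+)", line):
            packets[m.group(1)] = packets.get(m.group(1), 0) + count
    return packets

def silent_acls(show_acl, show_policy):
    """ACLs a policy is matching traffic against while their counters read zero."""
    hits = acl_hits(show_acl)
    return sorted(acl for acl, pkts in class_packets(show_policy).items()
                  if pkts > 0 and hits.get(acl) == 0)

if __name__ == "__main__":
    print(silent_acls(ACL_7604, POLICY))      # 7604 output from the question
    print(silent_acls(ACL_SOFTWARE, POLICY))  # constructed software-path output
```

An ACL flagged here should not be read as unused: its counters cannot be relied on for auditing on that platform, and the policy-map counters are the ones to consult.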


Ryan Carretta Tue, 06/03/2008 - 00:32

You might try:

'show tcam interface acl ip'
