ACL counters and policy map

Answered Question
Aug 6th, 2010

I have a policy map that 'seems' to be working, but the ACL counters are not registering hits. I verified by having the server guy do a traceroute and verify my path. When I removed the policy map, it reverts to the regular routing table path. However, when the policy is in place, I cannot see any hits on the ACL that is referenced in the route-map. Even the traceroute packets are not seen, which were sent while the 'ip policy route-map xx' command was in place and was showing the correct path taken, which implies the policy map is working. I just don't understand the command 'show route-map xxx' not showing packets being matched, or 'show access-list xxx' for the counter hits...


Can it be how the packets are being switched in the 6513, process- or fast-switched? Just grasping at straws here...


thanks

Correct Answer by Jon Marshall about 6 years 11 months ago

The vast majority of packets are hardware switched on a 6513. When the packet is hardware switched it does not increment the acl counters. That is why you are not seeing any acl hits but the policy map is still working correctly.


Jon


kwanm63my Fri, 08/06/2010 - 09:43

Jon, I saw that mentioned too when I browsed this forum, but the strange thing is I have another policy map on another interface on the same 6513.


The config is similar but with a different ACL and a different route-map pointing to a different next-hop... that one is getting hits, and 'show route-map' shows the matching packet counters building...



I'm not aware of turning anything on under the interfaces to hardware-switch the packets or not, as both VLAN interface configs are similar... Is there any way to test what you are saying by, let's say, turning off 'hardware switching' on my 'suspect' policy map interface and observing the results for the counters?


thanks

Jon Marshall Fri, 08/06/2010 - 09:59

kwanm63my wrote:


Jon, I saw that mentioned too when I browsed this forum, but the strange thing is I have another policy map on another interface on the same 6513.


The config is similar but with a different ACL and a different route-map pointing to a different next-hop... that one is getting hits, and 'show route-map' shows the matching packet counters building...



I'm not aware of turning anything on under the interfaces to hardware-switch the packets or not, as both VLAN interface configs are similar... Is there any way to test what you are saying by, let's say, turning off 'hardware switching' on my 'suspect' policy map interface and observing the results for the counters?


thanks


Can you post the access-lists and both policy maps?


To test, you can add the "log" keyword, which should then make the 6500 send the packet to the MSFC, i.e. not hardware switched, but obviously you will have to judge whether there will be a performance hit for your users.


Jon

kwanm63my Fri, 08/06/2010 - 10:04

Well, I found a way 'around' the issue. I added a 'set ip precedence network' statement, and now I see the counters incrementing...

If it's matching on that statement and forcing the counters to go up (because that's probably using another process as opposed to switching the packets), it's more evidence to me that it's working as it should.


Thanks

Jon Marshall Fri, 08/06/2010 - 10:10

No problem.


Yes, I suspect that by adding that statement you are forcing the packet to go to the main CPU. If you are happy it's working as it should be, though, I wouldn't leave it in, as it's not really an issue, rather the way a 6500 works.


For your info, here is hardware/software ACL processing information on 6500 switches -


6500 acl processing


Jon
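
An added example (not the thread's own configuration, and not Jon's or Cisco's text) of the PBR setup the thread discusses, with both diagnostic tweaks mentioned above applied as temporary changes. ACL and route-map names, VLAN number, addresses and next-hop are assumed placeholders.

```cisco
! ACL that selects the traffic to be policy-routed. On a 6500 this is
! programmed into the PFC TCAM; hardware-switched matches do not bump the
! per-ACE counters shown by "show ip access-lists", even though PBR works.
ip access-list extended PBR-SERVER-A
 permit ip host 192.0.2.10 any
!
route-map PBR-SERVER-A permit 10
 match ip address PBR-SERVER-A
 set ip next-hop 198.51.100.1
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map PBR-SERVER-A
!
! --- Diagnostic variant 1 (Jon's suggestion): "log" on the ACE sends the
! matching packets to the MSFC, so the counters increment. Expect a CPU
! cost on busy links; remove after testing.
ip access-list extended PBR-SERVER-A
 no permit ip host 192.0.2.10 any
 permit ip host 192.0.2.10 any log
!
! --- Diagnostic variant 2 (kwanm63my's workaround, as observed in the
! thread): an extra "set" pushes the packets to software switching and
! the counters build. Also remove after testing.
route-map PBR-SERVER-A permit 10
 set ip precedence network
!
! Verification (expected output shape, placeholder values):
!   show route-map PBR-SERVER-A        -> "Policy routing matches: N packets, M bytes"
!   show ip access-lists PBR-SERVER-A  -> per-ACE "(N matches)"
! In normal (hardware-switched) operation both can stay at 0 while an
! independent check, such as the traceroute from the host, shows the PBR path.
```

Use one variant at a time, and revert it once the path has been confirmed, since the zero counters are expected behaviour rather than a fault.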

kwanm63my Fri, 08/06/2010 - 10:33

Yeah, I removed it after my testing. You know what they say, seeing is believing! LOL. Thanks for your inputs.
