Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1952
Views
0
Helpful
6
Replies

ACL counters and policy map

Go to solution
kwanm63my
Level 1
Level 1

‎08-06-2010 07:10 AM - edited ‎03-06-2019 12:21 PM

I have a policy map that 'seem's to be working but the ACL counters is not hitting hits.. I verified by having the server guy do a traceroute and verify my path. When I removed the policy map , it reverts to the regular routing table path.   however, when the policy is in place, I cannot see any hits on the ACL that is ref in the route-map.   Even the traceroute packets are not seen which was performed when the ' ip policy route-map xx" command is in place and is showing  the correct path taken which implies the policy map is working , I  just don't under the command  ' show route-map xxx"  packets being matched or show access-list xxx for the counter hits...

Can it be how the packets is being switched in the 6513 , process or fast-switched ?? just grasping at straws here...

thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎08-06-2010 09:27 AM

The vast majority of packets are hardware switched on a 6513. When the packet is hardware switched it does not increment the acl counters. That is why you are not seeing any acl hits but the policy map is still working correctly.

Jon

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎08-06-2010 09:27 AM

The vast majority of packets are hardware switched on a 6513. When the packet is hardware switched it does not increment the acl counters. That is why you are not seeing any acl hits but the policy map is still working correctly.

Jon

0 Helpful

Go to solution
kwanm63my
Level 1
Level 1
In response to Jon Marshall

‎08-06-2010 09:43 AM

Jon, I saw that mentioned  too when I browse this forum but the strange thing is I have another policy map on a another interface on the same 6513.

the config is similar but with diff acl and diff route-map pointing to diff next-hop.....that one is getting hits and show route-,map shows matching packets counters building...

I'm not aware of turning anything on under the interfaces to hardware switch or not the packets as both  vlan interface config is similar... is there anyway to test what you are saying by let's say,  turn off 'hardware switching' on my 'suspect' policy map interface  and observe the results for the counters ?

thanks

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to kwanm63my

‎08-06-2010 09:59 AM 

kwanm63my wrote:
Jon, I saw that mentioned  too when I browse this forum but the strange thing is I have another policy map on a another interface on the same 6513.
the config is similar but with diff acl and diff route-map pointing to diff next-hop.....that one is getting hits and show route-,map shows matching packets counters building...
I'm not aware of turning anything on under the interfaces to hardware switch or not the packets as both  vlan interface config is similar... is there anyway to test what you are saying by let's say,  turn off 'hardware switching' on my 'suspect' policy map interface  and observe the results for the counters ?
thanks

Can you post the access-lists and both policy maps.

To test you can add the "log" keyword which should then make the 6500 send the packet to the MSFC ie. not hardware switched but obviously you will have to judge whether there will be a performance hit for your users.

Jon

0 Helpful

Go to solution
kwanm63my
Level 1
Level 1
In response to Jon Marshall

‎08-06-2010 10:04 AM

well. I found a way 'around' the issue. I added a set ip precedence network statement , and now I see the counters incrementing...

If it's matching on that statement and forcing the counters to go up ( because that's probably  using another process as opposed to switching the packets), it's more evidence to me it's working as it should.

Thanks

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to kwanm63my

‎08-06-2010 10:10 AM

No problem.

Yes i suspect that by adding that statement you are forcing the packet to go to the main CPU. If you are happy it's working as it should be though i wouldn't leave it in as it's not really an issue rather the way a 6500 works.

For your info here is hardware/software processing acl information on 6500 switches -

6500 acl processing

Jon

0 Helpful

Go to solution
kwanm63my
Level 1
Level 1
In response to Jon Marshall

‎08-06-2010 10:33 AM

yea, I removed it after my testing.. You know what they say,  seeing is believing ! LOL.. thanks for your inputs.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card