Problem with ACLs hit counts

Unanswered Question
Aug 29th, 2011

Hello

I've applied the following ACL to an interface but don't see the hit counts (e.g. something like 30 deny tcp any any (58 hw matches)):

RP/0/RSP0/CPU0:test#show access-lists ipv4 2020
Fri Aug 26 09:34:48.094 HKT
ipv4 access-list 2020
 10 deny ipv4 any host 202.146.219.55
 20 deny ipv4 any host 218.213.235.211
 30 deny ipv4 any host 116.193.159.79
 50 deny ipv4 any host 111.68.2.101
 60 deny ipv4 any host 112.121.170.43
 77 deny ipv4 host 117.211.87.202 any
 78 deny ipv4 host 202.29.220.238 any
 79 deny udp any host 218.213.92.3
 80 deny udp any host 218.213.91.45
 81 deny ipv4 host 59.42.249.51 host 218.213.91.45

........

Also got the following:

RP/0/RSP0/CPU0:test#show access-lists ipv4 2020 hardware ingress interface gigabitEthernet 0/0/0/31 sequence 81 location 0/0/CPU0
Fri Aug 26 09:34:52.209 HKT
 
The interface does not have per-interface statistics enabled

RP/0/RSP0/CPU0:test(config-if)#ipv4 access-group 2020 ingress interface-statistics

RP/0/RSP0/CPU0:test(config-if)#commit

Mon Aug  29 09:44:42.725 HKT

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors


Is there any configuration still missing?? 


Pls help.  Thanks!
mdebraba Tue, 08/30/2011 - 02:31

Try adding 'hardware-count' so the NP counts the acl hits in hardware:

ipv4 access-group 2020 ingress hardware-count interface-statistics

If it still fails, get a 'show config failed' after trying to commit to see why it was not accepted.

3alee Tue, 08/30/2011 - 18:49

Thanks!

Have tried but still got the following:

RP/0/RSP0/CPU0:test(config-if)#show config failed

Wed Aug 31 09:41:58.730 HKT

!! SEMANTIC ERRORS: This configuration was rejected by

!! the system due to semantic errors. The individual

!! errors with each failed configuration command can be

!! found below.

interface GigabitEthernet0/0/0/23

ipv4 access-group 2020 ingress hardware-count interface-statistics

!!% 'pfilter-ea' detected the 'warning' condition 'Mode mismatch.ACL has been applied in different modes on this LC - interface stats and ace stats. '

!

end

Could you let me know the reason?  Thanks again.

3alee Wed, 08/31/2011 - 03:38

It seems to be working now:

RP/0/RSP0/CPU0:test#show access-lists 2020 | in 2000

Wed Aug 31 10:48:49.335 HKT

2000 permit ipv4 any any (338 matches)

RP/0/RSP0/CPU0:test#show access-lists ipv4 2020 hardware ingress sequence 2000 location 0/0/CPU0

Wed Aug 31 10:49:40.734 HKT

ipv4 access-list 2020

2000 permit ipv4 any any (418319686845 hw matches)

But can you let me know why there's a big difference between the counter values of the two commands above?

Thanks!

mdebraba Wed, 08/31/2011 - 04:28

The first one is a counter from the RSP processor, so it only shows punted packets (for us, or ip options, etc...), the second one shows all the packets forwarded by the linecard.
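Added example, not part of the thread: a Python sketch that parses the two 'show access-lists' views discussed above and joins them per ACE, so the RSP (punted) counter and the linecard hardware counter can be read side by side and deny entries with hardware hits stand out. The sample outputs are constructed in the thread's format; the count on sequence 81 is invented for illustration.

```python
import re

# Constructed sample in the format of the thread's two outputs:
# the RSP view and the linecard 'hardware ingress' view of ACL 2020.
RSP_OUTPUT = """\
ipv4 access-list 2020
 81 deny ipv4 host 59.42.249.51 host 218.213.91.45
 2000 permit ipv4 any any (338 matches)
"""
HW_OUTPUT = """\
ipv4 access-list 2020
 81 deny ipv4 host 59.42.249.51 host 218.213.91.45 (12 hw matches)
 2000 permit ipv4 any any (418319686845 hw matches)
"""

# "<seq> <permit|deny ...> [(<n> matches) | (<n> hw matches)]"
ACE = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\s.*?)"
                 r"(?:\s+\((\d+)\s+(hw\s+)?matches\))?\s*$")

def parse_counters(text):
    """Map sequence number -> (rule, count or None, is_hw_counter)."""
    aces = {}
    for line in text.splitlines():
        m = ACE.match(line)
        if m:
            seq, rule, count, hw = m.groups()
            aces[int(seq)] = (rule, int(count) if count else None, bool(hw))
    return aces

def compare(rsp_text, hw_text):
    """Join both views per ACE: RSP (punted) count vs linecard (hw) count."""
    rsp, hw = parse_counters(rsp_text), parse_counters(hw_text)
    merged = {}
    for seq in sorted(set(rsp) | set(hw)):
        merged[seq] = {
            "rule": (hw.get(seq) or rsp.get(seq))[0],
            "punted": rsp[seq][1] if seq in rsp and not rsp[seq][2] else None,
            "forwarded": hw[seq][1] if seq in hw and hw[seq][2] else None,
        }
    return merged

def deny_hits(merged):
    """Sequence numbers of deny ACEs with a non-zero hardware counter."""
    return [s for s, a in merged.items()
            if a["rule"].startswith("deny") and a["forwarded"]]
```

A value of None means that view printed no counter for the entry, which is what the original poster saw before hardware counting was enabled.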

Posted August 29, 2011 at 6:03 PM