Problem with ACLs hit counts

Unanswered Question
Aug 29th, 2011


I've applied the following ACL to an interface but don't see the hit counts (e.g. something like 30 deny tcp any any (58 hw matches)):

RP/0/RSP0/CPU0:test#show access-lists ipv4 2020
Fri Aug 26 09:34:48.094 HKT
ipv4 access-list 2020
 10 deny ipv4 any host
 20 deny ipv4 any host
 30 deny ipv4 any host
 50 deny ipv4 any host
 60 deny ipv4 any host
 77 deny ipv4 host any
 78 deny ipv4 host any
 79 deny udp any host
 80 deny udp any host
 81 deny ipv4 host host


Also got the following:

RP/0/RSP0/CPU0:test#show access-lists ipv4 2020 hardware ingress interface gigabitEthernet 0/0/0/31 sequence 81 location 0/0/CPU0
Fri Aug 26 09:34:52.209 HKT
The interface does not have per-interface statistics enabled

RP/0/RSP0/CPU0:test(config-if)#ipv4 access-group 2020 ingress  interface-statistics


Mon Aug  29 09:44:42.725 HKT

% Failed to commit one or more configuration items  during a pseudo-atomic operation. All changes made have been reverted. Please  issue 'show configuration failed' from this session to view the errors

Is there any configuration still missing?? 

Pls help.  Thanks!
mdebraba Tue, 08/30/2011 - 02:31
User Badges:
  • Cisco Employee,

Try adding 'hardware-count' so the NP counts the acl hits in hardware:

ipv4 access-group 2020 ingress hardware-count interface-statistics

If it still fails, get a 'show config failed' after trying to commit to see why it was not accepted.

3alee Tue, 08/30/2011 - 18:49


Have tried but still got the following:

RP/0/RSP0/CPU0:test(config-if)#show config failed

Wed Aug 31 09:41:58.730 HKT

!! SEMANTIC ERRORS: This configuration was rejected by

!! the system due to semantic errors. The individual

!! errors with each failed configuration command can be

!! found below.

interface GigabitEthernet0/0/0/23

ipv4 access-group 2020 ingress hardware-count interface-statistics

!!% 'pfilter-ea' detected the 'warning' condition 'Mode mismatch.ACL has been applied in different modes on this LC - interface stats and ace stats. '



Could you let me know the reason?  Thanks again.

3alee Wed, 08/31/2011 - 03:38

It seems to be working now:

RP/0/RSP0/CPU0:test#show access-lists 2020 | in 2000

Wed Aug 31 10:48:49.335 HKT

2000 permit ipv4 any any (338 matches)

RP/0/RSP0/CPU0:test#show access-lists ipv4 2020 hardware ingress sequence 2000 location 0/0/CPU0

Wed Aug 31 10:49:40.734 HKT

ipv4 access-list 2020

2000 permit ipv4 any any (418319686845 hw matches)

But can you let me know why there's a big difference between the counter values of the two commands above?


mdebraba Wed, 08/31/2011 - 04:28
User Badges:
  • Cisco Employee,

The first one is a counter from the RSP processor, so it only shows punted packets (for us, or ip options, etc...), the second one shows all the packets forwarded by the linecard.
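
Added example, not part of the thread and not Cisco code: a Python script that parses the two `show access-lists` outputs discussed above and places the RSP counter and the linecard hardware counter side by side per sequence number. The sample text is constructed from lines quoted in the thread; the names `parse_counters` and `merge_counters` are hypothetical, and treating an ACE with no counter as zero is an assumption.

```python
import re

# Constructed sample input, modelled on the command output quoted in the thread.
SOFTWARE_OUTPUT = """\
ipv4 access-list 2020
 30 deny tcp any any
 2000 permit ipv4 any any (338 matches)
"""
HARDWARE_OUTPUT = """\
ipv4 access-list 2020
 30 deny tcp any any (58 hw matches)
 2000 permit ipv4 any any (418319686845 hw matches)
"""
NO_STATS = "The interface does not have per-interface statistics enabled"

# "<seq> <permit|deny ...> [(<n> matches) | (<n> hw matches)]"
ACE_RE = re.compile(r"^\s*(?P<seq>\d+)\s+(?P<rule>(?:permit|deny)\b.*?)"
                    r"(?:\s+\((?P<count>\d+) (?P<hw>hw )?matches\))?\s*$")

def parse_counters(text):
    """Return {sequence: (rule, count, is_hw)} for every ACE line in text."""
    if NO_STATS in text:
        # The router printed an error instead of counters.
        raise ValueError("hardware counters unavailable: " + NO_STATS)
    aces = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            # Assumption: an ACE printed without a counter has zero hits.
            count = int(m.group("count") or 0)
            aces[int(m.group("seq"))] = (m.group("rule"), count, bool(m.group("hw")))
    return aces

def merge_counters(software_text, hardware_text):
    """Combine both views into {sequence: {"rule", "punted", "forwarded"}}."""
    sw, hw = parse_counters(software_text), parse_counters(hardware_text)
    merged = {}
    for seq in sorted(set(sw) | set(hw)):
        rule = (hw.get(seq) or sw[seq])[0]
        merged[seq] = {"rule": rule,
                       "punted": sw.get(seq, (None, 0, False))[1],     # RSP counter
                       "forwarded": hw.get(seq, (None, 0, True))[1]}   # linecard counter
    return merged

if __name__ == "__main__":
    for seq, row in merge_counters(SOFTWARE_OUTPUT, HARDWARE_OUTPUT).items():
        print(seq, row["rule"], "punted:", row["punted"], "forwarded:", row["forwarded"])
```
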

