Problem with ACLs hit counts

3alee
Level 1

Hello

I've applied the following ACL to an interface but don't see the hit counts (e.g. something like "30 deny tcp any any (58 hw matches)"):

RP/0/RSP0/CPU0:test#show access-lists ipv4 2020
Fri Aug 26 09:34:48.094 HKT
ipv4 access-list 2020
 10 deny ipv4 any host 202.146.219.55
 20 deny ipv4 any host 218.213.235.211
 30 deny ipv4 any host 116.193.159.79
 50 deny ipv4 any host 111.68.2.101
 60 deny ipv4 any host 112.121.170.43
 77 deny ipv4 host 117.211.87.202 any
 78 deny ipv4 host 202.29.220.238 any
 79 deny udp any host 218.213.92.3
 80 deny udp any host 218.213.91.45
 81 deny ipv4 host 59.42.249.51 host 218.213.91.45
........

I also got the following:

RP/0/RSP0/CPU0:test#show access-lists ipv4 2020 hardware ingress interface gigabitEthernet 0/0/0/31 sequence 81 location 0/0/CPU0
Fri Aug 26 09:34:52.209 HKT

The interface does not have per-interface statistics enabled

RP/0/RSP0/CPU0:test(config-if)#ipv4 access-group 2020 ingress interface-statistics
RP/0/RSP0/CPU0:test(config-if)#commit
Mon Aug 29 09:44:42.725 HKT

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors

Is there any configuration still missing?

Please help. Thanks!
4 Replies

mdebraba
Cisco Employee

Try adding 'hardware-count' so the NP counts the ACL hits in hardware:

ipv4 access-group 2020 ingress hardware-count interface-statistics

If it still fails, get a 'show config failed' after trying to commit to see why it was not accepted.

Thanks!

I have tried that, but still get the following:

RP/0/RSP0/CPU0:test(config-if)#show config failed
Wed Aug 31 09:41:58.730 HKT
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
interface GigabitEthernet0/0/0/23
 ipv4 access-group 2020 ingress hardware-count interface-statistics
!!% 'pfilter-ea' detected the 'warning' condition 'Mode mismatch.ACL has been applied in different modes on this LC - interface stats and ace stats. '
!
end

Could you let me know the reason? Thanks again.
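The commit error above says the same ACL is already bound on another interface of the same linecard in a different statistics mode. The following Python script is an added example (not from the thread or from Cisco) that lints a saved IOS XR running-config for exactly that condition before you commit: it groups every access-group binding by linecard and ACL and flags any ACL that is applied with and without interface-statistics on one LC. The sample config is constructed for illustration; the mapping from an interface name rack/slot/bay/port to a location of the form rack/slot/CPU0 and the choice to group per ACL and address family (ignoring direction) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample of an IOS XR running-config excerpt (not taken from the thread).
# ACL 2020 is bound on two ports of linecard 0/0 in different statistics modes,
# which is the situation the 'Mode mismatch' commit error describes.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0/23
 ipv4 access-group 2020 ingress hardware-count interface-statistics
!
interface GigabitEthernet0/0/0/31
 ipv4 access-group 2020 ingress
!
interface GigabitEthernet0/1/0/5
 ipv4 access-group 2020 ingress hardware-count interface-statistics
!
interface GigabitEthernet0/0/0/40
 ipv4 access-group 2021 ingress interface-statistics
!
"""

IFACE_RE = re.compile(r'^interface\s+(\S+)')
ACG_RE = re.compile(r'^\s*(ipv4|ipv6)\s+access-group\s+(\S+)\s+(ingress|egress)(.*)$')
# Assumption: the interface name ends in rack/slot/bay/port and rack/slot
# identifies the linecard, i.e. the 'location rack/slot/CPU0' used in show commands.
LOC_RE = re.compile(r'(\d+)/(\d+)/\d+/\d+$')


def linecard_of(iface):
    """Return the location string (e.g. '0/0/CPU0') an interface name lives on, or None."""
    m = LOC_RE.search(iface)
    return f"{m.group(1)}/{m.group(2)}/CPU0" if m else None


def stats_mode(options):
    """Name the mode the way the commit error does: per-interface stats vs per-ACE stats."""
    return "interface stats" if "interface-statistics" in options.split() else "ace stats"


def parse_access_groups(config):
    """Return a list of (interface, linecard, afi, acl, direction, mode) bindings."""
    bindings = []
    iface = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ACG_RE.match(line)
        if m and iface:
            afi, acl, direction, opts = m.groups()
            bindings.append((iface, linecard_of(iface), afi, acl, direction, stats_mode(opts)))
    return bindings


def find_mode_mismatches(config):
    """Return {(linecard, afi, acl): {mode: [interfaces]}} for ACLs bound in more than one mode on a LC."""
    per_acl = defaultdict(lambda: defaultdict(list))
    for iface, lc, afi, acl, _direction, mode in parse_access_groups(config):
        per_acl[(lc, afi, acl)][mode].append(iface)
    return {key: dict(modes) for key, modes in per_acl.items() if len(modes) > 1}


if __name__ == "__main__":
    for (lc, afi, acl), modes in find_mode_mismatches(SAMPLE_CONFIG).items():
        print(f"{afi} ACL {acl} on LC {lc} is bound in mixed modes:")
        for mode, ifaces in modes.items():
            print(f"  {mode}: {', '.join(ifaces)}")
```

Run it against the output of 'show running-config' saved to a file; a clean run prints nothing. The fix the report points at is to rebind the ACL with the same statistics keywords on every interface of that linecard (in the sample, GigabitEthernet0/0/0/31 is the odd one out).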

It seems to be working now:

RP/0/RSP0/CPU0:test#show access-lists 2020 | in 2000
Wed Aug 31 10:48:49.335 HKT
2000 permit ipv4 any any (338 matches)

RP/0/RSP0/CPU0:test#show access-lists ipv4 2020 hardware ingress sequence 2000 location 0/0/CPU0
Wed Aug 31 10:49:40.734 HKT
ipv4 access-list 2020
2000 permit ipv4 any any (418319686845 hw matches)

But can you let me know why there is such a big difference between the counter values of the two commands above?

Thanks!

The first one is a counter from the RSP processor, so it only shows punted packets (destined for us, or with IP options, etc.); the second one shows all the packets forwarded by the linecard.
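The practical consequence of that answer is that the plain 'show access-lists' counter tells you almost nothing about what a deny ACE is actually blocking in the forwarding path; only the hardware counter does. The following Python script is an added example (not from the thread or from Cisco) that parses both outputs, lines the two counters up per sequence number and flags ACEs whose software counter is absent or zero while the hardware counter is not. The two sample outputs are constructed for illustration, following the "(N matches)" and "(N hw matches)" format shown in the posts above; the exact layout of a full hardware listing is an assumption of this example.

```python
import re

# Constructed sample outputs (not copied from the thread), in the format the posts show:
# software counters come from 'show access-lists ipv4 2020', hardware counters from
# 'show access-lists ipv4 2020 hardware ingress location 0/0/CPU0'.
SW_OUTPUT = """\
ipv4 access-list 2020
 10 deny ipv4 any host 203.0.113.55
 30 deny ipv4 any host 198.51.100.79
 2000 permit ipv4 any any (338 matches)
"""

HW_OUTPUT = """\
ipv4 access-list 2020
 10 deny ipv4 any host 203.0.113.55 (0 hw matches)
 30 deny ipv4 any host 198.51.100.79 (58 hw matches)
 2000 permit ipv4 any any (418319686845 hw matches)
"""

# sequence, rule text, optional trailing "(N matches)" or "(N hw matches)"
ACE_RE = re.compile(r'^\s*(\d+)\s+(.*?)(?:\s+\((\d+)\s+(?:hw\s+)?matches\))?\s*$')


def parse_aces(output):
    """Map ACE sequence number -> (rule text, match count or None when no counter is shown)."""
    aces = {}
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header lines such as 'ipv4 access-list 2020'
        seq, rule, count = m.groups()
        aces[int(seq)] = (rule, int(count) if count is not None else None)
    return aces


def compare_counters(sw_output, hw_output):
    """Per sequence: software count, hardware count, and whether only the hardware counter
    reveals traffic (software counter absent or zero while hardware counter is non-zero)."""
    sw = parse_aces(sw_output)
    hw = parse_aces(hw_output)
    report = {}
    for seq in sorted(set(sw) | set(hw)):
        rule = (sw.get(seq) or hw.get(seq))[0]
        s = sw.get(seq, (None, None))[1]
        h = hw.get(seq, (None, None))[1]
        report[seq] = {
            "rule": rule,
            "sw": s,
            "hw": h,
            "hw_only": bool(h) and not s,
        }
    return report


def hidden_hits(sw_output, hw_output):
    """Sequence numbers whose traffic is invisible in the RSP (software) counter."""
    return [seq for seq, r in compare_counters(sw_output, hw_output).items() if r["hw_only"]]


if __name__ == "__main__":
    for seq, r in compare_counters(SW_OUTPUT, HW_OUTPUT).items():
        flag = "  <-- only visible in hardware counter" if r["hw_only"] else ""
        print(f"{seq:>5} {r['rule']:<40} sw={r['sw']} hw={r['hw']}{flag}")
```

When auditing whether a blocking ACE is effective, paste the hardware listing for the location the interface lives on; in the constructed sample, sequence 30 has 58 hardware hits that the software counter never shows, which is exactly the gap the thread ran into.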
