IP access lists matches

Oct 5th, 2006

We have policy-based routing configured on a 6500. The policy map references an IP extended access list to see if packets are to be policy-based routed.

We know the policy-based routing is working as the packets are arriving at the correct destination. However, if I issue a show ip access-lists command, the number of matches against the referenced access list is very low.

Is there any known IOS bug where the IOS does not correctly record the number of matches, or could it have to do with some CEF process?

mheusinger Thu, 10/05/2006 - 03:35

Your assumption is right: the counter is only increased if the CPU has to deal with the IP packet. If CEF is used, the counter will not be increased, because the packet is not handled by the CPU but forwarded through the use of the FIB and adjacency table. In principle you can then only see the "new" headers, and thus the number of packets will be low, as most packets are part of a larger session.

Hope this helps! Please rate all posts.

Regards, Martin

royalblues Thu, 10/05/2006 - 06:43

I had opened a TAC case for the same.

This is what they had to say.

Access-list not getting hits?

Ans: It depends on which OS you're running on the other switch. In this case you're running IOS, and the switch processes the ACLs in the TCAM (hardware), and that's why you don't see the hits. In CatOS there's no TCAM, but the ACLs can be processed in both hardware and software.

But if you're running IOS too and you see the hits for the ACLs, this could mean that the TCAM is full and the ACLs start to be processed in software, not in hardware.
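Both answers above make the same point: on a hardware-forwarding platform the per-ACE counters only reflect packets that reached the CPU, so a low count says nothing about whether the policy is being applied to the bulk of the traffic. The parser below is an added example, not code from the thread or from Cisco; it reads `show ip access-lists` output, totals the matches per ACL, and compares that total with the number of packets the interface saw over the same interval. The sample output, the ACL names PBR-TRAFFIC and MGMT-HOSTS, the addresses and the packet count 12,410 are all constructed for this example. The comparison only makes sense for an ACL that ends in an explicit catch-all ACE, because then every packet actually evaluated in software should increment some counter.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of "show ip access-lists" output (made up for this
# example, not taken from the thread). IOS prints a header line per ACL,
# then one ACE per line with an optional "(N matches)" suffix.
SAMPLE_SHOW_IP_ACCESS_LISTS = """\
Extended IP access list PBR-TRAFFIC
    10 permit ip 10.1.1.0 0.0.0.255 any (37 matches)
    20 permit tcp host 10.1.2.5 any eq 443 (1204 matches)
    30 deny ip any any
Standard IP access list MGMT-HOSTS
    10 permit 192.0.2.0, wildcard bits 0.0.0.255 (6 matches)
    20 deny   any (2 matches)
"""

ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
ACE_LINE = re.compile(
    r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$"
)


@dataclass
class Ace:
    seq: int
    action: str
    rule: str
    matches: int


def parse_access_lists(text: str) -> Dict[str, List[Ace]]:
    """Parse ACL names and per-ACE match counters out of show ip access-lists output."""
    acls: Dict[str, List[Ace]] = {}
    current = None
    for line in text.splitlines():
        hdr = ACL_HEADER.match(line)
        if hdr:
            current = hdr.group(2)
            acls[current] = []
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            acls[current].append(
                Ace(
                    seq=int(ace.group(1)),
                    action=ace.group(2),
                    rule=ace.group(3).strip(),
                    matches=int(ace.group(4) or 0),  # no suffix means zero hits
                )
            )
    return acls


def total_matches(aces: List[Ace]) -> int:
    """Sum of the match counters across all ACEs of one ACL."""
    return sum(a.matches for a in aces)


def has_catch_all(aces: List[Ace]) -> bool:
    """True if the last ACE is an explicit 'ip any any' (extended) or 'any' (standard),
    so every packet evaluated against the ACL should hit some counter."""
    return bool(aces) and aces[-1].rule in ("ip any any", "any")


def counter_coverage(aces: List[Ace], interface_packets: int) -> float:
    """Fraction of the packets that crossed the interface (same interval)
    that the ACL counters account for."""
    if interface_packets <= 0:
        raise ValueError("interface packet count must be positive")
    return total_matches(aces) / interface_packets


def assess(name: str, aces: List[Ace], interface_packets: int, floor: float = 0.5) -> str:
    """One-line verdict; the 50% floor is an arbitrary threshold for this example."""
    if not has_catch_all(aces):
        return f"{name}: no catch-all ACE, total matches are not comparable to interface counters"
    cov = counter_coverage(aces, interface_packets)
    if cov < floor:
        return (f"{name}: counters account for {cov:.1%} of interface packets; "
                "most traffic is probably hardware switched (CEF/TCAM) and never counted")
    return f"{name}: counters account for {cov:.1%} of interface packets"


if __name__ == "__main__":
    acls = parse_access_lists(SAMPLE_SHOW_IP_ACCESS_LISTS)
    # Constructed interface counter: 12,410 packets input over the same interval.
    for acl_name, acl_aces in acls.items():
        print(assess(acl_name, acl_aces, 12410))
```

To get comparable numbers on the box, clear both sets of counters at the same moment (`clear ip access-list counters` and `clear counters` for the policy interface), wait an interval, then take the "packets input" figure from `show interfaces` and the `show ip access-lists` output together. A coverage of a few percent, as in the constructed PBR-TRAFFIC case, is the effect described in this thread, not evidence that the policy is failing; it also means these counters cannot be used on their own to audit whether a deny ACE is actually dropping traffic on a hardware-forwarded interface.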
pushkar1782 Mon, 10/09/2006 - 05:46

Yeah, I think it means the same: if it's processed via h/w express fwd then it's not taking a hit; otherwise CPU, i.e. s/w forwarding, takes a hit.
