I have configured 100+ ACLs on a 6500. I see logs of rules with matches, but only a few (for example, 10 out of 100 match). And when I remove the rules which are not matched in the ACLs, the traffic does not go out of the interface. It appears to me like a bug; could someone tell me what is causing this?
2 permit tcp any any established (23090 matches)
10 permit ospf 10.2.2.0 0.0.0.255 any (290892 matches)
30 permit ip 10.3.3.0 0.0.0.255 any (34362 matches)
40 permit ip 10.11.11 0.0.0.255 10.11.11.0 0.0.255 (679608 matches)
50 permit ip 10.80.0.0 0.3.255.255 10.80.0.0 0.3.255.255
60 permit ip 10.20.129.0 0.0.0.255 any
70 permit ip 10.0.0.0 0.0.0.0 10.12.9.0 0.0.0.255
80 permit ip 10.0.0.0 0.0.0.255 10.70.50.0 0.0.0.255
90 permit ip 10.0.0.0 0.0.0.255 10.20.0.7 0.0.0.255
100 permit ip 10.0.0.0 0.255.255.255 10.50.0.0 0.0.255.255 (15 matches)
It's not a bug, that's a 6500 feature. ACLs are processed in hardware, not by the CPU. Any counts you see there were packets punted to the CPU for some reason. They will not reflect the total count processed by such an ACE.
Thanks for the update. But I have around 500 ACLs and I want to clear the unnecessary ACL rules/entries on the switch which are not matching or not used, and keep only the rules which are needed and which are getting matched.
But as soon as I remove the rules which are not matching/not needed, no traffic flows through the interface.
Is this the behaviour of the switch? What is the alternate way to remove the ACLs?
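An added example, not part of the thread and not Cisco tooling: because the counters only cover CPU-punted packets, one way to check which entries traffic depends on is to replay known flows against the ACL offline with first-match semantics and the implicit deny at the end. The ACEs are copied from the listing above (entry 40 is left out because its addresses are incomplete there); the flow tuples and the boolean `established` flag are constructed assumptions.

```python
import ipaddress

# ACEs copied from the listing in the thread, hit counters stripped.
# Only "any" and "address wildcard" operands are handled in this sketch.
ACL = """\
2 permit tcp any any established
10 permit ospf 10.2.2.0 0.0.0.255 any
30 permit ip 10.3.3.0 0.0.0.255 any
50 permit ip 10.80.0.0 0.3.255.255 10.80.0.0 0.3.255.255
60 permit ip 10.20.129.0 0.0.0.255 any
100 permit ip 10.0.0.0 0.255.255.255 10.50.0.0 0.0.255.255
"""

def _addr(tok):
    """Consume 'any' or 'address wildcard'; return (base, care_mask) ints."""
    if tok[0] == "any":
        tok.pop(0)
        return 0, 0
    base = int(ipaddress.IPv4Address(tok.pop(0)))
    care = ~int(ipaddress.IPv4Address(tok.pop(0))) & 0xFFFFFFFF
    return base & care, care

def parse(text):
    """Return a list of (seq, action, proto, src, dst, established)."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        rest = t[3:]
        src, dst = _addr(rest), _addr(rest)
        aces.append((int(t[0]), t[1], t[2], src, dst, "established" in rest))
    return aces

def first_match(aces, proto, src, dst, established=False):
    """Return (seq, action) of the first matching ACE, else the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for seq, action, p, (sb, sm), (db, dm), est in aces:
        if p not in ("ip", proto):
            continue
        if est and not established:  # simplified: flag stands for ACK/RST set
            continue
        if (s & sm) == sb and (d & dm) == db:
            return seq, action
    return None, "deny"  # every ACL ends with an implicit deny

if __name__ == "__main__":
    aces = parse(ACL)
    flow = ("tcp", "10.20.129.5", "192.0.2.10")  # constructed sample flow
    print(first_match(aces, *flow))
    print(first_match([a for a in aces if a[0] != 60], *flow))
```

With entry 60 in place the sample flow is permitted; with it removed, nothing else matches and the flow falls through to the implicit deny, even though entry 60 shows no matches in the listing.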