IP access lists matches

ged.ward1 · ‎10-05-2006

We have Policy based routing configured on a 6500. The policy map references an IP extended access list to see if packets are to be policy based routed.

We know the policy based routing is working as the packets are arriving at the correct destination. However if I issue a show IP access command the number of matches against the referenced access list is very low.

Is there any known IOS bug where the IOS does not correctly record the number of matches or could it be to do with some CEF process?

mheusinger · ‎10-05-2006

Hi,

your assumption is right, the counter is only increased, if the CPU has to deal with the IP packet. If CEF is used, the counter will not be increased, because the packet is not handled by the CPU, but forwarded through the use of FIB and adjacency table. In principle you can then only see the "new" headers and thus the number of packets will be low as most packets are part of a larger session.

Hope this helps! Please rate all posts.

Regards, Martin

royalblues · ‎10-05-2006

Hi

I had opened a TAC case for the same.

This is what they had to say.

Access-list not getting hits?

Ans:- it depends on which OS you're running on the other switch. In this case you're running IOS and the switch process the ACLs on the TCAM (Hardware) and that's why you don't see the hits. In CatOS, there's no TCAM but the ACLs can be processed in both Hardware and Software.

But if you're running IOS too, and you see the hits for the ACLs, this could mean that the Tcam is full and the ACLs start to be processed in Software, not in Hardware.

HTH

Narayan

pushkar1782 · ‎10-09-2006

yeah i think it means the same if its processed via h/w express fwd then its not taking a hit otherwise cpu i.e s/w forwarding takes a hit ..

thnx