Cisco Support Community

New Member

Access list (acl) stats, hardware and otherwise ASR 9010

I have this access list I would like to look at the statistics.  So I do a

RP/0/RSP0/CPU0:iplwin75csre08#show access-lists ipv4 internet-inbound                                    
Tue Mar 11 10:22:06.703 EDT
ipv4 access-list internet-inbound
 10 remark Add specific hosts to block first
 30 deny ipv4 any host 192.69.183.212
 50 remark * Nothing goes to 69.174.150.0/24 *************
 70 deny ipv4 any 69.174.150.0 0.0.0.255
 90 remark *********************************************************
 100 remark Deny port zero traffic
 102 deny tcp any any eq 0
 104 deny udp any any eq 0
 106 deny tcp any eq 0 any
 108 deny udp any eq 0 any
 110 remark Deny any spoofed Metronet IP blocks
 [ remaining removed ]

This access list is applied to interface ten0/0/0/1 and I understand that if I apply it with "hardware-count" I can get counters out of the hardware, so I add this to the interface:

ipv4 access-group internet-inbound ingress hardware-count
 

The command

show access-lists ipv4 internet-inbound

shows no change, however this command:

show access-lists ipv4 internet-inbound hardware ingress location 0/0/CPU0

Tue Mar 11 10:12:38.112 EDT
ipv4 access-list internet-inbound
 30 deny ipv4 any host 192.69.183.212 (8070 hw matches)
 70 deny ipv4 any 69.174.150.0 0.0.0.255 (5939129 hw matches)
 102 deny tcp any any eq 0 (150141 hw matches)
 104 deny udp any any eq 0 (24993 hw matches)
 106 deny tcp any eq 0 any (3648 hw matches)
 108 deny udp any eq 0 any (12395 hw matches)
 130 deny ipv4 69.174.128.0 0.0.31.255 any (314 hw matches)
 150 deny ipv4 69.174.160.0 0.0.15.255 any (3626 hw matches)
 [ deleted ]

However, I go to my other ASR9010 that is identically configured except for the "hardware-count" on the access-group:

RP/0/RSP0/CPU0:iplwin75csre08#show access-lists ipv4 internet-inbound hardware ingress location 0/0/CPU0
Tue Mar 11 11:04:46.001 EDT
ipv4 access-list internet-inbound
 30 deny ipv4 any host 192.69.183.212 (7970 hw matches)
 70 deny ipv4 any 69.174.150.0 0.0.0.255 (5617282 hw matches)
 102 deny tcp any any eq 0 (87733 hw matches)
 104 deny udp any any eq 0 (20207 hw matches)
 106 deny tcp any eq 0 any (7809 hw matches)
 108 deny udp any eq 0 any (17328 hw matches)
 130 deny ipv4 69.174.128.0 0.0.31.255 any (96706 hw matches)
 150 deny ipv4 69.174.160.0 0.0.15.255 any (176001 hw matches)
 170 deny ipv4 208.38.224.0 0.0.31.255 any (123785 hw matches)
 190 deny ipv4 184.170.160.0 0.0.15.255 any (23488 hw matches)
 210 deny ipv4 199.66.64.0 0.0.7.255 any (6530 hw matches)

[ deleted ]

I get the same thing?! Huh?!

Also the ONLY location that will work is 0/0/CPU0, I would expect 0/0/1 would be the location with the statistics.

Obviously I do not understand how access-list statistics work in ASR!

 

Tim
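As an added example (not from the thread, and not Cisco code), a small parser for the "hw matches" output format shown above that diffs two snapshots per ACE, so growth on a specific deny line can be tracked between polls; the two snapshots are constructed sample data modelled on the thread's output, not the original counters.

```python
import re
from typing import Dict, List, Tuple

# One ACE line of "show access-lists ipv4 <name> hardware ingress location <loc>",
# e.g. " 70 deny ipv4 any 69.174.150.0 0.0.0.255 (5939129 hw matches)".
ACE_RE = re.compile(r"^\s*(?P<seq>\d+)\s+(?P<ace>.+?)\s+\((?P<hits>\d+) hw matches\)\s*$")

# Two constructed snapshots of the same ACL a few minutes apart (sample data modelled
# on the thread's output format; the numbers are made up, not the original counters).
SNAPSHOT_T0 = """\
Tue Mar 11 10:12:38.112 EDT
ipv4 access-list internet-inbound
 30 deny ipv4 any host 192.69.183.212 (8070 hw matches)
 70 deny ipv4 any 69.174.150.0 0.0.0.255 (5939129 hw matches)
 102 deny tcp any any eq 0 (150141 hw matches)
 130 deny ipv4 69.174.128.0 0.0.31.255 any (314 hw matches)
"""
SNAPSHOT_T1 = """\
Tue Mar 11 10:22:06.703 EDT
ipv4 access-list internet-inbound
 30 deny ipv4 any host 192.69.183.212 (8075 hw matches)
 70 deny ipv4 any 69.174.150.0 0.0.0.255 (5941000 hw matches)
 102 deny tcp any any eq 0 (150141 hw matches)
 130 deny ipv4 69.174.128.0 0.0.31.255 any (12 hw matches)
"""

def parse_hw_counters(output: str) -> Dict[int, Tuple[str, int]]:
    """Return {sequence: (ace_text, hw_matches)}; remarks and header lines are skipped."""
    counters: Dict[int, Tuple[str, int]] = {}
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:
            counters[int(m.group("seq"))] = (m.group("ace"), int(m.group("hits")))
    return counters

def counter_deltas(before: Dict[int, Tuple[str, int]],
                   after: Dict[int, Tuple[str, int]]) -> List[Tuple[int, str, int]]:
    """Per-ACE growth between two snapshots, largest first. A negative delta means the
    counter went backwards (cleared, or line card reloaded) and is kept so it is noticed."""
    rows = []
    for seq, (ace, hits_after) in after.items():
        hits_before = before.get(seq, (ace, 0))[1]  # an ACE new since T0 counts from zero
        rows.append((seq, ace, hits_after - hits_before))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    t0, t1 = parse_hw_counters(SNAPSHOT_T0), parse_hw_counters(SNAPSHOT_T1)
    for seq, ace, delta in counter_deltas(t0, t1):
        print(f"{seq:>4} {delta:>+8}  {ace}")
```

Feed it two consecutive captures of the same "location" (per line card, or per port once "hardware-count interface-statistics" is configured) to see which deny lines are actually absorbing traffic.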

 

4 REPLIES
Cisco Employee


Hi Tim,

I believe that hw counters for 10 and 100G interfaces are enabled by default, so that should probably explain that situation.

The location keyword provides the target from where the hw counts have to be derived.

Stats manager periodically updates LC stats to the RP. If the location keyword is omitted we'll look at the RP.

Also, which version do you have here? If 423 there were some fixes in this regard in smu pack1; if you are on 434 you should be all fine.

regards

xander

Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR
New Member


Xander,

Running 4.3.2, I do not have pack1 installed yet.  Getting ready to update SMU's in the next couple of weeks.

 

thanks,

Tim

New Member


So Router A, has:

interface TenGigE0/0/0/1
 ipv4 access-group internet-inbound ingress

while Router B has:

interface TenGigE0/0/0/1
 ipv4 access-group internet-inbound ingress hardware-count

 

As Tim stated earlier, we get an identical output w/ hw-matches on Router A and Router B when we issue show access-list ipv4 internet-inbound hardware ingress location 0/0/CPU0. Is this command showing us access-list counters from the perspective of the LC CPU, not the 10GE interface per se?

 

Also, on Router B that has interface hardware-count enabled, we get the following when we run this:

RP/0/RSP0/CPU0:iplwin75csre09#sh access-lists ipv4 internet-inbound hardware ingress interface TenGigE 0/0/0/1 location 0/0/0
Tue Mar 11 14:18:27.305 EDT
Unrecognized location

 

This puzzles me a bit. Is there something else that you need to add first to actually pull access-list counters off the physical interfaces from the Interface Stats memory on the LC 0/0/0 ?

Cisco Employee


hi Derek,

You would get the "location" from the output of "show platform". IOS XR uses r/s/m/p or rack/slot/module or bay/port for standard port nomenclature (additional nomenclature for features like nV/ASR9K or port slicing/NCS).

Instead of 0/0/0, use 0/0/cpu0 for the location.

Regarding ACL statistics:

Use the "hardware-count" parameter to see acl hw counters per Line Card.

Use the "hardware-count interface-statistics" parameter to see acl hw counters per physical port on a given linecard.
