When the 6500 uses hardware to process packets you will not see any matches.
Matches are only shown in software.
To force software packet switching you can add a log statement at the end
of each line of your ACL.
I am pretty sure this is the case.
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Robert Steeneken
Sent: Monday, October 26, 2009 8:35 AM
To: Ryan West
Cc: Rick Mur; Iwan Hoogendoorn; mike arnold; Cisco certification
Subject: Re: No hit counts for Access-list.
Just checked my 6500, which has had a service-policy for two years now, and the
acl hits are very very low, while the show service policy interface shows
a lot of packets per second.
On Mon, Oct 26, 2009 at 2:29 PM, Ryan West <rwest_at_zyedge.com> wrote:
> Rick,
>
> You should get ACL hits for class-map hits, although the behavior may be
> different on a 6500.
>
> Class-map: xo-out (match-any)
> 35652148 packets, 7992116020 bytes
> 5 minute offered rate 10000 bps, drop rate 0 bps
> Match: access-group name xo-out
> 35652157 packets, 7992116755 bytes
> 5 minute rate 10000 bps
>
> Extended IP access list xo-out
> 10 permit ip host x.x.x.x any (71305108 matches)
> 20 permit ip any host x.x.x.x (88200420 matches)
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Rick Mur
> Sent: Monday, October 26, 2009 9:23 AM
> To: Iwan Hoogendoorn
> Cc: mike arnold; Cisco certification
> Subject: Re: No hit counts for Access-list.
>
> Try putting the ACL on the interface instead of in the class-map. I don't
> know if you see ACL hits if it's used within a class-map.
>
> If you issue the 'show policy-map interface' you should see traffic being
> matched by that class. Which is another way of seeing if the traffic really
> hits your QoS policy.
>
> And an ACL that matches IP traffic also matches ICMP traffic, so no need for
> changing that :-)
>
> --
>
> Regards,
>
> Rick Mur
> CCIE2 #21946 (R&S / Service Provider)
> Sr. Support Engineer IPexpert, Inc.
> URL: http://www.IPexpert.com
>
>
> On Mon, Oct 26, 2009 at 1:31 PM, Iwan Hoogendoorn <iwan_at_ipexpert.com>
> wrote:
>
> > Mike,
> >
> > If you want to count ping packets you should create an ACL that
> > matches ICMP and not IP.
> >
> > --
> > Regards,
> >
> > Iwan Hoogendoorn
> > CCIE #13084 (R&S / Security / SP)
> > Sr. Support Engineer IPexpert, Inc.
> > URL: http://www.IPexpert.com
> >
> > On Mon, Oct 26, 2009 at 11:41 AM, mike arnold <haynessmith70_at_gmail.com>
> > wrote:
> > > Hi,
> > >
> > > Am classifying traffic on Core 6500 for a customer A by Extended
> > > access-list. access-list 101 permit 10.10.10.1 0.0.0.7 host
> > > 10.30.30.1, Subnet configured on DS switch facing to customer A. Am
> > > calling this access-list in class-map for classification of traffic and am
> > > doing policing for traffic at 4MBps, at egress interface on core facing to
> > > ISP router. The connection to ISP is back to back VRF. I have created a
> > > virtual interface on core for each customer and a layer 2 trunk is
> > > connected to ISP router.
> > >
> > > When I do an extended ping vrf for customer B from DS with source IP of
> > > access-list configured I don't see any hit counts on access-list.
> > >
> > > Scenario:
> > >
> > > A---DS----CORE---ISP/PE--P----PE---B
> > >
> > > CORE Configs
> > >
> > > The configs are on Core.
> > >
> > > Extended IP access list 101
> > > 10 permit ip 10.10.10.0 0.0.0.7 host 10.30.30.1
> > >
> > > CORE#sh class-map test
> > > Class Map match-all test (id 1)
> > > Match access-group 101
> > > Class Map match-any class-default (id 0)
> > > Match any
> > >
> > > CORE #sh policy-map 4MB
> > > Policy Map 4MB
> > > Class test
> > > police cir 4000000 bc 125000 be 125000
> > > conform-action transmit
> > > exceed-action transmit
> > > violate-action drop
> > >
> > > CORE #sh run int vlan X
> > > Building configuration...
> > > Current configuration : 202 bytes
> > > !
> > > interface Vlan X
> > > description connected to ISP for A
> > > ip vrf forwarding A
> > > ip address 10.X.X.X 255.255.255.254
> > > ip flow ingress
> > > service-policy output 4MB
> > > end
> > >
> > > DIST#sh run int gig3/1
> > > Building configuration...
> > > Current configuration : 174 bytes
> > > !
> > > interface GigabitEthernet3/1
> > > description Connected to link customer A
> > > ip vrf forwarding A
> > > ip address 10.10.10.1 255.255.255.248
> > >
> > > Thanks
> > >
Received on Mon Oct 26 2009 - 08:43:02 ART