Because for IPv4 traffic the ACLs are served in hardware (PFCs/DFCs using the
TCAM table), you can find more statistics when using ACLs with:
show tcam interface xxx acl in ip [detail]
show tcam interface xxx qos in ip [detail] (I'm not so familiar with this one)
There are some constraints:
1. The PFCs/DFCs should be 3B series or above.
2. If the interface is located on a DFC card you must specify the slot, as in:
show tcam interface xxx acl in ip module yy
Hope it helps.
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Lala Lander
Sent: 26 October 2009 21:14
To: Iwan Hoogendoorn
Cc: mike arnold; Cisco certification
Subject: Re: No hit counts for Access-list.
This is a classic misconception and a must-ask interview question from my
side :-)
Will permit ip match ICMP traffic? 95% of engineers answer no!
ICMP rides over IP (protocol 1) and hence will be matched by permit ip.
Mike, your issue is 6500 hardware: as it processes everything in hardware,
you see very few or no ACL hits. Try adding the log keyword and the world
will change ;-)
On Mon, Oct 26, 2009 at 5:31 AM, Iwan Hoogendoorn <iwan_at_ipexpert.com>
wrote:
> Mike,
>
> If you want to count ping packets you should create an ACL that
> matches ICMP and not IP.
>
> --
> Regards,
>
> Iwan Hoogendoorn
> CCIE #13084 (R&S / Security / SP)
> Sr. Support Engineer IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> On Mon, Oct 26, 2009 at 11:41 AM, mike arnold
<haynessmith70_at_gmail.com>
> wrote:
> > Hi,
> >
> > I am classifying traffic on Core 6500 for a customer A by extended
> > access-list: access-list 101 permit 10.10.10.1 0.0.0.7 host
> > 10.30.30.1, a subnet configured on the DS switch facing customer A. I am
> > calling this access-list in a class-map for classification of traffic and
> > I am doing policing for traffic at 4MBps at the egress interface on the
> > core facing the ISP router. The connection to the ISP is back-to-back
> > VRF. I have created a virtual interface on the core for each customer and
> > a layer 2 trunk is connected to the ISP router.
> >
> > When I do an extended ping vrf for customer B from DS with the source IP
> > configured in the access-list, I don't see any hit counts on the
> > access-list.
> >
> > Scenario:
> >
> > A---DS----CORE---ISP/PE--P----PE---B
> >
> > CORE Configs
> >
> > The configs are on Core.
> >
> > Extended IP access list 101
> > 10 permit ip 10.10.10.0 0.0.0.7 host 10.30.30.1
> >
> > CORE#sh class-map test
> > Class Map match-all test (id 1)
> > Match access-group 101
> > Class Map match-any class-default (id 0)
> > Match any
> >
> > CORE#sh policy-map 4MB
> > Policy Map 4MB
> > Class test
> > police cir 4000000 bc 125000 be 125000
> > conform-action transmit
> > exceed-action transmit
> > violate-action drop
> >
> > CORE#sh run int vlan X
> > Building configuration...
> > Current configuration : 202 bytes
> > !
> > interface Vlan X
> > description connected to ISP for A
> > ip vrf forwarding A
> > ip address 10.X.X.X 255.255.255.254
> > ip flow ingress
> > service-policy output 4MB
> > end
> >
> > DIST#sh run int gig3/1
> > Building configuration...
> > Current configuration : 174 bytes
> > !
> > interface GigabitEthernet3/1
> > description Connected to link customer A
> > ip vrf forwarding A
> > ip address 10.10.10.1 255.255.255.248
> >
> > Thanks
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> >
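The "will permit ip match ICMP" point above, as an added example that is not part of the thread: a small Python model of classic IOS extended-ACL matching (wildcard masks, the ip protocol keyword acting as a wildcard over every IP protocol, first-match with the implicit deny at the end). It evaluates a few constructed packets against the thread's ACL 101 and against a variant with an ICMP-only entry first, so you can see why "permit ip" counts pings and why a separate "permit icmp" line would count them on their own, as Iwan suggested. The packet samples are made up for the demo, and the hit counters here are software counters, which is exactly what stays at zero on a 6500 where the match is done in the PFC/DFC TCAM; that is why the thread points at "show tcam interface ... acl in ip" or the log keyword instead.

```python
import ipaddress
from dataclasses import dataclass

# IOS protocol keywords mapped to IP protocol numbers. "ip" is the wildcard:
# it matches every IP protocol, ICMP (1) included.
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}


def _addr(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


@dataclass
class Ace:
    """One access-control entry of an extended ACL."""
    seq: int
    action: str      # "permit" or "deny"
    proto: str       # key of PROTO
    src: int         # source address as an int
    src_wc: int      # wildcard mask: set bits are "don't care"
    dst: int
    dst_wc: int
    hits: int = 0    # software match counter, as 'show access-lists' prints


def parse_ace(line):
    """Parse one extended-ACL line in IOS syntax, e.g.
    '10 permit ip 10.10.10.0 0.0.0.7 host 10.30.30.1'."""
    toks = line.split()
    seq = int(toks.pop(0)) if toks[0].isdigit() else 0
    action, proto = toks.pop(0).lower(), toks.pop(0).lower()
    if action not in ("permit", "deny") or proto not in PROTO:
        raise ValueError("unsupported ACE: %s" % line)

    def pop_addr():
        tok = toks.pop(0)
        if tok == "any":
            return 0, 0xFFFFFFFF
        if tok == "host":
            return _addr(toks.pop(0)), 0
        return _addr(tok), _addr(toks.pop(0))

    src, src_wc = pop_addr()
    dst, dst_wc = pop_addr()
    return Ace(seq, action, proto, src, src_wc, dst, dst_wc)


def _wc_match(addr, base, wc):
    """Wildcard-mask comparison: bits set in wc are ignored."""
    keep = ~wc & 0xFFFFFFFF
    return (addr & keep) == (base & keep)


def ace_matches(ace, pkt):
    """pkt is a dict with 'proto' (IP protocol number), 'src' and 'dst'."""
    want = PROTO[ace.proto]
    if want is not None and pkt["proto"] != want:
        return False
    return (_wc_match(_addr(pkt["src"]), ace.src, ace.src_wc)
            and _wc_match(_addr(pkt["dst"]), ace.dst, ace.dst_wc))


class Acl:
    """First-match evaluation with the implicit 'deny ip any any' at the end."""

    def __init__(self, lines):
        self.aces = [parse_ace(line) for line in lines]

    def evaluate(self, pkt):
        for ace in self.aces:
            if ace_matches(ace, pkt):
                ace.hits += 1
                return ace.action
        return "deny"

    def hits(self):
        return {ace.seq: ace.hits for ace in self.aces}


# Constructed sample traffic (not captured from the thread's network):
# a ping from the DS-side subnet, a TCP flow from the same subnet, and a ping
# from an address just outside the /29 that the wildcard 0.0.0.7 covers.
PACKETS = [
    {"proto": 1, "src": "10.10.10.1", "dst": "10.30.30.1"},   # ICMP echo
    {"proto": 6, "src": "10.10.10.6", "dst": "10.30.30.1"},   # TCP
    {"proto": 1, "src": "10.10.10.9", "dst": "10.30.30.1"},   # outside /29
]


def run_demo():
    """Evaluate the sample packets against two ACLs and return the counters."""
    # ACL 101 exactly as posted in the thread: 'permit ip' matches ICMP too.
    acl101 = Acl(["10 permit ip 10.10.10.0 0.0.0.7 host 10.30.30.1"])
    # A variant with an ICMP-only entry first, so pings are counted separately.
    acl_icmp = Acl(["10 permit icmp 10.10.10.0 0.0.0.7 host 10.30.30.1",
                    "20 permit ip 10.10.10.0 0.0.0.7 host 10.30.30.1"])
    decisions = {
        "acl101": [acl101.evaluate(p) for p in PACKETS],
        "acl_icmp": [acl_icmp.evaluate(p) for p in PACKETS],
    }
    return decisions, acl101.hits(), acl_icmp.hits()


if __name__ == "__main__":
    decisions, hits101, hits_icmp = run_demo()
    print("ACL 101 decisions:", decisions["acl101"], "hits:", hits101)
    print("ICMP-first ACL decisions:", decisions["acl_icmp"], "hits:", hits_icmp)
```

Running it shows ACL 101 permitting both the ping and the TCP flow on the same entry (two hits on sequence 10) and denying the 10.10.10.9 ping, which falls outside the 0.0.0.7 wildcard; the ICMP-first ACL splits the same traffic across sequence 10 and 20. One caveat on the log suggestion from the thread: it makes the counters move because logged packets are punted to the route processor, so use it briefly for troubleshooting rather than leaving it on a production core.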
Received on Tue Oct 27 2009 - 10:07:45 ART
This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:01 ART