ACL logging operation

When the switch detects a packet match with an ACE that includes both the deny action and the optional log parameter, an ACL log message is sent to the designated debug destination. The first time a packet matches an ACE configured with deny and log, the message is sent immediately to the destination and the switch starts a wait period of approximately five minutes (the exact duration depends on how the packets are internally routed). At the end of this collection period, the switch sends a single-line summary of any additional "deny" matches for that ACE, and of any other "deny" ACEs for which the switch detected a match. If no further log messages are generated during the wait period, the switch suspends the timer and resets itself to send a message as soon as a new "deny" match occurs. The data in the message includes the information illustrated in the following figure.

Content of a message generated by an ACL-deny action

Syntax


show statistics

aclv4 acl-name-str port port-#

aclv4 acl-name-str vlan vid {in | out | vlan}

aclv6 acl-name-str port port-#

aclv6 acl-name-str vlan vid vlan

Displays the current match (hit) count per ACE for the specified IPv4 or IPv6 static ACL assignment on a specific interface.

For example:

switch# show statistics aclv6 IPV6-ACL vlan 20 vlan
HitCounts for ACL IPV6-ACL
 Total Delta
 ( 12) ( 2) 10 permit icmp ::/0 fe80::20:2/128 128
 ( 6) ( 0) 20 deny tcp ::/0 fe80::20:2/128 eq 23 log
 ( 41) ( 10) 30 permit ipv6 ::/0 ::/0

The command displays a counter for each ACE in an ACL assigned to an interface on the switch:

Total

This column lists the running total of the matches the switch has detected for the ACEs in an applied ACL since the ACL's counters were last reset, and includes the match count listed in the Delta column for the same ACE.

ACE Counter Operation

For a given ACE in an assigned ACL, both counters increment by 1 each time the switch detects a packet that matches the criteria in that ACE. However, the Total counter maintains the running total of the matches since the last reset, while the Delta counter shows only the number of matches since either the last show statistics {[aclv4] | [aclv6]} command or the last time all counters in the ACL were reset.

For example, in the output below there have been a total of 37 matches on the ACE in line 10 since the last time the ACL's counters were reset, and 9 of those matches have occurred since the last show statistics aclv4 command.

Total Delta
 ( 37) ( 9) 10 permit ip 0.0.0.0 255.255.255...
NOTE:

This ACL monitoring feature does not include hits on the "implicit deny" that is included at the end of all ACLs.

Resetting ACE Hit Counters to Zero:
  • Removing an ACL from an interface zeros the ACL's ACE counters for that interface only.

  • For a given ACL, either of the following actions clears the ACE counters to zero for all interfaces to which the ACL is assigned:
    • adding or removing a permit or deny ACE in the ACL

    • rebooting the switch
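The Total/Delta counter behaviour and the reset rules above, as an added example that is not part of the manual or the switch software: a constructed Python model of per-interface ACE hit counters, with constructed traffic and a hypothetical "vlan20" interface.

```python
class Ace:  # one ACE: sequence number, action and a match predicate over a packet dict
    def __init__(self, seq, action, match):
        self.seq, self.action, self.match = seq, action, match

class AclHitCounters:
    """Constructed model of per-interface Total/Delta hit counters for one static ACL."""
    def __init__(self, name, aces):
        self.name, self.aces = name, sorted(aces, key=lambda a: a.seq)
        self.counts = {}  # (interface, seq) -> [total, delta]

    def assign(self, interface):
        for ace in self.aces:
            self.counts[(interface, ace.seq)] = [0, 0]

    def remove(self, interface):  # zeros the counters for that interface only
        for ace in self.aces:
            self.counts.pop((interface, ace.seq), None)

    def reset_all(self):  # adding/removing an ACE (or a reboot) zeros every interface
        for c in self.counts.values():
            c[0] = c[1] = 0

    def process(self, interface, packet):
        """Apply the ACL to one packet on an interface; returns the action taken."""
        for ace in self.aces:
            if ace.match(packet):
                c = self.counts[(interface, ace.seq)]
                c[0] += 1; c[1] += 1  # Total and Delta both increment on every match
                return ace.action
        return "deny"  # implicit deny at the end of every ACL is not counted

    def show_statistics(self, interface):
        """Like 'show statistics': return (Total, Delta, seq, action) rows, then clear Delta."""
        rows = []
        for ace in self.aces:
            c = self.counts[(interface, ace.seq)]
            rows.append((c[0], c[1], ace.seq, ace.action))
            c[1] = 0
        return rows

def demo():
    # Constructed traffic on vlan20: three ICMP hits, one Telnet deny, one UDP packet (implicit deny).
    acl = AclHitCounters("IPV6-ACL", [Ace(10, "permit", lambda p: p["proto"] == "icmp"),
                                      Ace(20, "deny", lambda p: p["proto"] == "tcp" and p.get("dport") == 23)])
    acl.assign("vlan20")
    for p in [{"proto": "icmp"}] * 3 + [{"proto": "tcp", "dport": 23}, {"proto": "udp", "dport": 53}]:
        acl.process("vlan20", p)
    first = acl.show_statistics("vlan20")  # Delta is cleared after this display
    acl.process("vlan20", {"proto": "icmp"})
    return first, acl.show_statistics("vlan20")
```

The second display shows Total still climbing (4) while Delta restarts from the previous display (1), and the UDP packet that hit only the implicit deny appears in neither column.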

Example of ACL Performance Monitoring

The following figure shows a sample of performance monitoring output for an IPv6 ACL assigned as a VACL.

The following figure shows a sample of performance monitoring output for an IPv4 ACL assigned as a VACL.