Monitoring static ACL performance

ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface. This can help in determining whether a particular traffic type is being filtered by the intended ACE in an assigned list, or if traffic from a particular device or network is being filtered as intended.

Syntax:

<show|clear> statistics
   aclv4 <acl-name-str> port <port-#>
   aclv4 <acl-name-str> vlan <vid> <vlan>
   aclv6 <acl-name-str> port <port-#>
   aclv6 <acl-name-str> vlan <vid> <vlan>

Displays or resets the current match (hit) count per ACE for the specified IPv6 or IPv4 static ACL assignment on a specific interface.

show: Displays the current match (hit) count per ACE for the specified IPv6 or IPv4 static ACL assignment on a specific interface.

clear: Resets ACE hit counters to zero for the specified IPv6 or IPv4 static ACL assignment on a specific interface.

Total: This column lists the running total of the matches the switch has detected for the ACEs in an applied ACL since the ACL’s counters were last reset to 0 (zero).

IPv6 and IPv4 ACL statistics

switch# show statistics aclv6 IPV6-ACL vlan 20 vlan
 
 HitCounts for ACL IPV6-ACL

  Total
(   12)  10 permit icmp ::/0 fe80::20:2/128
(    6)  20 deny tcp ::/0 fe80::20:2/128 eq 23 log
(   41)  30 permit ipv6 ::/0 ::/0

switch# show statistics aclv4 102 vlan 20 vlan

 HitCounts for ACL 102

  Total
(   4)  10 permit icmp 10.10.20.3 0.0.0.0 10.10.20.2 0.0.0.0 8
(   8)  20 deny icmp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8
(   2)  30 permit tcp 10.10.20.3 0.0.0.255 10.10.20.2 0.0.0.255 eq 23
(   2)  55 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8
( 125)  60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

ACE counter operation: For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the criteria in that ACE, and maintains a running total of the matches since the last counter reset.

NOTE:

This ACL monitoring feature does not include hits on the “implicit deny” that is included at the end of all ACLs.

Resetting ACE hit counters to zero:

  • Using the clear statistics command resets the ACE counters for the specified ACL assignment on the specified interface.

  • Removing an ACL from an interface zeros the ACL’s ACE counters for that interface only.

  • For a given ACL, either of the following actions clears the ACE counters to zero for all interfaces to which the ACL is assigned:
    • adding or removing a permit or deny ACE in the ACL
    • rebooting the switch

The following example shows a sample of performance monitoring output for an IPv6 ACL assigned as a VACL.

IPv6 ACL performance monitoring output

switch# show statistics aclv6 V6-02 vlan 20 vlan

 HitCounts for ACL V6-02

  Total
(   5) 10 permit icmp ::/0 fe80::20:2/128
(   4) 20 permit icmp ::/0 fe80::20:3/128
( 136) 30 permit tcp fe80::20:1/128 ::/0 eq 23
(   2) 40 deny icmp ::/0 fe80::20:1/128
(  10) 50 deny tcp ::/0 ::/0 eq 23
(   8) 60 deny icmp ::/0 ::/0
( 155) 70 permit ipv6 ::/0 ::/0

The following example shows a sample of performance monitoring output for an IPv4 ACL assigned as a VACL.

IPv4 ACL performance monitoring output

switch# show statistics aclv4 102 vlan 20 vlan

 HitCounts for ACL 102

  Total
(  1) 10 permit icmp 10.10.20.3 0.0.0.0 10.10.20.2 0.0.0.0 8
(  2) 20 deny icmp 10.10.20.3 0.0.0.0 10.10.20.1 0.0.0.0 8 log
(  2) 30 deny icmp 10.10.20.2 0.0.0.0 10.10.20.3 0.0.0.0 8 log
(  1) 40 deny icmp 10.10.20.2 0.0.0.0 10.10.20.1 0.0.0.0 8 log
( 10) 50 deny tcp 10.10.20.2 0.0.0.255 10.10.20.3 0.0.0.255 eq 23 log
( 27) 60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

The following example uses the counter activity in IPv6 ACL performance monitoring output to demonstrate using clear statistics to reset the counters to zero.

IPv6 ACL performance monitoring output

switch# show statistics aclv6 V6-02 vlan 20 vlan

 HitCounts for ACL V6-02

  Total

(   5) 10 permit icmp ::/0 fe80::20:2/128 128
(   4) 20 permit icmp ::/0 fe80::20:3/128 128
( 136) 30 permit tcp fe80::20:1/128 ::/0 eq 23
(   2) 40 deny icmp ::/0 fe80::20:1/128 128
(  10) 50 deny tcp ::/0 ::/0 eq 23
(   8) 60 deny icmp ::/0 ::/0 133
( 155) 70 permit ipv6 ::/0 ::/0

switch# clear statistics aclv6 V6-02 vlan 20 vlan
switch# show statistics aclv6 V6-02 vlan 20 vlan

 HitCounts for ACL V6-02
 
  Total

(   0) 10 permit icmp ::/0 fe80::20:2/128 128
(   0) 20 permit icmp ::/0 fe80::20:3/128 128
(   0) 30 permit tcp fe80::20:1/128 ::/0 eq 23
(   0) 40 deny icmp ::/0 fe80::20:1/128 128
(   0) 50 deny tcp ::/0 ::/0 eq 23
(   0) 60 deny icmp ::/0 ::/0 133
(   0) 70 permit ipv6 ::/0 ::/0
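The hit counters above are running totals, so a monitoring script that polls show statistics has to take the difference between two polls and recognise when a counter has been reset (clear statistics, an ACE added or removed, or a reboot). The following Python is an added example, not code from the switch documentation: it parses the HitCounts output format shown on this page, computes per-ACE deltas between two polls, treats a counter that is lower than at the previous poll as reset, and lists the deny ACEs that matched traffic in the interval. The snapshot text is constructed from the V6-02 example on this page; the later polls and their counter values are made up for illustration. Note that the implicit deny at the end of the ACL is not shown in the output, so traffic it drops never appears in any of these totals.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the V6-02 output format from this page, as read from the CLI.
SNAPSHOT_T0 = """\
 HitCounts for ACL V6-02

  Total
(   5) 10 permit icmp ::/0 fe80::20:2/128 128
(   4) 20 permit icmp ::/0 fe80::20:3/128 128
( 136) 30 permit tcp fe80::20:1/128 ::/0 eq 23
(   2) 40 deny icmp ::/0 fe80::20:1/128 128
(  10) 50 deny tcp ::/0 ::/0 eq 23
(   8) 60 deny icmp ::/0 ::/0 133
( 155) 70 permit ipv6 ::/0 ::/0
"""

# Constructed second poll: counters only grew (no reset in between).
SNAPSHOT_T1 = """\
 HitCounts for ACL V6-02

  Total
(   5) 10 permit icmp ::/0 fe80::20:2/128 128
(   6) 20 permit icmp ::/0 fe80::20:3/128 128
( 140) 30 permit tcp fe80::20:1/128 ::/0 eq 23
(   2) 40 deny icmp ::/0 fe80::20:1/128 128
(  13) 50 deny tcp ::/0 ::/0 eq 23
(   8) 60 deny icmp ::/0 ::/0 133
( 160) 70 permit ipv6 ::/0 ::/0
"""

# Constructed third poll: someone ran "clear statistics" between polls, so every
# total is lower than before and the new totals are the matches since the reset.
SNAPSHOT_T2 = """\
 HitCounts for ACL V6-02

  Total
(   0) 10 permit icmp ::/0 fe80::20:2/128 128
(   1) 20 permit icmp ::/0 fe80::20:3/128 128
(   2) 30 permit tcp fe80::20:1/128 ::/0 eq 23
(   1) 40 deny icmp ::/0 fe80::20:1/128 128
(   0) 50 deny tcp ::/0 ::/0 eq 23
(   0) 60 deny icmp ::/0 ::/0 133
(   3) 70 permit ipv6 ::/0 ::/0
"""

# One ACE line: "(  total) seq permit|deny proto <rest of the ACE>"
ACE_LINE = re.compile(r"^\(\s*(\d+)\)\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
ACL_HEADER = re.compile(r"^\s*HitCounts for ACL (\S+)")


@dataclass(frozen=True)
class AceHit:
    total: int     # running match count since the last counter reset
    seq: int       # ACE sequence number within the ACL
    action: str    # "permit" or "deny"
    proto: str     # icmp, tcp, ipv6, ip, ...
    rest: str      # remaining ACE text (addresses, ports, ICMP type, log)


def parse_hitcounts(text: str) -> Tuple[str, Dict[int, AceHit]]:
    """Parse one "show statistics acl..." output into (acl_name, {seq: AceHit})."""
    acl_name = None
    entries: Dict[int, AceHit] = {}
    for raw in text.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            acl_name = header.group(1)
            continue
        ace = ACE_LINE.match(line)
        if ace:
            total, seq, action, proto, rest = ace.groups()
            entries[int(seq)] = AceHit(int(total), int(seq), action, proto, rest)
    if acl_name is None:
        raise ValueError("no 'HitCounts for ACL' header found")
    return acl_name, entries


def reset_detected(before: Dict[int, AceHit], after: Dict[int, AceHit]) -> bool:
    """True if any counter went backwards, which only happens after a reset."""
    return any(seq in before and cur.total < before[seq].total for seq, cur in after.items())


def ace_deltas(before: Dict[int, AceHit], after: Dict[int, AceHit]) -> Dict[int, int]:
    """Matches per ACE between two polls; after a reset the new total is the delta."""
    deltas: Dict[int, int] = {}
    for seq, cur in after.items():
        prev = before.get(seq)
        if prev is None or cur.total < prev.total:
            deltas[seq] = cur.total          # new ACE or counters were cleared
        else:
            deltas[seq] = cur.total - prev.total
    return deltas


def deny_hits(after: Dict[int, AceHit], deltas: Dict[int, int]) -> List[Tuple[int, int, str]]:
    """Deny ACEs that matched traffic in the interval, as (seq, matches, ace_text)."""
    return [(seq, deltas[seq], e.rest)
            for seq, e in sorted(after.items())
            if e.action == "deny" and deltas[seq] > 0]


if __name__ == "__main__":
    name, t0 = parse_hitcounts(SNAPSHOT_T0)
    _, t1 = parse_hitcounts(SNAPSHOT_T1)
    _, t2 = parse_hitcounts(SNAPSHOT_T2)
    for label, prev, cur in (("t0->t1", t0, t1), ("t1->t2", t1, t2)):
        d = ace_deltas(prev, cur)
        print(label, name, "reset" if reset_detected(prev, cur) else "no reset", d)
        print("  deny ACEs with new matches:", deny_hits(cur, d))
```

Only the denied-traffic report is singled out because a deny ACE that suddenly starts counting is what usually merits a look; a permit ACE whose count stops growing while traffic continues is the complementary sign that packets are being matched by an earlier entry than intended.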