Monitoring static ACL usage

ACL statistics counters provide a means of monitoring ACL performance: they display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface. This can help, for example, to determine whether a particular traffic type is being filtered by the intended ACE in an assigned list, or whether traffic from a particular device or network is being filtered as intended.

NOTE:

This section describes the command for monitoring static ACL performance. To monitor RADIUS-assigned ACL performance, use either of the following commands:

show access-list radius <all|port-list>

show access-list <authenticator|mac-based|web-based> clients <port-list> detailed

See the latest ArubaOS-Switch Access Security Guide for your switch.

Syntax:

<show|clear> statistics

Switch# show statistics aclv6 TEST-01 vlan 20 <vlan-in|vlan-out>
 HitCounts for ACL IPV6-ACL
  Total
(12)   10 permit icmp ::/0 fe80::20:2/128 128
(6)   20 deny tcp ::/0 fe80::20:2/128 eq 23 log
(41)   30 permit ipv6 ::/0 ::/0

Switch# show statistics aclv4 102 vlan 20 <vlan-in|vlan-out>
 HitCounts for ACL 102
  Total
(4)  10 permit icmp 10.10.20.3 0.0.0.0 10.10.20.2 0.0.0.0 8
(8)  20 deny icmp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8
(2)  30 permit tcp 10.10.20.3 0.0.0.255 10.10.20.2 0.0.0.255 eq 23
(2)  55 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8
(125)  60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
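The following Python script is an added example for working with the hit-count output above; it is not part of this guide or of the ArubaOS-Switch software. It parses the two sample outputs, reports which deny ACEs are actively matching traffic, lists ACEs that have never matched (candidates for review as redundant or shadowed entries), and computes the per-ACE increase between two polls of the same ACL, allowing for a counter reset caused by clear statistics. The later poll of ACL 102 is a constructed sample, and the prompt's <vlan-in|vlan-out> placeholder is filled in with vlan-in.

```python
"""Parse ArubaOS-Switch 'show statistics aclv4|aclv6' hit-count output and
summarise which ACEs are matching traffic.

Added example, not vendor code. SAMPLE_OUTPUT reproduces the two outputs
shown on the page; LATER_POLL_102 is a constructed second poll of ACL 102."""

from __future__ import annotations

import re
from dataclasses import dataclass

ACL_HEADER = re.compile(r"^\s*HitCounts for ACL\s+(\S+)\s*$")
ACE_LINE = re.compile(r"^\((\d+)\)\s+(\d+)\s+(permit|deny)\s+(.*\S)\s*$")


@dataclass
class AceHits:
    seq: int      # ACE sequence number within the ACL
    action: str   # "permit" or "deny"
    match: str    # remainder of the ACE: protocol, source, destination, options
    hits: int     # cumulative match count reported by the switch


def parse_hit_counts(output: str) -> dict[str, list[AceHits]]:
    """Return {acl_name: [AceHits, ...]} for every ACL found in the output.

    Prompt lines, the 'Total' column header and blank lines are ignored,
    so a raw terminal capture can be passed in directly."""
    acls: dict[str, list[AceHits]] = {}
    current = None
    for line in output.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = ACE_LINE.match(line)
        if m and current is not None:
            hits, seq, action, match = m.groups()
            acls[current].append(AceHits(int(seq), action, match, int(hits)))
    return acls


def deny_hits(aces: list[AceHits]) -> list[AceHits]:
    """Deny ACEs with a non-zero count, i.e. entries currently blocking traffic."""
    return [a for a in aces if a.action == "deny" and a.hits > 0]


def unused_aces(aces: list[AceHits]) -> list[AceHits]:
    """ACEs that have never matched; worth reviewing as redundant or shadowed."""
    return [a for a in aces if a.hits == 0]


def hit_deltas(before: list[AceHits], after: list[AceHits]) -> dict[int, int]:
    """Per-ACE increase in hits between two polls of the same ACL.

    Counters are cumulative until 'clear statistics' is issued. If a counter
    went down, a reset happened between polls, and the new value is the best
    available count of matches since that reset."""
    prev = {a.seq: a.hits for a in before}
    deltas: dict[int, int] = {}
    for a in after:
        old = prev.get(a.seq, 0)
        deltas[a.seq] = a.hits - old if a.hits >= old else a.hits
    return deltas


# The two outputs shown on the page (placeholder resolved to vlan-in).
SAMPLE_OUTPUT = """\
Switch# show statistics aclv6 TEST-01 vlan 20 vlan-in
 HitCounts for ACL IPV6-ACL
  Total
(12)   10 permit icmp ::/0 fe80::20:2/128 128
(6)   20 deny tcp ::/0 fe80::20:2/128 eq 23 log
(41)   30 permit ipv6 ::/0 ::/0

Switch# show statistics aclv4 102 vlan 20 vlan-in
 HitCounts for ACL 102
  Total
(4)  10 permit icmp 10.10.20.3 0.0.0.0 10.10.20.2 0.0.0.0 8
(8)  20 deny icmp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8
(2)  30 permit tcp 10.10.20.3 0.0.0.255 10.10.20.2 0.0.0.255 eq 23
(2)  55 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8
(125)  60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

# Constructed later poll of ACL 102: ACE 20 gained 5 matches, ACE 55 was
# cleared in between (count is now lower), all other counters unchanged.
LATER_POLL_102 = """\
 HitCounts for ACL 102
  Total
(4)  10 permit icmp 10.10.20.3 0.0.0.0 10.10.20.2 0.0.0.0 8
(13)  20 deny icmp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8
(2)  30 permit tcp 10.10.20.3 0.0.0.255 10.10.20.2 0.0.0.255 eq 23
(1)  55 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8
(125)  60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

if __name__ == "__main__":
    acls = parse_hit_counts(SAMPLE_OUTPUT)
    for name, aces in acls.items():
        print(f"ACL {name}: {len(aces)} ACEs, {sum(a.hits for a in aces)} total hits")
        for a in deny_hits(aces):
            print(f"  ACE {a.seq} is blocking traffic: {a.hits} matches ({a.match})")
        for a in unused_aces(aces):
            print(f"  ACE {a.seq} has never matched")
    later = parse_hit_counts(LATER_POLL_102)["102"]
    print("ACL 102 hits since previous poll:", hit_deltas(acls["102"], later))
```

Polling with hit_deltas rather than reading the raw counters is what makes the output useful for detection: a deny ACE whose delta jumps between polls indicates a change in blocked traffic, while a permanently zero counter on an ACE that should be matching indicates the list is applied in the wrong direction, or an earlier ACE is shadowing it.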