show access-list hitcounts


show access-list hitcounts {ip|ipv6|mac} <ACL-NAME> [interface
<ID> [{in|out}]] [vsx-peer]


Shows the number of times an ACL has matched a packet/frame. The command applies to ACEs with the count keyword in the specified ACL. If an entry does not have the count keyword enabled, it will show the dash character instead of a hit count.

Command context

Operator (>) or Manager (#)



Specifies an ACL type to display information for (ip for IPv4, ipv6 for IPv6 or mac for MAC ACL).


Specifies an ACL to display information for.

interface <ID>

Specifies an interface to display information for.


Selects in to view information for inbound (ingress) traffic or out to view information for outbound (egress) traffic.


Shows the output from the VSX peer switch. If the switches do not have the VSX configuration or the ISL is down, the output from the VSX peer switch is not displayed.


Operators or Administrators. Users without administrator authority can execute this command from the operator context (>) only.


Displaying the hit counts:

switch# show access-list hitcounts ip MY_ACL interface 1/1/1
Statistics for ACL MY_ACL (ipv4):
interface 1/1/1* (in):
           Hit Count  Configuration
                   -  10 permit udp any
                   -  20 permit tcp gt 1023 any
                   -  30 permit tcp any syn ack dscp 10
                   0  40 deny any any any count
* access-list statistics are shared among all applied interfaces
  use 'access-list TYPE NAME copy' to create a uniquely-named access-list