show access-list hitcounts

Syntax


show access-list hitcounts { [{ip|ipv6|mac} <ACL-NAME>]
                             [interface <IF-NAME> [in|out] |
                              vlan <VLAN-ID> [in]] [vsx-peer] }

Description

Shows the hit count (the number of times an ACL has matched a packet or frame) for each ACE configured with the count keyword. For ACEs without the count keyword, a dash is shown in place of a hit count.

Command context

Operator (>) or Manager (#)

Parameters

ip|ipv6|mac

Specifies the ACL type: ip for IPv4, ipv6 for IPv6, or mac for MAC.

<ACL-NAME>

Specifies the ACL name.

interface <IF-NAME>

Specifies the interface name (port or LAG).

vlan <VLAN-ID>

Specifies the VLAN.

in|out

Selects the traffic direction on which the ACL is applied.

  • in selects the inbound (ingress) traffic direction.

  • out (not applicable to VLANs) selects the outbound (egress) traffic direction. Only for IPv4 ACLs applied to route-only ports. Not available for ACLs applied to IPv4 bridged ports, IPv6 ports, or MAC ACLs applied to ports.

[vsx-peer]

Shows the output from the VSX peer switch. If the switches do not have the VSX configuration or the ISL is down, the output from the VSX peer switch is not displayed. This parameter is available on switches that support VSX.

Authority

Operators, Administrators, or local user group members with execution rights for this command. Operators can execute this command from the operator context (>) only.

Usage

  • ACL hit counts are aggregated across all:
    • physical interfaces to which the ACL is applied on ingress,

    • physical interfaces to which the ACL is applied on egress,

    • VLANs to which the ACL is applied on ingress.

  • If an ACL with an ACE with the count keyword is applied to multiple physical interfaces or VLANs, the hit counts are aggregated. There is one aggregation for physical interfaces and another for VLANs.

  • Accumulated hit counts for an applied ACL are cleared upon any modification of the ACL.

Examples

Showing the hit counts for My_ip_ACL applied to port 1/1/2:

switch# show access-list hitcounts ip My_ip_ACL interface 1/1/2
Statistics for ACL My_ip_ACL (ipv4):
interface 1/1/2* (out):
           Hit Count  Configuration
                   -  10 permit udp any 172.16.1.0/24
                   -  20 permit tcp 172.16.2.0/16 gt 1023 any
                   -  30 permit tcp 172.26.1.0/24 any syn ack dscp 10
                   0  40 deny any any any count
* access-list statistics are shared among each combination of
  context type (interface, VLAN, VRF) and direction (in, out, control-plane).
  Use 'access-list TYPE NAME copy' to create a new access-list for separate
  statistics.

Showing the hit counts for My_ip_ACL applied to VLAN 10:

switch# show access-list hitcounts ip My_ip_ACL vlan 10

Statistics for ACL My_ip_ACL (ipv4):
vlan 10* (in):
           Hit Count  Configuration
                   -  10 permit udp any 172.16.1.0/24
                   -  20 permit tcp 172.16.2.0/16 gt 1023 any
                   -  30 permit tcp 172.26.1.0/24 any syn ack dscp 10
                   0  40 deny any any any count
* access-list statistics are shared among each combination of
  context type (interface, VLAN, VRF) and direction (in, out, control-plane).
  Use 'access-list TYPE NAME copy' to create a new access-list for separate
  statistics.
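
Added example (not part of the original reference): a Python sketch that parses the output format shown above and compares two polls, so that a counter cleared by an ACL modification is flagged instead of producing a negative delta. The function names and the sample text are constructed for illustration; how the output is collected from the switch is assumed to happen elsewhere.

```python
import re

# Constructed sample, modelled on the output format in the examples above.
SAMPLE = """\
Statistics for ACL My_ip_ACL (ipv4):
vlan 10* (in):
           Hit Count  Configuration
                   -  10 permit udp any 172.16.1.0/24
                  17  40 deny any any any count
* access-list statistics are shared among each combination of
  context type (interface, VLAN, VRF) and direction (in, out, control-plane).
"""

# "interface 1/1/2* (out):" or "vlan 10* (in):"; '*' marks shared statistics.
CONTEXT_RE = re.compile(r"^(interface|vlan)\s+(\S+?)(\*?)\s+\((in|out)\):\s*$")
# Indented row: hit count (or '-'), ACE sequence number, ACE text.
ACE_RE = re.compile(r"^\s+(-|\d+)\s+(\d+)\s+(.+?)\s*$")

def parse_hitcounts(text):
    """Return one dict per ACE; hits is None for ACEs without the count keyword."""
    aces, ctx = [], None
    for line in text.splitlines():
        m = CONTEXT_RE.match(line)
        if m:
            ctx = {"context": m.group(1), "name": m.group(2),
                   "shared": m.group(3) == "*", "direction": m.group(4)}
            continue
        m = ACE_RE.match(line)
        if m and ctx:
            hits = None if m.group(1) == "-" else int(m.group(1))
            aces.append({**ctx, "seq": int(m.group(2)), "hits": hits,
                         "ace": m.group(3)})
    return aces

def hit_deltas(prev, curr):
    """Hits gained per (context, name, direction, seq) between two polls.
    A lower counter than before means it was cleared (counts reset on any
    ACL modification), so the new value is reported as the whole delta."""
    key = lambda a: (a["context"], a["name"], a["direction"], a["seq"])
    before = {key(a): a["hits"] for a in prev}
    out = {}
    for a in curr:
        if a["hits"] is None:
            continue  # ACE has no count keyword, nothing to compare
        old = before.get(key(a)) or 0
        reset = a["hits"] < old
        out[key(a)] = {"delta": a["hits"] if reset else a["hits"] - old,
                       "reset": reset}
    return out
```

A reset that is followed by enough new hits to exceed the previous value cannot be detected from the counters alone; pair the polling with configuration-change logging if that matters.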