Monitoring static ACL performance
ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface. This can help in determining whether a particular traffic type is being filtered by the intended ACE in an assigned list, or if traffic from a particular device or network is being filtered as intended.
This section describes the command for monitoring static ACL performance. To monitor RADIUS-assigned ACL performance, use either of the following commands:
show access-list radius <all|port-list>
show port-access <authenticator|mac-based|web-based> clients <port-list> detailed
See Displaying the current RADIUS-assigned ACL activity on the switch.
Syntax:
<show|clear> statistics
aclv4 <acl-name-str> port <port-#>
aclv4 <acl-name-str> vlan <vid> <in|out|vlan>
aclv6 <acl-name-str> port <port-#>
aclv6 <acl-name-str> vlan <vid> <in|out|vlan>
show
: Displays the current match (hit) count per ACE for the specified IPv6 or IPv4 static ACL assignment on a specific interface.
clear
: Resets ACE hit counters to zero for the specified IPv6 or IPv4 static ACL assignment on a specific interface.
Total: This column lists the running total of the matches the switch has detected for the ACEs in an applied ACL since the ACL’s counters were last reset to 0 (zero).
ACE Counter Operation: For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the criteria in that ACE, and maintains a running total of the matches since the last counter reset.
For example, in ACL line 10 below, there has been a total of 37 matches on the ACE since the last time the ACL’s counters were reset.
Total
( 37) 10 permit icmp 10.10.20.3
This ACL monitoring feature does not include hits on the “implicit deny” that is included at the end of all ACLs.
Resetting ACE Hit Counters to Zero:
- Removing an ACL from an interface zeros the ACL’s ACE counters for that interface only.
- For a given ACL, either of the following actions clears the ACE counters to zero for all interfaces to which the ACL is assigned:
  - adding or removing a permit or deny ACE in the ACL
  - rebooting the switch
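As an added example (not from the switch documentation), the following Python script parses per-ACE hit-count lines in the format shown above, compares two samples taken from the same interface, and treats a total that went backwards as a counter reset caused by one of the events listed. The ACL name, header lines and all ACE lines other than line 10 are constructed.

```python
import re

# Per-ACE line in 'show statistics aclv4|aclv6 ...' output, in the format
# shown on this page: "( 37) 10 permit icmp 10.10.20.3" -> (total, seq, ACE).
ACE_LINE = re.compile(r"^\s*\(\s*(\d+)\s*\)\s+(\d+)\s+(.*\S)\s*$")

# Constructed samples from one interface, taken a few minutes apart.
# Header lines are invented; only the parenthesised-count lines are parsed.
SAMPLE_T0 = """Hit Counts for ACL example-acl (constructed)
Total
(   37) 10 permit icmp 10.10.20.3
(    0) 20 deny tcp 10.10.20.0/24 any eq 23
(  120) 30 permit ip any any
"""
SAMPLE_T1 = SAMPLE_T0.replace("(   37) 10", "(   52) 10").replace("(    0) 20", "(    4) 20")
# Sample after the ACL's counters were reset (ACE added/removed or reboot).
SAMPLE_T2 = """Total
(    3) 10 permit icmp 10.10.20.3
(    0) 20 deny tcp 10.10.20.0/24 any eq 23
(    9) 30 permit ip any any
"""

def parse_counters(output):
    """Map ACE sequence number -> (running total, ACE text)."""
    counters = {}
    for line in output.splitlines():
        m = ACE_LINE.match(line)
        if m:
            counters[int(m.group(2))] = (int(m.group(1)), m.group(3))
    return counters

def hit_deltas(before, after):
    """New matches per ACE between two samples. None means the total went
    backwards or the ACE is new: the ACL's counters were reset in between
    (ACE added/removed, switch rebooted, or ACL removed and reapplied)."""
    deltas = {}
    for seq, (total_after, _) in after.items():
        if seq not in before or total_after < before[seq][0]:
            deltas[seq] = None
        else:
            deltas[seq] = total_after - before[seq][0]
    return deltas

def unmatched_aces(counters):
    """ACEs with a zero total: no traffic reached them, either because none
    was sent or an earlier ACE matched it first. The implicit deny at the end
    of the ACL is never reported, so drops by it are invisible here."""
    return sorted(seq for seq, (total, _) in counters.items() if total == 0)
```

Feed `parse_counters` the captured output of two `show statistics` runs and pass the results to `hit_deltas`; any None in the result means the samples straddle a counter reset and should not be compared.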
Below is an example of performance monitoring output for an IPv6 ACL assigned as a VACL.