Monitoring static ACL performance

ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface. This can help in determining whether a particular traffic type is being filtered by the intended ACE in an assigned list, or if traffic from a particular device or network is being filtered as intended.

NOTE:
This section describes the command for monitoring static ACL performance. To monitor RADIUS-assigned ACL performance, use either of the following commands: 

show access-list radius <all|port-list>


show port-access <authenticator|mac-based|web-based> clients <port-list> detailed

See Displaying the current RADIUS-assigned ACL activity on the switch.

Syntax: 


<show|clear> statistics


aclv4 <acl-name-str> port <port-#>


aclv4 <acl-name-str> vlan <vid> <in|out|vlan>


aclv6 <acl-name-str> port <port-#>


aclv6 <acl-name-str> vlan <vid> <in|out|vlan>

show: Displays the current match (hit) count per ACE for the specified IPv6 or IPv4 static ACL assignment on a specific interface.

clear: Resets ACE hit counters to zero for the specified IPv6 or IPv4 static ACL assignment on a specific interface.

Total: This column lists the running total of the matches the switch has detected for the ACEs in an applied ACL since the ACL’s counters were last reset to 0 (zero).

Figure 69: IPv6 and IPv4 ACL statistics
switch# show statistics aclv6 IPV6-ACL vlan 20 vlan

 HitCounts for ACL IPV6-ACL

  Total

( 12) 10 permit icmp ::/0 fe80::20:2/128 128
( 6) 20 deny tcp ::/0 fe80::20:2/128 eq 23 log
( 41) 30 permit ipv6 ::/0 ::/0

Switch# show statistics aclv4 102 vlan 20 vlan

 HitCounts for ACL 102

  Total
(  4) 10 permit icmp 10.10.20.3 0.0.0.0 10.10.20.2 0.0.0.0 8
(  8) 20 deny icmp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8
(  2) 30 permit tcp 10.10.20.3 0.0.0.255 10.10.20.2 0.0.0.255 eq 23
(  2) 55 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8
( 125) 60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

ACE Counter Operation: For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the criteria in that ACE, and maintains a running total of the matches since the last counter reset.

For example, in ACL line 10 below, there has been a total of 37 matches on the ACE since the last time the ACL’s counters were reset. 

Total
( 37) 10 permit icmp 10.10.20.3
NOTE:

This ACL monitoring feature does not include hits on the “implicit deny” that is included at the end of all ACLs.

Resetting ACE Hit Counters to Zero:

  • Removing an ACL from an interface zeros the ACL’s ACE counters for that interface only.

  • For a given ACL, either of the following actions clear the ACE counters to zero for all interfaces to which the ACL is assigned.

    • adding or removing a permit or deny ACE in the ACL

    • rebooting the switch

Below is an example of performance monitoring output for an IPv6 ACL assigned as a VACL.

Figure 7072: IPv6 ACL performance monitoring output 
switch# show statistics aclv6 V6-02 vlan 20 vlan

 HitCounts for ACL V6-02

  Total

(   5) 10 permit icmp ::/0 fe80::20:2/128 128
(   4) 20 permit icmp ::/0 fe80::20:3/128 128
( 136) 30 permit tcp fe80::20:1/128 ::/0 eq 23
(   2) 40 deny icmp ::/0 fe80::20:1/128 128
(  10) 50 deny tcp ::/0 ::/0 eq 23
(   8) 60 deny icmp ::/0 ::/0 133
( 155) 70 permit ipv6 ::/0 ::/0

Below is an example of performance monitoring output for an IPv4 ACL assigned as a VACL.

Figure 71: IPv4 ACL performance monitoring output
switch# show statistics aclv4 102 vlan 20 vlan

 HitCounts for ACL 102

  Total

(  1) 10 permit icmp 10.10.20.3 0.0.0.0 10.10.20.2 0.0.0.0 8
(  2) 20 deny icmp 10.10.20.3 0.0.0.0 10.10.20.1 0.0.0.0 8 log
(  2) 30 deny icmp 10.10.20.2 0.0.0.0 10.10.20.3 0.0.0.0 8 log
(  1) 40 deny icmp 10.10.20.2 0.0.0.0 10.10.20.1 0.0.0.0 8 log
( 10) 50 deny tcp 10.10.20.2 0.0.0.255 10.10.20.3 0.0.0.255 eq 23 log
( 27) 60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

The following example demonstrates using clear statistics to reset the counters to zero.

Figure 7072: IPv6 ACL performance monitoring output 
switch# show statistics aclv6 V6-02 vlan 20 vlan
 
 HitCounts for ACL V6-02

  Total

(   5) 10 permit icmp ::/0 fe80::20:2/128 128
(   4) 20 permit icmp ::/0 fe80::20:3/128 128
( 136) 30 permit tcp fe80::20:1/128 ::/0 eq 23
(   2) 40 deny icmp ::/0 fe80::20:1/128 128
(  10) 50 deny tcp ::/0 ::/0 eq 23
(   8) 60 deny icmp ::/0 ::/0 133
( 155) 70 permit ipv6 ::/0 ::/0
switch# clear statistics aclv6 V6-02 vlan 20 vlan
switch# show statistics aclv6 V6-02 vlan 20 vlan

 HitCounts for ACL V6-02

  Total

( 0) 10 permit icmp ::/0 fe80::20:2/128 128
( 0) 20 permit icmp ::/0 fe80::20:3/128 128
( 0) 30 permit tcp fe80::20:1/128 ::/0 eq 23
( 0) 40 deny icmp ::/0 fe80::20:1/128 128
( 0) 50 deny tcp ::/0 ::/0 eq 23
( 0) 60 deny icmp ::/0 ::/0 133
( 0) 70 permit ipv6 ::/0 ::/0