ACL statistics counters provide a means of monitoring ACL performance: they display the current number of matches (hits) the switch has detected for each ACE in an ACL assigned to a switch interface. This can help in determining whether a particular traffic type is being filtered by the intended ACE in an assigned list, or whether traffic from a particular device or network is being filtered as intended.
NOTE: This section describes the command for monitoring static ACL performance. To monitor RADIUS-assigned ACL performance, use either of the following commands. See Displaying the current RADIUS-assigned ACL activity on the switch.
Syntax:
show
: Displays the current match (hit) count per ACE for the specified IPv6 or IPv4 static ACL assignment on a specific interface.
clear
: Resets ACE hit counters to zero for the specified IPv6 or IPv4 static ACL assignment on a specific interface.
Total
: This column lists the running total of the matches the switch has detected for each ACE in an applied ACL since the ACL's counters were last reset to 0 (zero).
IPv6 and IPv4 ACL statistics
HP Switch# show statistics aclv6 IPV6-ACL vlan 20 vlan
HitCounts for ACL IPV6-ACL
Total
(  12) 10 permit icmp ::/0 fe80::20:2/128 128
(   6) 20 deny tcp ::/0 fe80::20:2/128 eq 23 log
(  41) 30 permit ipv6 ::/0 ::/0

HP Switch# show statistics aclv4 102 vlan 20 vlan
HitCounts for ACL 102
Total
(   4) 10 permit icmp 10.10.20.3 0.0.0.0 10.10.20.2 0.0.0.0 8
(   8) 20 deny icmp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8
(   2) 30 permit tcp 10.10.20.3 0.0.0.255 10.10.20.2 0.0.0.255 eq 23
(   2) 55 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8
( 125) 60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
ACE Counter Operation: For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the criteria in that ACE, and maintains a running total of the matches since the last counter reset.
For example, in ACL line 10 below, there have been a total of 37 matches on the ACE since the last time the ACL's counters were reset.
Total
( 37) 10 permit icmp 10.10.20.3
NOTE: This ACL monitoring feature does not include hits on the "implicit deny" that is included at the end of all ACLs.
Resetting ACE Hit Counters to Zero:
Below is an example of performance monitoring output for an IPv6 ACL assigned as a VACL.
IPv6 ACL performance monitoring output
HP Switch# show statistics aclv6 V6-02 vlan 20 vlan
HitCounts for ACL V6-02
Total
(   5) 10 permit icmp ::/0 fe80::20:2/128 128
(   4) 20 permit icmp ::/0 fe80::20:3/128 128
( 136) 30 permit tcp fe80::20:1/128 ::/0 eq 23
(   2) 40 deny icmp ::/0 fe80::20:1/128 128
(  10) 50 deny tcp ::/0 ::/0 eq 23
(   8) 60 deny icmp ::/0 ::/0 133
( 155) 70 permit ipv6 ::/0 ::/0
Below is an example of performance monitoring output for an IPv4 ACL assigned as a VACL.
IPv4 ACL performance monitoring output
HP Switch# show statistics aclv4 102 vlan 20 vlan
HitCounts for ACL 102
Total
(   1) 10 permit icmp 10.10.20.3 0.0.0.0 10.10.20.2 0.0.0.0 8
(   2) 20 deny icmp 10.10.20.3 0.0.0.0 10.10.20.1 0.0.0.0 8 log
(   2) 30 deny icmp 10.10.20.2 0.0.0.0 10.10.20.3 0.0.0.0 8 log
(   1) 40 deny icmp 10.10.20.2 0.0.0.0 10.10.20.1 0.0.0.0 8 log
(  10) 50 deny tcp 10.10.20.2 0.0.0.255 10.10.20.3 0.0.0.255 eq 23 log
(  27) 60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
The following example demonstrates using clear statistics to reset the counters to zero.
IPv6 ACL performance monitoring output
HP Switch# show statistics aclv6 V6-02 vlan 20 vlan
HitCounts for ACL V6-02
Total
(   5) 10 permit icmp ::/0 fe80::20:2/128 128
(   4) 20 permit icmp ::/0 fe80::20:3/128 128
( 136) 30 permit tcp fe80::20:1/128 ::/0 eq 23
(   2) 40 deny icmp ::/0 fe80::20:1/128 128
(  10) 50 deny tcp ::/0 ::/0 eq 23
(   8) 60 deny icmp ::/0 ::/0 133
( 155) 70 permit ipv6 ::/0 ::/0

HP Switch# clear statistics aclv6 V6-02 vlan 20 vlan

HP Switch# show statistics aclv6 V6-02 vlan 20 vlan
HitCounts for ACL V6-02
Total
(   0) 10 permit icmp ::/0 fe80::20:2/128 128
(   0) 20 permit icmp ::/0 fe80::20:3/128 128
(   0) 30 permit tcp fe80::20:1/128 ::/0 eq 23
(   0) 40 deny icmp ::/0 fe80::20:1/128 128
(   0) 50 deny tcp ::/0 ::/0 eq 23
(   0) 60 deny icmp ::/0 ::/0 133
(   0) 70 permit ipv6 ::/0 ::/0
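As an added example (not part of the HP documentation), the following Python script parses the HitCounts output format shown above, lists the deny ACEs that are actually matching traffic, and computes per-ACE hit deltas between two snapshots so that counters need not be cleared to measure an interval; it also tolerates a counter reset between snapshots. The sample input is the page's IPv4 VACL output re-broken into one ACE per line; the second snapshot used in the test is constructed.

```python
import re

# Sample input: the page's IPv4 VACL output, re-broken into one ACE per line.
SAMPLE_V4 = """\
HP Switch# show statistics aclv4 102 vlan 20 vlan
HitCounts for ACL 102
Total
(   1) 10 permit icmp 10.10.20.3 0.0.0.0 10.10.20.2 0.0.0.0 8
(   2) 20 deny icmp 10.10.20.3 0.0.0.0 10.10.20.1 0.0.0.0 8 log
(   2) 30 deny icmp 10.10.20.2 0.0.0.0 10.10.20.3 0.0.0.0 8 log
(   1) 40 deny icmp 10.10.20.2 0.0.0.0 10.10.20.1 0.0.0.0 8 log
(  10) 50 deny tcp 10.10.20.2 0.0.0.255 10.10.20.3 0.0.0.255 eq 23 log
(  27) 60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

# One ACE line: "( <hits>) <seq> permit|deny <rest of the ACE>"
ACE_RE = re.compile(r"^\(\s*(\d+)\)\s+(\d+)\s+(permit|deny)\s+(.+)$")

def parse_hitcounts(text):
    """Map ACE sequence number -> (hits, action, rule) from show statistics output.
    The implicit deny at the end of the ACL is not counted by the switch, so it
    never appears in the result."""
    aces = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            hits, seq, action, rule = m.groups()
            aces[int(seq)] = (int(hits), action, rule.strip())
    return aces

def deny_hits(aces):
    """Sequence numbers of deny ACEs with a nonzero hit count, i.e. the ACEs
    that have actually blocked traffic since the last counter reset."""
    return sorted(seq for seq, (hits, action, _) in aces.items()
                  if action == "deny" and hits > 0)

def hit_delta(before, after):
    """Hits accumulated per ACE between two snapshots of the same ACL.
    If a counter went down (clear statistics was run in between), the
    'after' value is the best available count for the interval."""
    delta = {}
    for seq, (hits_after, _, _) in after.items():
        hits_before = before[seq][0] if seq in before else 0
        delta[seq] = hits_after - hits_before if hits_after >= hits_before else hits_after
    return delta

if __name__ == "__main__":
    snap = parse_hitcounts(SAMPLE_V4)
    for seq in deny_hits(snap):
        print(f"ACE {seq}: {snap[seq][0]} denied matches, rule: {snap[seq][2]}")
```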