ACL hit counters on a Cisco 6500/7600 series - tracked in hardware, not in IOS
Whenever you are testing whether a connection works (more specifically, whether the traffic you are sending really traverses the router or layer 3 switch), you can put an ACL on the router or layer 3 switch.
With this ACL you can specify the
- source IP address
- destination IP address
- source port and protocol type, if known (not really needed)
- destination port and protocol type
With this access-list you can either run "debug ip packet <access-list-name> detail" and watch the matching packets in the device logging. Keep in mind that debug ip packet only shows packets that are process-switched by the route processor, and that it can load the CPU heavily on a busy box.
Or you can just run "sh ip access-list <access-list-name>" and check the hit counts, correct?
WRONG!!! That method works on a specific range of Cisco routers and on all the Cisco firewalls (ASA/PIX/FWSM), but not on these platforms.
On a 6500/7600, a plain "sh ip access-list <access-list-name>" only shows counts for packets handled in software by the route processor, such as packets destined to the router itself; packets that are switched through the device in hardware never increment these counters.
On these platforms the ACL hit counts are tracked by the forwarding hardware (the PFC ASICs) and can be checked per interface with the following command:
show tcam interface <interface> acl in ip
Use "acl out ip" for an ACL applied outbound. Note that these counters belong to the interface the ACL is applied to, whereas the software counter is kept per ACL, so the two sets of numbers will not line up.
I've selected one of the 7600 routers I manage to try this out.
Output of the "sh ip access-lists TEST_ACL" command:
7600-router#sh ip access-lists TEST_ACL
Extended IP access list TEST_ACL
    10 permit ip any xx.xx.xx.xx 0.0.0.63
    20 permit ip any xx.xx.xx.xx 0.0.0.255
    30 permit ip any xx.xx.xx.xx 0.0.0.255
    40 permit ip any xx.xx.xx.xx 0.0.0.15
    50 permit ip any xx.xx.xx.xx 0.0.0.31
    60 permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq bgp (28341 matches)
    70 permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq bgp
    80 permit icmp xx.xx.xx.xx 0.0.0.3 xx.xx.xx.xx 0.0.0.3
    90 permit icmp xx.xx.xx.xx 0.0.0.3 xx.xx.xx.xx 0.0.0.3
    100 permit icmp xx.xx.xx.xx 0.0.0.255 host xx.xx.xx.xx
    110 permit icmp xx.xx.xx.xx 0.0.1.255 host xx.xx.xx.xx
    120 permit icmp xx.xx.xx.xx 0.0.0.255 host xx.xx.xx.xx
    130 permit icmp xx.xx.xx.xx 0.0.1.255 host xx.xx.xx.xx
    140 deny ip any any (8 matches)
Output of the "sh tcam int X acl in ip" command:
7600-router#show tcam interface gigabitEthernet 1/0/1.100 acl in ip
Global Defaults shared

Entries from Bank 0

Entries from Bank 1

    permit ip any xx.xx.xx.xx 0.0.0.255 (314 matches)
    permit ip any xx.xx.xx.xx 0.0.0.255 (1316 matches)
    permit ip any xx.xx.xx.xx 0.0.0.63 (68 matches)
    permit ip any xx.xx.xx.xx 0.0.0.31 (389 matches)
    permit ip any xx.xx.xx.xx 0.0.0.15 (2 matches)
    permit icmp xx.xx.xx.xx 0.0.0.3 xx.xx.xx.xx 0.0.0.3
    permit icmp xx.xx.xx.xx 0.0.0.3 xx.xx.xx.xx 0.0.0.3
    permit icmp xx.xx.xx.xx 0.0.1.255 host xx.xx.xx.xx
    permit icmp xx.xx.xx.xx 0.0.1.255 host xx.xx.xx.xx
    permit icmp xx.xx.xx.xx 0.0.0.255 host xx.xx.xx.xx
    permit icmp xx.xx.xx.xx 0.0.0.255 host xx.xx.xx.xx
    permit tcp host xx.xx.xx.xx host xx.xx.xx.xx fragments
    permit tcp host xx.xx.xx.xx host xx.xx.xx.xx fragments
    permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq bgp (14350 matches)
    permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq bgp
Compare the two: the "permit ip" lines that showed no matches at all in IOS have hundreds of hits in the TCAM, which is the through traffic. Also note that the TCAM view drops the sequence numbers, lists the entries in the order the PFC programmed them rather than in ACL order, and contains extra "fragments" entries that the hardware adds for the ACEs that test a TCP port. The only rule with a large count in both views is the BGP session, which terminates on the router itself and is therefore also seen by the route processor.
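The two outputs above are easy to misread by eye. As an added example (written for this post, not a Cisco tool or the author's own script), here is a small offline check that parses saved output of both commands, lines each ACE up with its hardware counter, flags the rules that look idle in IOS but are matching in the TCAM, and takes the delta between two TCAM snapshots so you can confirm that your test traffic is the thing moving the counter. The sample output is constructed to mirror the shape of the post's output, with addresses from the RFC 5737 documentation ranges and made-up counts.

```python
"""Correlate software ACL counters (show ip access-lists) with the hardware
TCAM counters (show tcam interface ... acl in ip) on a Cisco 6500/7600.

Added example for this post, not a Cisco tool. It works on saved CLI output
offline; the sample output below is constructed (RFC 5737 addresses, made-up
counts) to mirror the shape of the post's output.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# One ACE as printed by either command: optional sequence number, the rule
# text, optional "(N matches)" suffix. The TCAM view prints no sequence numbers.
_ACE_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<ace>(?:permit|deny)\s.+?)"
    r"(?:\s+\((?P<hits>\d+) matches\))?\s*$"
)

# Constructed sample: the IOS (software) view of the ACL.
SW_OUTPUT = """\
Extended IP access list TEST_ACL
    10 permit ip any 192.0.2.0 0.0.0.63
    60 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp (28341 matches)
    80 permit icmp 203.0.113.0 0.0.0.3 203.0.113.4 0.0.0.3
    140 deny ip any any (8 matches)
"""

# Constructed sample: the TCAM (hardware) view of the same ACL on one interface.
HW_OUTPUT_T0 = """\
Global Defaults shared

Entries from Bank 0

Entries from Bank 1

    permit ip any 192.0.2.0 0.0.0.63 (68 matches)
    permit icmp 203.0.113.0 0.0.0.3 203.0.113.4 0.0.0.3 (12 matches)
    permit tcp host 198.51.100.1 host 198.51.100.2 fragments
    permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp (14350 matches)
    deny ip any any (41 matches)
"""
# Constructed second snapshot, as if taken after sending five test pings.
HW_OUTPUT_T1 = HW_OUTPUT_T0.replace("(12 matches)", "(17 matches)")


def parse_counters(output: str) -> Dict[str, int]:
    """Map normalised ACE text -> hit count. Non-ACE lines (ACL header, TCAM
    bank headers, blanks) are skipped; an ACE printed without a "(N matches)"
    suffix counts as 0 hits, which is how both commands show an idle rule."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        m = _ACE_RE.match(line)
        if not m:
            continue
        ace = " ".join(m.group("ace").split())  # collapse whitespace
        hits = int(m.group("hits") or 0)
        # Summed in case the same rule text appears more than once.
        counters[ace] = counters.get(ace, 0) + hits
    return counters


class AceView(NamedTuple):
    ace: str
    software_hits: int
    hardware_hits: Optional[int]  # None: no entry with this exact text in the TCAM


def compare(software: Dict[str, int], hardware: Dict[str, int]) -> List[AceView]:
    """Line up each ACE of the IOS view with its TCAM counter."""
    return [AceView(ace, sw, hardware.get(ace)) for ace, sw in software.items()]


def misleading_aces(software: Dict[str, int], hardware: Dict[str, int]) -> List[str]:
    """ACEs that look idle in 'show ip access-lists' but are matching in
    hardware: exactly the case where trusting the software counter misleads."""
    return [v.ace for v in compare(software, hardware)
            if v.software_hits == 0 and (v.hardware_hits or 0) > 0]


def hardware_only_entries(software: Dict[str, int], hardware: Dict[str, int]) -> List[str]:
    """TCAM entries with no literal counterpart in the ACL, such as the
    'fragments' entries the PFC adds for ACEs that test a TCP/UDP port."""
    return [ace for ace in hardware if ace not in software]


def traffic_delta(before: Dict[str, int], after: Dict[str, int], ace: str) -> int:
    """Hits accumulated on one ACE between two snapshots. The counters are
    cumulative, so a delta is the cleanest 'is my traffic flowing now' check."""
    return after.get(ace, 0) - before.get(ace, 0)


if __name__ == "__main__":
    sw = parse_counters(SW_OUTPUT)
    hw0 = parse_counters(HW_OUTPUT_T0)
    hw1 = parse_counters(HW_OUTPUT_T1)
    for v in compare(sw, hw0):
        print(f"{v.ace:58s} sw={v.software_hits:6d} hw={v.hardware_hits}")
    print("idle in IOS but hit in hardware:", misleading_aces(sw, hw0))
    print("hardware-only entries:", hardware_only_entries(sw, hw0))
    icmp = "permit icmp 203.0.113.0 0.0.0.3 203.0.113.4 0.0.0.3"
    print("icmp hits during the test:", traffic_delta(hw0, hw1, icmp))
```

To use it on a real box, paste the output of both commands into the two strings (or read them from files), take the TCAM snapshot once before and once after sending your test traffic, and look at the delta on the ACE you wrote for that traffic rather than at the absolute number.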