[c-nsp] Question about SVI interface acl counters + way of working

Phil Mayers p.mayers at imperial.ac.uk
Wed Mar 20 10:58:21 EDT 2013


On 20/03/13 14:42, "Rolf Hanßen" wrote:
> Hello,
>
> Just wanted to drop some UDP flooding with an interface ACL.
> I configured:
>
> interface Vlan1373
>   ip access-group block-flood in
> exit
>
> Access-list is very simple:
> edge1-ams3#sh ip access-lists block-flood
> Extended IP access list block-flood
>      10 deny udp any host 1.2.3.4 (589878 matches)
>      20 permit ip any any (149516 matches)
> edge1-ams3#
>
> edge1-ams3#sh int  Vl1373 | inc  input rate
>    30 second input rate 2772775000 bits/sec, 435403 packets/sec
> edge1-ams3#
>
> The interface has a quite high amount of pps, but the acl hit count
> increases only by less than 200/sec for both entries together.
>
> Does that ACL not filter all traffic passing the interface, or why does the
> delta of ACL hits not match the number of incoming pps?
> Maybe it counts only packets going to the RP, or something is cached and
> counts only every x packets?

Typically you will find the ACL counters on hardware platforms may 
under-count, unless you enable specific features.

On Sup2T, you want:

ip access-list ...
   hardware statistics

You may (or may not) find OAL interesting as well.

See here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup2T/ios_acl_support.html#wp1111231
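An added check (my example, not code from the thread or from Cisco) that turns the numbers in the original question into a test for this under-counting: it parses two `show ip access-lists` snapshots and the `show interface` input rate, computes per-ACE hits/sec, and reports what fraction of the interface pps the ACL counters account for. The snapshots are constructed from the output quoted above, with the second assumed to be taken 10 seconds later; the function names are my own.

```python
import re

# Constructed sample snapshots, modelled on the output quoted in the thread.
# ACL_T1 is assumed to have been captured 10 seconds after ACL_T0.
ACL_T0 = """Extended IP access list block-flood
     10 deny udp any host 1.2.3.4 (589878 matches)
     20 permit ip any any (149516 matches)
"""
ACL_T1 = """Extended IP access list block-flood
     10 deny udp any host 1.2.3.4 (591078 matches)
     20 permit ip any any (149916 matches)
"""
INTF = "   30 second input rate 2772775000 bits/sec, 435403 packets/sec"

ACE_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+\((\d+) matches\)\s*$", re.M)
PPS_RE = re.compile(r"(\d+) packets/sec")

def parse_matches(text):
    """Map ACE sequence number -> cumulative match count."""
    return {int(seq): int(n) for seq, _, n in ACE_RE.findall(text)}

def interface_pps(text):
    """Extract the input packets/sec figure from 'show interface' output."""
    m = PPS_RE.search(text)
    if not m:
        raise ValueError("no 'packets/sec' in interface output")
    return int(m.group(1))

def hit_rates(before, after, interval):
    """Per-ACE matches/sec between two snapshots `interval` seconds apart."""
    b, a = parse_matches(before), parse_matches(after)
    rates = {}
    for seq in a:
        delta = a[seq] - b.get(seq, 0)
        if delta < 0:           # counters were cleared between snapshots
            delta = a[seq]
        rates[seq] = delta / interval
    return rates

def counter_coverage(before, after, interval, intf_text):
    """Fraction of interface input pps explained by the ACL counters.
    A value far below 1.0 means the ACEs are counting only the packets
    that reach software, i.e. hardware statistics are not being collected."""
    rates = hit_rates(before, after, interval)
    return sum(rates.values()) / interface_pps(intf_text)

if __name__ == "__main__":
    cov = counter_coverage(ACL_T0, ACL_T1, 10, INTF)
    print(f"ACL counters cover {cov:.4%} of interface input pps")
```

With the figures from the thread this reports well under 1% coverage, which is the signature of ACL counters that are not being fed from hardware.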
