[c-nsp] access-list on C6509 not matching packets
Zitibake
zitibake at yahoo.com
Tue Feb 14 12:28:06 EST 2006
I'm running native IOS on a 6509/Sup720, and have an L3 interface carrying
about 4k pps:

#sh int gigabitEthernet 7/2 | incl rate
  Queueing strategy: fifo
  5 minute input rate 16816000 bits/sec, 4161 packets/sec
  5 minute output rate 13295000 bits/sec, 3950 packets/sec

I have an access list applied to the interface, which simply permits all.
However, the ACL has only matched 9k packets over the past week:

#sh ip access-lists cluster-out
Extended IP access list cluster-out
    10 permit tcp any any eq ident
    20 permit tcp any any eq pop3
    30 permit tcp any any eq 143 (164 matches)
    40 permit tcp any any eq smtp (172 matches)
    50 permit tcp any any eq 22 (401 matches)
    60 permit tcp any any eq sunrpc (27 matches)
    70 permit tcp any any eq 995
    80 permit tcp any any eq 4045
    90 permit tcp any any eq 32771
    100 permit tcp any any eq 32772 (8 matches)
    110 permit tcp any any (4945 matches)
    120 permit icmp any any (198 matches)
    130 permit udp any any (3376 matches)
    140 permit ip any any

Under "show tcam counts", the largest percent used is 6% for ANDOR.
"show security acl resource-usage" does not appear to be a valid command
(s72033-pk9sv-mz.122-18.SXD5.bin).

Is there something I need to do to manually merge ACLs?