[c-nsp] access-list on C6509 not matching packets

Tim Stevenson tstevens at cisco.com
Tue Feb 14 12:53:50 EST 2006

sh ip access returns only s/w matched packet stats. If you have 
PFC3B/BXL you can use sh tcam interface to get h/w matched packets. 
Otherwise, you are kinda flying blind.


At 09:28 AM 2/14/2006, Zitibake submitted:
>I'm running native IOS on a 6509/Sup720, and have an L3 interface carrying
>about 4k pps:
>#sh int gigabitEthernet 7/2 | incl rate
>   Queueing strategy: fifo
>   5 minute input rate 16816000 bits/sec, 4161 packets/sec
>   5 minute output rate 13295000 bits/sec, 3950 packets/sec
>I have an access list applied to the interface, which simply permits all.
>However, the ACL has only matched 9k packets over the past week:
>#sh ip access-lists cluster-out
>Extended IP access list cluster-out
>     10 permit tcp any any eq ident
>     20 permit tcp any any eq pop3
>     30 permit tcp any any eq 143 (164 matches)
>     40 permit tcp any any eq smtp (172 matches)
>     50 permit tcp any any eq 22 (401 matches)
>     60 permit tcp any any eq sunrpc (27 matches)
>     70 permit tcp any any eq 995
>     80 permit tcp any any eq 4045
>     90 permit tcp any any eq 32771
>     100 permit tcp any any eq 32772 (8 matches)
>     110 permit tcp any any (4945 matches)
>     120 permit icmp any any (198 matches)
>     130 permit udp any any (3376 matches)
>     140 permit ip any any
>Under "show tcam counts", the largest percent used is 6% for ANDOR.
>"show security acl resource-usage" does not appear to be a valid command.
>Is there something I need to do to manually merge ACLs?

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
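
Added example, not part of the original posts: a Python check that parses the `sh ip access-lists` output quoted above, totals the match counters, and compares the total with the packet count the interface rate implies over the week. It assumes the ACL is applied inbound and that the 5-minute rate is representative of the whole week; neither is stated in the thread.

```python
import re

# Text copied from the quoted post; the one-week window is the poster's figure.
ACL_OUTPUT = """\
Extended IP access list cluster-out
    10 permit tcp any any eq ident
    20 permit tcp any any eq pop3
    30 permit tcp any any eq 143 (164 matches)
    40 permit tcp any any eq smtp (172 matches)
    50 permit tcp any any eq 22 (401 matches)
    60 permit tcp any any eq sunrpc (27 matches)
    70 permit tcp any any eq 995
    80 permit tcp any any eq 4045
    90 permit tcp any any eq 32771
    100 permit tcp any any eq 32772 (8 matches)
    110 permit tcp any any (4945 matches)
    120 permit icmp any any (198 matches)
    130 permit udp any any (3376 matches)
    140 permit ip any any
"""
RATE_LINE = "  5 minute input rate 16816000 bits/sec, 4161 packets/sec"  # inbound is assumed
WEEK_SECONDS = 7 * 24 * 3600

ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_acl(text):
    """Return [(seq, action, rule, matches)]; an ACE with no counter counts as 0."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4) or 0)))
    return entries

def packets_per_sec(rate_line):
    """Extract the packets/sec figure from a 'show interface' rate line."""
    return int(re.search(r"(\d+) packets/sec", rate_line).group(1))

def counter_coverage(acl_text, rate_line, seconds):
    """Return (counted, expected, ratio) for ACL counters vs. the interface rate."""
    counted = sum(entry[3] for entry in parse_acl(acl_text))
    expected = packets_per_sec(rate_line) * seconds
    return counted, expected, counted / expected

if __name__ == "__main__":
    counted, expected, ratio = counter_coverage(ACL_OUTPUT, RATE_LINE, WEEK_SECONDS)
    print(f"ACL counters: {counted} packets; interface rate implies ~{expected}")
    print(f"counter coverage: {ratio:.6%}")
```

A coverage this far below 100% is what counters limited to software-matched packets look like; it says nothing about whether the ACL is being enforced on the hardware path.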
