[c-nsp] access-list on C6509 not matching packets
Rubens Kuhl Jr.
rubensk at gmail.com
Tue Feb 14 12:57:02 EST 2006
> I'm running native IOS on a 6509/Sup720, and have an L3 interface carrying
> about 4k pps:
> #sh int gigabitEthernet 7/2 | incl rate
> Queueing strategy: fifo
> 5 minute input rate 16816000 bits/sec, 4161 packets/sec
> 5 minute output rate 13295000 bits/sec, 3950 packets/sec
>
> I have an access list applied to the interface, which simply permits all.
> However, the ACL has only matched 9k packets over the past week:
Your Sup720 may be equipped with PFC3A, PFC3B or PFC3BXL; PFC3A
doesn't have "ACE counters" capability, so what you are seeing is
really a small fraction of traffic that got punted to the MSFC.
> #sh ip access-lists cluster-out
> Extended IP access list cluster-out
> 10 permit tcp any any eq ident
> 20 permit tcp any any eq pop3
> 30 permit tcp any any eq 143 (164 matches)
> 40 permit tcp any any eq smtp (172 matches)
> 50 permit tcp any any eq 22 (401 matches)
> 60 permit tcp any any eq sunrpc (27 matches)
> 70 permit tcp any any eq 995
> 80 permit tcp any any eq 4045
> 90 permit tcp any any eq 32771
> 100 permit tcp any any eq 32772 (8 matches)
> 110 permit tcp any any (4945 matches)
> 120 permit icmp any any (198 matches)
> 130 permit udp any any (3376 matches)
> 140 permit ip any any
If you want traffic analysis, go with Netflow instead of ACL counters
on a PFC3A platform.
Rubens
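A quick sanity check that makes the punt-versus-hardware-switched point measurable, as an added example that is not part of the original thread: parse the `show ip access-lists` and `show interface` output quoted above, sum the ACE match counters, and compare them with the packet count the 5-minute rate predicts for the observation window. The sample text is constructed from the figures quoted in the post; the one-week window, the output direction and the 1% threshold for calling the counters unreliable are assumptions of this script, not statements from the thread.

```python
import re

# Constructed sample input, copied from the counters quoted in the post.
ACL_OUTPUT = """Extended IP access list cluster-out
    10 permit tcp any any eq ident
    20 permit tcp any any eq pop3
    30 permit tcp any any eq 143 (164 matches)
    40 permit tcp any any eq smtp (172 matches)
    50 permit tcp any any eq 22 (401 matches)
    60 permit tcp any any eq sunrpc (27 matches)
    70 permit tcp any any eq 995
    80 permit tcp any any eq 4045
    90 permit tcp any any eq 32771
    100 permit tcp any any eq 32772 (8 matches)
    110 permit tcp any any (4945 matches)
    120 permit icmp any any (198 matches)
    130 permit udp any any (3376 matches)
    140 permit ip any any
"""

# Constructed sample input, the rate lines quoted for the L3 interface.
INTF_OUTPUT = """  Queueing strategy: fifo
  5 minute input rate 16816000 bits/sec, 4161 packets/sec
  5 minute output rate 13295000 bits/sec, 3950 packets/sec
"""

# One ACE line: sequence number, rule text, optional "(N matches)" suffix.
ACE_RE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")
# IOS 5-minute rate line; only the packets/sec figure is used here.
RATE_RE = re.compile(r"5 minute (input|output) rate \d+ bits/sec, (\d+) packets/sec")


def parse_ace_counters(text):
    """Return {seq: (rule_text, matches)}; an ACE with no counter shown is 0."""
    entries = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header line ("Extended IP access list ...") or blank
        seq, rule, count = m.groups()
        entries[int(seq)] = (rule, int(count or 0))
    return entries


def parse_pps(text):
    """Return {"input": pps, "output": pps} from the 5-minute rate lines."""
    return {m.group(1): int(m.group(2)) for m in RATE_RE.finditer(text)}


def counter_coverage(acl_text, intf_text, direction, seconds):
    """Compare summed ACE counters with the packets the 5-minute rate implies.

    Returns (counted, expected, fraction). A fraction far below 1 means the
    counters are seeing only a sliver of the traffic, i.e. the packets that
    were punted to software rather than the hardware-switched bulk.
    """
    counted = sum(n for _, n in parse_ace_counters(acl_text).values())
    expected = parse_pps(intf_text)[direction] * seconds
    return counted, expected, counted / expected


def assess(acl_text, intf_text, direction="output", seconds=7 * 24 * 3600, threshold=0.01):
    """Return True when the ACE counters can be trusted for traffic accounting."""
    counted, expected, fraction = counter_coverage(acl_text, intf_text, direction, seconds)
    return fraction >= threshold


if __name__ == "__main__":
    counted, expected, fraction = counter_coverage(ACL_OUTPUT, INTF_OUTPUT, "output", 7 * 24 * 3600)
    print(f"ACE counters: {counted}  rate-implied packets: {expected}  coverage: {fraction:.2e}")
    if not assess(ACL_OUTPUT, INTF_OUTPUT):
        print("counters cover well under 1% of traffic: use NetFlow for accounting on this platform")
```

The interesting number is the coverage ratio, which here comes out around 4e-6: roughly 9k counted packets against about 2.4 billion implied by the 3950 pps output rate over a week, which is what a PFC3A-style "software path only" counter looks like.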