[c-nsp] access-list on C6509 not matching packets

Ian Cox icox at cisco.com
Tue Feb 14 12:57:35 EST 2006

Please read the following URL:

Show access-lists only shows packets that were punted to software, 
and not packets dropped or forwarded in the hardware forwarding path. 
Depending on the version of Sup720 being used, counters for packets 
dropped in the TCAM lookup may or may not be available (3b/3bXL yes, 
3A no) -> show tcam interface gig x/y acl in ip


At 09:28 AM 2/14/2006 -0800, Zitibake wrote:
>I'm running native IOS on a 6509/Sup720, and have an L3 interface carrying
>about 4k pps:
>#sh int gigabitEthernet 7/2 | incl rate
>   Queueing strategy: fifo
>   5 minute input rate 16816000 bits/sec, 4161 packets/sec
>   5 minute output rate 13295000 bits/sec, 3950 packets/sec
>I have an access list applied to the interface, which simply permits all.
>However, the ACL has only matched 9k packets over the past week:
>#sh ip access-lists cluster-out
>Extended IP access list cluster-out
>     10 permit tcp any any eq ident
>     20 permit tcp any any eq pop3
>     30 permit tcp any any eq 143 (164 matches)
>     40 permit tcp any any eq smtp (172 matches)
>     50 permit tcp any any eq 22 (401 matches)
>     60 permit tcp any any eq sunrpc (27 matches)
>     70 permit tcp any any eq 995
>     80 permit tcp any any eq 4045
>     90 permit tcp any any eq 32771
>     100 permit tcp any any eq 32772 (8 matches)
>     110 permit tcp any any (4945 matches)
>     120 permit icmp any any (198 matches)
>     130 permit udp any any (3376 matches)
>     140 permit ip any any
>Under "show tcam counts", the largest percent used is 6% for ANDOR.
>"show security acl resource-usage" does not appear to be a valid command
>Is there something I need to do to manually merge ACLs?
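As an added example (not part of the thread), a small Python audit that parses the two outputs Zitibake posted and compares the ACL's total match count with the packets the interface forwarded over the week; a ratio this close to zero is the signature of counters that, as Ian describes, only see software-punted traffic rather than the hardware forwarding path. The 1% `floor`, the week-long window and treating the 5-minute rate as typical are assumptions.

```python
import re
# Constructed sample input: the two show-command outputs quoted in the thread.
SHOW_INT = """\
   5 minute input rate 16816000 bits/sec, 4161 packets/sec
   5 minute output rate 13295000 bits/sec, 3950 packets/sec
"""
SHOW_ACL = """\
Extended IP access list cluster-out
     10 permit tcp any any eq ident
     20 permit tcp any any eq pop3
     30 permit tcp any any eq 143 (164 matches)
     40 permit tcp any any eq smtp (172 matches)
     50 permit tcp any any eq 22 (401 matches)
     60 permit tcp any any eq sunrpc (27 matches)
     70 permit tcp any any eq 995
     80 permit tcp any any eq 4045
     90 permit tcp any any eq 32771
     100 permit tcp any any eq 32772 (8 matches)
     110 permit tcp any any (4945 matches)
     120 permit icmp any any (198 matches)
     130 permit udp any any (3376 matches)
     140 permit ip any any
"""
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+.*?(?:\s\((\d+) matches\))?\s*$")
RATE_RE = re.compile(r"5 minute (input|output) rate \d+ bits/sec, (\d+) packets/sec")

def parse_ace_matches(show_acl):
    """Return {sequence: match_count}; IOS omits the suffix for never-matched ACEs, so those read 0."""
    counts = {}
    for line in show_acl.splitlines():
        m = ACE_RE.match(line)
        if m:
            counts[int(m.group(1))] = int(m.group(3) or 0)
    return counts

def parse_pps(show_int):
    """Return {'input': pps, 'output': pps} from the 5-minute rate lines."""
    return {d: int(p) for d, p in RATE_RE.findall(show_int)}

def counter_coverage(show_acl, show_int, direction, seconds):
    """(matched, expected, fraction): ACL matches vs packets forwarded in `direction` over `seconds`."""
    matched = sum(parse_ace_matches(show_acl).values())
    expected = parse_pps(show_int)[direction] * seconds
    return matched, expected, matched / expected

def audit(show_acl, show_int, direction, seconds, floor=0.01):
    """Flag counters covering under `floor` of forwarded traffic (Sup720: software-punted packets only)."""
    matched, expected, frac = counter_coverage(show_acl, show_int, direction, seconds)
    verdict = "software-path counters only" if frac < floor else "counters plausible"
    return f"{matched} matches vs ~{expected} packets forwarded ({frac:.2e}): {verdict}"
```

Run `audit(SHOW_ACL, SHOW_INT, "output", 7 * 24 * 3600)` to reproduce the thread's case; when the verdict is "software-path counters only", the hardware ACL counters (`show tcam interface ... acl ... ip`, on 3B/3BXL) are the ones to consult.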
