[c-nsp] Question about SVI interface acl counters + way of working
"Rolf Hanßen"
nsp at rhanssen.de
Wed Mar 20 10:42:09 EDT 2013
Hello,
Just wanted to drop some UDP flooding with an interface ACL.
I configured:
interface Vlan1373
ip access-group block-flood in
exit
Access-list is very simple:
edge1-ams3#sh ip access-lists block-flood
Extended IP access list block-flood
10 deny udp any host 1.2.3.4 (589878 matches)
20 permit ip any any (149516 matches)
edge1-ams3#
edge1-ams3#sh int Vl1373 | inc input rate
30 second input rate 2772775000 bits/sec, 435403 packets/sec
edge1-ams3#
The interface has a quite high amount of pps, but the acl hit count
increases only by less than 200/sec for both entries together.
Does that ACL not filter all traffic passing the interface, or why does the
delta of ACL hits not match the number of incoming pps?
Maybe it counts only packets going to the RP, or something is cached and
counts only every x packets?
Hardware is a Sup2T + WS-X6704-10GE, all traffic in that vlan is routed.
kind regards
Rolf
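As an added check (not from the post or from Cisco), the script below parses two snapshots of `show ip access-lists` plus the `input rate` line, turns the counter deltas into hits per second and compares them with the interface pps; the sample outputs are constructed to match the numbers in the post, and the second snapshot is assumed to be 10 seconds later.

```python
import re

# Constructed snapshots modelled on the post's output (not real captures).
ACL_T0 = """Extended IP access list block-flood
    10 deny udp any host 1.2.3.4 (589878 matches)
    20 permit ip any any (149516 matches)"""
ACL_T1 = """Extended IP access list block-flood
    10 deny udp any host 1.2.3.4 (590478 matches)
    20 permit ip any any (149716 matches)"""
RATE_LINE = "30 second input rate 2772775000 bits/sec, 435403 packets/sec"
INTERVAL_S = 10  # assumed time between the two snapshots

ACE_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+\((\d+) matches\)\s*$", re.M)
PPS_RE = re.compile(r"(\d+) packets/sec")


def parse_ace_matches(show_output):
    """Map ACE sequence number -> cumulative match counter."""
    return {int(seq): int(cnt) for seq, _, cnt in ACE_RE.findall(show_output)}


def parse_input_pps(show_int_line):
    """Pull the packets/sec figure out of a 'show int | inc input rate' line."""
    m = PPS_RE.search(show_int_line)
    if not m:
        raise ValueError("no packets/sec field found")
    return int(m.group(1))


def acl_hit_rate(before, after, interval_s):
    """Per-second increase of each ACE counter between two snapshots."""
    return {seq: (after[seq] - before[seq]) / interval_s
            for seq in before if seq in after}


def acl_coverage(before_txt, after_txt, interval_s, rate_line):
    """Fraction of interface input pps that shows up in the ACL counters."""
    rates = acl_hit_rate(parse_ace_matches(before_txt),
                         parse_ace_matches(after_txt), interval_s)
    return sum(rates.values()) / parse_input_pps(rate_line)


if __name__ == "__main__":
    ratio = acl_coverage(ACL_T0, ACL_T1, INTERVAL_S, RATE_LINE)
    print(f"ACL counters account for {ratio:.4%} of interface pps")
    if ratio < 0.5:
        # Matches the symptom in the post: the counters do not reflect the
        # bulk of the traffic, so they cannot be used to judge the filter.
        print("counters do not reflect most of the traffic on this interface")
```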