[rbak-nsp] hit counts on policy access list

Mariano Juliá mjuliaq at gmail.com
Thu Nov 18 10:19:45 EST 2010


Hi,

This was a recurrent question from our support guys and we never found
a way to see hits with an access-list.

A workaround is to configure a metering or policing policy that does
not drop traffic; make sure you use the "counters" keyword. Example
config below.

To see the matches, do "sh circuit counters <slot/port>
[vlan-id|pvc|dlci] <#> detail".

--------------------------------------

context cust_context

policy access-list 169
seq 10 permit icmp any host 10.204.234.16 dscp eq af11 class af11_packets
seq 70 permit icmp any host 10.204.234.16 dscp eq af31 class af31_packets
seq 80 permit icmp any host 10.204.234.16 dscp eq af32 class af32_packets
seq 110 permit icmp any host 10.204.234.16 dscp eq cs3 class cs3_packets
seq 120 permit icmp any host 10.204.234.16 dscp eq cs7 class cs7_packets
seq 130 permit icmp any host 10.204.234.16 dscp eq ef class ef_packets
seq 140 permit icmp any host 10.204.234.16 dscp eq df class df_packets
seq 150 permit ip any any class CATCH_ALL_PACKETS

qos policy COUNT_PACKETS policing
 rate informational 1000000 time-burst 1700 counters
  access-group 169 cust_context
    class af11_packets
      rate percentage 12 counters
      exceed no-action
      violate no-action
    class af31_packets
      rate percentage 12 counters
      exceed no-action
      violate no-action
    class af32_packets
      rate percentage 12 counters
      exceed no-action
      violate no-action
    class cs3_packets
      rate percentage 12 counters
      exceed no-action
      violate no-action
    class cs7_packets
      rate percentage 12 counters
      exceed no-action
      violate no-action
    class ef_packets
      rate percentage 12 counters
      exceed no-action
      violate no-action
    class df_packets
      rate percentage 12 counters
      exceed no-action
      violate no-action
    class CATCH_ALL_PACKETS
      rate percentage 12 counters
      exceed no-action
      violate no-action

port atm 3/2
 atm pvc 0 200 profile 5MB-VBRNRT encapsulation route1483
  qos policy policing COUNT_PACKETS

On 18 November 2010 13:59, Richard Clayton <sledge121 at gmail.com> wrote:
> Hello
>
> Is there a command I can run that will show hit counts on access lists? I
> ran 'show policy access-list' but it didn't show hits. I'm not sure if this
> is how the command works or I may just not be matching anything with my
> access list.
>
> Thanks
> Rick
>
>
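
Added example, not part of the original message or of any Redback tooling: a Python check that every class named in the access list has a matching class in the policing policy that uses "counters" and takes no action, so the counting policy stays non-dropping. The sample text is constructed from the configuration above, and treating a missing explicit no-action line as a problem is an assumption of this example.

```python
import re

# Constructed sample based on the config above; ef_packets and CATCH_ALL_PACKETS are broken on purpose.
SAMPLE = """\
policy access-list 169
seq 10 permit icmp any host 10.204.234.16 dscp eq af11 class af11_packets
seq 130 permit icmp any host 10.204.234.16 dscp eq ef class ef_packets
seq 150 permit ip any any class CATCH_ALL_PACKETS
qos policy COUNT_PACKETS policing
 rate informational 1000000 time-burst 1700 counters
  access-group 169 cust_context
    class af11_packets
      rate percentage 12 counters
      exceed no-action
      violate no-action
    class ef_packets
      rate percentage 12
      exceed no-action
"""

def audit(config):
    """Return {class_name: [problems]} for ACL classes that are not counted without dropping."""
    acl_classes, policy, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"seq \d+ .* class (\S+)$", line)
        if m:                                   # ACL entry that tags traffic with a class
            acl_classes.append(m.group(1))
        elif re.match(r"class \S+$", line):     # start of a class block in the policy
            current = policy.setdefault(line.split()[1], [])
        elif line.startswith(("qos policy", "policy ", "port ", "context ")):
            current = None                      # a new top-level stanza ends the class block
        elif current is not None and line:
            current.append(line)                # statement inside the current class block
    problems = {}
    for name in acl_classes:
        body = policy.get(name)
        if body is None:
            found = ["no class block in policing policy"]
        else:
            found = []
            if not any(l.startswith("rate ") and l.split()[-1] == "counters" for l in body):
                found.append("rate line lacks 'counters'")
            for action in ("exceed", "violate"):
                if f"{action} no-action" not in body:
                    found.append(f"{action} is not set to no-action")
        if found:
            problems[name] = found
    return problems
```

Calling `audit(SAMPLE)` reports `ef_packets` and `CATCH_ALL_PACKETS`; the full configuration from the message would return an empty dict.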