[rbak-nsp] hit counts on policy access list
Stefano Rapari
s.rapari at gmail.com
Thu Nov 18 11:16:39 EST 2010
I think this is what you are looking for:
[stefano_ppp]se32-srapari#sh access-group ip-filter 5/10 vlan-id 300 in counters
Circuit 5/10 vlan-id 300 pppoe 2130, slot 5, access-list test, in, 2 rules
Hit Count: 0 No Match (Default)
Hit Count: 0 seq 10 permit ip any any
Hit Count: 0 seq 20 deny ip any any
[stefano_ppp]se32-srapari#sh sub act all
stefanofreebsd@stefano_ppp
Circuit 5/10 vlan-id 300 pppoe 2130
Internal Circuit 5/10:1023:63/1/2/8214
Interface bound SUBSCRIBER
Current port-limit unlimited
profile test (applied)
context-name stefano_ppp (applied)
ip address 2.1.1.1 (applied)
ppp mtu 1492 (applied from sub_default)
dns primary 155.53.247.12 (applied from sub_default)
dns secondary 155.53.12.12 (applied from sub_default)
idle timeout direction in (applied from sub_default)
timeout absolute 86400 (applied)
ip access-group in test (applied with count)
ip access-group out test (applied with count)
timeout idle 900 (applied from sub_default)
[stefano_ppp]se32-srapari#
Thanks
Stefano
>
> This was a recurrent question from our support guys and we never found
> a way to see hits with an access-list.
>
> A workaround is to configure a metering or policing policy that does
> not drop traffic; make sure you use the "counters" keyword. Example
> config below.
>
> To see the matches, do "sh circuit counters <slot/port>
> [vlan-id|pvc|dlci] <#> detail".
>
> --------------------------------------
>
> context cust_context
>
> policy access-list 169
> seq 10 permit icmp any host 10.204.234.16 dscp eq af11 class af11_packets
> seq 70 permit icmp any host 10.204.234.16 dscp eq af31 class af31_packets
> seq 80 permit icmp any host 10.204.234.16 dscp eq af32 class af32_packets
> seq 110 permit icmp any host 10.204.234.16 dscp eq cs3 class cs3_packets
> seq 120 permit icmp any host 10.204.234.16 dscp eq cs7 class cs7_packets
> seq 130 permit icmp any host 10.204.234.16 dscp eq ef class ef_packets
> seq 140 permit icmp any host 10.204.234.16 dscp eq df class df_packets
> seq 150 permit ip any any class CATCH_ALL_PACKETS
>
> qos policy COUNT_PACKETS policing
> rate informational 1000000 time-burst 1700 counters
> access-group 169 cust_context
> class af11_packets
> rate percentage 12 counters
> exceed no-action
> violate no-action
> class af31_packets
> rate percentage 12 counters
> exceed no-action
> violate no-action
> class af32_packets
> rate percentage 12 counters
> exceed no-action
> violate no-action
> class cs3_packets
> rate percentage 12 counters
> exceed no-action
> violate no-action
> class cs7_packets
> rate percentage 12 counters
> exceed no-action
> violate no-action
> class ef_packets
> rate percentage 12 counters
> exceed no-action
> violate no-action
> class df_packets
> rate percentage 12 counters
> exceed no-action
> violate no-action
> class CATCH_ALL_PACKETS
> rate percentage 12 counters
> exceed no-action
> violate no-action
>
> port atm 3/2
> atm pvc 0 200 profile 5MB-VBRNRT encapsulation route1483
> qos policy policing COUNT_PACKETS
>
> On 18 November 2010 13:59, Richard Clayton <sledge121 at gmail.com> wrote:
>> Hello
>>
>> Is there a command I can run that will show hit counts on access lists? I
>> ran 'show policy access-list' but it didn't show hits. I'm not sure if this
>> is how the command works or I may just not be matching anything with my
>> access list.
>>
>> Thanks
>> Rick
>> _______________________________________________
>> redback-nsp mailing list
>> redback-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/redback-nsp
>>
>>
> _______________________________________________
> redback-nsp mailing list
> redback-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/redback-nsp
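
Added example, not part of the original thread: a parser for the "counters" output pasted in the reply above, comparing two snapshots so that rules whose hit counts never move (here the deny that sits behind "permit ip any any") can be picked out for review. The function names and the second snapshot are constructed, and the line layout is assumed to match the pasted output.

```python
import re

# Header and rule lines in the layout pasted in the message above; whitespace
# is matched loosely because the archive may have collapsed the CLI's columns.
HEADER = re.compile(r"^Circuit\s+(?P<circuit>.+?),\s*slot\s+\d+,\s*"
                    r"access-list\s+(?P<acl>\S+),\s*(?P<dir>in|out),")
RULE = re.compile(r"^Hit Count:\s*(?P<hits>\d+)\s+(?P<rule>.+?)\s*$")


def parse_counters(text):
    """Return {(circuit, acl, direction): {rule_text: hits}}."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = result.setdefault((m["circuit"], m["acl"], m["dir"]), {})
            continue
        m = RULE.match(line)
        if m and current is not None:
            current[m["rule"]] = int(m["hits"])
    return result


def deltas(before, after):
    """Per-rule hit increase between two snapshots of the same command."""
    old_all, out = parse_counters(before), {}
    for key, rules in parse_counters(after).items():
        old = old_all.get(key, {})
        for rule, hits in rules.items():
            prev = old.get(rule, 0)
            # A counter lower than before means it was cleared or the circuit
            # was re-bound; report the new value instead of a negative delta.
            out[key + (rule,)] = hits - prev if hits >= prev else hits
    return out


def idle_rules(before, after):
    """Rules whose counter did not move: shadowed or unused entries."""
    return sorted(k[-1] for k, d in deltas(before, after).items() if d == 0)


# First snapshot is the output quoted in the message; the second is constructed.
SNAP1 = """Circuit 5/10 vlan-id 300 pppoe 2130, slot 5, access-list test, in, 2 rules
Hit Count: 0 No Match (Default)
Hit Count: 0 seq 10 permit ip any any
Hit Count: 0 seq 20 deny ip any any"""
SNAP2 = SNAP1.replace("Hit Count: 0 seq 10", "Hit Count: 4217 seq 10")
```
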