Match-counter does not display any statistics when a rule is matched in an ACL

Created: Nov 6, 2018 20:38:37 | Latest reply: Dec 26, 2018 15:27:29
 Issue Description

Device: S9712

BoardType: EH1BS9712E00

Issue: Why does the match-counter not display any statistics when a rule is matched in an ACL?

L2 Name ACL no-ipv6 4000, 1 rule
ACL's step is 5
 rule 5 deny type ipv6 (0 times matched)

Solution

This counter only covers packets that are processed by the CPU, such as the packets exchanged with the local device that hit the ACL rule, for example FTP, TFTP, Telnet, SNMP, HTTP, routing, and multicast packets. The protocol packets exchanged with the local device are matched by the software ACL. For forwarded traffic the counter is meaningless.

There are two ways to view the matches of an ACL rule for forwarded traffic:

1.      Implement traffic statistics for the ACL using the commands below, then use the last command to display them:

<Huawei>sy

Enter system view, return user view with Ctrl+Z.

[Huawei]acl 3000

[Huawei-acl-adv-3000]q

[Huawei]traffic-statistic inbound acl 3000

[HUAWEI] display traffic-statistics interface gigabitethernet 1/0/1 inbound acl 3000

---------------------------------------------------------------------------                                                        

Interface GigabitEthernet1/0/1                                                                                                      

 ACL:3000 Rule:1                                                                                                                   

     matched:0 packets, passed:0 packets, dropped:0 packets                                                                         

---------------------------------------------------------------------------  

 

2.      The second way is a bit more complex and granular: enable traffic statistics in a traffic behavior within a traffic policy, then apply the traffic policy on the interface. To view the matches, use the same command mentioned in point 1.

 

Example: Configuring the Switch to Collect Statistics on ICMP Packets

<HUAWEI> system-view

[HUAWEI] acl 3000

[HUAWEI-acl-adv-3000] rule 0 permit icmp source 192.168.1.1 0 destination 192.168.2.1 0

[HUAWEI-acl-adv-3000] rule 5 permit icmp source 192.168.2.1 0 destination 192.168.1.1 0

[HUAWEI-acl-adv-3000] quit

[HUAWEI] traffic classifier c1

[HUAWEI-classifier-c1] if-match acl 3000

[HUAWEI-classifier-c1] quit

[HUAWEI] traffic behavior b1

[HUAWEI-behavior-b1] statistic enable

[HUAWEI-behavior-b1] quit

[HUAWEI] traffic policy p1

[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1

[HUAWEI-trafficpolicy-p1] quit

[HUAWEI] interface gigabitethernet 1/0/1

[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound

[HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 outbound

Display statistics on incoming packets matching the traffic policy that has been applied to the system:
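
Added example, not part of the original post: a Python sketch that parses output laid out like the `display traffic-statistics` sample under method 1 and compares two polls, so that ACL rules with no forwarded-traffic hits stand out. The snapshots are constructed, and the assumption that the "ACL:/Rule:" and counter lines repeat once per rule is mine; the function names are hypothetical.

```python
import re

# Constructed snapshots in the layout of the 'display traffic-statistics' output above.
# Assumption: with several rules, the "ACL:/Rule:" and counter lines repeat per rule.
SNAP_T0 = """\
Interface GigabitEthernet1/0/1
 ACL:3000 Rule:0
     matched:10 packets, passed:10 packets, dropped:0 packets
 ACL:3000 Rule:5
     matched:0 packets, passed:0 packets, dropped:0 packets
"""
SNAP_T1 = SNAP_T0.replace("matched:10 packets, passed:10", "matched:25 packets, passed:25")

IFACE = re.compile(r"^\s*Interface\s+(\S+)")
RULE = re.compile(r"^\s*ACL:(\d+)\s+Rule:(\d+)")
COUNTS = re.compile(r"matched:(\d+) packets, passed:(\d+) packets, dropped:(\d+) packets")

def parse_stats(text):
    """Return {(interface, acl, rule): (matched, passed, dropped)}."""
    stats, iface, rule = {}, None, None
    for line in text.splitlines():
        if m := IFACE.match(line):
            iface, rule = m.group(1), None
        elif m := RULE.match(line):
            rule = (int(m.group(1)), int(m.group(2)))
        elif (m := COUNTS.search(line)) and iface and rule:
            stats[(iface, *rule)] = tuple(int(n) for n in m.groups())
            rule = None  # a counter line belongs to exactly one rule header
    return stats

def matched_since(before, after):
    """Packets matched per rule between two polls.

    A counter lower than in the previous poll is treated as reset, so the
    current value is the delta. Rules absent from `before` count from zero.
    """
    deltas = {}
    for key, (matched, _passed, _dropped) in after.items():
        prev = before.get(key, (0, 0, 0))[0]
        deltas[key] = matched - prev if matched >= prev else matched
    return deltas

def silent_rules(deltas):
    """Rules that saw no forwarded traffic in the interval."""
    return sorted(k for k, d in deltas.items() if d == 0)

if __name__ == "__main__":
    d = matched_since(parse_stats(SNAP_T0), parse_stats(SNAP_T1))
    print(d, silent_rules(d))
```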



xiaomumu  Visitor   Created Dec 24, 2018 09:36:19

Learn more, great

dagui  Visitor   Created Dec 26, 2018 15:27:29

The second one is a bit more complex and granular by enabling traffic statistics in a traffic behavior within a traffic policy then apply the traffic policy on the interface. Can you provide a more detailed explanation?