Check the number of times an ACL rule matches packets on an S series switch


Run the display acl { <acl-number> | name <acl-name> | all } command on an S series switch (except the S1700 switch) to check the configuration of an ACL.
In the command output, the match-counter field displays the number of times the ACL matches packets. To view the number of times the software-based ACL rule matches the packets, run the display acl command. To view the number of times the hardware-based ACL rule matches the packets, use other methods. For example, to view the number of times the ACL rule matches packets after a traffic policy is enforced, run the statistic enable command in the traffic behavior view to enable the traffic statistics collection in traffic behavior, and then run the display traffic policy statistics command.

Other related questions:
Matching rules of ACL
The display order of ACL rules determines the ACL matching principles. During ACL matching, a look-up is performed from the first rule displayed in the ACL. When one rule matches, the look-up is completed. The earlier a rule is displayed, the easier for it to be matched. The factors that determine the display order are the rule ID and matching methods. Matching methods include matching in configuration order or in automatic order. If the configuration order is used, the matching will be performed according to the order in which the ACL rules are configured. Rule IDs can be set by users, or can be automatically generated by the system based on the step, which is convenient for rule maintenance and insertion of new rules. For example, the default step of ACL is 5. If the user does not set a rule ID, the first rule ID automatically generated by the system is 5. When the user needs to insert a new rule before rule 5, a rule ID smaller than 5 can be set. The new rule now is the first rule. If the automatic order is used, the system automatically generates rule IDs, and ranks the rules with the highest precision to the top of the list. This can be achieved by comparing the length of the wildcard characters of addresses. The shorter the length is, the smaller the assigned NE range is.

ACL matching order on S series switches
If ACL rules repeat or conflict, the ACL matching order decides the matching result. S series switches (except S1700 switches) support the configuration order (config) and the automatic order (auto). Configuration order: The system matches packets against ACL rules in ascending order of rule IDs. That is, the rule with the smallest ID is processed first. If a smaller rule ID is manually specified for a rule, the rule is inserted in one of the front lines of an ACL, and the rule is processed earlier. If no ID is manually specified for a rule, the system allocates an ID to the rule. The rule ID is greater than the largest rule ID in the ACL and is the minimum multiple of the step. Therefore, this rule is processed last. Automatic order: The system arranges rules according to precision degree of the rules (depth first principle), and matches packets against the rules in descending order of precision. A rule with the highest precision defines strictest conditions, and has the highest priority. The system matches packets against this rule first.

Can a nonexistent time-range in an ACL be matched, and how does the rule take effect
When a time-range time-name in an ACL rule is matched, the router does not check whether the time-range time-name has been configured. Therefore, the configuration will be successful. For a nonexistent time-range time-name, the router considers corresponding rule as invalid and sets the time-range time-name to the Inactive state. After the time-range time-name is configured, if it is in the Active state, corresponding ACL rule is updated dynamically and changed from the Invalid state to the Valid state.

Can an ACL rule match a time range that does not exist? Does the ACL take effect
When the ACL rule is configured to match time-range time-name, the configuration takes effect regardless of whether the time-range time-name command has been configured. If the ACL rule matches no time-range time-name, the device considers that the ACL rule is invalid and the time-range time-name command is in inactive state. After the time-range time-name command is configured and in active state, the ACL rule automatically updates its status and changes to valid.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top