Hello everyone
For example, suppose you apply an ACL to a VLANIF interface with traffic-filter. The ACL works and packets are matched, as the logs confirm, but the counters shown by display acl do not increase.
<SYS>display logbuffer | include 3007
Logging buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 512
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 3500
Current messages : 512
Sep 21 2017 17:15:44+02:00 SwCore759 LE/4/ACLLOG(l)[0]:Slot=2;Acl 3007 deny GigabitEthernet2/0/28 00e0-4b5b-dfb2 -> ffff-ffff-ffff udp 10.116.78.71(48312) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:27+02:00 SwCore759 LE/4/ACLLOG(l)[6]:Slot=2;Acl 3007 deny GigabitEthernet2/0/32 00e0-4b5b-dfc1 -> ffff-ffff-ffff udp 10.116.78.73(55066) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:24+02:00 SwCore759 LE/4/ACLLOG(l)[8]:Slot=2;Acl 3007 deny GigabitEthernet2/0/29 00e0-4b5b-d6b2 -> ffff-ffff-ffff udp 10.116.78.75(55048) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:22+02:00 SwCore759 LE/4/ACLLOG(l)[9]:Slot=2;Acl 3007 deny GigabitEthernet2/0/31 00e0-4b5b-e059 -> ffff-ffff-ffff udp 10.116.78.72(34856) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:13+02:00 SwCore759 LE/4/ACLLOG(l)[11]:Slot=2;Acl 3007 deny GigabitEthernet2/0/28 00e0-4b5b-dfb2 -> ffff-ffff-ffff udp 10.116.78.71(58832) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:57+02:00 SwCore759 LE/4/ACLLOG(l)[31]:Slot=2;Acl 3007 deny GigabitEthernet2/0/32 00e0-4b5b-dfc1 -> ffff-ffff-ffff udp 10.116.78.73(57574) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:54+02:00 SwCore759 LE/4/ACLLOG(l)[32]:Slot=2;Acl 3007 deny GigabitEthernet2/0/29 00e0-4b5b-d6b2 -> ffff-ffff-ffff udp 10.116.78.75(59760) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:52+02:00 SwCore759 LE/4/ACLLOG(l)[33]:Slot=2;Acl 3007 deny GigabitEthernet2/0/31 00e0-4b5b-e059 -> ffff-ffff-ffff udp 10.116.78.72(34466) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:44+02:00 SwCore759 LE/4/ACLLOG(l)[34]:Slot=2;Acl 3007 deny GigabitEthernet2/0/28 00e0-4b5b-dfb2 -> ffff-ffff-ffff udp 10.116.78.71(43828) -> 255.255.255.255(2153) (1 packet).
<HUAWEI> display acl name test
Advanced ACL test 3999, 1 rule, match-order is auto
Acl's step is 5
 rule 5 permit ip destination 10.10.10.1 0 (matched 0 times)
Why is this happening?
To count the packets that match the ACL of a traffic policy, configure the count action in the traffic behavior associated with that traffic policy. In the output of the display acl command, the matched field shows the number of packets that are sent to the CPU and match the ACL, not the number of packets that match the ACL in the traffic policy. The count in the display acl output is therefore always 0, even when many packets that match the ACL pass through the device. Some packets that match the ACL may also not be sent to the CPU, so these packets are not counted.
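Since the matched field of display acl counts only packets sent to the CPU, the ACLLOG entries are the evidence of filtering available here. As an added example (not part of the original post), this Python script tallies packets per ACL, interface or source from log buffer text in the format shown above. The function names are assumptions chosen for this example, and because the buffer above reports 3500 overwritten messages, the totals cover only what is still in the buffer.

```python
import re
from collections import Counter

# One ACLLOG entry, in the format shown in the log buffer output above.
ACLLOG = re.compile(
    r"ACLLOG\(l\)\[\d+\]:Slot=(?P<slot>\d+);"
    r"Acl (?P<acl>\d+) (?P<action>permit|deny) (?P<ifname>\S+) "
    r"(?P<smac>\S+) -> (?P<dmac>\S+) (?P<proto>\S+) "
    r"(?P<sip>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dip>[\d.]+)(?:\((?P<dport>\d+)\))? "
    r"\((?P<count>\d+) packets?\)"
)

def parse_acllog(text):
    """Yield one dict per ACLLOG entry, even if the terminal wrapped it."""
    flat = " ".join(text.split())  # undo line wrapping at whitespace
    for m in ACLLOG.finditer(flat):
        rec = m.groupdict()
        rec["count"] = int(rec["count"])
        yield rec

def tally(text, key=("acl", "action")):
    """Sum the logged packet counts, grouped by the given record fields."""
    hits = Counter()
    for rec in parse_acllog(text):
        hits[tuple(rec[k] for k in key)] += rec["count"]
    return hits

# Three entries taken from the output above, wrapped across lines
# the way a terminal capture would wrap them.
SAMPLE = """
Sep 21 2017 17:15:44+02:00
SwCore759 LE/4/ACLLOG(l)[0]:Slot=2;Acl 3007 deny GigabitEthernet2/0/28
00e0-4b5b-dfb2 -> ffff-ffff-ffff udp 10.116.78.71(48312) ->
255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:27+02:00
SwCore759 LE/4/ACLLOG(l)[6]:Slot=2;Acl 3007 deny GigabitEthernet2/0/32
00e0-4b5b-dfc1 -> ffff-ffff-ffff udp 10.116.78.73(55066) ->
255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:13+02:00
SwCore759 LE/4/ACLLOG(l)[11]:Slot=2;Acl 3007 deny GigabitEthernet2/0/28
00e0-4b5b-dfb2 -> ffff-ffff-ffff udp 10.116.78.71(58832) ->
255.255.255.255(2153) (1 packet).
"""

if __name__ == "__main__":
    for key in (("acl", "action"), ("ifname",), ("sip", "dport")):
        print(key, dict(tally(SAMPLE, key)))
```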