Got it
Enterprise
Community Forums Switches
[Knowledge sharing]displa...

[Knowledge sharing]display acl command doesn't count the matched packets Highlighted

Latest reply: Oct 5, 2018 12:14:52 446 1 3 2
display all floors #1

Hello everyone,


This is a common question that many users are asking so I share with you why is this happening.
For example, if you set up an ACL on a vlanif via traffic-filter. The ACL is working and packets are matched, this is confirmed by the logs, but the display acl counters are not increased.

<SYS>display logbuffer | including 3007
Logging buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 512
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 3500
Current messages : 512

Sep 21 2017 17:15:44+02:00 SwCore759 %ACLE/4/ACLLOG(l)[0]:Slot=2;Acl 3007 deny GigabitEthernet2/0/28 00e0-4b5b-dfb2 -> ffff-ffff-ffff udp 10.116.78.71(48312) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:27+02:00 SwCore759 %ACLE/4/ACLLOG(l)[6]:Slot=2;Acl 3007 deny GigabitEthernet2/0/32 00e0-4b5b-dfc1 -> ffff-ffff-ffff udp 10.116.78.73(55066) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:24+02:00 SwCore759 %ACLE/4/ACLLOG(l)[8]:Slot=2;Acl 3007 deny GigabitEthernet2/0/29 00e0-4b5b-d6b2 -> ffff-ffff-ffff udp 10.116.78.75(55048) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:22+02:00 SwCore759 %ACLE/4/ACLLOG(l)[9]:Slot=2;Acl 3007 deny GigabitEthernet2/0/31 00e0-4b5b-e059 -> ffff-ffff-ffff udp 10.116.78.72(34856) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:13+02:00 SwCore759 %ACLE/4/ACLLOG(l)[11]:Slot=2;Acl 3007 deny GigabitEthernet2/0/28 00e0-4b5b-dfb2 -> ffff-ffff-ffff udp 10.116.78.71(58832) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:57+02:00 SwCore759 %ACLE/4/ACLLOG(l)[31]:Slot=2;Acl 3007 deny GigabitEthernet2/0/32 00e0-4b5b-dfc1 -> ffff-ffff-ffff udp 10.116.78.73(57574) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:54+02:00 SwCore759 %ACLE/4/ACLLOG(l)[32]:Slot=2;Acl 3007 deny GigabitEthernet2/0/29 00e0-4b5b-d6b2 -> ffff-ffff-ffff udp 10.116.78.75(59760) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:52+02:00 SwCore759 %ACLE/4/ACLLOG(l)[33]:Slot=2;Acl 3007 deny GigabitEthernet2/0/31 00e0-4b5b-e059 -> ffff-ffff-ffff udp 10.116.78.72(34466) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:44+02:00 SwCore759 %ACLE/4/ACLLOG(l)[34]:Slot=2;Acl 3007 deny GigabitEthernet2/0/28 00e0-4b5b-dfb2 -> ffff-ffff-ffff udp 10.116.78.71(43828) -> 255.255.255.255(2153) (1 packet).


<HUAWEI> display acl name test
Advanced ACL test 3999, 1 rule, match-order is auto
Acl's step is 5
 rule 5 permit ip destination 10.10.10.1 0 (matched 0 times)


Why is this happening ?


To count the packets matching the ACL of a traffic policy, you can configure the count action in the traffic behavior associated with the traffic policy. In the output of the display acl command, the matched field indicates the number of packets that are sent to the CPU and match the ACL instead of the number of packets matching the ACL in the traffic policy. Therefore, the count displayed in the output of the display acl command is always 0 even many packets that match the ACL pass through the device. And some packets that match the ACL may not match the CPU, so these packets are not counted.

  • x
  • convention:

Helpful (3) Favorite(2) Share Report
Previous: Port mirroring feature in layer 3
Next: Switch with L4 Load balancing
razxy
Created Oct 5, 2018 12:14:52 Helpful(1) Helpful(1)

Very helpful!!!
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Copyright © 2021 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.