This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Enterprise
Community Group Switches
[Knowledge sharing]displa...

[Knowledge sharing]display acl command doesn't count the matched packets Highlighted

Latest reply: Oct 5, 2018 12:14:52 266 1 1 1
display all floors #1

Hello everyone,


This is a common question that many users are asking so I share with you why is this happening.
For example, if you set up an ACL on a vlanif via traffic-filter. The ACL is working and packets are matched, this is confirmed by the logs, but the display acl counters are not increased.

<SYS>display logbuffer | including 3007
Logging buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 512
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 3500
Current messages : 512

Sep 21 2017 17:15:44+02:00 SwCore759 %ACLE/4/ACLLOG(l)[0]:Slot=2;Acl 3007 deny GigabitEthernet2/0/28 00e0-4b5b-dfb2 -> ffff-ffff-ffff udp 10.116.78.71(48312) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:27+02:00 SwCore759 %ACLE/4/ACLLOG(l)[6]:Slot=2;Acl 3007 deny GigabitEthernet2/0/32 00e0-4b5b-dfc1 -> ffff-ffff-ffff udp 10.116.78.73(55066) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:24+02:00 SwCore759 %ACLE/4/ACLLOG(l)[8]:Slot=2;Acl 3007 deny GigabitEthernet2/0/29 00e0-4b5b-d6b2 -> ffff-ffff-ffff udp 10.116.78.75(55048) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:22+02:00 SwCore759 %ACLE/4/ACLLOG(l)[9]:Slot=2;Acl 3007 deny GigabitEthernet2/0/31 00e0-4b5b-e059 -> ffff-ffff-ffff udp 10.116.78.72(34856) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:13+02:00 SwCore759 %ACLE/4/ACLLOG(l)[11]:Slot=2;Acl 3007 deny GigabitEthernet2/0/28 00e0-4b5b-dfb2 -> ffff-ffff-ffff udp 10.116.78.71(58832) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:57+02:00 SwCore759 %ACLE/4/ACLLOG(l)[31]:Slot=2;Acl 3007 deny GigabitEthernet2/0/32 00e0-4b5b-dfc1 -> ffff-ffff-ffff udp 10.116.78.73(57574) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:54+02:00 SwCore759 %ACLE/4/ACLLOG(l)[32]:Slot=2;Acl 3007 deny GigabitEthernet2/0/29 00e0-4b5b-d6b2 -> ffff-ffff-ffff udp 10.116.78.75(59760) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:52+02:00 SwCore759 %ACLE/4/ACLLOG(l)[33]:Slot=2;Acl 3007 deny GigabitEthernet2/0/31 00e0-4b5b-e059 -> ffff-ffff-ffff udp 10.116.78.72(34466) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:44+02:00 SwCore759 %ACLE/4/ACLLOG(l)[34]:Slot=2;Acl 3007 deny GigabitEthernet2/0/28 00e0-4b5b-dfb2 -> ffff-ffff-ffff udp 10.116.78.71(43828) -> 255.255.255.255(2153) (1 packet).


<HUAWEI> display acl name test
Advanced ACL test 3999, 1 rule, match-order is auto
Acl's step is 5
 rule 5 permit ip destination 10.10.10.1 0 (matched 0 times)


Why is this happening ?


To count the packets matching the ACL of a traffic policy, you can configure the count action in the traffic behavior associated with the traffic policy. In the output of the display acl command, the matched field indicates the number of packets that are sent to the CPU and match the ACL instead of the number of packets matching the ACL in the traffic policy. Therefore, the count displayed in the output of the display acl command is always 0 even many packets that match the ACL pass through the device. And some packets that match the ACL may not match the CPU, so these packets are not counted.

  • x
  • convention:

Helpful (1) Favorite(1) Share Report
Created Oct 5, 2018 12:14:52 Helpful(1) Helpful(1)

Very helpful!!!
  • x
  • convention:
Back to list

Reply

Reply
Advanced
B Color Image Link Quote Code Smilies
You need to log in to reply to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy Terms of Use
Huawei Enterprise Huawei Carrier Forum Training & Certification

Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.

Fast reply Scroll to top