Hello everyone,

This is a common question that many users are asking so I share with you why is this happening.

For example, if you set up an ACL on a vlanif via traffic-filter. The ACL is working and packets are matched, this is confirmed by the logs, but the display acl counters are not increased.

<SYS>display logbuffer | including 3007
Logging buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 512
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 3500
Current messages : 512

Sep 21 2017 17:15:44+02:00 SwCore759 %ACLE/4/ACLLOG(l)[0]:Slot=2;Acl 3007 deny GigabitEthernet2/0/28 00e0-4b5b-dfb2 -> ffff-ffff-ffff udp 10.116.78.71(48312) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:27+02:00 SwCore759 %ACLE/4/ACLLOG(l)[6]:Slot=2;Acl 3007 deny GigabitEthernet2/0/32 00e0-4b5b-dfc1 -> ffff-ffff-ffff udp 10.116.78.73(55066) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:24+02:00 SwCore759 %ACLE/4/ACLLOG(l)[8]:Slot=2;Acl 3007 deny GigabitEthernet2/0/29 00e0-4b5b-d6b2 -> ffff-ffff-ffff udp 10.116.78.75(55048) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:22+02:00 SwCore759 %ACLE/4/ACLLOG(l)[9]:Slot=2;Acl 3007 deny GigabitEthernet2/0/31 00e0-4b5b-e059 -> ffff-ffff-ffff udp 10.116.78.72(34856) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:15:13+02:00 SwCore759 %ACLE/4/ACLLOG(l)[11]:Slot=2;Acl 3007 deny GigabitEthernet2/0/28 00e0-4b5b-dfb2 -> ffff-ffff-ffff udp 10.116.78.71(58832) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:57+02:00 SwCore759 %ACLE/4/ACLLOG(l)[31]:Slot=2;Acl 3007 deny GigabitEthernet2/0/32 00e0-4b5b-dfc1 -> ffff-ffff-ffff udp 10.116.78.73(57574) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:54+02:00 SwCore759 %ACLE/4/ACLLOG(l)[32]:Slot=2;Acl 3007 deny GigabitEthernet2/0/29 00e0-4b5b-d6b2 -> ffff-ffff-ffff udp 10.116.78.75(59760) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:52+02:00 SwCore759 %ACLE/4/ACLLOG(l)[33]:Slot=2;Acl 3007 deny GigabitEthernet2/0/31 00e0-4b5b-e059 -> ffff-ffff-ffff udp 10.116.78.72(34466) -> 255.255.255.255(2153) (1 packet).
Sep 21 2017 17:14:44+02:00 SwCore759 %ACLE/4/ACLLOG(l)[34]:Slot=2;Acl 3007 deny GigabitEthernet2/0/28 00e0-4b5b-dfb2 -> ffff-ffff-ffff udp 10.116.78.71(43828) -> 255.255.255.255(2153) (1 packet).

<HUAWEI> display acl name test
Advanced ACL test 3999, 1 rule, match-order is auto
Acl's step is 5
 rule 5 permit ip destination 10.10.10.1 0 (matched 0 times)

Why is this happening ?

To count the packets matching the ACL of a traffic policy, you can configure the count action in the traffic behavior associated with the traffic policy. In the output of the display acl command, the matched field indicates the number of packets that are sent to the CPU and match the ACL instead of the number of packets matching the ACL in the traffic policy. Therefore, the count displayed in the output of the display acl command is always 0 even many packets that match the ACL pass through the device. And some packets that match the ACL may not match the CPU, so these packets are not counted.