Unable to see the traffic that is blocked by the ACL

Issue Description

We know there is a lot of traffic being discarded on switch S5720-28X-LI-AC + V200R010C00SPC600 + V200R010SPH008 and we would like to see this and confirm this traffic.

Alarm Information	No alarm present, we can only confirm that the traffic is going via the interface XGi0/0/1 using the graphic below.
Handling Process	1. Check configuration: # acl number 3000 rule 145 permit udp destination X.5.2.101 0 rule 145 description CASXXXXX rule 185 permit udp destination X.5.2.111 0 rule 185 description TELEXXXX rule 190 permit udp destination X.5.2.112 0 rule 190 description LA OTXXX rule 580 permit udp destination X.5.2.140 0 rule 580 description Sevixxxx rule 590 permit udp destination X.5.2.137 0 rule 590 description Interxxxxxxx rule 645 permit udp destination X.192.0.17 0 rule 645 description Betxxx rule 650 permit udp destination X.1.1.89 0 rule 650 description SevXXXXX rule 999 deny udp ######## interface XGigabitEthernet0/0/1 description Servicio TV port link-type access port default vlan 419 stp root-protection stp bpdu-filter enable # 2. Apply a traffic policy and refer the ACL in the classifier to check the matches: <GPON La Linea>display traffic policy statistics interface xgigabitethernet 0/0/1 inbound Interface: XGigabitEthernet0/0/1 Traffic policy inbound: p1 Rule number: 8 Current status: success Statistics interval: 300 --------------------------------------------------------------------- Board : 0 --------------------------------------------------------------------- Matched \| Packets: 0 \| Bytes: - \| Rate(pps): 0 \| Rate(bps): - --------------------------------------------------------------------- Passed \| Packets: 0 \| Bytes: - \| Rate(pps): 0 \| Rate(bps): - --------------------------------------------------------------------- Dropped \| Packets: 0 \| Bytes: - \| Rate(pps): 0 \| Rate(bps): - --------------------------------------------------------------------- Filter \| Packets: 0 \| Bytes: - --------------------------------------------------------------------- Car \| Packets: 0 \| Bytes: - --------------------------------------------------------------------- <GPON La Linea>display traffic policy statistics interface xgigabitethernet 0/0/1 outbound Interface: XGigabitEthernet0/0/1 Traffic policy outbound: p1 Rule number: 8 Current status: success Statistics interval: 300 --------------------------------------------------------------------- Board : 0 --------------------------------------------------------------------- Matched \| Packets: 0 \| Bytes: - \| Rate(pps): 0 \| Rate(bps): - --------------------------------------------------------------------- Passed \| Packets: 0 \| Bytes: - \| Rate(pps): 0 \| Rate(bps): - --------------------------------------------------------------------- Dropped \| Packets: 0 \| Bytes: - \| Rate(pps): 0 \| Rate(bps): - --------------------------------------------------------------------- Filter \| Packets: 0 \| Bytes: - --------------------------------------------------------------------- Car \| Packets: 0 \| Bytes: - --------------------------------------------------------------------- <GPON La Linea>display acl 3000 Advanced ACL 3000, 8 rules Acl's step is 5 rule 145 permit udp destination X.5.2.101 0 rule 145 description CASTIXXXXX rule 185 permit udp destination X.5.2.111 0 rule 185 description TELEXXXXX rule 190 permit udp destination X.5.2.112 0 rule 190 description LA OXXXX rule 580 permit udp destination X.5.2.140 0 rule 580 description Sevixxxx rule 590 permit udp destination X.5.2.137 0 rule 590 description Interxxxxx rule 645 permit udp destination X.192.0.17 0 rule 645 description Bexxx rule 650 permit udp destination X.1.1.89 0 rule 650 description Sevxxxxx rule 999 deny udp <GPON La Linea>display traffic classifier user-defined User Defined Classifier Information: Classifier: c1 Operator: AND Rule(s) : if-match acl 3000 Total classifier number is 1 <GPON La Linea>dis traffic policy user-defined p1 User Defined Traffic Policy Information: Policy: p1 Classifier: c1 Operator: AND Behavior: b1 Statistic: enable <GPON La Linea>dis current-configuration interface XGigabitEthernet 0/0/1 # interface XGigabitEthernet0/0/1 description Servicio TV port link-type access port default vlan 419 stp root-protection stp bpdu-filter enable traffic-policy p1 inbound traffic-policy p1 outbound # return 3. Check the BUG list and applied DTS2018042001972 - ACLs do not take effect after a switch runs for a long time. 4. We also did the tests with protocol ICMP instead of UDP and traffic was matched this time:
Root Cause	Multicast traffic cannot be used for statistics as traffic goes directly to CPU.
Solution	FTP, TFTP, Telnet, SNMP, HTTP, routing, and multicast packets must be sent to the CPU and once the packet is moved to CPU, it’s not possible to obtain traffic statistics for it. Other packets match hardware ACL rules and the number of times the packets match hardware ACL rules can be checked using other methods, such as traffic statistics using traffic-policy. That’s why when the IP rule was used the statistics were obtained.
Suggestions	If we want to confirm that the packets are indeed dropped, it’s good to do port mirroring in outbound interfaces.