On 20/03/13 14:42, "Rolf Hanßen" wrote:
> Hello,
>
> Just wanted to drop some UDP flooding with an interface ACL.
> I configured:
>
> interface Vlan1373
>   ip access-group block-flood in
> exit
>
> Access-list is very simple:
> edge1-ams3#sh ip access-lists block-flood
> Extended IP access list block-flood
>      10 deny udp any host 1.2.3.4 (589878 matches)
>      20 permit ip any any (149516 matches)
> edge1-ams3#
>
> edge1-ams3#sh int  Vl1373 | inc  input rate
>    30 second input rate 2772775000 bits/sec, 435403 packets/sec
> edge1-ams3#
>
> The interface has a quite high amount of pps, but the ACL hit count
> increases only by less than 200/sec for both entries together.
>
> Does that ACL not filter all traffic passing the interface, or why does the
> delta of ACL hits not match the number of incoming pps?
> Maybe it counts only packets going to the RP, or something is cached and
> counts only every x packets?

Typically you will find the ACL counters on hardware platforms may under-count, unless you enable specific features.

On Sup2T, you want:

ip access-list ...
  hardware statistics

You may (or may not) find OAL interesting as well.

See here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup2T/ios_acl_support.html#wp1111231
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
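One way to put a number on the mismatch Rolf describes, as an added example that is not part of the thread: parse two snapshots of `show ip access-lists` plus the `input rate` line, compute the per-ACE hit rate, and compare it with interface pps. The sample CLI output is constructed from the figures in the thread (the second snapshot and the 10-second interval are assumptions), so the script runs offline.

```python
import re

# Constructed sample output modelled on the CLI snapshots in the thread
# (not captured from a real device). ACL_T0/ACL_T1 are assumed to be
# taken SAMPLE_INTERVAL seconds apart.
SAMPLE_INTERVAL = 10  # seconds between snapshots (assumption)

ACL_T0 = """Extended IP access list block-flood
     10 deny udp any host 1.2.3.4 (589878 matches)
     20 permit ip any any (149516 matches)
"""
ACL_T1 = """Extended IP access list block-flood
     10 deny udp any host 1.2.3.4 (591300 matches)
     20 permit ip any any (150000 matches)
"""
INTF = "   30 second input rate 2772775000 bits/sec, 435403 packets/sec"

ACE_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+\((\d+) matches\)\s*$", re.M)
PPS_RE = re.compile(r"(\d+) packets/sec")


def parse_ace_counters(text):
    """Map ACE sequence number -> (ace text, match count)."""
    return {int(seq): (ace, int(hits)) for seq, ace, hits in ACE_RE.findall(text)}


def parse_input_pps(text):
    """Extract the 'packets/sec' figure from the interface rate line."""
    m = PPS_RE.search(text)
    if not m:
        raise ValueError("no 'packets/sec' field in interface output")
    return int(m.group(1))


def acl_hit_rate(before, after, interval):
    """Per-ACE hit delta per second between two counter snapshots."""
    b, a = parse_ace_counters(before), parse_ace_counters(after)
    return {seq: (a[seq][1] - b[seq][1]) / interval for seq in a if seq in b}


def counter_coverage(before, after, intf_text, interval):
    """Fraction of interface input pps that the ACL counters account for.
    Near 1.0: counters reflect forwarded traffic. Near 0: the under-counting
    the reply describes (hardware-forwarded packets not being counted)."""
    rates = acl_hit_rate(before, after, interval)
    pps = parse_input_pps(intf_text)
    return sum(rates.values()) / pps if pps else 0.0


if __name__ == "__main__":
    cov = counter_coverage(ACL_T0, ACL_T1, INTF, SAMPLE_INTERVAL)
    print(f"ACL hits account for {cov:.3%} of input pps")
```

Run the same check after enabling `hardware statistics` on the ACL; the coverage figure should climb towards 1.0 if the counters now include hardware-switched packets.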