How do I read ACL hit counters on a Cisco Catalyst 3560e switch?
Solution 1
If the ACL is being hit, you should see counters in sh access-list:

sw# sh run | i access-list 2
access-list 2 remark remote management acl
access-list 2 permit 192.168.0.0 0.0.255.255
access-list 2 permit 10.11.0.0 0.0.255.255
sw# sh ip access-lists
Standard IP access list 2
    10 permit 192.168.0.0, wildcard bits 0.0.255.255 (79 matches)
    20 permit 10.11.0.0, wildcard bits 0.0.255.255
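The "(N matches)" suffix in that output is the only per-entry counter IOS gives you, so it is worth collecting. The script below is an added example, not part of the answer: it parses constructed show ip access-lists output in that format (the ACL name MGMT-IN and its entries are made up) and lists the deny entries that have actually been hit, which is what a quick review of a management ACL usually needs.

```python
import re

# Constructed sample in the format "show ip access-lists" prints on Cisco IOS.
# IOS only appends "(N matches)" to entries that have been hit at least once.
SAMPLE_OUTPUT = """\
Standard IP access list 2
    10 permit 192.168.0.0, wildcard bits 0.0.255.255 (79 matches)
    20 permit 10.11.0.0, wildcard bits 0.0.255.255
Extended IP access list MGMT-IN
    10 permit tcp 10.11.0.0 0.0.255.255 any eq 22 (1205 matches)
    20 deny ip any any log (3 matches)
"""

ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
# seq, action, rule text, optional "(N match)" / "(N matches)" counter
ACE_LINE = re.compile(r"^\s+(\d+) (permit|deny) (.+?)(?: \((\d+) matches?\))?\s*$")


def parse_access_lists(text):
    """Return {acl_name: [(seq, action, rule, matches), ...]}.
    Entries printed without a counter suffix are reported as 0 matches."""
    acls = {}
    current = None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(2)
            acls[current] = []
            continue
        m = ACE_LINE.match(line)
        if m and current is not None:
            seq, action, rule, matches = m.groups()
            acls[current].append((int(seq), action, rule, int(matches or 0)))
    return acls


def hit_deny_entries(acls):
    """Deny entries with a non-zero counter: traffic the ACL actually blocked."""
    return [(name, seq, rule, n)
            for name, entries in acls.items()
            for seq, action, rule, n in entries
            if action == "deny" and n > 0]


if __name__ == "__main__":
    parsed = parse_access_lists(SAMPLE_OUTPUT)
    for name, entries in parsed.items():
        for seq, action, rule, n in entries:
            print(f"{name:10} {seq:>4} {action:6} {rule:45} {n} matches")
    for name, seq, rule, n in hit_deny_entries(parsed):
        print(f"blocked traffic on {name} seq {seq}: {rule} ({n} matches)")
```

Run it periodically and diff the counters between runs; a deny entry whose count starts climbing is worth a closer look.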
Solution 2
That example is from a PIX firewall. I believe that the default behavior of showing the match counter has been removed in later versions of Cisco IOS.
You can try to mimic this behavior by appending 'log' to the end of your ACL entries:
access-list 10 deny 10.1.2.0 0.0.0.255 log
Tim
Updated on September 18, 2022
Tim over 1 year
I have a Cisco Catalyst 3560e switch, and I'm trying to learn how to work with ACLs. I've created a simple ACL and tested it by sending packets through the switch, and it seems to work. Some documentation indicates that I can see a count of the number of times an ACL is hit. A typical example (taken from a book) is:
PIX# sho access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list Inbound; 15 elements
access-list Inbound permit tcp any host web1.gad.net eq www (hitcnt=42942)
access-list Inbound permit tcp any host web1.gad.net eq ssh (hitcnt=162)
...
If I do the same thing on my switch I don't see the counters:
> sho access-list
Standard IP access list 1
    10 deny 10.0.0.2
    20 permit any
Are ACL counters supported on this switch? (How would I know, if not? I can't see anything about this in the release notes.) Am I missing some configuration?