How to display ACL counters attached to snmp?


I have created an ACL called acl167.pol that has a few IP addresses permitted to access the switch via snmp readonly. Here is the ACL:

entry e1 {
    if { source-address 1xx.72.68.38/32; }
    then { permit; count e1; }
}
entry e2 {
    if { source-address 1xx.72.200.158/32; }
    then { permit; count e2; }
}
entry e3 {
    if { source-address 1xx.72.200.194/32; }
    then { permit; count e3; }
}
entry e4 {
    if { source-address 1xx.72.43.0 mask 255.255.255.128; }
    then { permit; count e4; }
}
entry denyall {
    if { }
    then { deny; count denyall; }
}

I apply it to snmp here:

configure snmp access-profile acl167 readonly

Now, I'd like to see if the counters are incrementing but I can't figure out how to do that. Here are a couple more commands to show:

Eng_lab_8810A.39 # ls
-rw-rw-rw- 1 root 0 398 Feb 24 13:45 acl167.pol
-rw-rw-rw- 1 root 0 370165 Feb 24 13:32 primary.cfg
drwxrwxrwx 2 root 0 0 Feb 13 18:27 vmt
-rw-rw-rw- 1 root 0 6605 Feb 19 08:40 voice_subnet_restriction.pol

The other ACL is attached to a vlan and it is the only one that shows up when I do a:

Eng_lab_8810A.42 # sh access-list counter
Policy Name Vlan Name Port Direction Counter Name Packet Count Byte Count
==================================================================
voice_subnet_restriction voice990 * ingress denyallcntr 188456
Eng_lab_8810A.43 #

Any idea how I can show the counters for acl167.pol?

8 replies

Userlevel 5
Hi Jim,

To see the counters from an access-profile you need to get the counters for that specific process. The normal counters do apply to the port or vlan statistics.

To display the snmp process counter statistics, use the "show access-list counters process snmp" command.

The permit or deny counters are updated accordingly, regardless of whether the rule is configured to add counters.

Thanks,

Ron
Hi Ron - Thanks for the response. I went ahead and did as you suggested, but was unable to get any results. I have the ACL applied to the snmp process, but the output of 'show access-list counter process snmpMaster' returns no ACLs. Here are some show commands showing snmp is enabled and the ACL is applied, but in the end it shows as not applied:

configure snmp access-profile acl167 readonly
------------------------------------------
Eng_lab_8810A.8 # sh snmp vr "VR-Default"
SNMP access : Enabled
SNMP ifMib ifAlias size : Default
SNMP Traps : Enabled
SNMP TrapReceivers : None
SNMP stats: InPkts 72 OutPkts 0 Errors 0 AuthErrors 72
Gets 0 GetNexts 0 Sets 0 Drops 0
SNMP traps: Sent 0 AuthTraps Enabled
-----------------------------------------
Eng_lab_8810A.2 # sh access-list counter process snmp
================================================================================
Access-list Permit Packets Deny Packets
================================================================================
================================================================================
Total Rules : 0
----------------------------------------

Any other ideas?

Jim
Userlevel 5
Hi Jim,

It looks like this is not working for access-profile based on policy files.

I used two dynamic ACL rules and then it worked:

create access-list pc-1 " source-address 10.10.2.102/32 ;" " permit ;" application "Cli"
create access-list Deny-all " source-address 0.0.0.0/0 ;" " deny ;" application "Cli"

configure snmp access-profile add "pc-1" first
configure snmp access-profile add "Deny-all" after "pc-1"

* X460-48p.3 # sh access-list counter process snmp
================================================================================
Access-list Permit Packets Deny Packets
================================================================================
pc-1 20 0
Deny-all 0 1264
================================================================================
Total Rules : 2

With a similar policy file it does not show the rules. I think that this is wrong behavior.

To have a proper follow up and a possible fix for the policy files, I suggest that you open a TAC case so we can follow the escalation process towards development.

Thanks,

Ron
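As an added example (not code from the thread or from Extreme Networks), the following Python script shows the two sides of Ron's workaround from a monitoring angle: it generates the permit-list plus deny-all chain of dynamic ACL commands in the exact syntax of the `create access-list` / `configure snmp access-profile add` lines above, validating each source prefix first (a masked value like the `1xx.` in the original post is rejected instead of silently producing a bad rule), and it parses the `show access-list counter process snmp` table so that successive polls can be compared and a growing deny counter flagged. The rule names `snmp-permit-N` and `snmp-deny-all`, the source prefixes (documentation ranges) and the two sample counter outputs are all constructed for this example.

```python
import ipaddress
import re

# Constructed allowlist for the example (documentation ranges, not the addresses
# from the thread, which the poster masked). The /25 mirrors entry e4's
# "mask 255.255.255.128".
ALLOWED_SOURCES = ["192.0.2.38/32", "192.0.2.158/32", "198.51.100.0/25"]


def build_snmp_acl_commands(sources, application="Cli"):
    """Return the ExtremeXOS CLI lines for a permit-list + deny-all chain on the
    SNMP process, in the form shown in Ron's reply. Rule names are assumptions
    for this example. Raises ValueError on a prefix that is not a valid network,
    so a masked or mistyped address never becomes a silently wrong rule."""
    cmds = []
    names = []
    for i, src in enumerate(sources, 1):
        net = ipaddress.ip_network(src, strict=True)
        name = f"snmp-permit-{i}"
        names.append(name)
        cmds.append(f'create access-list {name} " source-address {net.with_prefixlen} ;"'
                    f' " permit ;" application "{application}"')
    cmds.append(f'create access-list snmp-deny-all " source-address 0.0.0.0/0 ;"'
                f' " deny ;" application "{application}"')
    # Order matters: the first permit entry goes "first", each later one goes
    # "after" its predecessor, and the deny-all must be last in the chain.
    prev = None
    for name in names + ["snmp-deny-all"]:
        if prev is None:
            cmds.append(f'configure snmp access-profile add "{name}" first')
        else:
            cmds.append(f'configure snmp access-profile add "{name}" after "{prev}"')
        prev = name
    return cmds


# Constructed sample output in the layout of "show access-list counter process snmp".
SAMPLE_POLL_1 = """\
================================================================================
Access-list Permit Packets Deny Packets
================================================================================
snmp-permit-1 20 0
snmp-deny-all 0 1264
================================================================================
Total Rules : 2
"""

SAMPLE_POLL_2 = SAMPLE_POLL_1.replace("snmp-deny-all 0 1264", "snmp-deny-all 0 1290")

# A data row is: rule name, permit packet count, deny packet count.
COUNTER_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_process_counters(output):
    """Parse the per-process counter table into {rule_name: (permit, deny)}.
    Header, separator and "Total Rules" lines do not match the row pattern."""
    counters = {}
    for line in output.splitlines():
        m = COUNTER_ROW.match(line.strip())
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters


def deny_deltas(previous, current, deny_rules=("snmp-deny-all",)):
    """Compare two polls and return {rule: new deny hits} for each deny rule
    whose deny counter grew; a rule missing from a poll counts as zero."""
    grew = {}
    for rule in deny_rules:
        before = previous.get(rule, (0, 0))[1]
        after = current.get(rule, (0, 0))[1]
        if after > before:
            grew[rule] = after - before
    return grew


if __name__ == "__main__":
    for cmd in build_snmp_acl_commands(ALLOWED_SOURCES):
        print(cmd)
    first = parse_process_counters(SAMPLE_POLL_1)
    second = parse_process_counters(SAMPLE_POLL_2)
    for rule, hits in deny_deltas(first, second).items():
        print(f"{rule}: {hits} SNMP packets denied since last poll")
```

In practice the two polls would come from the switch CLI a few minutes apart; a non-zero delta on the deny-all rule is the signal that something outside the allowlist is probing SNMP, which is exactly what the policy-file counters in the original post were meant to reveal.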
Ron Huygens wrote:

Hi Jim,

It looks like this is not working for access-profile based on policy files.

I used two dynamic ACL rules and then it worked:

create access-list pc-1 " source-address 10.10.2.102/32 ;" " permit ;" application "Cli"
create access-list Deny-all " source-address 0.0.0.0/0 ;" " deny ;" application "Cli"

configure snmp access-profile add "pc-1" first
configure snmp access-profile add "Deny-all" after "pc-1"

* X460-48p.3 # sh access-list counter process snmp
================================================================================
Access-list Permit Packets Deny Packets
================================================================================
pc-1 20 0
Deny-all 0 1264
================================================================================
Total Rules : 2

With a similar policy file it does not show the rules. I think that this is wrong behavior.

To have a proper follow up and a possible fix for the policy files, I suggest that you open a TAC case so we can follow the escalation process towards development.

Thanks,

Ron

Thanks Ron - I built the ACL as you suggested and it works also. I'll go ahead and open up a TAC case on this. It's much easier to create a policy than a dynamic ACL. One last question about this. When I was trying the policy, I attached it to snmp with: "configure snmp access-profile acl167 readonly" meaning (I think) that the readonly string is required. How do I require the readonly string with a dynamic ACL? Is there any other keyword after each line?
Userlevel 6
Hello Jim

In your first post you use 1.xx in your policy. The xx are not valid options. Did you do a check policy acl167 on your file?

Try changing those settings to actual IP addresses and see if that gives you other results. As Ron said, you need to look at the counters per process when using access-profiles.

P
Paul Russo wrote:

Hello Jim

In your first post you use 1.xx in your policy. The xx are not valid options. Did you do a check policy acl167 on your file?

Try changing those settings to actual IP addresses and see if that gives you other results. As Ron said, you need to look at the counters per process when using access-profiles.

P

Hi Paul - I used 1.xx to blank out the real address. In the Policy I used the actual IP. Thanks for pointing that out though.
Userlevel 5
Hi Jim,

I did some further investigation. This may be expected behavior, but then we need to be more clear on that in our documentation.
From the documentation it seems that the default counter support is added only for ACL rules and not for policy files. For policy files you must configure a count action. The command "show access-list counters process snmp" is however only mentioned in the dynamic rules section.
I still suggest opening an SR for clarification on this topic.

The readonly / readwrite option is only available for use on a policy file.

Thanks,

Ron
Thanks Ron - I appreciate your time with this. Cheers
