ACL counters not showing
‎08-23-2017 10:02 AM
Hi, I have an ACL defined to manage general access between subnets across switches, and as part of that some rules have counters assigned to them. The problem I am having is that when I use the show access-list counter command, not all of my counters are showing and I get a list that looks similar to the below:
# show access-list counter
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
ACCESS_CONTROL * * ingress
Rule1 163
Rule2 0
Rule3 0
not well-formed (invalid data)
If anyone can help, I would like to know why it says "not well-formed (invalid data)".
Also, if anyone has experience with defined counters not appearing...
I have compared ACL defined rules and cannot see any obvious syntax differences between rules where the counter works and rules where it does not. I have working counters and non-working counters from rules both pretty much identical to the below:
entry Rule1 {
    if {
        source-address x.x.x.x;
        destination-address y.y.y.y;
    }
    then {
        permit;
        count Rule1-Counter;
    }
}
Any comments appreciated
Thanks
11 REPLIES
‎08-23-2017 01:30 PM
To say they are routed by the current device is not entirely accurate, but could be depending on VRRP master/backup status etc. This ACL does exist on all devices which could possibly handle the L3 traffic defined in the rule. Communication between these x and y is blocked by a catch-all at the bottom of the ACL unless specific IPs are defined as per the above example. The issue is not that the counter is not incrementing, but that it does not appear in the list at all.
‎08-23-2017 10:59 AM
Are x-x-x-x and y-y-y-y always on different subnets, both routed via your current device?
