Extreme Networks

Rich6 · ‎08-23-2017

Hi, I have an ACL defined to manage general access between subnets across switches, and as part of that some rules have counters assigned to them. The problem I am having is that when I use the show access-list counter command, not all of my counters are showing and I get a list that lookes similar to the below :

# show access-list counter
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
ACCESS_CONTROL * * ingress
Rule1 163
Rule2 0
Rule3 0
not well-formed (invalid data)

if anyone can help I would like to know why it says "not well-formed (invalid data)"
Also if anyone has experience with defined counters not appearing...

i have compared ACL defined rules and cannot see any obviuos syntax differences between rules where the counter works and rules where it does not.. i havwe working counters and non working counters from rules both pretty much identical to the below:

entry Rule1 {
if {
source-address x.x.x.x;
destination-address y.y.y.y;
}
then {
permit;
count Rule1-Counter;
}
}

Any comments appreciated

Thanks

Rich6 · ‎02-14-2018

Hi All. I know this reply is 6 months old now....... This issue went back below radar for a while, and now has raised its head again.... boo, hiss, boo.....

Anyway, I did try changing the naming convention of counters and no difference was seen. The code on the switches in question has been updated and is now 16.1.3.6.

Does anyone else see this "not well-formed (invalid data)" line at the bottom of their counter list?

What is odd, is that some of the counters showing actuall appear to have longer names, use a non standard character (&) and are further down the ACL than other defined counters which do not appear in the counter list?

If anyone else has seen this it might give me an idea on why the ACL passes syntax checking but the deinfed counters seem to be random in the fact that some work and some dont...

Thanks

Rich

Jarek · ‎08-25-2017

Hmmm... maybe it is similar issue -> https://gtacknowledge.extremenetworks.com/articles/Solution/ACL-counter-not-printed-correctly-in-cle...

Please try change counter name and use only a-z A-Z 0-9 and _ - chars.

--
Jarek

Rich6 · ‎08-25-2017

Thanks for the comments Ariyakudi.

I will look at this in more detail, but my initial thought is that the maximum "count" value is not being hit. I cant help going back to the "not well-formed (invalid data)" statement being displayed to me when I look at the list of counters. Are you able to find out what would cause this output from the "show acces-list counter" command? I also wonder if any other ACL's you have access to might also show this?

I have looked at my ACL over and over and I just cannot see any discernable difference (in the ACL) between defined counter statements that are listed by the show command and those which are missing?

here is an example of the output when I look at counters (it is identical on other switch also having the same ACL) :

(fig A) :

# show access-list counter
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
ACCESS_CONTROL * * ingress
Allow103_to200&201_counter 329422
Allow10_68_to201_58_counter 0
Allow10_68_to201_59_counter 0
Allow10_68_to201_61_counter 0
Allow10_68_to201_62_counter 0
Allow144_to102_RDP_Counter 0
Allow144_to240_RDP_Counter 0
Allow145_to200&201_counter 0
Allow178_200_to200_8080_counter 0
Allow_100_to200&201-Counter 1194658
not well-formed (invalid data)

Here are some rules from the ACL. I have copied out a rule which is shown in the "show" output and one that is not.....

Does not show:

entry Allow_MAPI_to200 {
if {
source-address x.x.x.x;
destination-address y.y.y.y;
}
then {
permit;
count Allow_MAPI_to200-Counter;

Does show :

entry Allow_100_to200&201 {
if {
source-address a.a.a.a;
destination-address b.b.b.b;
}
then {
permit;
count Allow_100_to200&201-Counter;
}
}

Additionally the list of "shown" counters (fig A) (above) does seem to be identical on multiple switches (using the exact same ACL in the same way)
but the layout does not seem to be drawn out of the ACL script in an logical order, and does not lead to any clue as the where in the script an error might be, or why counters from much further down the ACL are listed higher than others in (fig A)?

Do you think I should raise this to GTAC?

Thanks in advance for any further help..

Ariyakudi_Srini · ‎08-25-2017

Hi Rich,

In regards to the counters, on Summit family switches, the maximum number of packets that can be counted with token packet-count or count is 4,294,967,296. On the same switches, the maximum number of bytes that can be counted with byte-count is also 4,294,967,296 which is equivalent to 67,108,864 packets that are sized at 64 bytes.

The above piece of information is from the EXOS User Guide.

And considering the acl usage in the switch. The output of "show access-list usage port " can give you an idea of the available space for ACL that is configurable.

But then, if the ACL limit is hit, you would ideally get an error message something in the lines of "Error: ACL install operation failed - slice hardware full for vlan *, port ". But this does not seem to be the case when applying the ACL in the switch.

Thank You,

Extreme Networks

ACL counters not showing

ACL counters not showing