Displays ACL statistics for an ACL type and inbound/outbound direction.
Privileged EXEC mode
You can show statistics for a specific ACL or only for that ACL on a specific interface. You can display statistical information for all ACLs bound to a device physical or management interface, VLAN or VE. You can display statistical information for IPv4 or IPv6 receive-path ACLs. You can display statistical information for IP broadcast ACLs (bACLs).
Statistics are displayed only for rules that contain the count keyword.
When ACLs of multiple types are applied to an interface, for multiple matches the counter is incremented only for the higher priority match. Processing priority is as follows: rACLs > PBR > Layer 3 ACLs > Layer 2 ACLs.
The show statistics access-list command displays the following information:
| Output field | Description |
|---|---|
| Unaccountable | The counter resource is not allocated. This is typically seen if counting is not supported or if the hardware resources limit is reached. |
| Unwritten | The rule is inactive and is not programmed in the hardware. This is typically seen when the hardware resources limit is reached. |
device# show statistics access-list ip l3ext in ip access-list l3ext Ethernet 1/8 in seq 76 deny ip 10.10.75.10 0.0.0.0 any count log (795239 frames) seq 77 hard-drop ip 10.10.75.10 0.0.0.0 10.10.11.0 0.0.0.255 count log (0 frames) seq 78 hard-drop ip any 10.10.11.0 0.0.0.255 count log (0 frames) seq 79 hard-drop ip any 10.10.0.0 0.0.255.255 count log (0 frames) seq 80 hard-drop ip 10.10.75.10 0.0.0.0 any count log (0 frames) seq 81 hard-drop ip 10.10.75.0 0.0.0.0 10.10.0.0 0.0.255.255 count log (0 frames) seq 91 hard-drop ip any any count (0 frames) seq 100 deny udp 10.10.75.0 0.0.0.255 10.10.76.0 0.0.0.255 count log (0 frames) seq 1000 permit ip any any count log (0 frames)
device# show statistics access-list interface ethernet 4/1 in
ipv6 routed access-list ipv6-std-acl on Ethernet 4/1 at Ingress (From User)
seq 10 permit host 0:1::1
seq 20 deny 0:2::/64
seq 30 deny any count (100 frames)
device# show statistics access-list interface ve 3010 in
ipv6 access-list ip_acl_3 on Ve 3010 at Ingress (From User)
seq 10 deny ipv6 2001:3010:131:35::/64 2001:1001:1234:1::/64 count (0 frames)
seq 20 permit ipv6 2001:3010:131:35::/64 2001:3001:1234:1::/64
device# show statistics access-list interface management 0 in
ip access-list mgmt-acl on Management 0 at Ingress (From User)
seq 1 deny tcp host 1.1.1.1 any count (12854 frames)
seq 2 deny udp host 2.2.2.2 any count (94 frames)
seq 3 permit tcp any any
seq 4 permit udp any any
ipv6 access-list mgmt-aclv6 on Management 0 at Ingress (From User)
seq 1 permit tcp host 2001:4888:a3f:8036:b1b::112 any
seq 2 deny udp host 2001:4888:a3f:8036:b1c::113 any count (324 frames)
seq 3 permit tcp any any count (4876 frames)
seq 4 deny udp any any count (284 frames
device# show statistics access-list receive ip ip-ssh
ip access-list extended ip-ssh
seq 5 deny tcp any 14.14.14.14 0.0.0.0 eq 22 count (25 frames)
seq 10 permit tcp 10.10.10.10 0.0.0.255 any eq 22 count (26 frames)
seq 20 permit tcp 11.11.11.11 0.0.0.255 any eq 22 count (26 frames)
seq 100 deny tcp any any eq 22 count (26 frames)
device# show statistics access-list interface ethernet 0/7 in
ip access-list new_acl on Ethernet 0/7 at Ingress (From User)
seq 10 permit ip any any non-fragment count (0 frames)
device# show statistics access-list interface ethernet 0/7 in
ip access-list test on Ethernet 0/8 at Ingress (From User)
seq 10 permit ip any any fragment
device# show statistics access-list interface ethernet 0/2 in
ip access-list mac1 on Ethernet 0/2 at Ingress (From User)
seq 10 permit any host 1111.2222.3333 count mirror (100 frames)
seq 20 permit host 4444.5555.6666 any count (200 frames)
device# show statistics access-list interface ethernet 0/1 out
ip access-list mac1 on Ethernet 0/1 at Egress (From User)
seq 10 permit any host 1111.2222.3333 count mirror (0 frames)
seq 20 permit host 4444.5555.6666 any count (0 frames)