show statistics access-list

Displays ACL statistics for an ACL type and inbound/outbound direction.

Syntax

show statistics access-list { ip | ipv6 | mac } acl-name { in | out }
show statistics access-list interface { ethernet slot / port | port-channel index | ve vlan_id | vlan vlan_id } { in | out }
show statistics access-list interface management mgmt-id in
show statistics access-list { ip | ipv6 } acl-name interface [ ethernet slot / port | port-channel index | ve vlan_id ] { in | out }
show statistics access-list { ip | ipv6 } acl-name interface management mgmt-id in
show statistics access-list mac acl-name interface [ ethernet slot / port | port-channel index | vlan vlan_id ] { in | out }
show statistics access-list receive { ip | ipv6 } acl-name
show statistics access-list global-subnet-broadcast ip acl-name
show statistics access-list subnet-broadcast ip acl-name [ interface { ethernet slot / port | ve vlan_id } ]

Parameters

interface
Filter by interface.
ethernet
Specifies a physical Ethernet interface.
slot
Specifies a valid slot number. For devices that do not support line cards, specify 0.
port
Specifies a valid port number.
port-channel index
Specifies a port-channel interface.
ve vlan_id
Specifies a virtual Ethernet (VE) interface.
vlan vlan_id
Specifies a VLAN interface.
management mgmt-id
Specifies the management interface. The only supported value is 0.
in | out
Specifies the ACL binding direction (incoming or outgoing).
ip | ipv6 | mac
Specifies the network protocol.
acl-name
Specifies the ACL name.
receive
Specifies an IPv4 or IPv6 rACL.
global-subnet-broadcast ip
Specifies an IP broadcast ACL (bACL) applied at device level.
subnet-broadcast ip
Specifies an IP broadcast ACL (bACL) applied at physical-interface or VE level.

Modes

Privileged EXEC mode

Usage Guidelines

You can show statistics for a specific ACL, or only for that ACL on a specific interface. You can display statistics for all ACLs bound to a physical interface, the management interface, a VLAN, or a VE. You can display statistics for IPv4 or IPv6 receive-path ACLs (rACLs), and for IP broadcast ACLs (bACLs).

Statistics are displayed only for rules that contain the count keyword.

When ACLs of multiple types are applied to an interface and a packet matches rules in more than one of them, the counter is incremented only for the higher-priority match. Processing priority is as follows: rACLs > PBR > Layer 3 ACLs > Layer 2 ACLs.

Output

The show statistics access-list command displays the following information:

Unaccountable
The counter resource is not allocated. This is typically seen if counting is not supported or if the hardware resources limit is reached.
Unwritten
The rule is inactive and is not programmed in the hardware. This is typically seen when the hardware resources limit is reached.

Examples

The following example displays inbound ACL statistics for a named IPv4 ACL.
device# show statistics access-list ip l3ext in 
ip access-list l3ext Ethernet 1/8 in
seq 76 deny ip 10.10.75.10 0.0.0.0 any count log (795239 frames)
seq 77 hard-drop ip 10.10.75.10 0.0.0.0 10.10.11.0 0.0.0.255 count log (0 frames)
seq 78 hard-drop ip any 10.10.11.0 0.0.0.255 count log (0 frames)
seq 79 hard-drop ip any 10.10.0.0 0.0.255.255 count log (0 frames)
seq 80 hard-drop ip 10.10.75.10 0.0.0.0 any count log (0 frames)
seq 81 hard-drop ip 10.10.75.0 0.0.0.0 10.10.0.0 0.0.255.255 count log (0 frames)
seq 91 hard-drop ip any any count (0 frames)
seq 100 deny udp 10.10.75.0 0.0.0.255 10.10.76.0 0.0.0.255 count log (0 frames)
seq 1000 permit ip any any count log (0 frames)
The following example displays inbound ACL statistics for a specific interface. The ACL named ipv6-std-acl is applied on interface 4/1 to filter incoming routed traffic only.
device# show statistics access-list interface ethernet 4/1 in
ipv6 routed access-list ipv6-std-acl on Ethernet 4/1 at Ingress (From User)
    seq 10 permit host 0:1::1
    seq 20 deny 0:2::/64 
    seq 30 deny any count (100 frames)
The following example displays inbound statistics for all ACLs bound to a specific VE interface.
device# show statistics access-list interface ve 3010 in
ipv6 access-list ip_acl_3 on Ve 3010 at Ingress (From User)
    seq 10 deny ipv6 2001:3010:131:35::/64 2001:1001:1234:1::/64 count (0 frames)
    seq 20 permit ipv6 2001:3010:131:35::/64 2001:3001:1234:1::/64 
The following example displays inbound statistics for ACLs on the management interface.
device# show statistics access-list interface management 0 in
ip access-list mgmt-acl on Management 0 at Ingress (From User)
    seq 1 deny tcp host 1.1.1.1 any count (12854 frames)
    seq 2 deny udp host 2.2.2.2 any count (94 frames)
    seq 3 permit tcp any any 
    seq 4 permit udp any any 

ipv6 access-list mgmt-aclv6 on Management 0 at Ingress (From User)
    seq 1 permit tcp host 2001:4888:a3f:8036:b1b::112 any 
    seq 2 deny udp host 2001:4888:a3f:8036:b1c::113 any count (324 frames)
    seq 3 permit tcp any any count (4876 frames)
    seq 4 deny udp any any count (284 frames)
This example displays statistics for packets that meet the permit and deny rules that are configured for control plane protection.
device# show statistics access-list receive ip ip-ssh
ip access-list extended ip-ssh
    seq 5 deny tcp any 14.14.14.14 0.0.0.0 eq 22 count (25 frames)
    seq 10 permit tcp 10.10.10.10 0.0.0.255 any eq 22 count (26 frames)
    seq 20 permit tcp 11.11.11.11 0.0.0.255 any eq 22 count (26 frames)
    seq 100 deny tcp any any eq 22 count (26 frames)
The following example displays an ACL definition that supports filtering non-fragmented packets.
device# show statistics access-list interface ethernet 0/7 in
ip access-list new_acl on Ethernet 0/7 at Ingress (From User)
    seq 10 permit ip any any non-fragment count (0 frames)
The following example displays an ACL definition that supports filtering fragmented packets.
device# show statistics access-list interface ethernet 0/7 in
ip access-list test on Ethernet 0/8 at Ingress (From User)
    seq 10 permit ip any any fragment

Example

The following example displays an ACL definition that supports flow-based ingress mirroring.
device# show statistics access-list interface ethernet 0/2 in
ip access-list mac1 on Ethernet 0/2 at Ingress (From User)
    seq 10 permit any host 1111.2222.3333 count mirror (100 frames)
    seq 20 permit host 4444.5555.6666 any count (200 frames)

Example

The following example displays an ACL definition that supports flow-based egress mirroring.
device# show statistics access-list interface ethernet 0/1 out
ip access-list mac1 on Ethernet 0/1 at Egress (From User)
    seq 10 permit any host 1111.2222.3333 count mirror (0 frames)
    seq 20 permit host 4444.5555.6666 any count (0 frames)
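The Usage Guidelines above note that statistics appear only for rules carrying the count keyword, and the examples show the per-rule "(N frames)" counter format. The following Python is an added example, not part of this command reference and not vendor code: it parses that output into per-ACL, per-rule records, reports deny/hard-drop rules that have actually matched traffic, lists rules that have no counter (monitoring blind spots), and computes per-poll increments between two snapshots, since the displayed counters are cumulative. The sample output embedded below is constructed in the format shown on this page, not captured from a device, and the header pattern assumes the "proto [routed] access-list [extended] NAME binding..." shape seen in the examples.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modeled on the output shown in this reference (not a real capture).
SAMPLE_OUTPUT = """\
ip access-list mgmt-acl on Management 0 at Ingress (From User)
    seq 1 deny tcp host 1.1.1.1 any count (12854 frames)
    seq 2 deny udp host 2.2.2.2 any count (94 frames)
    seq 3 permit tcp any any
    seq 4 permit udp any any

ipv6 access-list mgmt-aclv6 on Management 0 at Ingress (From User)
    seq 1 permit tcp host 2001:4888:a3f:8036:b1b::112 any
    seq 2 deny udp host 2001:4888:a3f:8036:b1c::113 any count (324 frames)
    seq 3 permit tcp any any count (4876 frames)
    seq 4 deny udp any any count (284 frames)
"""

# A constructed later poll of the first ACL: seq 1 grew, seq 2 was cleared.
SAMPLE_OUTPUT_LATER = """\
ip access-list mgmt-acl on Management 0 at Ingress (From User)
    seq 1 deny tcp host 1.1.1.1 any count (13000 frames)
    seq 2 deny udp host 2.2.2.2 any count (10 frames)
"""

# Header: "<ip|ipv6|mac> [routed] access-list [extended|standard] <name> <binding text>"
HEADER_RE = re.compile(
    r"^(ip|ipv6|mac)\s+(?:routed\s+)?access-list\s+(?:(?:extended|standard)\s+)?(\S+)(?:\s+(.*))?$"
)
RULE_RE = re.compile(r"^seq\s+(\d+)\s+(permit|deny|hard-drop)\s+(.*?)\s*$")
FRAMES_RE = re.compile(r"\((\d+)\s+frames\)\s*$")


@dataclass
class Rule:
    seq: int
    action: str
    match: str              # rule body with the trailing counter removed
    counted: bool           # True only when the rule carries the count keyword
    frames: Optional[int]   # None when no counter is displayed


@dataclass
class AclStats:
    proto: str
    name: str
    binding: str            # e.g. "on Management 0 at Ingress (From User)"
    rules: List[Rule] = field(default_factory=list)


def parse_acl_statistics(text: str) -> List[AclStats]:
    """Parse `show statistics access-list` output into AclStats records."""
    acls: List[AclStats] = []
    current: Optional[AclStats] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            current = AclStats(h.group(1), h.group(2), (h.group(3) or "").strip())
            acls.append(current)
            continue
        r = RULE_RE.match(line)
        if r and current is not None:
            body = r.group(3)
            frames = None
            m = FRAMES_RE.search(body)
            if m:                       # only rules with "count" print a counter
                frames = int(m.group(1))
                body = body[: m.start()].rstrip()
            counted = re.search(r"\bcount\b", body) is not None
            current.rules.append(Rule(int(r.group(1)), r.group(2), body, counted, frames))
    return acls


def deny_rules_with_hits(acls: List[AclStats]):
    """Deny/hard-drop rules with a non-zero counter: the policy is actively blocking traffic here."""
    return [(a.name, r.seq, r.frames)
            for a in acls for r in a.rules
            if r.action in ("deny", "hard-drop") and r.frames]


def uncounted_rules(acls: List[AclStats]):
    """Rules without the count keyword never report statistics, so they cannot be monitored."""
    return [(a.name, r.seq) for a in acls for r in a.rules if not r.counted]


def counter_deltas(before: List[AclStats], after: List[AclStats]):
    """Per-rule increment between two polls, keyed by (ACL name, binding, seq).
    A counter lower than the previous value is treated as cleared and reported as-is."""
    prev = {(a.name, a.binding, r.seq): r.frames
            for a in before for r in a.rules if r.frames is not None}
    deltas = {}
    for a in after:
        for r in a.rules:
            if r.frames is None:
                continue
            key = (a.name, a.binding, r.seq)
            old = prev.get(key, 0)
            deltas[key] = r.frames if r.frames < old else r.frames - old
    return deltas


if __name__ == "__main__":
    acls = parse_acl_statistics(SAMPLE_OUTPUT)
    print("deny hits:", deny_rules_with_hits(acls))
    print("uncounted:", uncounted_rules(acls))
    print("deltas:", counter_deltas(acls, parse_acl_statistics(SAMPLE_OUTPUT_LATER)))
```

In practice the text would come from the device session rather than the embedded sample; the deltas function is the piece worth wiring to alerting, because the raw counters only grow until cleared.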