Recently a customer asked how to view detailed ACL statistics on devices running IOS-XE, such as the ASR1000 and ASR903. The customer had migrated from the 7600 platform to the ASR1000 platform, and on the Cisco 7600 there is a command that shows a detailed, per-entry statistics view. Let's look at this with the help of an example.
In the example below, an object-group is configured on the 7600 platform and referenced in the ACL. On the 7600, the command show tcam interface <int> acl in ip shows the detailed (expanded) view of the ACLs together with the counters for each entry referenced from the object-group.
7600-RTR# sh ip access-lists internet_in
Extended IP access list internet_in
10 permit ip addrgroup test any
20 deny ip addrgroup test1 any
30 permit tcp host 184.108.40.206 host 220.127.116.11 eq bgp
7600-RTR#sh object-group test1 | in 10.10.10.10
7600-RTR#show tcam interface Gi3/1 acl in ip | in 10.10.10.10
deny ip host 10.10.10.10 any (4 matches)
Thus, if there are 10 host entries in the object-group, the show tcam output will contain 10 entries of the form “deny ip host <host-ip-address> any”, with individual statistics for each entry.
This command is not available on platforms running IOS-XE, so it becomes difficult to view the detailed statistics with respect to each object-group entry.
On IOS-XE platforms there is a hidden keyword, “expand”, for the show ip access-list command, which displays the expanded view of the ACL. To enable the hidden keyword, service internal must be configured. That command enables hidden and internal platform commands that are used for troubleshooting purposes.
show ip access-list <name> expand
If the object-groups are large, the command above dumps hundreds of ACEs. It is generally used for troubleshooting purposes and is available only in XE 3.x releases; it is not available in Polaris (16.x) releases.
object-group network test
object-group network test1
ip access-list extended internet_in
deny ip object-group test any
deny ip object-group test1 any
permit tcp host 18.104.22.168 host 22.214.171.124 eq bgp
deny ip any any
XE-1# show ip access-list internet_in expand
10 deny ip host 10.10.10.10 any (8 matches)
20 deny ip host 126.96.36.199 any (13 matches)
30 deny ip host 188.8.131.52 any
40 deny ip host 184.108.40.206 any
50 permit tcp host 220.127.116.11 host 18.104.22.168 eq bgp
60 deny ip any any (30 matches)
If the object-group list is large, it is recommended to filter the output down to the specific host entries of interest.
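As an added illustration (not part of the original post), the following Python parses the expanded ACL output shown above, embedded here as a constructed sample string, and filters it to the ACEs for a single host, which is the kind of filtering the recommendation above calls for. The parser, its field names and the helper functions are my own and assume the ACE layout seen in the sample (sequence, action, protocol, source, destination, optional port qualifier, optional "(N matches)" counter).

```python
import re

# Constructed sample: the expanded output shown on the page, not a live capture.
SAMPLE_EXPAND = """\
XE-1# show ip access-list internet_in expand
10 deny ip host 10.10.10.10 any (8 matches)
20 deny ip host 126.96.36.199 any (13 matches)
30 deny ip host 188.8.131.52 any
40 deny ip host 184.108.40.206 any
50 permit tcp host 220.127.116.11 host 18.104.22.168 eq bgp
60 deny ip any any (30 matches)
"""

# One expanded ACE: "<seq> <permit|deny> <proto> <src> <dst> [qualifier] [(N matches)]"
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<rest>.+?)(?:\s+\((?P<matches>\d+) matches\))?\s*$"
)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    first = tokens.pop(0)
    if first == "host":
        return tokens.pop(0)
    if IPV4.match(first) and tokens and IPV4.match(tokens[0]):
        return first + " " + tokens.pop(0)   # network plus wildcard mask
    return first                             # 'any'

def parse_expand(output):
    """Return one dict per ACE; an ACE without a counter gets matches=0."""
    aces = []
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue                         # prompt line or other non-ACE text
        tokens = m.group("rest").split()
        src, dst = _take_addr(tokens), _take_addr(tokens)
        aces.append({"seq": int(m.group("seq")), "action": m.group("action"),
                     "proto": m.group("proto"), "src": src, "dst": dst,
                     "qualifier": " ".join(tokens),
                     "matches": int(m.group("matches") or 0)})
    return aces

def hits_for_host(aces, host):
    """Keep only ACEs whose source or destination is exactly this host."""
    return [a for a in aces if host in (a["src"], a["dst"])]
```

Paste the real `show ip access-list <name> expand` output in place of the sample and call `hits_for_host(parse_expand(output), "<host>")` to get the per-entry counters for one object-group member without scrolling through the full dump.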