Vinit's Tech Blog

Life has meaning as long as you keep learning.

Viewing Detailed ACL statistics in IOS XE

Recently I had a customer asking a question about how to view detailed ACL statistics on devices running IOS-XE such as ASR1000, ASR903, etc. The problem was the customer migrated from 7600 platform to ASR1000 platform and on Cisco 7600 platform, there is command to view detailed statistics view. Lets try to see this with the help of an example.

In the below example, there is an object-group configured on the 7600 platform and the object-group is referenced in the ACL. On 7600 using the command show tcam interface <int> acl in ip, we can view the detailed / expanded view of the ACL’s and the counters for the referenced entry in the object-group.

7600-RTR# sh ip access-lists internet_in
Extended IP access list internet_in
 10 permit ip addrgroup test any
 20 deny ip addrgroup test1 any
 30 permit tcp host host eq bgp
7600-RTR#sh object-group test1 | in

7600-RTR#show tcam interface Gi3/1 acl in ip | in
 deny ip host any (4 matches)

Thus, if there are 10 host entries in the object-group, there will be 10 entries in the show tcam output for “deny ip host host-ip-address any” and individual statistics for each entry.

This command is not available in platforms running IOS-XE and thus it becomes difficult to view the detailed statistics w.r.t. to each object-group entry.

On IOS-XE platforms, there is a hidden keyword “expand” with the show ip access-list command which displays the expanded view of the ACL. To enable the hidden command, service internal should be configured. This command enables hidden as well as internal platform commands which are used for troubleshooting purposes.

Show ip access-list <name> expand
If object-groups are huge, the above command dumps hundreds of ACE’s. This command is generally used for troubleshooting purpose and is available only in XE 3.X releases and not available in Polaris release i.e. 16.x release. 

object-group network test 
object-group network test1 
ip access-list extended internet_in
 deny ip object-group test any
 deny ip object-group test1 any
 permit tcp host host eq bgp
 deny ip any any
XE-1# show ip access-list internet_in expand
10 deny ip host any (8 matches)
20 deny ip host any (13 matches)
30 deny ip host any
40 deny ip host any
50 permit tcp host host eq bgp
60 deny ip any any (30 matches)

If the object-group list is huge, then it is recommended to filter the output for specific host entries.


Comments are closed