The QoS Packet-Matching Statistics: Per ACE feature allows you to track and display the number of packets and bytes matching individual ACEs that are used in QoS policies (access groups used in class maps).
This feature provides hit counters for ACEs used in QoS policies. When the feature is enabled, the QoS hit counters for the ACEs used in a QoS policy are added to the existing security access list counters for those ACEs. The access list counters can be seen in the following command output:
Router# show ip access-lists
Extended IP access list A1
    10 permit ip 32.1.1.0 0.0.0.255 any (129580275 matches)
Extended IP access list A6and7
    10 permit ip 32.1.6.0 0.0.0.255 any (341426749 matches)
    20 permit ip 32.1.7.0 0.0.0.255 any (398245767 matches)
Extended IP access list source
    10 permit ip any host 16.1.1.5 (16147976 matches)
The QoS hit counters (for the ACEs used in QoS policies) will be added to the access list counters. We recommend that you pay attention to the following points when you enable this feature:
- Access list counts are not interface specific, as can be seen in the output of the show ip access-lists command (there is no mention of an interface). They are aggregate counters of all the hits, for all the features that use the ACEs and support the counts, across all interfaces and directions.
- Interface-specific counts are provided in the existing QoS command (show policy-map interface) if the QoS Packet-Matching Statistics: Per Filter feature is enabled. However, that command shows only the counts per filter (ACL or access group), not per ACE, as can be seen in the following sample output:
Router# show access-lists
Extended IP access list A1
    10 permit ip 32.1.1.0 0.0.0.255 any (2000 matches)
Router# show policy-map interface GigabitEthernet0/0/2
  Service-policy input: simple
    Class-map: A1-class (match-all)
      1000 packets, 124000 bytes
      5 minute offered rate 4000 bps
      Match: access-group name A1
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 261000 bps, drop rate 0 bps
      Match: any
- If an ACE is present in a QoS filter (match statement within a class map), but the packet does not match the statement, the ACE counter will not be incremented for that packet. This can happen if:
- Access list counts are an aggregate (for a particular ACE) of the hit counts for all the features that use that ACE and support per ACE counts. (In Cisco IOS XE 3.10, only Security and QoS ACLs support per ACE counts, but that may change in future releases.) Therefore, it is possible that a single packet will hit (and be counted by) multiple features using the same ACE, resulting in multiple counts for the same packet (as it traverses each feature). The following is an example of this:
ip access-list extended A1
 permit ip 32.1.1.0 0.0.0.255 any
class-map match-all A1-class
 match access-group name A1
interface GigabitEthernet0/0/2
 ip address 32.0.0.1 240.0.0.0
 ip access-group A1 in
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
 service-policy input simple
Router# show access-lists
Extended IP access list A1
    10 permit ip 32.1.1.0 0.0.0.255 any (2000 matches)
Router# show policy-map interface GigabitEthernet0/0/2
  Service-policy input: simple
    Class-map: A1-class (match-all)
      1000 packets, 124000 bytes
      5 minute offered rate 4000 bps
      Match: access-group name A1
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 261000 bps, drop rate 0 bps
      Match: any
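
When ACL hit counters feed traffic baselines or alerting, the aggregate count above has to be separated from the QoS share before it is read as "packets permitted by the security ACL". The following Python sketch is an added example, not part of the Cisco documentation: it parses the two outputs shown above and subtracts the QoS class count from the aggregate ACL count. The function names are hypothetical, and it assumes each class has a single access-group match, both outputs were captured at the same time, and the policy-map output covers every interface where the class is attached.

```python
import re

# Counter values copied from the sample output on this page (rate lines omitted).
ACL_OUTPUT = """Extended IP access list A1
    10 permit ip 32.1.1.0 0.0.0.255 any (2000 matches)
"""
POLICY_OUTPUT = """Service-policy input: simple
Class-map: A1-class (match-all)
1000 packets, 124000 bytes
Match: access-group name A1
Class-map: class-default (match-any)
0 packets, 0 bytes
Match: any
"""

def parse_acl_counters(text):
    """Return {acl_name: {sequence: matches}}; an ACE printed without a counter is 0."""
    acls, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*(?:Extended|Standard) IP access list (\S+)", line)
        ace = re.match(r"\s*(\d+) (?:permit|deny) .*?(?:\((\d+) match(?:es)?\))?\s*$", line)
        if header:
            current = acls.setdefault(header.group(1), {})
        elif ace and current is not None:
            current[int(ace.group(1))] = int(ace.group(2) or 0)
    return acls

def parse_policy_classes(text):
    """Return {class_name: {"packets": n, "acls": [names]}} (per-filter view)."""
    classes, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Class-map: (\S+)", line):
            current = classes.setdefault(m.group(1), {"packets": 0, "acls": []})
        elif current and (m := re.match(r"(\d+) packets, ", line)):
            current["packets"] = int(m.group(1))
        elif current and (m := re.match(r"Match: access-group name (\S+)", line)):
            current["acls"].append(m.group(1))
    return classes

def split_hits(acl_text, policy_text):
    """Per ACL: aggregate ACE hits, hits counted by QoS classes, and the remainder."""
    classes = parse_policy_classes(policy_text)
    result = {}
    for name, aces in parse_acl_counters(acl_text).items():
        total = sum(aces.values())
        qos = sum(c["packets"] for c in classes.values() if name in c["acls"])
        result[name] = {"aggregate": total, "qos": qos, "other": total - qos}
    return result

print(split_hits(ACL_OUTPUT, POLICY_OUTPUT))
```

Because the policy-map counters are per filter and not per ACE, the split is only meaningful for the ACL as a whole, not for an individual ACE in a multi-entry list.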