Provides examples for configuring and displaying ACL statistics and counters using YANG and CLI commands.
ACL statistics and counters help you monitor access control list usage and rule matches. You can configure and view this data through YANG models or CLI commands.
YANG configuration examples
To configure ACL statistics and counters using YANG:
YANG file: Cisco-IOS-XE-acl-oper.yang
grouping ace-oper-data {
  description
    "ACE operational data";
  leaf match-counter {
    type yang:counter64;
    description
      "Number of matches for an access list entry";
  }
}
Example configuration using the YANG model:
Router# show access-lists access-list ACL-1
ACCESS
CONTROL
LIST     RULE  MATCH
NAME     NAME  COUNTER
------------------------
ACL-1    1     0
         2     0
Router# show access-lists access-list ACL-1 | display xml
<config xmlns="http://tail-f.com/ns/config/1.0">
  <access-lists xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-acl-oper">
    <access-list>
      <access-control-list-name>ACL-1</access-control-list-name>
      <access-list-entries>
        <access-list-entry>
          <rule-name>1</rule-name>
          <access-list-entries-oper-data>
            <match-counter>0</match-counter>
          </access-list-entries-oper-data>
        </access-list-entry>
        <access-list-entry>
          <rule-name>2</rule-name>
          <access-list-entries-oper-data>
            <match-counter>0</match-counter>
          </access-list-entries-oper-data>
        </access-list-entry>
      </access-list-entries>
    </access-list>
  </access-lists>
</config>
Router#
CLI display and clear commands
To display ACL statistics and counters using the CLI, use the command:
show ip access-list [access-list-number | access-list-name]
Example statistics output using the CLI:
Router# show ip access-list ACL-1
Extended IP access list ACL-1
    10 permit ip host 10.1.1.1 any (3 matches)
    30 permit ip host 10.2.2.2 any (27 matches)
To clear the ACL counters, use the command:
clear ip access-list counters {access-list-number | access-list-name}
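The following Python sketch is an added example, not code from the original page or from Cisco. It parses the display xml output shown above into per-rule match counters and compares two polls to list rules that saw no new matches, treating a counter that went down (for example after clear ip access-list counters) as reset. The TEMPLATE string, the second poll's values and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace copied from the XML output shown on this page.
NS = {"acl": "http://cisco.com/ns/yang/Cisco-IOS-XE-acl-oper"}

# Same structure as the page's XML; the two counter values are filled in per poll.
TEMPLATE = """<config xmlns="http://tail-f.com/ns/config/1.0">
<access-lists xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-acl-oper"><access-list>
<access-control-list-name>ACL-1</access-control-list-name><access-list-entries>
<access-list-entry><rule-name>1</rule-name><access-list-entries-oper-data>
<match-counter>{0}</match-counter></access-list-entries-oper-data></access-list-entry>
<access-list-entry><rule-name>2</rule-name><access-list-entries-oper-data>
<match-counter>{1}</match-counter></access-list-entries-oper-data></access-list-entry>
</access-list-entries></access-list></access-lists></config>"""
POLL_1 = TEMPLATE.format(0, 0)  # counter values as shown on the page
POLL_2 = TEMPLATE.format(3, 0)  # constructed later poll (assumption)


def parse_match_counters(xml_text):
    """Return {(acl_name, rule_name): match_counter} from display xml output."""
    root = ET.fromstring(xml_text)
    counters = {}
    for acl in root.iterfind(".//acl:access-list", NS):
        name = acl.findtext("acl:access-control-list-name", namespaces=NS)
        for ace in acl.iterfind("acl:access-list-entries/acl:access-list-entry", NS):
            rule = ace.findtext("acl:rule-name", namespaces=NS)
            hits = ace.findtext(
                "acl:access-list-entries-oper-data/acl:match-counter",
                default="0", namespaces=NS)
            counters[(name, rule)] = int(hits)
    return counters


def hits_between(previous, current):
    """Return matches per rule between two polls of the same ACLs."""
    delta = {}
    for key, now in current.items():
        before = previous.get(key, 0)
        # A counter below its previous value was reset between polls,
        # so everything it shows now was counted after the reset.
        delta[key] = now - before if now >= before else now
    return delta


def idle_rules(previous, current):
    """Return the rules that matched no traffic between the two polls."""
    return sorted(k for k, d in hits_between(previous, current).items() if d == 0)


if __name__ == "__main__":
    print(idle_rules(parse_match_counters(POLL_1), parse_match_counters(POLL_2)))
```

Rules that stay idle across many polls are candidates for review, but a zero count only shows that no packet matched during the observed window.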