I have a Cisco Catalyst 3560e switch, and I'm trying to learn how to work with ACLs. I've created a simple ACL and tested it by sending packets through the switch, and it seems to work. Some documentation indicates that I can see a count of the number of times an ACL is hit. A typical example (taken from a book) is:
PIX# sho access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list Inbound; 15 elements
access-list Inbound permit tcp any host web1.gad.net eq www (hitcnt=42942)
access-list Inbound permit tcp any host web1.gad.net eq ssh (hitcnt=162)
...
If I do the same thing on my switch I don't see the counters:
> sho access-list
Standard IP access list 1
10 deny 10.0.0.2
20 permit any
Are ACL counters supported on this switch? (How would I know, if not? I can't see anything about this in the release notes.) Am I missing some configuration?
That example is from a PIX firewall. I believe that the default behavior of showing the match counter has been removed in later versions of Cisco IOS.
You can try to mimic this behavior by appending 'log' to the end of your ACL entries:
If the ACL is being hit you should see counters in
sh access-list
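Once counters do show up, the useful thing to do with them is to poll the output and watch which deny entries are growing. As an added example (not from the question or the answer), this Python parser reads show access-list output in both the PIX layout quoted above and the IOS layout, and reports deny entries whose counter increased between two polls. It assumes IOS prints counters as "(N matches)", which the page does not show, and the sample output is constructed.

```python
import re
from typing import Dict, Tuple

Counts = Dict[Tuple[str, str], int]  # (acl_name, entry_text) -> hit count

# Trailing counter: PIX/ASA prints "(hitcnt=N)"; IOS prints "(N matches)" (assumed IOS
# format, not shown on the page). No counter means the platform kept none for that entry.
_COUNTER_RE = re.compile(r"\((?:hitcnt=(\d+)|(\d+) match(?:es)?)\)\s*$")
_IOS_HEADER_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
_IOS_ACE_RE = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\b.*)$")
_PIX_ACE_RE = re.compile(r"^access-list (\S+) ((?:permit|deny)\b.*)$")
_DENY_RE = re.compile(r"^(?:\d+\s+)?deny\b")

# Constructed sample: the question's ACL with 'log' added to the deny entry, as it is
# assumed to appear on IOS once counters are kept.
IOS_SAMPLE = """Standard IP access list 1
    10 deny   10.0.0.2 log (7 matches)
    20 permit any (1523 matches)
"""

def _split_counter(text: str) -> Tuple[str, int]:
    """Return (entry text without its counter, hits); hits is 0 when no counter is shown."""
    m = _COUNTER_RE.search(text)
    if not m:
        return " ".join(text.split()), 0
    return " ".join(text[: m.start()].split()), int(m.group(1) or m.group(2))

def parse_hit_counts(output: str) -> Counts:
    """Parse 'show access-list' output in either IOS or PIX/ASA layout."""
    counts: Counts = {}
    current_acl = None
    for line in output.splitlines():
        h = _IOS_HEADER_RE.match(line)
        if h:  # IOS: one header line, then sequence-numbered entries beneath it
            current_acl = h.group(1)
            continue
        p = _PIX_ACE_RE.match(line)
        if p:  # PIX/ASA: the ACL name is repeated on every entry line
            entry, hits = _split_counter(p.group(2))
            counts[(p.group(1), entry)] = hits
            continue
        a = _IOS_ACE_RE.match(line)
        if a and current_acl is not None:
            entry, hits = _split_counter(a.group(1) + " " + a.group(2))
            counts[(current_acl, entry)] = hits
    return counts

def deny_deltas(before: Counts, after: Counts) -> Counts:
    """Deny entries whose counter grew between two polls, mapped to the increase."""
    return {key: hits - before.get(key, 0) for key, hits in after.items()
            if _DENY_RE.match(key[1]) and hits > before.get(key, 0)}
```

A deny counter that keeps climbing between polls is the direct evidence that the entry is actually blocking traffic; a permit entry at zero tells you the rule is never reached.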