ACL Statistics

After an ACL has been configured and applied to an interface and has blocked some traffic, we can check its statistics using the show access-lists command. The command shows statistics for each statement that has been matched. The figure below illustrates some statistics on ACLs.

[Figure: ACL statistics]

Note that some matches have been found. When traffic matches an ACL statement and the ACL takes action on that traffic, the match count is displayed here. The match counts shown in the output of the show access-lists command increase as matching traffic increases. For example, the above ACL is configured for network 192.168.30.0/24. If someone other than PC1 sends a ping to this network, the ACL will drop the packets and the match count for the deny statement will increase. If host 192.168.10.10 sends a ping to this network, the match count for the permit statement will increase.

[Figure: ACL statistics]

Now examine the following ACL configuration.

[Figure: ACL statistics]

Both permit and deny statements track match information, but the ACL has an implied deny any as its last statement. This statement does not appear in the output of the show access-lists command, so statistics for it do not appear either. To view statistics for the implied deny any statement, configure the statement manually; it will then appear in the output. If the deny any statement is not configured as the last statement in the ACL, it could cause unexpected results.
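The following added example (not part of the original page) parses show access-lists output, totals the permit and deny matches per ACL, and reports whether the ACL ends in an explicit deny any so that its drops are counted. The sample output is constructed, the function names are hypothetical, and the line format "(N matches)" is an assumption about the device's output.

```python
import re

# Constructed sample of `show access-lists` output (not taken from the page's figures).
SAMPLE = """\
Standard IP access list 1
    10 permit 192.168.10.10 (4 matches)
    20 deny any (8 matches)
Standard IP access list 2
    10 permit 192.168.10.10 (1 match)
    20 permit 192.168.20.0, wildcard bits 0.0.0.255
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)")
# Sequence number, action, match criteria, optional counter such as "(4 matches)".
ENTRY = re.compile(
    r"^\s+(\d+) (permit|deny)\s+(.*?)(?: \((\d+) match(?:es|\(es\))?\))?\s*$"
)

def parse_acls(text):
    """Return {acl_name: [(seq, action, criteria, matches), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = acls.setdefault(m.group(2), [])
        elif current is not None and (m := ENTRY.match(line)):
            seq, action, criteria, hits = m.groups()
            # A statement that has never matched is printed without a counter.
            current.append((int(seq), action, criteria.strip(), int(hits or 0)))
    return acls

def summarize(acls):
    """Per ACL: permit/deny totals and whether drops by the final deny are counted."""
    report = {}
    for name, entries in acls.items():
        last = entries[-1] if entries else None
        # Only an explicit final "deny any" exposes the otherwise implied deny.
        explicit = bool(last and last[1] == "deny" and last[2] in ("any", "ip any any"))
        report[name] = {
            "permit": sum(e[3] for e in entries if e[1] == "permit"),
            "deny": sum(e[3] for e in entries if e[1] == "deny"),
            "implied_deny_counted": explicit,
        }
    return report

if __name__ == "__main__":
    for name, row in summarize(parse_acls(SAMPLE)).items():
        print(name, row)
```

In the sample, ACL 2 shows no deny matches at all, which only means its implied deny any is not being counted, not that nothing was dropped.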

We can clear the ACL statement counters using the clear access-list counters command. We can use this command alone or with the number or name of a specific ACL. The figure below illustrates the cleared state of the ACL.