Troubleshoot ACL
Execute the following commands to verify ACL programming on the router.
View Summary of ACLs Programmed on NPU
show platform npu acl summary -n <asic_id>
cisco@sfd-t2-lc0:~$ sudo show platform npu acl summary -n asic0
show acl all
ACL is not binding to L2 SERVICE PORT
+---------------------------------------------------------------------------------------------+
| L3 PORT ACL Bind |
+---------------------+-----------------------+-----------------------+-----------------------+
| L3 AC PORT(gid:oid) | Ingress IPv4 ACL ID/0 | Ingress IPv4 ACL ID/1 | Ingress IPv6 ACL ID/0 |
+---------------------+-----------------------+-----------------------+-----------------------+
| 0x40d:651 | 1769 | 1849 | 1851 |
| 0x449:668 | 1769 | 1849 | 1851 |
| 0x44a:688 | 1769 | 1849 | 1851 |
| 0x44b:708 | 1769 | 1849 | 1851 |
| 0x44c:728 | 1769 | 1849 | 1851 |
| 0x44d:748 | 1769 | 1849 | 1851 |
| 0x447:768 | 1769 | 1849 | 1851 |
| 0x448:788 | 1769 | 1849 | 1851 |
| 0x40e:871 | 1769 | 1849 | 1851 |
| 0x40f:951 | 1769 | 1849 | 1851 |
| 0x410:1171 | 1769 | 1849 | 1851 |
| 0x411:1349 | 1769 | 1849 | 1851 |
| 0x412:1369 | 1769 | 1849 | 1851 |
+---------------------+-----------------------+-----------------------+-----------------------+
| ACL Table |
+--------+------------+----------+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ACL ID | ACE Number | Key Type | Avavilable | Key Profile | Command Profile |
+--------+------------+----------+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1767 | 0 | ETHERNET | -1 | Direction = {INGRESS},TCAM interface = {E_0},Resoure Type = {INGRESS_ETH_NARROW_DB1_INTERFACE0_ACL},Fields = { ETHER_TYPE } | Actions = {TRAFFIC_CLASS COLOR QOS_OR_METER_COUNTER_OFFSET ENCAP_EXP REMARK_FWD REMARK_GROUP DROP PUNT DO_MIRROR MIRROR_CMD COUNTER_TYPE COUNTER L2_DESTINATION L3_DESTINATION METER INBAND_NETWORK_TELEMETRY NO_TTL_DECREMENT URPF_BYPASS USER_DATA } |
| 1769 | 0 | IPV4 | 4599 | Direction = {INGRESS},TCAM interface = {E_0},Resoure Type = {INGRESS_IPV4_NARROW_DB1_INTERFACE0_ACL},Fields = {VLAN_OUTER TOS PROTOCOL IPV4_SIP IPV4_DIP SPORT DPORT MSG_CODE MSG_TYPE TCP_FLAGS } | Actions = {TRAFFIC_CLASS COLOR QOS_OR_METER_COUNTER_OFFSET ENCAP_EXP REMARK_FWD REMARK_GROUP DROP PUNT DO_MIRROR MIRROR_CMD COUNTER_TYPE COUNTER L2_DESTINATION L3_DESTINATION METER INBAND_NETWORK_TELEMETRY NO_TTL_DECREMENT URPF_BYPASS USER_DATA } |
| 1847 | 0 | ETHERNET | -1 | Direction = {INGRESS},TCAM interface = {E_0},Resoure Type = {INGRESS_ETH_NARROW_DB1_INTERFACE0_ACL},Fields = { ETHER_TYPE } | Actions = {TRAFFIC_CLASS COLOR QOS_OR_METER_COUNTER_OFFSET ENCAP_EXP REMARK_FWD REMARK_GROUP DROP PUNT DO_MIRROR MIRROR_CMD COUNTER_TYPE COUNTER L2_DESTINATION L3_DESTINATION METER INBAND_NETWORK_TELEMETRY NO_TTL_DECREMENT URPF_BYPASS USER_DATA } |
| 1849 | 0 | IPV4 | 4599 | Direction = {INGRESS},TCAM interface = {E_0},Resoure Type = {INGRESS_IPV4_NARROW_DB1_INTERFACE0_ACL},Fields = {VLAN_OUTER TOS PROTOCOL IPV4_SIP IPV4_DIP SPORT DPORT MSG_CODE MSG_TYPE TCP_FLAGS } | Actions = {TRAFFIC_CLASS COLOR QOS_OR_METER_COUNTER_OFFSET ENCAP_EXP REMARK_FWD REMARK_GROUP DROP PUNT DO_MIRROR MIRROR_CMD COUNTER_TYPE COUNTER L2_DESTINATION L3_DESTINATION METER INBAND_NETWORK_TELEMETRY NO_TTL_DECREMENT URPF_BYPASS USER_DATA } |
| 1851 | 0 | IPV6 | 2042 | Direction = {INGRESS},TCAM interface = {E_0_AND_1},Resoure Type = {INGRESS_IPV6_WIDE_DB1_INTERFACE0_ACL},Fields = {TOS LAST_NEXT_HEADER IPV6_SIP IPV6_DIP SPORT DPORT MSG_CODE MSG_TYPE TCP_FLAGS } | Actions = {TRAFFIC_CLASS COLOR QOS_OR_METER_COUNTER_OFFSET ENCAP_EXP REMARK_FWD REMARK_GROUP DROP PUNT DO_MIRROR MIRROR_CMD COUNTER_TYPE COUNTER L2_DESTINATION L3_DESTINATION METER INBAND_NETWORK_TELEMETRY NO_TTL_DECREMENT URPF_BYPASS USER_DATA } |
+--------+------------+----------+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ACE Table |
+--------+----------+-------------+---------------------------+-------------------------------+---------------+---------------+-------------+-------------+-------------------+---------+---------------+
| ACL ID | Position | PROTOCOL(F) | IPV4_SIP(F) | IPV4_DIP(F) | SPORT(F) | DPORT(F) | MSG_CODE(F) | MSG_TYPE(F) | TCP_FLAGS(F) | DROP(C) | COUNTER(C) |
+--------+----------+-------------+---------------------------+-------------------------------+---------------+---------------+-------------+-------------+-------------------+---------+---------------+
| 2177 | 0 | | 20.0.0.2/255.255.255.255 | | | | | | | | 1/104 |
| 2177 | 1 | | | 192.168.0.252/255.255.255.255 | | | | | | | 1/104 |
| 2177 | 2 | | | 193.191.32.1/255.255.255.255 | | | | | | | 0/0 |
| 2177 | 3 | | | | 0x120d/0xffff | | | | | | 0/0 |
| 2177 | 4 | 126/255 | | | | | | | | | 1/104 |
| 2177 | 5 | 6/255 | | | | | | | 0b11011/0b11011 | | 1/104 |
| 2177 | 6 | | 20.0.0.3/255.255.255.255 | | | | | | | True | 1/104 |
| 2177 | 7 | | 20.0.0.3/255.255.255.255 | | | | | | | | 0/0 |
| 2177 | 8 | | | | | 0x1217/0xffff | | | | | 0/0 |
| 2177 | 9 | | | | 0x1230/0xfff0 | | | | | | 0/0 |
| 2177 | 10 | | | | | 0x1220/0xffe0 | | | | | 0/0 |
| 2177 | 11 | | | | | 0x1240/0xfff0 | | | | | 0/0 |
| 2177 | 12 | 1/255 | 20.0.0.4/255.255.255.255 | | | | | | | | 1/64 |
| 2177 | 13 | 17/255 | 20.0.0.4/255.255.255.255 | | | | | | | | 1/104 |
| 2177 | 14 | | 20.0.0.6/255.255.255.255 | | | | | | | True | 0/0 |
| 2177 | 15 | | | 192.168.0.251/255.255.255.255 | | | | | | True | 1/104 |
| 2177 | 16 | | | 193.221.112.1/255.255.255.255 | | | | | | True | 0/0 |
| 2177 | 17 | | | | 0x1271/0xffff | | | | | True | 1/104 |
| 2177 | 18 | 127/255 | | | | | | | | True | 1/104 |
| 2177 | 19 | 6/255 | | | | | | | 0b100100/0b100100 | True | 1/104 |
| 2177 | 20 | | 20.0.0.7/255.255.255.255 | | | | | | | | 0/0 |
| 2177 | 21 | | 20.0.0.7/255.255.255.255 | | | | | | | True | 0/0 |
| 2177 | 22 | | | | | 0x127b/0xffff | | | | True | 2/208 |
| 2177 | 23 | | | | 0x1298/0xfff8 | | | | | True | 0/0 |
| 2177 | 24 | | | | 0x1294/0xfffc | | | | | True | 0/0 |
| 2177 | 25 | | | | 0x12a0/0xfffc | | | | | True | 0/0 |
| 2177 | 26 | | | | | 0x1290/0xfff0 | | | | True | 0/0 |
| 2177 | 27 | | | | | 0x1288/0xfff8 | | | | True | 0/0 |
| 2177 | 28 | | | | | 0x1284/0xfffc | | | | True | 0/0 |
| 2177 | 29 | | | | | 0x12a0/0xfff0 | | | | True | 0/0 |
| 2177 | 30 | | | | | 0x12b0/0xfffc | | | | True | 0/0 |
| 2177 | 31 | 1/255 | 20.0.0.8/255.255.255.255 | | | | | | | True | 1/64 |
| 2177 | 32 | 17/255 | 20.0.0.8/255.255.255.255 | | | | | | | True | 1/104 |
| 2177 | 33 | | | | 0xb3/0xffff | | | | | | 59509/4736008 |
| 2177 | 34 | | | | | 0xb3/0xffff | | | | | 37157/3032851 |
| 2177 | 35 | 1/255 | 20.0.0.10/255.255.255.255 | | | | 1/255 | 3/255 | | | 0/0 |
| 2177 | 36 | | | | | | | | | True | 7/509 |
+--------+----------+-------------+---------------------------+-------------------------------+---------------+---------------+-------------+-------------+-------------------+---------+---------------+
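Added example (not Cisco tooling and not part of the original output): Python that parses ACE Table rows like those above, decodes SPORT/DPORT value/mask cells into port ranges, and lists DROP entries that have never been hit. It assumes each port cell is a 16-bit value/mask pair with a prefix-style mask, that an empty DROP(C) cell means no drop action, and that COUNTER(C) is packets/bytes as in the ACE Counter Detail output; the function names are illustrative.

```python
# Constructed sample: header and five rows copied from the ACE Table output above.
SAMPLE = """\
| ACL ID | Position | PROTOCOL(F) | IPV4_SIP(F) | IPV4_DIP(F) | SPORT(F) | DPORT(F) | MSG_CODE(F) | MSG_TYPE(F) | TCP_FLAGS(F) | DROP(C) | COUNTER(C) |
| 2177 | 9 | | | | 0x1230/0xfff0 | | | | | | 0/0 |
| 2177 | 10 | | | | | 0x1220/0xffe0 | | | | | 0/0 |
| 2177 | 22 | | | | | 0x127b/0xffff | | | | True | 2/208 |
| 2177 | 23 | | | | 0x1298/0xfff8 | | | | | True | 0/0 |
| 2177 | 36 | | | | | | | | | True | 7/509 |
"""

def parse_ace_table(text):
    """Turn pipe-delimited ACE Table rows into dicts keyed by column header."""
    rows, header = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +---+ borders and blank lines
        cells = [c.strip() for c in line[1:-1].split("|")]
        if header is None:
            header = cells if "Position" in cells else None  # ignore title row
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows

def port_range(cell):
    """Decode a 16-bit 'value/mask' cell into (low, high); assumes a prefix-style mask."""
    value, mask = (int(x, 16) for x in cell.split("/"))
    wildcard = ~mask & 0xFFFF
    if wildcard & (wildcard + 1):  # don't-care bits must be contiguous low bits
        raise ValueError(f"non-prefix mask in {cell!r}")
    low = value & mask
    return low, low | wildcard

def summarize(rows):
    """Per ACE: position, decoded port ranges, drop flag and packet count."""
    out = []
    for r in rows:
        out.append({
            "position": int(r["Position"]),
            "sport": port_range(r["SPORT(F)"]) if r["SPORT(F)"] else None,
            "dport": port_range(r["DPORT(F)"]) if r["DPORT(F)"] else None,
            "drop": r["DROP(C)"] == "True",  # assumption: empty cell = no drop
            "pkts": int(r["COUNTER(C)"].split("/")[0]),  # packets/bytes
        })
    return out

def unhit_drops(aces):
    """Positions of DROP entries whose packet counter is still zero."""
    return [a["position"] for a in aces if a["drop"] and a["pkts"] == 0]
```

Several consecutive value/mask rows with the same action (positions 9 to 11, or 23 to 30) read as one configured port range split across multiple TCAM entries, so compare the decoded ranges, not the row count, against the intended rule.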
View ACL Key Profile Information
show platform npu acl key-profile -n <asic_id>
cisco@sfd-t2-lc0:~$ sudo show platform npu acl key-profile -n asic0
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ACL key profile |
+----------+-----------+----------------+----------------------------------------+------------------------------------------------------------------------------------+
| Type | Direction | TCAM interface | Resoure Type | Fields |
+----------+-----------+----------------+----------------------------------------+------------------------------------------------------------------------------------+
| ETHERNET | INGRESS | E_0 | INGRESS_ETH_NARROW_DB1_INTERFACE0_ACL | ETHER_TYPE |
| IPV4 | INGRESS | E_0 | INGRESS_IPV4_NARROW_DB1_INTERFACE0_ACL | VLAN_OUTER TOS PROTOCOL IPV4_SIP IPV4_DIP SPORT DPORT MSG_CODE MSG_TYPE TCP_FLAGS |
| IPV6 | INGRESS | E_0_AND_1 | INGRESS_IPV6_WIDE_DB1_INTERFACE0_ACL | TOS LAST_NEXT_HEADER IPV6_SIP IPV6_DIP SPORT DPORT MSG_CODE MSG_TYPE TCP_FLAGS |
| IPV4 | EGRESS | E_0 | EGRESS_IPV4_ACL | TOS PROTOCOL IPV4_SIP IPV4_DIP SPORT DPORT MSG_CODE MSG_TYPE TCP_FLAGS |
| IPV6 | EGRESS | E_0 | EGRESS_IPV6_ACL | TOS LAST_NEXT_HEADER IPV6_SIP IPV6_DIP SPORT DPORT MSG_CODE MSG_TYPE TCP_FLAGS |
+----------+-----------+----------------+----------------------------------------+------------------------------------------------------------------------------------+
View ACE Details
show platform npu acl ace -a <aclid> -p <position> -n <asic_id>
cisco@sfd-t2-lc0:~$ sudo show platform acl ace -a 2177 -p 1 -n asic0
+----------------------------------------------------------------+
| ACL ACE |
+--------+----------+-------------------------------+------------+
| ACL ID | Position | IPV4_DIP(F) | COUNTER(C) |
+--------+----------+-------------------------------+------------+
| 2177 | 1 | 192.168.0.252/255.255.255.255 | 1/104 |
+--------+----------+-------------------------------+------------+
+-------------------------------------------+
| ACE Counter Detail |
+--------------+-------------+------+-------+
| ACE Position | Counter idx | Pkts | Bytes |
+--------------+-------------+------+-------+
| 1 | 0 | 1 | 104 |
+--------------+-------------+------+-------+
View ACL Object ID (OID) Information
show platform npu acl oid -a <aclid> -n <asic_id>
cisco@sfd-t2-lc0:~$ sudo show platform npu acl oid -a 1767 -n asic0
show acl oid 1767 normal
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ACL Table |
+--------+------------+----------+------------+-----------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ACL ID | ACE Number | Key Type | Avavilable | Key Profile | Command Profile |
+--------+------------+----------+------------+-----------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1767 | 0 | ETHERNET | -1 | Direction = {INGRESS},TCAM interface = {E_0},Resoure Type = {INGRESS_ETH_NARROW_DB1_INTERFACE0_ACL},Fields = { ETHER_TYPE } | Actions = {TRAFFIC_CLASS COLOR QOS_OR_METER_COUNTER_OFFSET ENCAP_EXP REMARK_FWD REMARK_GROUP DROP PUNT DO_MIRROR MIRROR_CMD COUNTER_TYPE COUNTER L2_DESTINATION L3_DESTINATION METER INBAND_NETWORK_TELEMETRY NO_TTL_DECREMENT URPF_BYPASS USER_DATA } |
+--------+------------+----------+------------+-----------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
View ACL Bind Information
show platform npu acl bind -p <portid> -n <asic_id>
cisco@sfd-t2-lc0:~$ sudo show platform npu acl bind -p 651 -n asic0