How to Check ACL Match Counters in Traffic-Filter on Switches？

Network administrators often rely on Access Control Lists (ACLs) to enforce traffic policies, block malicious activity, or prioritize critical data. But configuring ACLs is only half the battle—monitoring their effectiveness is equally vital. A common challenge arises when using traffic-filtering features on switches: How do you verify if your ACL rules are actually being triggered? If you’ve ever wondered why a security policy isn’t working as expected or needed proof of traffic patterns for audits, checking ACL match counters is the answer. This guide walks you through the process of retrieving these metrics, specifically tailored for enterprise switches, with actionable examples and optimization tips to ensure your configurations deliver results.

Understanding ACLs and Traffic-Filter Match Counters

ACLs are rule sets applied to interfaces to permit or deny traffic based on criteria like IP addresses, ports, or protocols. When using a traffic-filter command (common on Huawei, Cisco, and HPE switches), ACLs silently log each time a packet matches a rule—a counter that’s invaluable for:

• Validating security policies (e.g., blocking unauthorized SSH access).
• Identifying misconfigured rules (e.g., overly broad denies).
• Troubleshooting traffic flow issues.

However, these counters aren’t always visible by default. Administrators must explicitly enable statistics collection and know where to look.

Step 1: Enable ACL Statistics Tracking

Before checking counters, ensure your switch is configured to track ACL matches. On Huawei switches (e.g., S5700/S6300 series):

system-view  
 traffic-filter statistics enable  # Globally enable stats  

For Cisco IOS devices, use:

ip access-list logging  # Enable logging for ACL matches  

Note: Enabling statistics may marginally impact switch performance on older hardware.

Step 2: View ACL Match Counters via CLI

Huawei Switches

Use display traffic-filter statistics to show real-time data:

display traffic-filter statistics interface GigabitEthernet 0/0/1 inbound  

Output example:

Interface: GigabitEthernet0/0/1, Direction: Inbound  
ACL 3001, Rule 5: Deny tcp source 10.0.0.5 0.0.0.0 destination any  
  Matched Packets: 1,234  
  Last Matched Time: 2024-03-15 14:30:22  

This reveals how often a rule is triggered, timestamps, and the affected interface.

Cisco Switches

For Cisco Catalyst switches, run:

show access-lists  # Displays counters for all ACLs  

Output snippet:

Extended IP access list 101  
  deny tcp host 10.0.0.5 any eq 22 (15 matches)  
  permit ip any any (1205 matches)  

Figure 1: Sample CLI output displaying ACL match statistics on a Huawei switch interface.

Step 3: Analyze and Troubleshoot Common Issues

• Zero Matches: If counters remain at zero, check:
  • Is the traffic-filter applied to the correct interface and direction (inbound/outbound)?
  • Does traffic genuinely match the ACL criteria? Use packet captures to verify.
• Unexpected High Counters: A spike in denies could indicate an attack or a misconfigured whitelist.

Step 4: Automate Monitoring (Optional)

For large networks, manually checking CLI isn’t scalable. Consider these tools:

• SNMP Polling: Use OIDs like 1.3.6.1.2.1.14.3 (Cisco) or Huawei’s enterprise-specific MIBs.
• Network Automation Scripts: Python scripts with Paramiko/Netmiko can extract and log ACL stats daily.

Best Practices for ACL Management

1. Regular Audits: Review match counters weekly to detect unused rules or unintended blocks.
2. Reset Counters After Changes: Clear old data post-configuration to isolate new traffic patterns:

   reset traffic-filter statistics all  # Huawei command  
   clear access-list counters  # Cisco command  
   

3. Combine with Logging: For critical denies, enable syslog alerts to track real-time events.

ACL match counters are a goldmine of insights for network security and performance tuning—yet they’re frequently overlooked. By enabling statistics, mastering CLI queries, and automating data collection, administrators can transform vague policies into measurable, actionable strategies. Whether you’re hardening defenses or troubleshooting a baffling traffic drop, these metrics provide the visibility needed to stay in control.

Final Tip: Don’t let stale rules clutter your configurations. Use match counters to identify and prune obsolete ACLs, reducing complexity and freeing up switch resources. Pair this practice with regular firmware updates to ensure compatibility with the latest traffic-filtering features.