Once the ACL has been applied to an interface and some testing has occurred, the show access-lists command will show statistics for each statement that has been matched. In the output in Figure 1, note that some of the statements have been matched. When traffic is generated that should match an ACL statement, the matches shown in the show access-lists command output should increase. For instance, in this example, if a ping is issued from PC1 to PC3 or PC4, the output will show an increase in the matches for the deny statement of ACL 1.

Both permit and deny statements track statistics for matches; however, recall that every ACL has an implied deny any as the last statement. This statement does not appear in the show access-lists command output, so no statistics are shown for it. To view statistics for the implied deny any statement, the statement can be configured manually, and it will then appear in the output. Extreme caution should be taken when manually configuring the deny any statement, as it will match all traffic. If this statement is not configured as the last statement in the ACL, it could cause unexpected results.

During testing of an ACL, the counters can be cleared using the clear access-list counters command. This command can be used alone or with the number or name of a specific ACL. As shown in Figure 2, this command clears the statistics counters for an ACL.
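
The check described above can be scripted when the same test is repeated often. The following is an added example, not part of the original course material: it compares two captures of show access-lists output taken before and after a test and flags an explicit deny any that is not the last statement. The sample output is constructed, the function names are hypothetical, and the parser assumes the usual IOS layout of a sequence number, an action, the match criteria and an optional match counter.

```python
import re

# Constructed sample captures (addresses are illustrative, not taken from the figures).
BEFORE = """\
Standard IP access list 1
    10 deny   192.168.10.10 (4 matches)
    20 permit 192.168.0.0, wildcard bits 0.0.255.255
    30 deny   any (2 matches)
"""
AFTER = """\
Standard IP access list 1
    10 deny   192.168.10.10 (8 matches)
    20 permit 192.168.0.0, wildcard bits 0.0.255.255
    30 deny   any (2 matches)
"""

HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
ENTRY = re.compile(
    r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es|\(es\))?\))?\s*$")

def parse(output):
    """Return {acl: [(seq, action, criteria, matches), ...]} in listed order."""
    acls, current = {}, None
    for line in output.splitlines():
        h = HEADER.match(line)
        if h:
            current = acls.setdefault(h.group(1), [])
            continue
        e = ENTRY.match(line)
        if e and current is not None:
            # A statement with no counter shown has not been matched yet.
            current.append((int(e.group(1)), e.group(2), e.group(3),
                            int(e.group(4) or 0)))
    return acls

def counter_deltas(before, after):
    """Map (acl, seq) -> increase in matches between the two captures."""
    old = {(a, s): m for a, es in parse(before).items() for s, _, _, m in es}
    return {(a, s): m - old.get((a, s), 0)
            for a, es in parse(after).items() for s, _, _, m in es}

def misplaced_deny_any(output):
    """List (acl, seq) where an explicit deny any is not the last statement."""
    return [(a, s) for a, es in parse(output).items()
            for i, (s, act, crit, _) in enumerate(es)
            if act == "deny" and crit in ("any", "ip any any")
            and i != len(es) - 1]
```

A delta of zero on the statement the test traffic was meant to hit indicates that the traffic matched an earlier statement or never reached the interface where the ACL is applied.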