How to get ACL hit count on hardware-based ACLs?

Good morning all, 

I have created some large ACLs strictly for the task of triggering hit counts for static routes to tell me if the routes are even used any longer (for future cleanup purposes).

I am not getting any hit counts (Cisco 9604R) and have researched that this is common for ACLs on L3 switches as they are processed in hardware vs software.

Is the answer to get the hit counts as simple as adding the log command at the end of each ACE, or is there a better way? (The total ACE count between both ACLs is almost 600, so I would like to avoid blowing up my buffer as well as the syslog server with these if I can just simply see the hit count.)

32 Replies

balaji.bandi
Hall of Fame

log should help; also, if you can send the logs to a syslog server, you can extract them using any coding.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
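The "extract using any coding" part of the suggestion above, worked as an added example that is not from this thread: a Python script that parses the %SEC-6-IPACCESSLOG* messages IOS emits for ACEs carrying the log keyword, sums the packet counts per ACL and protocol, and maps each logged destination to the longest-matching static route prefix so that routes with zero hits stand out. The ACL name ROUTE-AUDIT, the route prefixes and the syslog lines are constructed for the example.

```python
import ipaddress
import re

# IOS "log" ACE messages: IPACCESSLOGP (tcp/udp), IPACCESSLOGDP (icmp),
# IPACCESSLOGNP (other protocols), IPACCESSLOGRP (igmp); port/type fields are optional.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP|RP|S):\s+list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\([^)]*\))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\s*\([^)]*\))?,\s+(?P<count>\d+)\s+packets?"
)

# Constructed stand-in for the static route table on the core (not real data).
STATIC_ROUTES = [ipaddress.ip_network(p) for p in
                 ("10.20.0.0/16", "10.20.5.0/24", "172.16.0.0/12", "192.0.2.0/24")]

# Constructed syslog lines in the shape IOS emits for an ACL named ROUTE-AUDIT.
SAMPLE_LOGS = """\
<190>Mar  3 08:15:02.113: %SEC-6-IPACCESSLOGP: list ROUTE-AUDIT permitted tcp 10.1.1.5(51234) -> 10.20.5.17(443), 1 packet
<190>Mar  3 08:20:02.113: %SEC-6-IPACCESSLOGP: list ROUTE-AUDIT permitted tcp 10.1.1.5(51234) -> 10.20.5.17(443), 41 packets
<190>Mar  3 08:21:44.900: %SEC-6-IPACCESSLOGDP: list ROUTE-AUDIT permitted icmp 10.1.1.9 -> 172.17.3.3 (8/0), 1 packet
<190>Mar  3 08:22:10.001: %SEC-6-IPACCESSLOGP: list ROUTE-AUDIT permitted udp 10.1.1.20(5353) -> 10.20.77.1(53), 3 packets
<189>Mar  3 08:22:11.001: %SYS-5-CONFIG_I: Configured from console by admin
""".splitlines()

def longest_match(dst, routes):
    """Return the most specific route containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r]
    return max(hits, key=lambda r: r.prefixlen) if hits else None

def tally(lines, routes):
    """Sum logged packet counts per (ACL, action, protocol) and per static route."""
    per_route = {str(r): 0 for r in routes}   # zero entries make unused routes visible
    per_acl = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                          # not an ACL log message
        n = int(m.group("count"))             # IOS logs 1 packet, then periodic totals
        key = (m.group("acl"), m.group("action"), m.group("proto"))
        per_acl[key] = per_acl.get(key, 0) + n
        route = longest_match(m.group("dst"), routes)
        if route is not None:
            per_route[str(route)] += n
    return per_acl, per_route

def unused_routes(per_route):
    """Routes that never carried a logged packet: candidates for removal."""
    return sorted(r for r, n in per_route.items() if n == 0)
```

Feeding a month of collected syslog through tally() gives the per-prefix counts the thread is after without needing per-ACE counters on the switch; the log messages name only the ACL, so the destination-to-prefix mapping is what attributes a hit to a particular static route.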

I am trying to avoid making what I would think is a simple task a harder one by offloading all these packets to a syslog server and figuring out how to parse it, instead of just simply seeing hit counts next to the ACL.

I know ACL is not a great option; if you are OK with it, you can possibly have ASAv as a container in the Cat 9K switches.

 

BB


I am not sure I follow your suggestion? You want me to create a virtual firewall inside my core just to get hit counts?

My suggestion is that ACLs are not a good practice to manage manually, so now Cisco can offer ASA; you can use a container to replace the ACL with a firewall (so easy to manage, plus other management capabilities), if that works for you.

BB


That is not an option for me. We have firewalls (which I do not control); however, firewalls do not show hit counts on ACL entries, just the ACLs themselves.

Doing this on my core seemed like a great idea until realizing hits do not trigger outbound on interfaces, nor do they trigger inbound on the interface when on an L3 device and forwarding as a hardware ACL.

You access via VTY.

Add 'log', and I think the C9000 supports a log interval with ACLs; then enable logging and terminal monitor.

This way you can check the log in the SW without the need for syslog.

Also, ACL SW or HW both support hit count, as far as I know.

MHM

This is going to be a long term data collection project to remove old static routes that no one knows what they are for. Logging to the buffer or terminal is not a feasible option as there may not be packets today, but there may be tomorrow, or next week. Also there are 600+ entries I need to match on.

All the posts I have seen on this forum indicate that ACL hits will not trigger on L3 switches in hardware. Also, they will not trigger hit counts on outbound ACLs, only inbound.

My management ACLs trigger hit counts fine, but nothing else, which I am assuming is because software-based forwarding is being used to the VTY lines?

Joseph W. Doherty
Hall of Fame

I don't recall another method to easily obtain ACE hit counts, for HW processed ACLs, without using the log option.

Using the log option, though, can create performance issues too.

One technique you could consider is using a CBWFQ service policy with classes matching on a single ACL/ACE. I recall service policy class stats should show match counts.

That is why I am hesitant to log all these ACEs. It's 600+ ACEs.

Granted, I am using big boy 9606Rs, but I would hate to cause my cores to have any performance issues by issuing something that is really an administrative/info-gathering task.

I will research this service policy option you mentioned and see if it can work for me.

If it is for troubleshooting, then only add

Deny ip any any log

This gives you a hint whether traffic is hit by another permit line or not.

MHM

 

[quote]If it is for troubleshooting, then only add

Deny ip any any log

This gives you a hint whether traffic is hit by another permit line or not.

MHM[/quote]

I am not looking to deny traffic. I need to confirm if there are any hits on static routes pointing towards another device in my infrastructure.

If I do a deny any, I am going to take down my entire environment basically. Unless I do not understand what you are trying to say, this is TERRIBLE advice and would cause a resume generating event. 

Add 'deny any any log' at the end of the ACL you want to check; that is what I mean.

And for the static route, what is the relation to the ACL on the interface? Can you elaborate more?

MHM

I am using an ACL to match specific traffic for monitoring purposes that is ingressing on specific interfaces (because egress apparently will not work by the rules of ACLs and hit counts) via an access-group.

So if I add a deny any, I am going to block all traffic to my firewalls, which means I will be looking for a new job. Even if I could do this, it does not serve the purpose I need. I need to see if I am getting hits on all these BS static routes I have in my core. If there are no hits in a month, I am getting rid of them. If there are hits, they are here to stay and I will determine the destination and label them properly.

Unless you are referring to not applying the ACL to an interface access-group, which I believe I already tried to no avail. Unless my logic of ACLs is just flawed.
