Cisco ACL question

Hi;
How do we find out if a given ACL statement in an ACL set (Cisco) has had a match in the past, that is, on running traffic, whether a certain IP address and port had a match?

Thanks;
totaram asked:

JustInCase commented:
Depending on how specifically the ACL is written and whether matches are logged:
show access-list
show access-list [acl-name]
show logging
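
The `show logging` half of that answer only helps if the ACE in question carries the `log` (or `log-input`) keyword, and then the evidence is per source/destination address and port, which is exactly what the original question asks for. As an added example (not part of this thread), here is a small Python script that parses IOS `%SEC-6-IPACCESSLOGP` lines and ASA `%ASA-6-106100` lines from a saved `show logging` capture and reports how many logged packets a given ACL saw from or to a given IP and port. The log lines are constructed samples in Cisco's documented message layouts, not output from the asker's devices; the ACL names VTY and inbound are used only as placeholders.

```python
import re
from collections import Counter

# Constructed sample "show logging" capture (not from the thread): three IOS
# %SEC-6-IPACCESSLOGP lines (the third from an ACE with "log-input", which adds
# the ingress interface and MAC), one ASA 106100 line and one unrelated line.
SAMPLE_LOG = """\
Jan 10 10:01:02.123: %SEC-6-IPACCESSLOGP: list VTY denied tcp 192.168.1.5(51234) -> 10.0.0.1(22), 1 packet
Jan 10 10:06:02.456: %SEC-6-IPACCESSLOGP: list VTY denied tcp 192.168.1.5(51234) -> 10.0.0.1(22), 4 packets
Jan 10 10:07:15.001: %SEC-6-IPACCESSLOGP: list VTY permitted tcp 192.168.1.5(51300) (GigabitEthernet0/0 0011.2233.4455) -> 10.0.0.1(2022), 1 packet
Jan 10 10:08:00.777: %ASA-6-106100: access-list inbound permitted tcp outside/203.0.113.9(40022) -> inside/192.168.254.1(22) hit-cnt 1 first hit [0xeec1fa65, 0x00000000]
Jan 10 10:09:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)
"""

# IOS: "list <acl> <permitted|denied> <proto> src(sport) [(intf mac)] -> dst(dport), N packet(s)"
IOS_LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \([^)]*\))?"          # optional "(interface mac)" added by log-input
    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# ASA: "access-list <acl> <action> <proto> intf/src(sport) -> intf/dst(dport) hit-cnt N ..."
ASA_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) \S+/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"\S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<count>\d+)"
)


def parse_acl_log(text):
    """Yield one dict per ACL log entry; unrelated syslog lines are skipped."""
    for line in text.splitlines():
        m = IOS_LOGP.search(line) or ASA_106100.search(line)
        if not m:
            continue
        entry = m.groupdict()
        for key in ("sport", "dport", "count"):
            entry[key] = int(entry[key])
        yield entry


def acl_matches(text, acl, ip=None, port=None):
    """Return (total_logged_packets, entries) for ACL `acl`, optionally limited
    to entries where `ip` is the source or destination and `port` is either port."""
    hits = []
    for e in parse_acl_log(text):
        if e["acl"] != acl:
            continue
        if ip is not None and ip not in (e["src"], e["dst"]):
            continue
        if port is not None and port not in (e["sport"], e["dport"]):
            continue
        hits.append(e)
    return sum(e["count"] for e in hits), hits


def summarize(text):
    """Logged packets per (acl, action, destination port), for a quick overview."""
    counts = Counter()
    for e in parse_acl_log(text):
        counts[(e["acl"], e["action"], e["dport"])] += e["count"]
    return dict(counts)


if __name__ == "__main__":
    total, hits = acl_matches(SAMPLE_LOG, "VTY", ip="192.168.1.5", port=22)
    print(f"VTY / 192.168.1.5 / 22: {total} logged packets in {len(hits)} entries")
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(key, n)
```

Two caveats before trusting these numbers: IOS logs the first matching packet and then only periodic summaries (the interval and packet threshold are tunable with `ip access-list logging interval` and `ip access-list log-update threshold`), so the syslog totals understate the counter shown by `show access-list`; and on hardware-forwarding platforms every logged packet is punted to the CPU and rate-limited, so `log` belongs on a narrow ACE for the duration of the investigation, not permanently on a busy permit line.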
totaram (Author) commented:
Hi Predrag;
I see the extended access list expand out and I see all the permit statements on the screen. What I am
looking for is how many hits a given permit statement (say acl 20) has had in a given extended ACL (ACL-COS-AF4)?
JustInCase commented:
Extended IP access list VTY
    10 deny tcp host 192.168.1.5 any eq 22 (3 matches)
    20 permit tcp host 192.168.1.5 any eq 2022 (114 matches)

Pete Long (Technical Consultant) commented:
For a single ACL

show access-list | incl {ACL-Name}
Petes-ASA# show access-list | incl inbound
access-list inbound; 11 elements; name hash: 0x793e9c88
access-list inbound line 1 extended permit tcp any object Obj-Core-SW eq ssh (hitcnt=2110) 0xeec1fa65
  access-list inbound line 1 extended permit tcp any host 192.168.254.1 eq ssh (hitcnt=2110) 0xeec1fa65
access-list inbound line 2 extended permit tcp any object Internal_FTP_Server eq ftp (hitcnt=223) 0x79574bdc
  access-list inbound line 2 extended permit tcp any host 192.168.100.10 eq ftp (hitcnt=223) 0x79574bdc
access-list inbound line 3 extended permit udp any object Internal_TFTP_Server eq tftp (hitcnt=25) 0x1009dc91
  access-list inbound line 3 extended permit udp any host 192.168.100.10 eq tftp (hitcnt=25) 0x1009dc91
access-list inbound line 4 extended permit tcp any object Internal_RDP_Server eq 3389 (hitcnt=14) 0x67ea11e1
  access-list inbound line 4 extended permit tcp any host 192.168.100.10 eq 3389 (hitcnt=14) 0x67ea11e1
access-list inbound line 5 extended permit tcp any object Internal_RDP_Client eq 3389 (hitcnt=14) 0xc2b17bd3
  access-list inbound line 5 extended permit tcp any host 192.168.100.77 eq 3389 (hitcnt=14) 0xc2b17bd3
access-list inbound line 6 extended permit tcp any object Internal_HTTP_Server eq www (hitcnt=6932) 0xbea499d4
  access-list inbound line 6 extended permit tcp any host 192.168.100.10 eq www (hitcnt=6932) 0xbea499d4
access-list inbound line 7 extended permit icmp6 any6 any6 echo (hitcnt=6794) 0x092094f3
access-list inbound line 8 extended permit icmp6 any6 any6 echo-reply (hitcnt=0) 0xe9dc8639
access-list inbound line 9 extended permit icmp6 any6 any6 unreachable (hitcnt=241) 0x26b280f9
access-list inbound line 10 extended permit icmp6 any6 any6 time-exceeded (hitcnt=4) 0x2afaa5ac
access-list inbound line 11 extended permit tcp any object Internal_Mail_Server eq smtp (hitcnt=955) 0xd649a992
  access-list inbound line 11 extended permit tcp any host 192.168.100.19 eq smtp (hitcnt=955) 0xd649a992



For a single ACE

show access-list | incl line {ACE-Line-number}
Petes-ASA# show access-list | incl line 6
access-list inbound line 6 extended permit tcp any object Internal_HTTP_Server eq www (hitcnt=6932) 0xbea499d4
  access-list inbound line 6 extended permit tcp any host 192.168.100.10 eq www (hitcnt=6932) 0xbea499d4




Pete
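
Pete's ASA output and the IOS output JustInCase pasted earlier carry the same information in two layouts: IOS appends "(N matches)" to each sequence-numbered ACE and omits the suffix entirely when the count is zero, while ASA prints "(hitcnt=N)" on every line and repeats the parent ACE's count on the indented per-object expansion lines. The following is an added Python example, not code from the thread, that parses both forms so the asker's question ("how many hits has sequence 20 of ACL-COS-AF4 had?") can be answered from a saved `show access-list` capture. The sample output is constructed: the VTY and inbound lines copy the shape of the posts above, and the ACL-COS-AF4 entries and the never-matched sequence 30 are invented placeholders.

```python
import re

# Constructed sample "show access-list" output (not from the thread): an IOS
# extended ACL in the shape JustInCase posted, a second IOS ACL whose contents
# are invented, and a trimmed ASA listing in the shape of Pete's output.
SAMPLE_SHOW_ACL = """\
Extended IP access list VTY
    10 deny tcp host 192.168.1.5 any eq 22 (3 matches)
    20 permit tcp host 192.168.1.5 any eq 2022 (114 matches)
    30 permit tcp host 192.168.1.6 any eq 22
Extended IP access list ACL-COS-AF4
    10 permit udp any any range 5060 5061 (42 matches)
    20 permit tcp any any eq 5061
access-list inbound; 11 elements; name hash: 0x793e9c88
access-list inbound line 1 extended permit tcp any object Obj-Core-SW eq ssh (hitcnt=2110) 0xeec1fa65
  access-list inbound line 1 extended permit tcp any host 192.168.254.1 eq ssh (hitcnt=2110) 0xeec1fa65
access-list inbound line 6 extended permit tcp any object Internal_HTTP_Server eq www (hitcnt=6932) 0xbea499d4
  access-list inbound line 6 extended permit tcp any host 192.168.100.10 eq www (hitcnt=6932) 0xbea499d4
access-list inbound line 8 extended permit icmp6 any6 any6 echo-reply (hitcnt=0) 0xe9dc8639
"""

IOS_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (?P<acl>\S+)$")
# IOS ACE: indented, "<seq> <body>" with an optional " (N matches)" suffix.
IOS_ACE = re.compile(r"^\s+(?P<seq>\d+) (?P<body>.*?)(?: \((?P<hits>\d+) matches?\))?$")
# ASA ACE: un-indented, "(hitcnt=N)" followed by the ACE hash.
ASA_ACE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<seq>\d+) (?P<body>.*?) "
    r"\(hitcnt=(?P<hits>\d+)\)(?: 0x[0-9a-f]+)?$"
)


def parse_show_access_list(text):
    """Return a list of {acl, seq, body, hits} for every ACE in the output.

    IOS prints no "(N matches)" suffix for an ACE that has never matched, so a
    missing suffix is recorded as 0.  ASA indents the per-object expansion of
    an ACE that references an object and repeats the parent's hitcnt there;
    ASA_ACE is anchored at column 0, so only the parent line is kept.
    """
    entries = []
    current_acl = None
    for line in text.splitlines():
        h = IOS_HEADER.match(line)
        if h:
            current_acl = h["acl"]
            continue
        a = ASA_ACE.match(line)
        if a:
            entries.append({"acl": a["acl"], "seq": int(a["seq"]),
                            "body": a["body"], "hits": int(a["hits"])})
            current_acl = None          # ASA output names the ACL on every line
            continue
        if current_acl is not None:
            m = IOS_ACE.match(line)
            if m:
                entries.append({"acl": current_acl, "seq": int(m["seq"]),
                                "body": m["body"], "hits": int(m["hits"] or 0)})
    return entries


def hits_for(text, acl, seq):
    """Match count for ACE `seq` of `acl`, or None if that ACE is not in the output."""
    for e in parse_show_access_list(text):
        if e["acl"] == acl and e["seq"] == seq:
            return e["hits"]
    return None


def never_matched(text, acl):
    """Sequence numbers in `acl` with zero hits: cleanup candidates, or a sign the
    ACL is applied somewhere (such as a class-map) that does not maintain counters."""
    return [e["seq"] for e in parse_show_access_list(text)
            if e["acl"] == acl and e["hits"] == 0]


if __name__ == "__main__":
    print("ACL-COS-AF4 seq 20:", hits_for(SAMPLE_SHOW_ACL, "ACL-COS-AF4", 20))
    print("VTY never matched:", never_matched(SAMPLE_SHOW_ACL, "VTY"))
    print("inbound line 6:", hits_for(SAMPLE_SHOW_ACL, "inbound", 6))
```

Read a zero with the counter's lifetime in mind: `clear ip access-list counters` on IOS and `clear access-list <name> counters` on ASA reset it, as does a reload, so zero means "no hits since then", not "never".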
totaram (Author) commented:
Is that the case with Cisco ISR-4K and ASR-1000 series routers too? I heard that they do not report the ACL matches used by a service policy.
Please confirm.
JustInCase commented:
Typically, they do not match ACLs for a service policy on all IOS versions.
totaram (Author) commented:
So, Predrag,
how do we know if we have a match or not for a given ACL? Is there any other way?

Thanks;
JustInCase commented:

totaram (Author) commented:
Thank you so much for the link; it is a valuable link. Is there any way to find how many hits SIP ports 5060/5061 had,
or a way to figure out the total Kbytes used by this type of traffic?
JustInCase commented:
Only if that traffic is the only traffic present in a specific class-map (with show policy-map interface).
I don't know of another way.
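
That answer is the working method on the router platforms in question: give the traffic of interest its own class-map and read the class counters, which count packets and bytes even where the referenced ACL's own match counters stay at zero. As an added example, not from the thread, here is a Python parser for `show policy-map interface` output that pulls the per-class packet and byte totals and sums them for one class (a SIP class, say) across interfaces and directions. The output is a constructed sample in the IOS/IOS-XE layout, and the interface, policy, class and ACL names (GigabitEthernet0/0/1, MARK-IN, SIP-SIGNALING, ACL-SIP) are assumptions.

```python
import re

# Constructed sample "show policy-map interface" output (not from the thread).
# Layout follows IOS/IOS-XE; every name in it is an assumption.
SAMPLE_POLICY_MAP = """\
 GigabitEthernet0/0/1

  Service-policy input: MARK-IN

    Class-map: SIP-SIGNALING (match-any)
      12345 packets, 2469000 bytes
      5 minute offered rate 2000 bps, drop rate 0000 bps
      Match: access-group name ACL-SIP
        12345 packets, 2469000 bytes
        5 minute rate 2000 bps
      QoS Set
        dscp af41
          Packets marked 12345

    Class-map: class-default (match-any)
      987654 packets, 123456789 bytes
      5 minute offered rate 50000 bps, drop rate 0000 bps
      Match: any

 GigabitEthernet0/0/2

  Service-policy output: MARK-OUT

    Class-map: SIP-SIGNALING (match-any)
      100 packets, 20000 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name ACL-SIP
        100 packets, 20000 bytes
        5 minute rate 0000 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
"""

INTERFACE = re.compile(r"^ (?P<intf>\S+)$")                       # one leading space
POLICY = re.compile(r"^\s+Service-policy (?P<dir>input|output): (?P<name>\S+)$")
CLASS = re.compile(r"^\s+Class-map: (?P<name>\S+) \((?P<mode>match-any|match-all)\)$")
COUNTERS = re.compile(r"^\s+(?P<packets>\d+) packets, (?P<bytes>\d+) bytes$")


def parse_policy_map(text):
    """Return a list of {interface, direction, policy, class, mode, packets, bytes}.

    Only the first "N packets, M bytes" line after each Class-map header is
    taken; that is the class total.  The indented per-"Match:" counters that
    follow are ignored so a match-any class with several match lines is not
    double counted.
    """
    rows, intf, direction, policy, pending = [], None, None, None, None
    for line in text.splitlines():
        if (m := INTERFACE.match(line)):
            intf = m["intf"]
        elif (m := POLICY.match(line)):
            direction, policy = m["dir"], m["name"]
        elif (m := CLASS.match(line)):
            pending = {"interface": intf, "direction": direction, "policy": policy,
                       "class": m["name"], "mode": m["mode"]}
        elif pending is not None and (m := COUNTERS.match(line)):
            pending["packets"], pending["bytes"] = int(m["packets"]), int(m["bytes"])
            rows.append(pending)
            pending = None
    return rows


def totals_for_class(text, class_name):
    """Sum packets and bytes of `class_name` over every interface and direction."""
    packets = nbytes = 0
    for r in parse_policy_map(text):
        if r["class"] == class_name:
            packets += r["packets"]
            nbytes += r["bytes"]
    return {"packets": packets, "bytes": nbytes, "kbytes": nbytes / 1024}


if __name__ == "__main__":
    for r in parse_policy_map(SAMPLE_POLICY_MAP):
        print(f'{r["interface"]} {r["direction"]} {r["policy"]} {r["class"]}: '
              f'{r["packets"]} packets, {r["bytes"]} bytes')
    print("SIP-SIGNALING total:", totals_for_class(SAMPLE_POLICY_MAP, "SIP-SIGNALING"))
```

The byte figure is the SIP total only if the class matches nothing but the SIP ports, which is the condition JustInCase states; a class that also matches other traffic, or a class-default that absorbs SIP because the ACL is wrong, gives a number that looks precise and means something else.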
totaram (Author) commented:
Thanks Predrag, your comments were very helpful
JustInCase commented:
You're welcome.