totaram
Flag for United States of America asked on

Cisco ACL question

Hi;
How do we find out if a given ACL statement in an ACL set (Cisco) has had a match in the past, that is, on running traffic, if a certain IP address and port had a match?

Thanks;
Networking Protocols, Cisco, VPN

8/22/2022 - Mon
Predrag Jovic

Depending on how specifically the ACL is written and whether matches are logged:
show access-list
show access-list [acl-name]
show logg
totaram

ASKER
Hi Predrag;
I see the extended access list expand out and I see all the permit stmts on the screen. What I am looking for is how many hits a given permit stmt (say acl 20) has had in a given extended ACL list (ACL-COS-AF4)?
Predrag Jovic

Extended IP access list VTY
    10 deny tcp host 192.168.1.5 any eq 22 (3 matches)
    20 permit tcp host 192.168.1.5 any eq 2022 (114 matches)
Pete Long

For a single ACL

show access-list | incl {ACL-Name}
Petes-ASA# show access-list | incl inbound
access-list inbound; 11 elements; name hash: 0x793e9c88
access-list inbound line 1 extended permit tcp any object Obj-Core-SW eq ssh (hitcnt=2110) 0xeec1fa65
  access-list inbound line 1 extended permit tcp any host 192.168.254.1 eq ssh (hitcnt=2110) 0xeec1fa65
access-list inbound line 2 extended permit tcp any object Internal_FTP_Server eq ftp (hitcnt=223) 0x79574bdc
  access-list inbound line 2 extended permit tcp any host 192.168.100.10 eq ftp (hitcnt=223) 0x79574bdc
access-list inbound line 3 extended permit udp any object Internal_TFTP_Server eq tftp (hitcnt=25) 0x1009dc91
  access-list inbound line 3 extended permit udp any host 192.168.100.10 eq tftp (hitcnt=25) 0x1009dc91
access-list inbound line 4 extended permit tcp any object Internal_RDP_Server eq 3389 (hitcnt=14) 0x67ea11e1
  access-list inbound line 4 extended permit tcp any host 192.168.100.10 eq 3389 (hitcnt=14) 0x67ea11e1
access-list inbound line 5 extended permit tcp any object Internal_RDP_Client eq 3389 (hitcnt=14) 0xc2b17bd3
  access-list inbound line 5 extended permit tcp any host 192.168.100.77 eq 3389 (hitcnt=14) 0xc2b17bd3
access-list inbound line 6 extended permit tcp any object Internal_HTTP_Server eq www (hitcnt=6932) 0xbea499d4
  access-list inbound line 6 extended permit tcp any host 192.168.100.10 eq www (hitcnt=6932) 0xbea499d4
access-list inbound line 7 extended permit icmp6 any6 any6 echo (hitcnt=6794) 0x092094f3
access-list inbound line 8 extended permit icmp6 any6 any6 echo-reply (hitcnt=0) 0xe9dc8639
access-list inbound line 9 extended permit icmp6 any6 any6 unreachable (hitcnt=241) 0x26b280f9
access-list inbound line 10 extended permit icmp6 any6 any6 time-exceeded (hitcnt=4) 0x2afaa5ac
access-list inbound line 11 extended permit tcp any object Internal_Mail_Server eq smtp (hitcnt=955) 0xd649a992
  access-list inbound line 11 extended permit tcp any host 192.168.100.19 eq smtp (hitcnt=955) 0xd649a992

For a single ACE

show access-list | incl line {ACE-Line-number}
Petes-ASA# show access-list | incl line 6
access-list inbound line 6 extended permit tcp any object Internal_HTTP_Server eq www (hitcnt=6932) 0xbea499d4
  access-list inbound line 6 extended permit tcp any host 192.168.100.10 eq www (hitcnt=6932) 0xbea499d4

Pete
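Added example (my own code, not posted by Predrag, Pete or Cisco): a small Python parser that reads both the IOS "(N matches)" format shown in Predrag's reply and the ASA "(hitcnt=N)" format shown in Pete's reply, returns the hit count per ACE, flags deny entries that have matched and permit entries that never have, and diffs two snapshots. The two inputs are constructed samples modelled on the output above; the class and function names are mine. Two caveats when using these counters to answer "did this ACE ever match": they are cumulative only since the last reload or counter clear (clear access-list counters on IOS, clear access-list NAME counters on ASA), so zero means "not since then" rather than "never"; and a single snapshot cannot tell you when a hit happened, so take two readings and compare the delta.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Ace:
    acl: str      # access-list name
    seq: int      # IOS sequence number or ASA line number
    action: str   # "permit" or "deny"
    rule: str     # match criteria exactly as the device printed them
    hits: int     # cumulative counter since last reload / counter clear

# IOS prints "(N matches)" only when the counter is non-zero; an ACE
# without the suffix has matched nothing since the last clear.
_IOS_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")
_IOS_ACE = re.compile(r"^\s+(\d+) (permit|deny) (.*?)(?: \((\d+) matches?\))?\s*$")

# ASA: unindented "access-list NAME line N extended permit ... (hitcnt=N) 0xHASH".
# Indented copies are the object expansion of the line above; only the
# unindented ACE line is counted so expansions are not double-counted.
_ASA_ACE = re.compile(
    r"^access-list (\S+) line (\d+) \S+ (permit|deny) (.*?) \(hitcnt=(\d+)\)"
    r"(?: 0x[0-9a-fA-F]+)?\s*$"
)

def parse_show_access_list(text: str) -> List[Ace]:
    """Parse 'show access-list' output from either IOS or ASA into Ace records."""
    aces: List[Ace] = []
    current_acl: Optional[str] = None
    for line in text.splitlines():
        m = _IOS_HEADER.match(line)
        if m:
            current_acl = m.group(1)
            continue
        m = _ASA_ACE.match(line)
        if m:
            aces.append(Ace(m.group(1), int(m.group(2)), m.group(3), m.group(4), int(m.group(5))))
            continue
        m = _IOS_ACE.match(line)
        if m and current_acl is not None:
            hits = int(m.group(4)) if m.group(4) else 0
            aces.append(Ace(current_acl, int(m.group(1)), m.group(2), m.group(3), hits))
    return aces

def hits_for(aces: List[Ace], acl: str, seq: int) -> int:
    """Hit count of one ACE, e.g. sequence 20 in ACL VTY (the asker's question)."""
    for a in aces:
        if a.acl == acl and a.seq == seq:
            return a.hits
    raise KeyError(f"{acl} seq {seq} not found")

def denied_traffic(aces: List[Ace]) -> List[Ace]:
    """Deny ACEs that have matched: blocked attempts worth reviewing in the logs."""
    return [a for a in aces if a.action == "deny" and a.hits > 0]

def unused_permits(aces: List[Ace]) -> List[Ace]:
    """Permit ACEs with no hits since the last clear: candidates for tightening."""
    return [a for a in aces if a.action == "permit" and a.hits == 0]

def hit_delta(before: List[Ace], after: List[Ace]) -> Dict[Tuple[str, int], int]:
    """Hits accrued between two snapshots; a positive delta proves the ACE
    matched in the window between the two show commands."""
    prev = {(a.acl, a.seq): a.hits for a in before}
    return {(a.acl, a.seq): a.hits - prev.get((a.acl, a.seq), 0) for a in after}

# Constructed IOS sample modelled on Predrag's output (seq 30 has no hits).
IOS_SAMPLE = """Extended IP access list VTY
    10 deny tcp host 192.168.1.5 any eq 22 (3 matches)
    20 permit tcp host 192.168.1.5 any eq 2022 (114 matches)
    30 permit tcp any any eq 443
"""

# Constructed ASA sample modelled on Pete's output; the line-3 deny and its
# hash are made up for illustration.
ASA_SAMPLE = """access-list inbound; 3 elements; name hash: 0x00000000
access-list inbound line 1 extended permit tcp any object Obj-Core-SW eq ssh (hitcnt=2110) 0xeec1fa65
  access-list inbound line 1 extended permit tcp any host 192.168.254.1 eq ssh (hitcnt=2110) 0xeec1fa65
access-list inbound line 2 extended permit tcp any object Internal_FTP_Server eq ftp (hitcnt=223) 0x79574bdc
  access-list inbound line 2 extended permit tcp any host 192.168.100.10 eq ftp (hitcnt=223) 0x79574bdc
access-list inbound line 3 extended deny ip any any (hitcnt=0) 0x00000001
"""

if __name__ == "__main__":
    for sample in (IOS_SAMPLE, ASA_SAMPLE):
        for a in parse_show_access_list(sample):
            print(f"{a.acl} #{a.seq} {a.action} {a.rule}: {a.hits} hits")
```

Feed it the saved output of show access-list (IOS) or show access-list | incl NAME (ASA) taken at two times; hit_delta then answers whether a given IP/port entry matched in that window, which the single counter alone cannot.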
totaram

ASKER
Is that the case with Cisco ISR-4K and ASR-1000 series routers too? I heard that they do not report the ACL matches used by a service policy.
Please confirm.
Predrag Jovic

Typically, they do not match ACL for service policy on all IOS versions.
totaram

ASKER
So, Predrag, how do we know if we have a match or not for a given ACL? Is there any other way?

Thanks;
ASKER CERTIFIED SOLUTION
Predrag Jovic

totaram

ASKER
Thank you so much for the link... it is a valuable link. Is there any way to find how many hits SIP port 5060/5061 had, or a way to figure out the total Kbytes used by this type of traffic?
Predrag Jovic

Only if that traffic is the only traffic present in a specific class-map (with show policy-map interface).
I don't know of any other way.
totaram

ASKER
Thanks Predrag, your comments were very helpful
Predrag Jovic

You're welcome.