Cisco ACL question

totaram
Hi;
How do we find out if a given ACL statement in an ACL set (Cisco) has had a match in the past, that is, on running traffic, whether a certain IP address and port had a match?

Thanks;
Distinguished Expert 2018

Commented:
Depending on how specifically the ACL is written and whether matches are logged:
show access-list
show access-list [acl-name]
show logg

Author

Commented:
Hi Predrag;
I see the extended access list expanded out and I see all the permit stmts on the screen. What I am looking for is how many hits a given permit stmt (say acl 20) had in a given extended ACL (ACL-COS-AF4)?
Distinguished Expert 2018

Commented:
Extended IP access list VTY
    10 deny tcp host 192.168.1.5 any eq 22 (3 matches)
    20 permit tcp host 192.168.1.5 any eq 2022 (114 matches)
Pete LongTechnical Consultant

Commented:
For a single ACL

show access-list | incl {ACL-Name}
Petes-ASA# show access-list | incl inbound
access-list inbound; 11 elements; name hash: 0x793e9c88
access-list inbound line 1 extended permit tcp any object Obj-Core-SW eq ssh (hitcnt=2110) 0xeec1fa65
  access-list inbound line 1 extended permit tcp any host 192.168.254.1 eq ssh (hitcnt=2110) 0xeec1fa65
access-list inbound line 2 extended permit tcp any object Internal_FTP_Server eq ftp (hitcnt=223) 0x79574bdc
  access-list inbound line 2 extended permit tcp any host 192.168.100.10 eq ftp (hitcnt=223) 0x79574bdc
access-list inbound line 3 extended permit udp any object Internal_TFTP_Server eq tftp (hitcnt=25) 0x1009dc91
  access-list inbound line 3 extended permit udp any host 192.168.100.10 eq tftp (hitcnt=25) 0x1009dc91
access-list inbound line 4 extended permit tcp any object Internal_RDP_Server eq 3389 (hitcnt=14) 0x67ea11e1
  access-list inbound line 4 extended permit tcp any host 192.168.100.10 eq 3389 (hitcnt=14) 0x67ea11e1
access-list inbound line 5 extended permit tcp any object Internal_RDP_Client eq 3389 (hitcnt=14) 0xc2b17bd3
  access-list inbound line 5 extended permit tcp any host 192.168.100.77 eq 3389 (hitcnt=14) 0xc2b17bd3
access-list inbound line 6 extended permit tcp any object Internal_HTTP_Server eq www (hitcnt=6932) 0xbea499d4
  access-list inbound line 6 extended permit tcp any host 192.168.100.10 eq www (hitcnt=6932) 0xbea499d4
access-list inbound line 7 extended permit icmp6 any6 any6 echo (hitcnt=6794) 0x092094f3
access-list inbound line 8 extended permit icmp6 any6 any6 echo-reply (hitcnt=0) 0xe9dc8639
access-list inbound line 9 extended permit icmp6 any6 any6 unreachable (hitcnt=241) 0x26b280f9
access-list inbound line 10 extended permit icmp6 any6 any6 time-exceeded (hitcnt=4) 0x2afaa5ac
access-list inbound line 11 extended permit tcp any object Internal_Mail_Server eq smtp (hitcnt=955) 0xd649a992
  access-list inbound line 11 extended permit tcp any host 192.168.100.19 eq smtp (hitcnt=955) 0xd649a992


For a single ACE

show access-list | incl line {ACE-Line-number}
Petes-ASA# show access-list | incl line 6
access-list inbound line 6 extended permit tcp any object Internal_HTTP_Server eq www (hitcnt=6932) 0xbea499d4
  access-list inbound line 6 extended permit tcp any host 192.168.100.10 eq www (hitcnt=6932) 0xbea499d4

Pete
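As an added example (not from this thread, Cisco, or Pete's post), a small Python parser for the ASA `show access-list` output quoted above: it pulls the hitcnt of each ACE and answers the original question for a given destination host and port. The sample text is constructed from the lines Pete posted; the function names are my own.

```python
import re

# Constructed sample: a subset of the ASA "show access-list | incl inbound"
# output quoted in this thread (object-group ACEs appear twice, the second
SAMPLE = """\
access-list inbound; 11 elements; name hash: 0x793e9c88
access-list inbound line 1 extended permit tcp any object Obj-Core-SW eq ssh (hitcnt=2110) 0xeec1fa65
  access-list inbound line 1 extended permit tcp any host 192.168.254.1 eq ssh (hitcnt=2110) 0xeec1fa65
access-list inbound line 6 extended permit tcp any object Internal_HTTP_Server eq www (hitcnt=6932) 0xbea499d4
  access-list inbound line 6 extended permit tcp any host 192.168.100.10 eq www (hitcnt=6932) 0xbea499d4
access-list inbound line 8 extended permit icmp6 any6 any6 echo-reply (hitcnt=0) 0xe9dc8639
"""

ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)"
)

def parse_aces(text):
    """Map ACE line number -> fields; the expanded (indented) copy wins so the
    concrete host IP rather than the object name is kept."""
    aces = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue  # ACL header or any non-ACE line
        n, expanded = int(m["line"]), bool(m["indent"])
        if n in aces and not expanded:
            continue
        port = re.search(r"\beq (\S+)", m["rule"])
        aces[n] = {"acl": m["acl"], "action": m["action"], "proto": m["proto"],
                   "rule": m["rule"], "port": port.group(1) if port else None,
                   "hits": int(m["hits"])}
    return aces

def hits_for(aces, host=None, port=None):
    """Total hitcnt of ACEs naming the given destination host and/or port."""
    total = 0
    for ace in aces.values():
        if host and f"host {host}" not in ace["rule"]:
            continue
        if port and ace["port"] != port:
            continue
        total += ace["hits"]
    return total

def never_matched(aces):
    """ACE line numbers with hitcnt=0: never-used or shadowed rules worth review."""
    return sorted(n for n, ace in aces.items() if ace["hits"] == 0)
```

The hitcnt values are cumulative since the counters were last cleared or the box reloaded, so a non-zero count says the ACE matched at some point, not when.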

Author

Commented:
Is that the case with Cisco ISR-4K and ASR-1000 series routers too? I heard that they do not report the ACL matches used by a service policy.
Please confirm.
Distinguished Expert 2018

Commented:
Typically, they do not match ACLs for a service policy on all IOS versions.

Author

Commented:
So, Predrag, how do we know if we have a match or not for a given ACL? Is there any other way?

Thanks;
Distinguished Expert 2018
Commented:

Author

Commented:
Thank you so much for the link... it is a valuable link. Is there any way to find how many hits SIP port 5060/5061 had, or was there a way to figure the total Kbytes used by this type of traffic?
Distinguished Expert 2018

Commented:
Only if that traffic is the only traffic present in a specific class-map (with show policy-map interface).
I don't know of any other way.

Author

Commented:
Thanks Predrag, your comments were very helpful
Distinguished Expert 2018

Commented:
You're welcome.
