Access List Monitoring and Accounting


It is useful to examine an access list, or even all access lists, without having to display the entire router configuration file. The command show ip access-list displays an abbreviated syntax of all IP access lists on the router. If a specific access list is to be observed, the list can be specified by name or number (Example B-21). If you leave off the ip keyword (show access-list), all access lists, IP and non-IP alike, are displayed.

Example B-21. The show ip access-list command displays an abbreviated syntax of the access lists.
Woody#show ip access-list 110
Extended IP access list 110
    10 permit tcp any 172.22.0.0 0.0.255.255 established
    20 permit tcp any host 172.22.15.83 eq smtp
    30 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq telnet
    40 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq tftp
    50 permit udp any host 172.22.15.85 eq domain
    60 permit udp any any eq snmp
Woody#

It is also useful, as part of a security plan or a capacity planning strategy, to track packets that have been denied by an access list.

The command ip accounting access-violations can be configured on individual interfaces to build a database of all packets denied by any access list applied to that interface. To examine the database, use the command show ip accounting access-violations. For each entry it shows the source and destination addresses, the number of packets and bytes matching that address pair, and the number of the access list that denied the packets (Example B-22). The command clear ip accounting clears the accounting database.

Example B-22. The access list accounting database can be observed with the command show ip accounting access-violations.
Woody#show ip accounting access-violations
   Source           Destination              Packets      Bytes  ACL
 10.1.4.1          255.255.255.255                13        936  110
 10.1.4.1          172.22.1.1                     12       1088  110
Accounting data age is 10
Woody#
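To turn the accounting database into the monitoring data this section describes, here is an added Python example (not from the book) that parses the text of show ip accounting access-violations, sums denied packets and bytes per source and ACL, and lists sources whose denied-packet count reaches a chosen threshold. The sample output is constructed: the two rows of Example B-22 plus an invented third row so that aggregation across destinations is visible.

```python
import re
from collections import defaultdict

# Constructed sample of 'show ip accounting access-violations' output, not a
# real capture: Example B-22's two rows plus an invented third row (10.1.9.7).
SAMPLE_OUTPUT = """\
Woody#show ip accounting access-violations
   Source           Destination              Packets      Bytes  ACL
 10.1.4.1          255.255.255.255                13        936  110
 10.1.4.1          172.22.1.1                     12       1088  110
 10.1.9.7          172.22.15.83                  250      14000  110
Accounting data age is 10
Woody#
"""

# One data row: source, destination, packets, bytes, denying ACL number.
ROW_RE = re.compile(
    r"^\s*(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<acl>\S+)\s*$"
)

def parse_violations(text):
    """Return one dict per data row; header, prompt and age lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"src": m["src"], "dst": m["dst"], "acl": m["acl"],
                         "packets": int(m["packets"]), "bytes": int(m["bytes"])})
    return rows

def denied_per_source(rows):
    """Total denied packets and bytes per (source, ACL), across all destinations."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for r in rows:
        totals[(r["src"], r["acl"])]["packets"] += r["packets"]
        totals[(r["src"], r["acl"])]["bytes"] += r["bytes"]
    return dict(totals)

def noisy_sources(rows, packet_threshold):
    """Sources at or above the threshold; the threshold is a local policy choice."""
    return sorted(src for (src, _acl), t in denied_per_source(rows).items()
                  if t["packets"] >= packet_threshold)

if __name__ == "__main__":
    rows = parse_violations(SAMPLE_OUTPUT)
    for (src, acl), t in sorted(denied_per_source(rows).items()):
        print(f"{src:<16} ACL {acl}: {t['packets']} packets, {t['bytes']} bytes denied")
    print("Sources with 100 or more denied packets:", noisy_sources(rows, 100))
```

Because show ip accounting access-violations reports cumulative counts since the last clear ip accounting, run the parser on successive snapshots (or clear between them) to get a rate rather than a running total.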

Accounting disables autonomous and silicon switching on an interface. Do not use accounting on an interface where these switching modes are required.

As a final "trick," be aware that IP accounting does not track packets discarded by the implicit deny any at the end of the list. To track these packets, configure an explicit deny ip any any as the last entry of the list, as in Example B-23.

Example B-23. A deny any entry is added to the end of the access list to track packets discarded because they did not match any other entry in the list.
access-list 110 permit tcp any 172.22.0.0 0.0.255.255 established
access-list 110 permit tcp any host 172.22.15.83 eq smtp
access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq telnet
access-list 110 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq tftp
access-list 110 permit udp any host 172.22.15.85 eq domain
access-list 110 permit udp any any eq snmp
access-list 110 deny ip any any




CCIE Professional Development: Routing TCP/IP (Vol. 1)
Routing TCP/IP, Volume 1 (2nd Edition)
ISBN: 1587052024
Year: 2005