Access List Monitoring and Accounting


It is useful to be able to examine an access list, or even all access lists, without having to display the entire router configuration file. The command show ip access-list displays an abbreviated syntax of all IP access lists on the router. If a specific access list is to be observed, the list may be specified by name or number (Figure B.15). If you leave off the ip keyword (show access-list), access lists of all protocols are displayed, not just the IP lists.

Figure B.15. The show ip access-list command displays an abbreviated syntax of the access lists.


It is also useful, as part of a security plan or a capacity planning strategy, to track packets that have been denied by an access list. The command ip accounting access-violations may be configured on individual interfaces to create a database of all packets that have been denied by an access list applied to that interface. To examine the database, use the command show ip accounting access-violations. For each source and destination address pair, the number of packets and number of bytes denied and the number of the access list that denied them are shown (Figure B.16). The command clear ip accounting clears the accounting database, so note the values you need before clearing it.

Figure B.16. The access list accounting database can be observed with the command show ip accounting access-violations.


Enabling accounting disables autonomous and silicon switching on the interface, so every packet on that interface is process switched. Do not use accounting on an interface where these switching modes are required.

As a final "trick," you should be aware that access-violations accounting does not track packets discarded by the implicit deny any at the end of the list; only packets matched by an explicit entry are recorded. Without an explicit final deny, the denied traffic you most want to see never appears in the database.

To track these packets, simply configure an explicit deny ip any any as the last line of the list:

    access-list 110 permit tcp any 172.22.0.0 0.0.255.255 established
    access-list 110 permit tcp any host 172.22.15.83 eq smtp
    access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq telnet
    access-list 110 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq tftp
    access-list 110 permit udp any host 172.22.15.85 eq domain
    access-list 110 permit udp any any eq snmp
    access-list 110 deny ip any any
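Once access list 110 is applied to an interface with ip access-group 110 in and ip accounting access-violations is enabled there, the database is only as useful as the questions you ask of it. The following script is an added example, not from the book or from Cisco: it parses the text of show ip accounting access-violations and summarises denied packets per source address and per access list, which is the first thing an operator wants when deciding whether a denied source is misconfigured or hostile. The sample output is constructed, and its column layout (Source, Destination, Packets, Bytes, ACL) is an assumption about the IOS display format; the threshold for "noisy" sources is likewise an arbitrary choice for illustration.

```python
"""Summarise Cisco IOS 'show ip accounting access-violations' output.

Added example. The sample output below is constructed for illustration,
and the column layout (Source, Destination, Packets, Bytes, ACL) is an
assumption about the IOS format rather than text taken from the book.
"""
import re
from collections import defaultdict

# Constructed sample: what the router might print after access list 110,
# ending in an explicit 'deny ip any any', has denied traffic on an
# interface configured with 'ip accounting access-violations'.
SAMPLE_OUTPUT = """\
   Source           Destination              Packets               Bytes  ACL
 192.168.200.14   172.22.15.83                 412               24720  110
 192.168.200.14   172.22.15.87                  38                2280  110
 10.64.40.9       172.22.114.20                  7                 420  110
 172.16.3.3       172.22.15.85                   2                 128  110
Accounting data age is 12
"""

# One data row: two dotted-quad addresses, two counters, the ACL number/name.
LINE_RE = re.compile(
    r"^\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<acl>\S+)\s*$"
)


def parse_violations(text):
    """Return one dict per data row; header and trailer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # column header, 'Accounting data age ...', blank lines
        rows.append({
            "src": m["src"],
            "dst": m["dst"],
            "packets": int(m["packets"]),
            "bytes": int(m["bytes"]),
            "acl": m["acl"],
        })
    return rows


def denied_by_source(rows):
    """Total denied packets per source address, largest count first."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["src"]] += r["packets"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def denied_by_acl(rows):
    """Total denied packets per access list, so a list without an explicit
    final deny (which records nothing for implicitly dropped traffic) stands
    out as suspiciously quiet."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["acl"]] += r["packets"]
    return dict(totals)


def noisy_sources(rows, threshold):
    """Sources whose denied-packet count meets the threshold: candidates
    for investigation (misconfigured host, scanner, or spoofed source)."""
    return [src for src, n in denied_by_source(rows) if n >= threshold]


if __name__ == "__main__":
    rows = parse_violations(SAMPLE_OUTPUT)
    for src, n in denied_by_source(rows):
        print(f"{src:<16} {n:>6} denied packets")
    print("by ACL:", denied_by_acl(rows))
    print("investigate:", noisy_sources(rows, threshold=100))
```

Run it against the captured output of the show command (for example, the text saved by a terminal session) instead of SAMPLE_OUTPUT. Because clear ip accounting resets the counters, capture the output before clearing if you intend to keep a history of denied sources.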

Dynamic access lists are not covered in this book. Refer to Cisco's documentation for more information.



Routing TCP/IP, Volume I (1998)
Year: 2004
Pages: 224
