RE: Cisco acls

[Scott Stursa <stursa () mailer fsu edu>]

On Tue, 15 Mar 2005, Luke Butcher wrote:

> Not sure about a lint checker and router ACLs unfortunately don't show a
> hit count like PIX ones.

Yes they do.

The only place I've seen "missed" hits are on switches doing VLAN
switching. Although the initial handshake will generate hits, once it goes
into switching mode the ACL will never see the packets. The difference is
clear if you have an ACL which begins with "permit tcp any any
established"; on a non-switched interface this line will show the greatest
number of hits in the ACL, on a switched one it will show the lowest.


> So the only option is probably to add a log
> keyword to your permit statements and then watch the logs to see if the
> statements are being hit.

ACL logging is rate limited; only a percentage of the matches will be
logged. Under high load conditions this percentage approaches zero.

I will often use a logging ACL to audit a department's traffic. Because of
the low percentage of matches that are actually logged, I usually run
these for several days in order to get an accurate feel for the traffic
patterns.

- SLS

------------------------------------------------------------------------
Scott L. Stursa                                             850/645-2397
Network Security Assessment                        stursa () mailer fsu edu
Technology Integration/User Services            Florida State University

                     - No good deed goes unpunished -
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards