Given an IP Address: How to determine quickly which ACLs match.

Chris
      12-15-2004
Hello All,

Does anyone know of a way to determine quickly which ACL or ACLs a given IP
address matches? I ask this because at my place of work it is not unusual
to have an interface configured with a dozen+ rate-limit statements and
lengthy ACLs associated with each rate-limit statement. When
troubleshooting one has to check against each ACL to determine if the IP in
question is matching an ACL or going to the default queue. Any input would be
greatly appreciated.

Regards,

Chris

Walter Roberson
      12-15-2004
In article <TLLvd.601$(E-Mail Removed)>, Chris <(E-Mail Removed)> wrote:
:Does anyone know of a way to determine quickly which ACL or ACLs a given IP
:address matches? I ask this because at my place of work it is not unusual
:to have an interface configured with a dozen+ rate-limit statements and
:lengthy ACLs associated with each rate-limit statement. When
:troubleshooting one has to check against each ACL to determine if the IP in
:question is matching ACL or going to default queue.

I don't know how it's done, but I understand that Cisco has
a whitepaper [which I haven't read] on how it compiles "turbo ACLs".
I haven't tried my hand at inventing an algorithm from scratch
just knowing that it can be done.
--
If a troll and a half can hook a reader and a half in a posting and a half,
how many readers can six trolls hook in six postings?
Ben
      12-15-2004
Walter Roberson wrote:
> In article <TLLvd.601$(E-Mail Removed)>, Chris <(E-Mail Removed)> wrote:
> :Does anyone know of a way to determine quickly which ACL or ACLs a given IP
> :address matches? I ask this because at my place of work it is not unusual
> :to have an interface configured with a dozen+ rate-limit statements and
> :lengthy ACLs associated with each rate-limit statement. When
> :troubleshooting one has to check against each ACL to determine if the IP in
> :question is matching ACL or going to default queue.
>
> I don't know how it's done, but I understand that Cisco has
> a whitepaper [which I haven't read] on how it compiles "turbo ACLs".
> I haven't tried my hand at inventing an algorithm from scratch
> just knowing that it can be done.


Hi Walter/Chris,

The easiest way to achieve what you want is to simply debug the
access-lists one at a time and look at the debug output to determine
which packets are being matched.

As in:

ROUTER#debug ip packet ?
<1-199> Access list
<1300-2699> Access list (expanded range)
detail Print more debugging detail
<cr>

Or even better test in a controlled lab environment and just look at the
ACL counters.

Turbo ACLs are something else.
They are very handy if you have long ACLs as they will result in a
fixed maximum lookup time. It basically compiles all your ACLs into a
fancy array that will be able to match any packet in no more than 15
lookups. Your ACLs need to be longer than 4 lines to get a benefit
(though I think more than that to be worth it).

Ben C.
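An offline way to get the answer Chris asked for, added here as an example and not code from the thread or from Cisco: paste the numbered ACL lines from "show running-config" into the string below and ask which ACLs an address matches as the source, first match wins per ACL exactly as the router evaluates it, so an ACL missing from the result is one where the address falls through to the implicit deny at the end. The sample configuration is constructed for this example, and the parser assumes numbered IPv4 standard and extended ACLs without source-port qualifiers.

```python
import ipaddress

# Constructed sample configuration (not from the thread): numbered ACLs as
# they would appear in "show running-config".
SAMPLE_CONFIG = """
access-list 10 remark hosts allowed to the management VLAN
access-list 10 permit host 192.0.2.7
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 20 deny   198.51.100.0 0.0.0.255
access-list 20 permit any
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
access-list 101 permit tcp host 10.2.2.2 host 203.0.113.5 eq 443
access-list 101 deny   ip any any
"""

def _parse_addr(tokens):
    """Read one address spec (any | host A | A WILDCARD); return (addr, match_mask)."""
    if tokens[0] == "any":
        return 0, 0
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    # A 1 bit in a Cisco wildcard means "don't care", so invert it to get the
    # bits that must be equal.
    return addr, ~wildcard & 0xFFFFFFFF

def parse_acls(config):
    """Map each ACL number to its entries, in order: (text, action, src, mask)."""
    acls = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action = int(tokens[1]), tokens[2]
        if number <= 99 or 1300 <= number <= 1999:      # standard ACL: source only
            src, mask = _parse_addr(tokens[3:])
        else:                                           # extended ACL: skip protocol;
            src, mask = _parse_addr(tokens[4:])         # source-port qualifiers unhandled
        acls.setdefault(number, []).append((raw.strip(), action, src, mask))
    return acls

def matching_acls(config, ip):
    """Return [(acl_number, action, entry_text)] for each ACL with an entry that
    matches `ip` as the source; entries are tried top-down and the first hit wins."""
    ip_int = int(ipaddress.IPv4Address(ip))
    hits = []
    for number, entries in parse_acls(config).items():
        for text, action, src, mask in entries:
            if (ip_int & mask) == (src & mask):
                hits.append((number, action, text))
                break
    return hits
```

Calling `matching_acls(SAMPLE_CONFIG, "192.0.2.7")` reports the permit in ACL 10, the "permit any" in ACL 20 and the final "deny ip any any" in ACL 101, which is the per-ACL check Chris would otherwise do by hand.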