Given an IP Address: How to determine quickly which ACLs match.

Discussion in 'Cisco' started by Chris, Dec 15, 2004.

  1. Chris

    Chris Guest

    Hello All,

    Does anyone know of a way to determine quickly which ACL or ACLs a given IP
    address matches? I ask this because at my place of work it is not unusual
    to have an interface configured with a dozen+ rate-limit statements and
    lengthy ACLs associated with each rate-limit statement. When
    troubleshooting one has to check against each ACL to determine if the IP in
    question is matching ACL or going to default queue. Any input would be
    greatly appreciated.

    Regards,

    Chris
     
    Chris, Dec 15, 2004
    #1

  2. In article <TLLvd.601$>, Chris <> wrote:
    :Does anyone know of a way to determine quickly which ACL or ACLs a given IP
    :address matches? I ask this because at my place of work it is not unusual
    :to have an interface configured with a dozen+ rate-limit statements and
    :lengthy ACLs associated with each rate-limit statement. When
    :troubleshooting one has to check against each ACL to determine if the IP in
    :question is matching ACL or going to default queue.

    I don't know how it's done, but I understand that Cisco has
    a whitepaper [which I haven't read] on how it compiles "turbo ACLs".
    I haven't tried my hand at inventing an algorithm from scratch
    just knowing that it can be done.
    --
    If a troll and a half can hook a reader and a half in a posting and a half,
    how many readers can six trolls hook in six postings?
     
    Walter Roberson, Dec 15, 2004
    #2

  3. Ben

    Ben Guest

    Walter Roberson wrote:
    > In article <TLLvd.601$>, Chris <> wrote:
    > :Does anyone know of a way to determine quickly which ACL or ACLs a given IP
    > :address matches? I ask this because at my place of work it is not unusual
    > :to have an interface configured with a dozen+ rate-limit statements and
    > :lengthy ACLs associated with each rate-limit statement. When
    > :troubleshooting one has to check against each ACL to determine if the IP in
    > :question is matching ACL or going to default queue.
    >
    > I don't know how it's done, but I understand that Cisco has
    > a whitepaper [which I haven't read] on how it compiles "turbo ACLs".
    > I haven't tried my hand at inventing an algorithm from scratch
    > just knowing that it can be done.


    Hi Walter/Chris,

    The easiest way to achieve what you want is to simply debug the
    access-lists one at a time and look at the debug output to determine
    which packets are being matched.

    As in:

    ROUTER#debug ip packet ?
    <1-199> Access list
    <1300-2699> Access list (expanded range)
    detail Print more debugging detail
    <cr>

    Or even better test in a controlled lab environment and just look at the
    ACL counters.

    Turbo ACLs are something else.
    They are very handy if you have long ACLs as they will result in a
    fixed maximum lookup time. It basically compiles all your ACLs into a
    fancy array that will be able to match any packet in no more than 15
    lookups. Your ACLs need to be longer than 4 lines to get a benefit
    (though I think more than that to be worth it).

    Ben C.
     
    Ben, Dec 15, 2004
    #3
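An offline way to answer Chris's question without debugging each ACL in turn, as an added example that is not part of the thread: a small Python script that parses numbered `access-list` lines from a saved config and reports, per ACL, the first entry whose source field covers a given IP (or the implicit deny at the end, i.e. the traffic falls to the default queue). The config below is constructed for the example, only source fields are evaluated, and Cisco wildcard-mask semantics are applied bitwise so non-contiguous wildcards are handled too.

```python
import ipaddress

# Constructed sample config (not from the thread): numbered ACLs of the kind a
# rate-limit statement would reference. Only source fields are evaluated here.
SAMPLE_CONFIG = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
access-list 101 deny ip host 10.1.1.5 any
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
access-list 120 permit tcp 172.16.0.0 0.0.15.255 any eq 80
access-list 130 permit ip 10.0.1.0 0.255.0.255 any
"""

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(tok, i, extended):
    """Read one address spec (any | host A | A WILDCARD | A) starting at tok[i]."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF
    if tok[i] == "host":
        return ip_int(tok[i + 1]), 0
    # Extended ACLs always carry a wildcard; a standard ACL may omit it (means host).
    if extended or (i + 1 < len(tok) and tok[i + 1][0].isdigit()):
        return ip_int(tok[i]), ip_int(tok[i + 1])
    return ip_int(tok[i]), 0

def parse_acl_config(text):
    """Map ACL number -> ordered list of (action, src_addr, src_wildcard)."""
    acls = {}
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number = int(tok[1])
        extended = 100 <= number <= 199 or 2000 <= number <= 2699
        addr, wild = parse_addr(tok, 4 if extended else 3, extended)
        acls.setdefault(number, []).append((tok[2], addr, wild))
    return acls

def first_match(entries, ip):
    """(action, line) of the first entry whose source covers ip, else the implicit deny."""
    for line, (action, addr, wild) in enumerate(entries, 1):
        if ((ip ^ addr) & ~wild & 0xFFFFFFFF) == 0:  # wildcard bits are "don't care"
            return action, line
    return "deny", None

def acl_lookup(acls, ip):
    """Per ACL, the first source match for ip; permits are the classes the IP lands in."""
    return {n: first_match(e, ip_int(ip)) for n, e in acls.items()}
```

Run it against the output of `show running-config | include access-list` to get a per-ACL verdict for one address in a single pass, then confirm on the box with the ACL counters as Ben suggests.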
