cisco access lists blocked packets

Discussion in 'Cisco' started by ants, Sep 23, 2005.

  1. ants

    ants Guest

    Hi,
    how can you see what packets are being blocked by an
    access-list on a Cisco router? I know about show access-list xxx which
    shows how many times an access-list rule has been used, but I want to
    see the actual packets through the router.

    Is this possible?
    thanks in advance
     
    ants, Sep 23, 2005
    #1

  2. :how can you see what packets are being blocked on an
    :access-list on a Cisco router? I know about show access-list xxx which
    :shows how many times an access-list rule has been used, but I want to
    :see the actual packets through the router

    There might perhaps be a more direct way, but the way that comes
    to mind is this:

    Don't apply the access-list directly to the interface in question.
    Instead, create policy-based routing (PBR) and use that access-list
    to permit traffic through in the first policy. In the second policy
    of the PBR, redirect the remaining traffic to a loopback interface.
    Now, SPAN or RSPAN the loopback interface to your monitoring equipment.


    See also "debug ip packet detail" -- but that can overwhelm your system
    easily, and has the problem that the access-list controls what is
    to be captured. But you could use the PBR approach listed above and
    debug everything that got sent to the loopback interface I described.

    You might also be able to take advantage of "ip traffic-export profile".

    If you have one of the advanced security features with the firewall
    feature, then you can use NBAR to capture traffic:
    http://www.cisco.com/warp/public/105/custompdlms.html


    Cisco's features for -direct- capture and display of traffic are
    deliberately restricted as a security precaution.
     
    Walter Roberson, Sep 23, 2005
    #2

  3. Add "log" to the end of all the "deny" lines in the ACL; if the ACL
    doesn't end with a "permit/deny ip any any" line (i.e. it's depending on
    the implicit deny), you should add "deny ip any any log". It will then
    log some information about all the packets that were blocked.
     
    Barry Margolin, Sep 24, 2005
    #3
  4. Peter Norén

    Peter Norén Guest

    Hi

    Try log at the end of the access-list line.

    ex.
    access-list 101 deny ip 172.16.0.0 0.0.15.255 any log

    Then you can see blocked packets in syslog.
    ex.
    sh log
     
    Peter Norén, Sep 24, 2005
    #4
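The "log" keyword that Barry and Peter recommend makes IOS emit a %SEC-6-IPACCESSLOGP syslog line per logged flow (the first packet immediately, then a "N packets" summary every few minutes). Below is an added example, not part of this thread, that parses such lines from "sh log" output and totals the denied packets per ACL and source address; the log lines are constructed samples and the ACL number 101 is taken from Peter's example.

```python
import re
from collections import Counter

# Constructed sample of what "show logging" prints for ACL entries with "log".
# Real routers may add a "(interface mac)" field after the source when the
# entry uses "log-input"; the regex below tolerates that optionally.
SAMPLE_LOG = """\
*Sep 24 10:01:02.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.1.5(40212) -> 10.0.0.1(22), 1 packet
*Sep 24 10:01:03.456: %SEC-6-IPACCESSLOGP: list 101 denied udp 172.16.2.9(5353) -> 10.0.0.1(53), 3 packets
*Sep 24 10:01:05.789: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.10(51000) -> 10.0.0.1(443), 1 packet
*Sep 24 10:06:02.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.1.5(40213) -> 10.0.0.1(22), 12 packets
*Sep 24 10:06:10.000: %SYS-5-CONFIG_I: Configured from console by console
"""

LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)(?: \([^)]*\))? -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Yield one dict per IPACCESSLOGP line; unrelated syslog lines are skipped."""
    for line in text.splitlines():
        m = LOGP_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "count"):
            rec[key] = int(rec[key])
        yield rec


def denied_packets_by_source(text):
    """Sum the 'N packets' counters of denied flows, keyed by (acl, src)."""
    totals = Counter()
    for rec in parse_acl_log(text):
        if rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["count"]
    return totals


if __name__ == "__main__":
    for (acl, src), n in denied_packets_by_source(SAMPLE_LOG).most_common():
        print(f"list {acl}: {src} had {n} packet(s) denied")
```

Because IOS rate-limits and summarises ACL log messages, the summed counters are what the router chose to report, not an exact packet capture; for the real packets use the SPAN/PBR approach from the earlier reply.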