Firewall Wizards mailing list archives
RE: Cisco acls
From: Scott Stursa <stursa () mailer fsu edu>
Date: Thu, 24 Mar 2005 12:53:46 -0500 (EST)
On Tue, 15 Mar 2005, Luke Butcher wrote:
Not sure about a lint checker, and router ACLs unfortunately don't show a hit count like PIX ones.
Yes, they do. The only place I've seen "missed" hits is on switches doing VLAN switching. Although the initial handshake will generate hits, once it goes into switching mode the ACL will never see the packets. The difference is clear if you have an ACL which begins with "permit tcp any any established": on a non-switched interface this line will show the greatest number of hits in the ACL; on a switched one it will show the lowest.
So the only option is probably to add a log keyword to your permit statements and then watch the logs to see if the statements are being hit.
ACL logging is rate limited; only a percentage of the matches will be logged. Under high load conditions this percentage approaches zero. I will often use a logging ACL to audit a department's traffic. Because of the low percentage of matches that are actually logged, I usually run these for several days in order to get an accurate feel for the traffic patterns.

- SLS

------------------------------------------------------------------------
Scott L. Stursa                          850/645-2397
Network Security Assessment              stursa () mailer fsu edu
Technology Integration/User Services
Florida State University
- No good deed goes unpunished -

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
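As an added example (not from the thread and not Cisco tooling), the script below parses `show ip access-lists` output, lists entries whose counters never incremented, and applies the heuristic from the reply above: on a routed interface the `established` line should be the top-hit entry, so if another line beats it the counters may be undercounting because traffic is being switched past the ACL. The sample output is constructed; the ACL name, addresses and match counts are illustrative only.

```python
"""Report per-entry hit counts from Cisco IOS 'show ip access-lists' output."""
import re

# Constructed sample (not captured from a real device). IOS prints one entry
# per line as "<seq> <action> <rule> (<n> matches)"; the suffix is absent at 0.
SAMPLE = """\
Extended IP access list 101
    10 permit tcp any any established (982341 matches)
    20 permit tcp any host 192.0.2.10 eq 22 (1532 matches)
    30 permit udp any host 192.0.2.53 eq domain (40211 matches)
    40 permit tcp any host 192.0.2.20 eq 8443
    50 deny ip any any log (77 matches)
"""

HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
ENTRY_RE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?$")

def parse_acls(text):
    """Return {acl_name: [(seq, action, rule, matches), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            seq, action, rule, hits = m.groups()
            current.append((int(seq), action, rule, int(hits or 0)))
    return acls

def unused_entries(entries):
    """Sequence numbers whose counter never incremented: review candidates."""
    return [seq for seq, _, _, hits in entries if hits == 0]

def counters_look_trustworthy(entries):
    """Heuristic from the thread: on a routed interface the 'established'
    line should carry the most hits. If another line beats it, traffic may be
    switched past the ACL and the counters undercount. None if no such line."""
    est = [hits for _, _, rule, hits in entries if "established" in rule]
    if not est:
        return None
    return est[0] == max(hits for *_, hits in entries)

if __name__ == "__main__":
    for name, entries in parse_acls(SAMPLE).items():
        print(f"ACL {name}: unused={unused_entries(entries)} "
              f"trustworthy={counters_look_trustworthy(entries)}")
```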