2 Replies Latest reply on May 29, 2015 7:14 AM by evanh

    How can you get details of HW-Access List Deny entries?

    drjarmon New Member

      Trying to identify traffic being denied: the log only seems to tell how many times the rule is hit.


      ip hw-access-list extended WWW-Access

        permit tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq www log

        permit tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq https log

        deny ip any 192.168.3.0 0.0.0.255 log

      !


      Thanks

        • Re: How can you get details of HW-Access List Deny entries?
          Employee

          drjarmon - Thanks for posting your question on the forum. Unfortunately, there isn't a way to identify the traffic being denied or matched with a hardware ACL.


          One thing you could do is create a hardware ACL that is the opposite of the one you have applied to a VLAN or switchport. This hardware ACL will simply be used to filter the debug and would look something like this (based on the ACL you posted above):


          ip hw-access-list ext test

            deny tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq www log

            deny tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq https log

            permit ip 192.168.3.0 0.0.0.255 any


          router#debug ip packet test


          The command "u a" will stop the debug.


          This would display all traffic traversing the AOS device that is sourced from the 192.168.3.x network but isn't destined for 10.10.10.1 on TCP ports 80 or 443. Please keep in mind that this could burden the CPU if a lot of traffic matching the ACL is passing through the device.


          Please do not hesitate to let us know if you have any questions.


          Thanks,

          Noor
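The workaround above relies on the debug-filter ACL being the logical complement of the production ACL: everything the production ACL denies must be permitted by the filter, and nothing else, or the debug output will miss or over-report flows. The following Python model is an added example (not ADTRAN's code, and not something on the original page) that parses the two ACLs as posted and checks that property over a handful of constructed flows. It assumes standard ACL semantics of first match wins with an implicit deny at the end, maps the port keywords www and https to 80 and 443, and uses the corrected wildcard 0.0.0.255 on the deny line; the flow list and the Flow type are constructed for the example.

```python
"""Toy first-match ACL evaluator for the ACL syntax shown in the thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "https": 443}  # keyword-to-port mapping assumed for the example


@dataclass(frozen=True)
class Flow:
    """A single unidirectional flow as the ACL would see it (constructed type)."""
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return ((net, wildcard), rest)."""
    tok = tokens[0]
    if tok == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (net, wild), tokens[2:]


def _match_addr(spec, addr):
    """Wildcard bits set to 1 are 'don't care'; only the zero bits are compared."""
    net, wild = spec
    a = int(ipaddress.IPv4Address(addr))
    return (a & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def parse_acl(text):
    """Parse ACE lines into (action, proto, src_spec, dst_spec, dport_or_None, log) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!"):
            continue  # skip the 'ip hw-access-list ...' header and the '!' terminator
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        dport, log = None, False
        while rest:
            tok = rest.pop(0)
            if tok == "eq":
                port = rest.pop(0)
                dport = PORT_NAMES.get(port) or int(port)
            elif tok == "log":
                log = True
        entries.append((action, proto, src, dst, dport, log))
    return entries


def evaluate(acl, flow):
    """First matching entry decides; an ACL ends with an implicit deny (assumed semantics)."""
    for action, proto, src, dst, dport, _log in acl:
        if proto != "ip" and proto != flow.proto:
            continue
        if not _match_addr(src, flow.src) or not _match_addr(dst, flow.dst):
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return "deny"


# The production ACL from the question (wildcard on the deny line corrected to 0.0.0.255).
ORIGINAL_ACL = parse_acl("""
ip hw-access-list extended WWW-Access
  permit tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq www log
  permit tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq https log
  deny ip any 192.168.3.0 0.0.0.255 log
!
""")

# The inverse ACL from the reply, used only to filter 'debug ip packet test'.
DEBUG_FILTER_ACL = parse_acl("""
ip hw-access-list ext test
  deny tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq www log
  deny tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq https log
  permit ip 192.168.3.0 0.0.0.255 any
""")

SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("tcp", "192.168.3.10", "10.10.10.1", 80),     # allowed by production ACL
    Flow("tcp", "192.168.3.10", "10.10.10.1", 443),    # allowed by production ACL
    Flow("tcp", "192.168.3.10", "10.10.10.1", 22),     # denied: wrong port
    Flow("udp", "192.168.3.10", "10.10.10.1", 53),     # denied: wrong protocol
    Flow("tcp", "192.168.3.10", "192.168.3.20", 445),  # denied: explicit deny line
    Flow("icmp", "192.168.3.10", "8.8.8.8"),           # denied: implicit deny
    Flow("tcp", "10.10.10.1", "192.168.3.10", 80),     # not sourced from 192.168.3.x
]


def flows_shown_by_debug(flows):
    """Flows the filter ACL would pass through to the debug output."""
    return [f for f in flows if evaluate(DEBUG_FILTER_ACL, f) == "permit"]


def filter_matches_denies(flows):
    """True when, for every flow sourced from 192.168.3.0/24, the debug filter
    permits exactly the flows the production ACL denies."""
    src_net = (int(ipaddress.IPv4Address("192.168.3.0")), int(ipaddress.IPv4Address("0.0.0.255")))
    for f in flows:
        if not _match_addr(src_net, f.src):
            continue
        if (evaluate(ORIGINAL_ACL, f) == "deny") != (evaluate(DEBUG_FILTER_ACL, f) == "permit"):
            return False
    return True


if __name__ == "__main__":
    for f in flows_shown_by_debug(SAMPLE_FLOWS):
        print("would appear in debug:", f)
    print("filter is the complement of the production ACL:", filter_matches_denies(SAMPLE_FLOWS))
```

Note that the check is scoped to flows sourced from 192.168.3.0/24, which is exactly the scope the reply claims for the debug output; return traffic from 10.10.10.1 is denied by both ACLs and therefore never shows up in the debug, so the model is a useful way to confirm a filter ACL before pointing a CPU-bound debug at a busy interface.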

          • Re: How can you get details of HW-Access List Deny entries?
            evanh Employee

            Don,


            I am marking this assumed answered. However, if you have more to add please do not hesitate to do so.


            Thanks,

            Evan