Access List Monitoring and Accounting

It is useful to examine an access list, or even all access lists, without having to display the entire router configuration file. The command show ip access-list displays an abbreviated syntax of all IP access lists on the router. If a specific access list is to be observed, the list can be specified by name or number (Example B-21). If you leave off the ip keyword (show access-list), all access lists will display.

Example B-21. The show ip access-list command displays an abbreviated syntax of the access lists.

Woody#show ip access-list 110
Extended IP access list 110
10 permit tcp any 172.22.0.0 0.0.255.255 established
20 permit tcp any host 172.22.15.83 eq smtp
30 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq telnet
40 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq tftp
50 permit udp any host 172.22.15.85 eq domain
60 permit udp any any eq snmp
Woody#

It is also useful, as part of a security plan or a capacity planning strategy, to track packets that have been denied by an access list. The command ip accounting access-violations can be configured on individual interfaces to create a database of all packets that have been denied by any access list on that interface. To examine the database, use the command show ip accounting access-violations. The source and destination addresses, the number of packets and number of bytes matching these addresses, and the number of the access list that denied the packets are shown (Example B-22). The command clear ip accounting clears the accounting database.

Example B-22. The access list accounting database can be observed with the command show ip accounting access-violations.

Woody#show ip accounting access-violations
Source Destination Packets Bytes ACL
10.1.4.1 255.255.255.255 13 936 110
10.1.4.1 172.22.1.1 12 1088 110
Accounting data age is 10
Woody#

Accounting disables autonomous and silicon switching on an interface. Do not use accounting on an interface where these switching modes are required. As a final "trick," be aware that IP accounting does not track packets discarded by the implicit deny any at the end of the list. To track these packets, configure an explicit deny any at the end of the list, as in Example B-23.

Example B-23. A deny any entry is added to the end of the access list to track packets discarded because they did not match any other entry in the list.

access-list 110 permit tcp any 172.22.0.0 0.0.255.255 established
access-list 110 permit tcp any host 172.22.15.83 eq smtp
access-list 110 permit tcp 10.0.0.0 0.255.255.255 172.22.114.0 0.0.0.255 eq telnet
access-list 110 permit udp 10.64.32.0 0.0.0.255 host 172.22.15.87 eq tftp
access-list 110 permit udp any host 172.22.15.85 eq domain
access-list 110 permit udp any any eq snmp
access-list 110 deny ip any any
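The accounting database is only useful if something reads it and if the list actually records every denial. The following Python script is an added example, not part of the book text or of Cisco IOS: it parses the show ip accounting access-violations table into records, totals denied packets per source address so the noisiest sources surface first, and checks a numbered access list configuration for the explicit trailing deny ip any any that Example B-23 adds, since without it the implicit deny leaves no accounting record. The router output and access list below are constructed samples in the format of Examples B-22 and B-23; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample of "show ip accounting access-violations" output,
# laid out like Example B-22 (not captured from a real router).
SAMPLE_VIOLATIONS = """\
Woody#show ip accounting access-violations
   Source           Destination              Packets               Bytes   ACL
 10.1.4.1         255.255.255.255                13                 936   110
 10.1.4.1         172.22.1.1                     12                1088   110
 10.9.7.2         172.22.15.83                    4                 240   110
Accounting data age is 10
Woody#"""

# Constructed numbered access list in the style of Example B-23, deliberately
# missing the explicit final deny so the check below has something to flag.
SAMPLE_ACL = """\
access-list 110 permit tcp any 172.22.0.0 0.0.255.255 established
access-list 110 permit tcp any host 172.22.15.83 eq smtp
access-list 110 permit udp any any eq snmp
"""

# One accounting row: source, destination, packet count, byte count, ACL number.
# The header line and the "Accounting data age" trailer do not match this pattern.
ROW_RE = re.compile(
    r"^\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<acl>\S+)\s*$"
)


def parse_access_violations(output):
    """Return one dict per denied source/destination pair in the show output."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "src": m["src"],
                "dst": m["dst"],
                "packets": int(m["packets"]),
                "bytes": int(m["bytes"]),
                "acl": m["acl"],
            })
    return rows


def denied_packets_by_source(rows):
    """Total denied packets per source address, for ranking noisy hosts."""
    totals = Counter()
    for row in rows:
        totals[row["src"]] += row["packets"]
    return totals


def has_explicit_final_deny(acl_config, acl_number):
    """True if the last entry of the numbered ACL is 'deny ip any any'.

    Accounting only records packets that match an explicit entry, so a list
    that relies on the implicit deny leaves those discards untracked.
    """
    prefix = f"access-list {acl_number} "
    entries = [line.strip() for line in acl_config.splitlines()
               if line.strip().startswith(prefix)]
    if not entries:
        return False
    return entries[-1].split()[2:] == ["deny", "ip", "any", "any"]


if __name__ == "__main__":
    rows = parse_access_violations(SAMPLE_VIOLATIONS)
    for src, count in denied_packets_by_source(rows).most_common():
        print(f"{src:<16} {count:>6} denied packets")
    if not has_explicit_final_deny(SAMPLE_ACL, 110):
        print("ACL 110 has no explicit 'deny ip any any'; implicit denies are not accounted")
```

Run against a saved copy of the show output and the running configuration, the script gives a quick per-source view of what a list is rejecting and warns when the list's final entry is not an explicit deny. Columns in the real output are whitespace-aligned rather than fixed-width, which is why the parser keys on the two dotted-quad addresses rather than on column positions.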