drjarmon
New Contributor III

How can you get details of HW-Access List Deny entries?

Trying to identify traffic being denied: the log only seems to tell how many times the rule is hit.

ip hw-access-list extended WWW-Access
  permit tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq www log
  permit tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq https log
  deny ip any 192.168.3.0 0.0.0.255 log
!


Thanks

2 Replies
Anonymous
Not applicable

Re: How can you get details of HW-Access List Deny entries?

drjarmon - Thanks for posting your question on the forum. Unfortunately, there isn't a way to identify the traffic being denied or matched with a hardware ACL.

One thing you could do is create a hardware ACL that is the opposite of the one you have applied to a VLAN or switchport. This hardware ACL will simply be used to filter the debug and would look something like this (based on the ACL you posted above):

ip hw-access-list ext test
  deny tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq www log
  deny tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq https log
  permit ip 192.168.3.0 0.0.0.255 any

router#debug ip packet test


The command "u a" will stop the debug.

This would display all traffic traversing the AOS device that is sourced from the 192.168.3.x network but isn't destined for 10.10.10.1 on TCP ports 80 or 443. Please keep in mind that this could burden the CPU if a lot of traffic matching the ACL is passing through the device.

Please do not hesitate to let us know if you have any questions.

Thanks,

Noor
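Because the hardware path gives no per-packet view, one offline way to answer "which flows does this deny catch" is to replay candidate flows against the ACL with the same first-match and wildcard-mask semantics the switch applies. The script below is an added example, not code from this thread or from ADTRAN; its ACL is constructed to mirror the one in the question, and invert() builds a debug-filter ACL in the spirit of the reply above (permit/deny swapped, log dropped, implicit deny made an explicit permit), which is broader than the hand-tuned filter Noor shows.

```python
import ipaddress

# Constructed ACL mirroring the question (hw-access-list WWW-Access).
ACL = [
    "permit tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq www log",
    "permit tcp 192.168.3.0 0.0.0.255 host 10.10.10.1 eq https log",
    "deny ip any 192.168.3.0 0.0.0.255 log",
]
PORTS = {"www": 80, "https": 443}  # port keywords used in the ACL


def _addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (net, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return net, wild, tokens[2:]


def parse_ace(line):
    """Parse one access-control entry into its action, protocol, addresses and dest port."""
    t = line.split()
    action, proto = t[0], t[1]
    src, swild, t = _addr(t[2:])
    dst, dwild, t = _addr(t)
    dport = None
    if t and t[0] == "eq":
        dport = PORTS[t[1]] if t[1] in PORTS else int(t[1])
    return {"action": action, "proto": proto, "src": (src, swild), "dst": (dst, dwild), "dport": dport}


def _match(ip, net_wild):
    # Wildcard semantics: a 1 bit in the mask means "don't care" for that bit.
    net, wild = net_wild
    return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)


def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation; returns (action, 1-based entry number or None for the implicit deny)."""
    for i, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_match(src, ace["src"]) and _match(dst, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], i
    return "deny", None  # every ACL ends with an implicit deny


def invert(acl):
    """Debug-filter ACL: swap permit/deny, drop 'log', and make the implicit deny an explicit permit."""
    out = []
    for line in acl:
        t = [w for w in line.split() if w != "log"]
        t[0] = "deny" if t[0] == "permit" else "permit"
        out.append(" ".join(t))
    out.append("permit ip any any")
    return out
```

Feed evaluate() the flows you see in a SPAN capture or flow export to learn which entry each one hits; a result of ("deny", None) means the flow falls through to the implicit deny rather than the logged deny entry.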

evanh
Contributor III

Re: How can you get details of HW-Access List Deny entries?

Don,

I am marking this assumed answered. However, if you have more to add please do not hesitate to do so.

Thanks,

Evan