topic ASP drop capture - filtering out a specific interface? in Network Security

ASP drop capture - filtering out a specific interface?

brian.emil.harris — Tue, 12 Mar 2019 07:29:06 GMT

I'm trying to troubleshoot acl-drop's in my ASP drop capture.

Unfortunately, a large number of these drops are from my outside interface, folks trying to come in to particular resources.

Is there a way to capture this while filtering out that Interface? I know that I can capture on a match of specific hosts, but didn't know if I can limit my capture to a particular interface, or, preferably, exclude an interface from capture.

Thank you!

Hello Brian,

Dinesh Moudgil — Mon, 14 Mar 2016 16:50:05 GMT

Hello Brian,

If you are aware of the specifc source and destination that you are tracking then you can perhaps use the following :

cap asp type asp-drop acl-drop match match ip <source subnet> <destination subnet>

Other then this, I don't think you will be able to filter the outside interface packets on ASP captures.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Running 8.4(7), telling me

brian.emil.harris — Thu, 17 Mar 2016 20:49:09 GMT

Running 8.4(7), telling me that "match match" is invalid.

So, when trying to capture:

cap 209 type asp-drop acl-drop match ip any 10.200.9.0 255.255.255.0

displays a bunch of stuff that is neither source or destination of 10.200.9.0/24

cap 209 type asp-drop acl-drop match ip 10.0.0.0 255.0.0.0 10.200.9.0 255.255.255.0

displays the same behavior, that of traffic not matching the specified source/destination showing up in the capture.

Re: Running 8.4(7), telling me

Florin Barhala — Wed, 21 Mar 2018 13:59:45 GMT

Probably this was due to some old_SW_version bug.
I tried today on 9.6.x and it works as expected. I am still left with one question?

How can I find out what is the name of the enabled ACL that drops this? Maybe even better to find out ACE number? Is this at least scheduled by Cisco to "make it happen"?

Thanks!