10-07-2019 06:18 AM - edited 10-07-2019 06:38 AM
Using OS Code: 9.10(1)27
When I do show access-list it gives me output with ACLs having object-groups in source and destination; however, under that it also lists the IPs covered by that object group. I do not want that detailed listing, only the ACLs.
Which syntax can help solve the issue?
Example:
access-list FROM_INSIDE line 210 extended permit tcp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=579365) 0xf1ddea09
  access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0xd70b150e
  access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=577245) 0x9f14c919
access-list FROM_INSIDE line 211 extended permit udp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=233) 0x8e1fe74c
  access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0x499db61a
  access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=233) 0xa10ea8f2
Want to get rid of line 2,3,5,6 in the output.
10-07-2019 06:35 AM
Hi there,
If you don't want the ACL expansion, why not just use sh run | inc access-list
cheers,
Seb.
10-07-2019 06:56 AM - edited 10-07-2019 06:56 AM
After the initial pipe ( | ) any subsequent vertical bar is interpreted as a logical OR.
You could try sh run access-list | inc domain
Unfortunately there are no attributes you could regex which would exclude the expanded ACL output. Something like:
^\s{2}access-list
...would work great! As it is, if you want hit counts you have to use sh access-list. You could always export the output to a text handler which is more regex compliant?
cheers,
Seb.
10-07-2019 07:01 AM
That's what I am doing: get output from show access-list | incl domain, copy it into notepad and remove the undesired parts. Thought there might be an automated workaround for this.
10-07-2019 07:17 AM
You mention notepad so you must be using windows. If you have access to Linux, the process can be achieved with the following command:
grep -v '^\s\saccess-list' acl_input.txt > acl_output.txt
acl_input.txt would contain:
access-list foobar line 1 ext permit object-group FOO …
  access-list foobar line 1 ext permit 192.168.1.1 …
  access-list foobar line 1 ext permit 192.168.1.2 …
..the resulting output (acl_output.txt) would contain just:
access-list foobar line 1 ext permit object-group FOO …
I know Notepad++ supports regex search; you might be able to leverage that to produce the output. Or just spin up a Linux VM.
cheers,
Seb.
05-18-2022 06:52 AM - edited 05-18-2022 07:25 AM
I agree that this is annoying, that there seems to be no command to allow seeing the hitcounts of the policies, but not the expansion.
I have discovered a way to see the hitcounts without the expansion. Because the lines of the expansion are indented two spaces, you can use the following command to just see the non-expansion lines:
show access-list | exclude . access-list
Note, that is 'show access-list | ex (dot)(space)access-list'. I suspect regex gurus may have a cleaner way to do this, but it works.
This does not inherently match your example, as also excluding lines with 'domain' might be tricky.
Hope this helps.