ASP drop capture - filtering out a specific interface?

I'm trying to troubleshoot acl-drops in my ASP drop capture.

Unfortunately, a large number of these drops are from my outside interface, folks trying to come in to particular resources.

Is there a way to capture this while filtering out that interface? I know that I can capture on a match of specific hosts, but didn't know if I can limit my capture to a particular interface, or, preferably, exclude an interface from capture.

Thank you!

3 Replies

Dinesh Moudgil
Cisco Employee

Hello Brian,

If you are aware of the specific source and destination that you are tracking then you can perhaps use the following:

cap asp type asp-drop acl-drop match match ip <source subnet> <destination subnet>

Other than this, I don't think you will be able to filter the outside interface packets on ASP captures.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Running 8.4(7), telling me that "match match" is invalid.

So, when trying to capture:

cap 209 type asp-drop acl-drop match ip any 10.200.9.0 255.255.255.0

displays a bunch of stuff that is neither source nor destination of 10.200.9.0/24

cap 209 type asp-drop acl-drop match ip 10.0.0.0 255.0.0.0 10.200.9.0 255.255.255.0

displays the same behavior, that of traffic not matching the specified source/destination showing up in the capture.

Probably this was due to some old_SW_version bug.
I tried today on 9.6.x and it works as expected. I am still left with one question:

How can I find out what is the name of the enabled ACL that drops this? Maybe even better to find out ACE number? Is this at least scheduled by Cisco to "make it happen"?

Thanks!
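The thread leaves two things open: excluding a single interface from the ASP drop view, and learning which access list produced a given acl-drop. Neither is available in the ASP capture itself, but the ASA's own syslog already carries both pieces of information, because every ACL deny is logged as message 106023 with the ingress interface and the access-group name. The following Python script is an added example (not code from the thread or from Cisco) that parses a handful of constructed 106023 lines, drops the ones that arrived on a named interface (the OP's "outside"), optionally keeps only denies toward a destination subnet (the 10.200.9.0/24 used above), and counts the remaining drops per ACL. The interface names, addresses and ACL names in the sample are constructed for the demonstration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines in the %ASA-4-106023 "Deny ... by access-group" format.
# Addresses, interface names and ACL names are invented for this example.
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.200.9.20/445 '
    'by access-group "outside_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src dmz:10.50.1.9/53 dst inside:10.200.9.5/5353 '
    'by access-group "dmz_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.4/40000 dst inside:10.200.9.20/3389 '
    'by access-group "outside_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src inside:10.200.9.33 dst dmz:10.50.1.9 (type 8, code 0) '
    'by access-group "inside_access_in" [0x0, 0x0]',
    # A non-deny message, included to show that unrelated lines are ignored.
    '%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51234 '
    '(198.51.100.7/51234) to inside:10.200.9.20/443 (10.200.9.20/443)',
]

# Ports are optional because ICMP denies carry "(type, code)" instead of a port.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))? '
    r'(?:\(type \d+, code \d+\) )?'
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return a dict of fields for a 106023 deny line, or None for anything else."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def acl_drops(lines, exclude_ifaces=(), dst_net=None):
    """Parse deny lines, drop those that entered on an excluded interface,
    and optionally keep only denies whose destination lies in dst_net."""
    net = ipaddress.ip_network(dst_net) if dst_net else None
    kept = []
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue
        # The ingress interface is the one named on the src side of the message.
        if rec["src_if"] in exclude_ifaces:
            continue
        if net is not None and ipaddress.ip_address(rec["dst"]) not in net:
            continue
        kept.append(rec)
    return kept


def count_by_acl(records):
    """Count denies per access-group name, answering 'which ACL dropped this?'."""
    return Counter(rec["acl"] for rec in records)


if __name__ == "__main__":
    # Everything except drops that arrived on "outside".
    inside_only = acl_drops(SAMPLE_LOGS, exclude_ifaces=("outside",))
    for acl, n in count_by_acl(inside_only).items():
        print(f"{acl}: {n} drop(s)")
    # Drops toward the troubleshooting subnet, regardless of interface.
    to_subnet = acl_drops(SAMPLE_LOGS, dst_net="10.200.9.0/24")
    print(f"{len(to_subnet)} deny line(s) toward 10.200.9.0/24")
```

To use it against a real box, point `acl_drops` at the output of `show logging` (or a syslog collector export) with the interface name you want to exclude; the `access-group` value in each record is the ACL name the third reply asks about, and the source/destination pair narrows it to the responsible ACE in the running configuration.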