cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1816
Views
0
Helpful
5
Replies

access-list, on ios15

I have used object-groups for a long time on the firewalls ASA, wiht in a access-list. On the firewalls the access-list will break down the object-group and show the hit counts per line. Now for a change we went ahead and put a object group on one of our routers, to reduse the size of the acces-list and eaiser coding. but the router does not expanded the access-list out like the firewall. The hit counters only show agaist the single line of the acl not each item in the object-group of a single acl line. Is there a way to expand the access-list to show the many-items in the object-group to see the hit count per item in the object group?

i have using a 3925.

5 Replies 5

IAN WHITMORE
Level 4
Level 4

Not sure. Haven't used IOS15 but what command are you using?

#sh access-list

or

#sh ip access-list

?

Regards,

Ian

both commands produce the same output.

Have you got the "log" keyword at the end of your access-list statements? That should keep a count of the packet matches.

By the way I'm not sure it's actually possible, just trying a few ideas...

example of one the issues:

20 deny ip object-group obj-block-address any log (1792293 matches)

it is keeping track on a per line track. But since i am using object groups to make the access-list smaller, it is not counting per item in the object. there is roughly about 40 - 50 address in obj-block-address.

I gotcha. I know like you said on the PIX and ASA it does...but don't know on the router. Maybe it's something Cisco need to work on.

Sorry dude. Maybe somebody else knows for sure?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco