08-16-2010 02:42 PM - edited 03-03-2019 06:01 AM
I have used object-groups for a long time on the ASA firewalls, within an access-list. On the firewalls the access-list will break down the object-group and show the hit counts per line. Now for a change we went ahead and put an object group on one of our routers, to reduce the size of the access-list and for easier coding, but the router does not expand the access-list out like the firewall. The hit counters only show against the single line of the ACL, not each item in the object-group of a single ACL line. Is there a way to expand the access-list to show the many items in the object-group to see the hit count per item in the object group?
I am using a 3925.
02-21-2011 01:23 AM
Not sure. Haven't used IOS15 but what command are you using?
#sh access-list
or
#sh ip access-list
?
Regards,
Ian
02-22-2011 07:28 AM
Both commands produce the same output.
02-22-2011 11:23 AM
Have you got the "log" keyword at the end of your access-list statements? That should keep a count of the packet matches.
By the way I'm not sure it's actually possible, just trying a few ideas...
02-22-2011 11:29 AM
Example of one of the issues:
20 deny ip object-group obj-block-address any log (1792293 matches)
It is keeping track on a per-line basis. But since I am using object groups to make the access-list smaller, it is not counting per item in the object. There are roughly 40 - 50 addresses in obj-block-address.
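The output line quoted above shows the behaviour in question: IOS keeps one match counter for the whole object-group ACE. As an added example (not from this thread, and not Cisco's own tooling), the Python script below parses `show ip access-list` output, flags ACEs whose counter aggregates an object-group, and expands such an ACE into one explicit ACE per group member so that each member gets its own counter. The ACL name OUTSIDE-IN, the sequence numbers, the 443 rule and the group members are constructed sample data, not taken from the thread.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample input (not from the thread): an IOS network object-group
# and the 'show ip access-list' output of an ACL that references it.
OBJECT_GROUPS = """\
object-group network obj-block-address
 host 192.0.2.10
 host 192.0.2.11
 198.51.100.0 255.255.255.0
"""

SHOW_ACL_OUTPUT = """\
Extended IP access list OUTSIDE-IN
    10 permit tcp any host 203.0.113.5 eq 443 (8812 matches)
    20 deny ip object-group obj-block-address any log (1792293 matches)
    30 deny ip any any (42 matches)
"""

# One ACE line: sequence, action, rule body, optional '(N matches)' suffix.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.+?)"
    r"(?:\s+\((?P<matches>\d+) matches\))?\s*$"
)


def parse_show_access_list(text: str) -> List[dict]:
    """Parse 'show ip access-list' lines into per-ACE records with hit counts."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # skips header lines such as 'Extended IP access list ...'
        aces.append({
            "seq": int(m["seq"]),
            "action": m["action"],
            "rule": m["rule"],
            "matches": int(m["matches"] or 0),
            # object-groups referenced by this ACE; their members share one counter
            "groups": re.findall(r"object-group\s+(\S+)", m["rule"]),
        })
    return aces


def parse_object_groups(text: str) -> Dict[str, List[str]]:
    """Collect the member lines of each 'object-group network' block."""
    groups: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = []
        elif current and line:
            groups[current].append(line)
    return groups


def member_to_ace_token(member: str) -> str:
    """Translate an object-group member into ACE address syntax.

    'host A' is unchanged; 'NET MASK' becomes 'NET WILDCARD', because network
    object-groups take subnet masks while extended ACEs take wildcard masks.
    """
    parts = member.split()
    if parts[0] == "host":
        return member
    net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)
    return f"{net.network_address} {net.hostmask}"


def expand_ace(ace: dict, groups: Dict[str, List[str]],
               seq_start: int, step: int = 1) -> List[str]:
    """Rewrite one object-group ACE as explicit ACEs, one per member (cross
    product if the ACE references several groups), so 'show ip access-list'
    reports a separate match counter for every member."""
    expanded = [ace["rule"]]
    for name in ace["groups"]:
        token = f"object-group {name}"
        expanded = [r.replace(token, member_to_ace_token(mem), 1)
                    for r in expanded for mem in groups[name]]
    return [f"{seq_start + i * step} {ace['action']} {r}"
            for i, r in enumerate(expanded)]


def aggregated_aces(aces: List[dict]) -> List[dict]:
    """ACEs whose single counter hides per-member detail."""
    return [a for a in aces if a["groups"]]


if __name__ == "__main__":
    aces = parse_show_access_list(SHOW_ACL_OUTPUT)
    groups = parse_object_groups(OBJECT_GROUPS)
    for ace in aggregated_aces(aces):
        print(f"seq {ace['seq']} aggregates {ace['groups']} "
              f"({ace['matches']} matches); explicit equivalent:")
        for line in expand_ace(ace, groups, ace["seq"]):
            print("  " + line)
```

The expansion is the trade-off the original poster wanted to avoid: the ACL grows by one ACE per member, and the generated sequence numbers must not collide with existing ones, so renumber (or pick a free range) before applying. Running the expanded form only where a counter per member actually matters keeps the rest of the ACL compact.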
02-23-2011 12:16 AM
I gotcha. I know, like you said, on the PIX and ASA it does... but I don't know on the router. Maybe it's something Cisco needs to work on.
Sorry dude. Maybe somebody else knows for sure?