06-16-2011 08:29 AM - edited 03-04-2019 12:44 PM
All,
A user from the Internet with an IP of 107.x.x.x was unable to access our internal network. Later we determined that his traffic was blocked by the ingress ACL on our perimeter router. Initially we didn't catch it for days because our ingress ACL has 5000 entries and the "include" didn't yield anything.
show ip access-list ingress-acl | include 107
After checking line by line, we found that the network was supernetted.
ip access-list extended ingress-acl
deny ip 104.0.0.0 3.255.255.255 any
Is there a command that can match all ACL entries that permit/deny 107.x.x.x no matter if it is a host entry, a subnet entry or a supernetted entry? It is very difficult to catch this if we have a lot of entries.
Thanks.
06-16-2011 10:27 AM
Hi,
AFAIK there is no such command. You should use the ip accounting feature to see which ACL is blocking traffic.
Regards.
Alain.
06-17-2011 12:41 PM
Alain,
Like the ACL log command, the ip accounting feature tells me what the offending ACL is, but it does not tell me what the offending ACL entry is. It is a great tool if I have many ACLs with a few ACL entries. The problem I have is that I have only one ACL but a huge list. I hope there is another way to track this down.
06-19-2011 07:05 AM
Kevin
I have written a quick perl script that may help you; it is attached as a doc. It should run fine on Linux/Unix/Mac and probably Windows, but you can never be sure :-)
If you just run the script from the command line with no arguments it will tell you what to enter. Basically it takes an IP address and a file name and checks the IP against each line of the acl to see if it matches. It can understand simple wildcard masks, e.g.
0.0.0.255, 0.3.255.255, 0.0.7.255 etc., but it hasn't been written to deal with complex wildcard masks, e.g. 0.3.255.7. However, the vast majority of acl entries are simply reverse subnet masks so it may still be of use.
It should work fine against both types of acl, i.e.
access-list 101 permit ip 192.168.5.0 0.0.0.255 172.16.0.0 0.0.255.255
and
ip access-list extended ACL
10 permit ip 192.168.5.0 0.0.0.255 172.16.0.0 0.0.255.255
I say should as I have limited means of testing, so there are no guarantees with it, but if you run it against your acl and it comes back with the same line that should give you some confidence.
You need to download the acl into a text file for the script to be able to read it in. As a side note, perl does have a Cisco::Telnet module, so it would be relatively easy to have the script log in to the actual router and check the acl dynamically rather than having to download the acl.
Like I say, no guarantees, but it would be worth trying out. Let me know how it goes if you do decide to try it.
Edit - should also point out that the script needs tidying up if it proves useful, i.e. use strict, better variable names, etc., so again let me know.
Jon
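Below is an added example that does the job Kevin asked for and Jon's attachment describes: read an ACL dumped to a text file and report every entry whose source or destination range covers a given IP. It is not Jon's Perl script and not Cisco IOS code; it is written for this thread. It goes one step further than the script described above in that it handles arbitrary wildcard masks (including non-contiguous ones such as 0.3.255.7), because a wildcard match is just a bitwise comparison: bits set in the wildcard are "don't care". The ACL text embedded in it is constructed for the demonstration, not a real ingress ACL.

```python
"""Find every Cisco IOS ACL entry whose source or destination covers an IP.

Added example for this thread (not Jon's attached Perl script, not IOS code).
Handles numbered ('access-list 101 ...') and named ('10 permit ...') styles,
'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' and bare addresses (standard ACLs),
and any wildcard mask, contiguous or not, because the test is purely bitwise.
"""
import ipaddress
import re

DOTTED = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ACTIONS = {"permit", "deny"}

# Constructed sample ACL in both IOS styles; NOT a real ingress ACL.
SAMPLE_ACL = """\
ip access-list extended ingress-acl
 10 permit ip host 107.1.2.3 any
 20 deny ip 104.0.0.0 3.255.255.255 any
 30 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 40 deny ip 107.0.0.0 0.3.255.7 any
access-list 101 permit ip 192.168.5.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 deny ip any any
"""


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def address_specs(tokens):
    """Pull (base, wildcard) pairs out of the tokens after the action.

    Protocol names, port keywords ('eq 22'), 'log', etc. are skipped.
    """
    specs, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok == "any":
            specs.append((0, 0xFFFFFFFF))
        elif tok == "host" and DOTTED.match(nxt):
            specs.append((to_int(nxt), 0))
            i += 1
        elif DOTTED.match(tok):
            if DOTTED.match(nxt):                 # address + wildcard mask
                specs.append((to_int(tok), to_int(nxt)))
                i += 1
            else:                                 # bare address (standard ACL)
                specs.append((to_int(tok), 0))
        i += 1
    return specs


def parse_acl(text):
    """One dict per ACE: line number, action, source spec, destination spec."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0] == "ip":       # 'ip access-list ...' header
            continue
        if tokens[0] == "access-list":            # numbered style: drop name
            tokens = tokens[2:]
        elif tokens[0].isdigit():                 # named style: drop seq number
            tokens = tokens[1:]
        if not tokens or tokens[0] not in ACTIONS:  # remarks, blank lines
            continue
        specs = address_specs(tokens[1:])
        if not specs:
            continue
        entries.append({"line": lineno, "text": raw.strip(), "action": tokens[0],
                        "src": specs[0], "dst": specs[1] if len(specs) > 1 else None})
    return entries


def covers(spec, ip_int):
    """Wildcard match: compare only the bits the wildcard does NOT mask out."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (ip_int & care) == (base & care)


def range_size(spec):
    """How many addresses a (base, wildcard) spec covers: 2 ** popcount(wc)."""
    return 1 << bin(spec[1]).count("1")


def find_entries(text, ip, ignore_any=True):
    """All ACEs whose source or destination covers ip, in ACL order.

    With ignore_any=True (default) a bare 'any' is not reported as a hit, so
    the output shows the entries whose explicit range catches the address.
    """
    ip_int = to_int(ip)
    hits = []
    for e in parse_acl(text):
        roles = [r for r in ("src", "dst")
                 if e[r] and covers(e[r], ip_int)
                 and not (ignore_any and e[r][1] == 0xFFFFFFFF)]
        if roles:
            hits.append((e["line"], e["action"], "+".join(roles), e["text"]))
    return hits


if __name__ == "__main__":
    for line, action, role, text in find_entries(SAMPLE_ACL, "107.1.2.3"):
        print(f"line {line:>3} [{role}] {action}: {text}")
```

Run it against a `show ip access-list` dump saved to a file by passing the file's contents to `find_entries` in place of `SAMPLE_ACL`; the first hit in ACL order is the entry IOS would actually apply. `range_size` shows how big a supernet an entry really is (the 104.0.0.0 3.255.255.255 line covers 2^26 addresses), which is the quick way to spot an overly wide deny in a 5000-line ACL.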