
Debug Named Access-List ACL

jayjz
Level 1

Hi everyone, 

Is there a way to debug named ACL?

We have a named ACL in our environment for example: Extended IP access list Testing123.

The debug ip packet command only asks for an ACL number.

(CAT9K_IOSXE), Version 16.9.5

6 Replies

M02@rt37
VIP

Hello @jayjz,

You cannot do a debug ip packet on a named ACL.

Add the log keyword to your ACL permit and deny rules.

ip access-list extended Testing123
permit ip 192.168.1.0 0.0.0.255 any log
deny ip any any log

By adding "log" to these rules, any traffic that matches them will be logged to your device's syslog. This allows you to track and monitor the matched traffic without the need for packet debugging. You can view the logs on your syslog server or through the console, depending on your logging configuration.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
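As an added example (not part of the reply above, and not the poster's own configuration), this is the workaround the thread converges on: recreate the named ACL's entries as a numbered extended ACL purely for the debug, then reference that number in debug ip packet. The entries mirror the Testing123 example in the reply; the ACL number 150 and the interface name are assumptions.

```cisco
! Added example: numbered copy of the named ACL Testing123, used only as the
! debug filter. A debug ACL does not need to be applied to any interface.
! ACL number 150 and GigabitEthernet1/0/1 are assumptions for illustration.
access-list 150 remark Numbered copy of Testing123 for debugging only
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 deny   ip any any
!
! Optional: restrict the debug to one interface so the console is not flooded
debug condition interface GigabitEthernet1/0/1
!
! Only packets matching a permit entry of ACL 150 are shown; deny entries
! just exclude traffic from the output. 'detail' adds protocol/port fields.
debug ip packet 150 detail
!
! ... reproduce the traffic, then stop debugging and remove the condition ...
undebug all
no debug condition interface GigabitEthernet1/0/1
!
! Remove the temporary ACL when finished
no access-list 150
```

Two caveats a practitioner should keep in mind: debug ip packet only shows packets that are process-switched (punted to the CPU), so on a Catalyst 9000 it will show little or none of the hardware-switched transit traffic and is mainly useful for traffic to or from the switch itself; and the log keyword approach from the reply above gives rate-limited, summarised syslog counts of matches rather than a per-packet trace, so the two are not equivalent.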

Hmm, I wouldn't consider ACE logging the equivalent, and there are "considerations" using the ACE log keyword.  That said, depending on the information being sought, it might be an alternative approach, as might some devices' support for built-in packet capture.
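The built-in packet capture mentioned above can take the named ACL directly as a filter on IOS-XE, which sidesteps the numbered-ACL limitation of debug ip packet. The following is an added example of IOS-XE Embedded Packet Capture (EPC), not configuration from anyone in the thread; the capture name CAP, the interface, buffer size, packet limit and export path are assumptions, and the exact export syntax varies between IOS-XE releases, so check it against the platform's command reference.

```cisco
! Added example: IOS-XE Embedded Packet Capture filtered by the existing
! named ACL Testing123 (from the original question). CAP, the interface,
! sizes and the export path are assumptions for illustration.
monitor capture CAP interface GigabitEthernet1/0/1 both
monitor capture CAP access-list Testing123
monitor capture CAP buffer size 10
monitor capture CAP limit packets 1000
monitor capture CAP start
!
! ... reproduce the traffic ...
!
monitor capture CAP stop
! Inspect captured packets on the box (brief/detailed/dump are available)
show monitor capture CAP buffer brief
! Export for offline analysis in Wireshark; syntax is release dependent
monitor capture CAP export flash:cap.pcap
! Clean up
no monitor capture CAP
```

Because EPC captures at the interface rather than relying on punted packets, it sees hardware-switched transit traffic that debug ip packet would miss; the packet limit and buffer size keep the capture from consuming CPU or memory on a production switch.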

That's right @Joseph W. Doherty, it is an alternative approach. The best way in that case is a numbered extended ACL - but if the config approach is to use named ACLs.....it's a pity not to have such a debug for named ACLs.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

".....it's a pity not to have such a debug for named ACLs."

BTW, when I wrote that I recall bumping into this years and years ago, it would probably be more accurate to say decades and decades ago.  I think back when named ACLs were still a new feature.

Which is why I was only surprised, not shocked, then.

All these years (decades) later, I'm surprised, perhaps even shocked, this is still true.

On the other hand, I haven't tried to use that feature in the interim.  Perhaps others didn't either and so Cisco never saw much demand to add it.

Conversely, I was surprised when I stumbled across IOS supporting named ACL editing for numbered ACLs (I recall, this wasn't initially true).

Torbjørn
Spotlight

You will unfortunately need to recreate the ACL as a numbered ACL for this. Conditional debugging using named access lists is not supported.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Joseph W. Doherty
Hall of Fame

Might not be supported.

(I have a very vague recollection of bumping into this issue, years and years ago, and being surprised.)

If not, make a like numbered extended ACL and use it.
