Debug Named Access-List ACL
10-31-2023 06:09 AM
Hi everyone,
Is there a way to debug named ACL?
We have a named ACL in our environment for example: Extended IP access list Testing123.
debug ip packet command only asks for a ACL number.
(CAT9K_IOSXE), Version 16.9.5
Labels: Catalyst 9000
10-31-2023 06:41 AM
Hello @jayjz,
You can not do a debug ip packet on a named ACL.
Add log keyword on your ACL permit and deny rules.
ip access-list extended Testing123
permit ip 192.168.1.0 0.0.0.255 any log
deny ip any any log
By adding "log" to these rules, any traffic that matches them will be logged in your device's syslog. This allows you to track and monitor the matched traffic without the need for packet debugging. You can view the logs in your syslog server or through the console, depending on your logging configuration.
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
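For the log-keyword approach in this answer, an added example (not from the original post or any Cisco tool) that parses the %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP syslog messages such ACEs produce and totals matched packets per flow, which is what you would otherwise read off debug ip packet. The message layout is assumed from typical IOS output and every sample line is constructed, not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape IOS emits for ACE hits with the
# "log" keyword (IPACCESSLOGP for TCP/UDP, IPACCESSLOGDP for ICMP).
# Made-up addresses and counts; the last line is unrelated noise to be skipped.
SAMPLE_LOG = """\
Oct 31 06:45:01.123: %SEC-6-IPACCESSLOGP: list Testing123 permitted tcp 192.168.1.10(51234) -> 10.0.0.5(443), 1 packet
Oct 31 06:45:02.456: %SEC-6-IPACCESSLOGP: list Testing123 denied udp 172.16.4.9(40000) -> 10.0.0.5(53), 3 packets
Oct 31 06:45:03.789: %SEC-6-IPACCESSLOGDP: list Testing123 denied icmp 172.16.4.9 -> 10.0.0.5 (8/0), 1 packet
Oct 31 06:50:03.000: %SEC-6-IPACCESSLOGP: list Testing123 permitted tcp 192.168.1.10(51235) -> 10.0.0.5(443), 12 packets
Oct 31 06:50:04.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# One pattern covers the port-carrying (P) and ICMP type/code (DP) variants.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<type>\d+)/(?P<code>\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

def parse_acl_log(text):
    """Return one dict per ACE-hit message; lines that are not ACL logs are skipped."""
    hits = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["count"] = int(d["count"])
        for k in ("sport", "dport", "type", "code"):
            d[k] = int(d[k]) if d[k] is not None else None
        hits.append(d)
    return hits

def summarize(hits, acl=None):
    """Total packets per (action, proto, src, dst, dport) flow, optionally for one ACL name."""
    totals = Counter()
    for h in hits:
        if acl and h["acl"] != acl:
            continue
        totals[(h["action"], h["proto"], h["src"], h["dst"], h["dport"])] += h["count"]
    return totals

if __name__ == "__main__":
    for key, n in summarize(parse_acl_log(SAMPLE_LOG), "Testing123").most_common():
        print(f"{n:5d} pkt  {key[0]:9s} {key[1]:4s} {key[2]} -> {key[3]} dport={key[4]}")
```

Because IOS rate-limits and batches these messages (the "N packets" field), the totals are a sample of matched traffic, not an exact packet count.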
10-31-2023 06:52 AM
Hmm, I wouldn't consider ACE logging the equivalent, and there are "considerations" using the ACE log keyword. That said, depending on the information being sought, might be an alternative approach, as might some devices support for built-in packet capture.
10-31-2023 06:57 AM
That's right @Joseph W. Doherty, it is an alternative approach. Best way in that case is a numbered extended ACL - but if its config approach is to use named ACL.....it's a pity to not have such debug for named ACL.
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
10-31-2023 07:42 AM
".....it's a pity to not have such debug for named ACL."
BTW, when I wrote that I recall bumping into this years and years ago, it is probably more accurate to say decades and decades ago. I think back when named ACLs were still a new feature.
Which is why I was only surprised, not shocked, then.
All these years (decades) later, I'm surprised, perhaps even shocked, this is still true.
On the other hand, I haven't tried to use that feature in the interim. Perhaps others didn't either and so Cisco never saw much demand to add it.
Conversely, I was surprised when I stumbled across IOS supporting named ACL editing for numbered ACLs (I recall, this wasn't initially true).
10-31-2023 06:42 AM
You will unfortunately need to recreate the ACL as a numbered ACL for this. Conditional debugging using named access lists is not supported.
Get in touch: https://torbjorn.dev
10-31-2023 06:42 AM
Might not be supported.
(I have a very vague recollection of bumping into this issue, years and years ago, and being surprised.)
If not, make a like numbered extended ACL and use it.
