04-29-2024 06:39 AM
Good morning all,
I have created some large ACLs strictly for the task of triggering hit counts for static routes, to tell me if the routes are even used any longer (for future cleanup purposes).
I am not getting any hit counts (Cisco 9604R) and have researched that this is common for ACLs on L3 switches, as they are processed in hardware vs. software.
Is the answer to get the hit counts as simple as adding the log command at the end of each ACE, or is there a better way? (The total ACE count between both ACLs is almost 600, so I would like to avoid blowing up my buffer as well as my syslog server with these if I can just simply see the hit count.)
04-29-2024 06:52 AM
log should help; also, if you can send the logs to syslog, you can extract them using any coding.
04-29-2024 06:56 AM
I am trying to avoid making what I would think is a simple task a harder one by offloading all these packets to a syslog server and figuring out how to parse it, instead of just simply seeing hit counts next to the ACL.
04-29-2024 07:07 AM
I know the ACL is not a great option; if you are OK with it, you could possibly have ASAv as a container in the Cat 9K switches.
04-29-2024 07:29 AM
I am not sure I follow your suggestion? You want me to create a virtual firewall inside my core just to get hit counts?
04-29-2024 07:40 AM
My suggestion is that an ACL is not a good practice to manage manually, so now that Cisco can offer ASA, you can use the container to replace the ACL with a firewall (so easy to manage, with other management capabilities), if that works for you.
04-29-2024 07:46 AM
That is not an option for me. We have firewalls (which I do not control); however, firewalls do not show hit counts on ACL entries, just on the ACLs themselves.
Doing this on my core seemed like a great idea until realizing hits do not trigger outbound on interfaces, nor do they trigger inbound on the interface when on an L3 device and forwarding as a hardware ACL.
04-29-2024 07:44 AM
You access via VTY.
Add log, and I think the C9000 supports a log interval with ACLs; then enable logging and terminal monitor.
This way you can check the log in SW without the need of syslog.
Also, ACLs in SW or HW both support hit counts, as far as I know.
MHM
04-29-2024 07:51 AM - edited 04-29-2024 07:52 AM
This is going to be a long term data collection project to remove old static routes that no one knows what they are for. Logging to the buffer or terminal is not a feasible option as there may not be packets today, but there may be tomorrow, or next week. Also there are 600+ entries I need to match on.
All the posts I have seen on this forum indicate that ACL hits will not trigger on L3 switches in hardware. They also will not trigger hit counts on outbound ACLs, only inbound.
My management ACLs trigger hit counts fine, but nothing else, which I am assuming is because software-based forwarding is being used for the VTY lines?
04-29-2024 07:58 AM
I don't recall another method to easily obtain ACE hit counts, for HW processed ACLs, without using the log option.
Using the log option, though, can create performance issues too.
One technique you could consider is using a CBWFQ service policy with classes matching on a single ACL/ACE. I recall service policy class stats should show match counts.
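Picking up the earlier suggestion of sending the ACL log messages to syslog and extracting the counts "using any coding", together with this post's point that the log option is the only easy way to get counts for hardware-processed ACLs: below is an added example, not code from this thread, that parses %SEC-6-IPACCESSLOG* syslog lines and charges each logged destination to the most specific static-route prefix it falls in. The ACL name ROUTE-AUDIT, the static-route list and the log lines are all constructed for illustration; the message layouts follow the IPACCESSLOGP (TCP/UDP), IPACCESSLOGDP (ICMP) and IPACCESSLOGNP (other protocols) formats.

```python
import ipaddress
import re

# Body of the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP / IPACCESSLOGNP messages.
# Ports in "(n)" exist only for TCP/UDP; the ICMP variant appends " (type/code)"
# before the packet count, which the non-greedy ".*?" skips over.
ACL_LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?.*?, (?P<pkts>\d+) packets?"
)

# Constructed sample syslog lines (not captured from a real device).
SAMPLE_LOG = [
    "Apr 29 2024 08:15:01.123: %SEC-6-IPACCESSLOGP: list ROUTE-AUDIT permitted tcp "
    "10.1.1.5(49152) -> 10.20.30.40(443), 1 packet",
    "Apr 29 2024 08:20:01.456: %SEC-6-IPACCESSLOGP: list ROUTE-AUDIT permitted tcp "
    "10.1.1.5(49152) -> 10.20.30.40(443), 37 packets",
    "Apr 29 2024 08:21:07.789: %SEC-6-IPACCESSLOGDP: list ROUTE-AUDIT permitted icmp "
    "10.1.1.9 -> 10.20.31.7 (8/0), 4 packets",
    "Apr 29 2024 08:22:00.000: %SEC-6-IPACCESSLOGNP: list ROUTE-AUDIT permitted 47 "
    "10.1.2.3 -> 192.0.2.77, 2 packets",
    "Apr 29 2024 08:23:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

# Constructed stand-ins for the static routes under review (prefix strings).
STATIC_ROUTES = ["10.20.30.0/24", "10.20.0.0/16", "10.99.0.0/16"]


def parse_acl_log(line):
    """Return a dict for an ACL log line, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    return {
        "acl": m["acl"],
        "action": m["action"],
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "packets": int(m["pkts"]),
    }


def route_hits(log_lines, static_routes):
    """Sum logged packets per static-route prefix using longest-prefix match.

    Returns (hits, unmatched): hits maps each prefix string to its packet
    total (zero if never seen); unmatched counts packets whose destination
    fell under none of the listed prefixes.
    """
    routes = [ipaddress.ip_network(r, strict=False) for r in static_routes]
    hits = {r: 0 for r in routes}
    unmatched = 0
    for line in log_lines:
        rec = parse_acl_log(line)
        if rec is None:
            continue
        covering = [r for r in routes if rec["dst"] in r]
        if not covering:
            unmatched += rec["packets"]
            continue
        # Most specific route wins, as the forwarding lookup would do.
        best = max(covering, key=lambda r: r.prefixlen)
        hits[best] += rec["packets"]
    return {str(r): n for r, n in hits.items()}, unmatched


def unused_routes(hits):
    """Prefixes that saw no logged packets: cleanup candidates."""
    return sorted(p for p, n in hits.items() if n == 0)


if __name__ == "__main__":
    totals, other = route_hits(SAMPLE_LOG, STATIC_ROUTES)
    for prefix, n in totals.items():
        print(f"{prefix:18} {n} packets")
    print(f"packets outside listed routes: {other}")
    print("no hits:", unused_routes(totals))
```

Feed it the syslog archive accumulated over the collection window rather than a live buffer, since the question is whether a route is ever used. The packet totals are a lower bound: the ACL logging mechanism reports the first packet and then periodic summaries, and is rate-limited, so treat a non-zero count as "in use" and a zero count as "never logged in the window", not as exact traffic volume.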
04-29-2024 08:00 AM - edited 04-29-2024 08:01 AM
That is why I am hesitant to log all these ACEs. It's 600+ ACEs.
Granted, I am using big boy 9606Rs, but I would hate to cause my cores to have any performance issues by issuing something that is really an administrative/info-gathering task.
I will research this service policy option you mentioned and see if it can work for me.
04-29-2024 08:21 AM
If it is for troubleshooting, then only add
Deny ip any any log
This gives you a hint whether traffic is hit by another permit line or not.
MHM
04-29-2024 08:25 AM
[quote]If it is for troubleshooting, then only add
Deny ip any any log
This gives you a hint whether traffic is hit by another permit line or not.
MHM[/quote]
I am not looking to deny traffic. I need to confirm if there are any hits on static routes pointing towards another device in my infrastructure.
If I do a deny any, I am going to take down my entire environment basically. Unless I do not understand what you are trying to say, this is TERRIBLE advice and would cause a resume generating event.
04-29-2024 08:30 AM
Add deny any any log at the end of the ACL you want to check; that is what I mean.
And for the static route, what is the relation to the ACL of the interface? Can you elaborate more?
MHM
04-29-2024 10:13 AM - edited 04-29-2024 10:14 AM
I am using an ACL to match specific traffic for monitoring purposes that is ingressing on specific interfaces (because egress apparently will not work by the rules of ACLs and hit counts) via an access-group.
So if I add a deny any, I am going to block all traffic to my firewalls, which means I will be looking for a new job. Even if I could do this, it does not serve the purpose I need. I need to see if I am getting hits on all these BS static routes I have in my core. If there are no hits in a month, I am getting rid of them. If there are hits, they are here to stay, and I will determine the destination and label them properly.
Unless you are referring to not applying the ACL to an interface access-group, which I believe I already tried to no avail. Unless my logic of ACLs is just flawed.