Cisco Tips & Tricks

November 29, 2006

Access Violations

Filed under: Access-lists, cisco, security — ciscotips @ 10:54 pm

The cool feature of access lists allow monitoring / logging  ACL violations and it can be used to characterize traffic associated with network attacks, by logging the suspect traffic. By using the log keyword at the end of the acl you can do logging

Access-list 120   deny ip  any any log

This option causes logging of the IP addresses and port numbers associated with packets matching an access list entry. Newer versions of IOS also provide the log-input keyword, which adds information about the interface from which the packet was received, and the MAC address of the host that sent it. Either option causes an informational logging message about the matching packet to be sent to the console (by default). The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

This logging mechanism may drop some messages if either too many messages or more than one message in 1 second need to be displayed. This prevents the router from crashing due to too many logging packets. Therefore, the logging facility cannot be treated as an accurate source of information in terms of number of matches to an access list.

A more accurate tracking tool is accounting on the interface:

ip accounting [access-violations] [output-packets]

To display IP access violations use the following command:

show ip accounting access-violations

which shows information about packets that failed access lists and were not routed.

Blog at WordPress.com.