RE: [fw-wiz] Cisco acls

From: Scott Stursa (
Date: 03/24/05

  • Next message: Frederick M Avolio: "Re: [fw-wiz] SSL VPN vs. IPSec VPN"
    To: Luke Butcher <>
    Date: Thu, 24 Mar 2005 12:53:46 -0500 (EST)

    On Tue, 15 Mar 2005, Luke Butcher wrote:

    > Not sure about a lint checker and router ACLs unfortunately don't show a
    > hit count like PIX ones.

    Yes they do.

    The only place I've seen "missed" hits are on switches doing VLAN
    switching. Although the initial handshake will generate hits, once it goes
    into switching mode the ACL will never see the packets. The difference is
    clear if you have an ACL which begins with "permit tcp any any
    established"; on a non-switched interface this line will show the greatest
    number of hits in the ACL, on a switched one it will show the lowest.

    > So the only option is probably to add a log
    > keyword to your permit statements and then watch the logs to see if the
    > statements are being hit.

    ACL logging is rate limited; only a percentage of the matches will be
    logged. Under high load conditions this percentage approaches zero.

    I will often use a logging ACL to audit a department's traffic. Because of
    the low percentage of matches that are actually logged, I usually run
    these for several days in order to get an accurate feel for the traffic

    - SLS

    Scott L. Stursa 850/645-2397
    Network Security Assessment
    Technology Integration/User Services Florida State University

                         - No good deed goes unpunished -
    firewall-wizards mailing list

  • Next message: Frederick M Avolio: "Re: [fw-wiz] SSL VPN vs. IPSec VPN"