RE: [fw-wiz] Cisco acls

From: Scott Stursa (stursa_at_mailer.fsu.edu)
Date: 03/24/05

    To: Luke Butcher <Luke.Butcher@alphawest.com.au>
    Date: Thu, 24 Mar 2005 12:53:46 -0500 (EST)
    
    

    On Tue, 15 Mar 2005, Luke Butcher wrote:

    > Not sure about a lint checker and router ACLs unfortunately don't show a
    > hit count like PIX ones.

    Yes, they do.

    The only place I've seen "missed" hits are on switches doing VLAN
    switching. Although the initial handshake will generate hits, once it goes
    into switching mode the ACL will never see the packets. The difference is
    clear if you have an ACL which begins with "permit tcp any any
    established": on a non-switched interface this line will show the greatest
    number of hits in the ACL; on a switched one it will show the lowest.

    > So the only option is probably to add a log
    > keyword to your permit statements and then watch the logs to see if the
    > statements are being hit.

    ACL logging is rate limited; only a percentage of the matches will be
    logged. Under high load conditions this percentage approaches zero.

    I will often use a logging ACL to audit a department's traffic. Because of
    the low percentage of matches that are actually logged, I usually run
    these for several days in order to get an accurate feel for the traffic
    patterns.

    - SLS

    ------------------------------------------------------------------------
    Scott L. Stursa 850/645-2397
    Network Security Assessment stursa@mailer.fsu.edu
    Technology Integration/User Services Florida State University

                         - No good deed goes unpunished -
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
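The reply above relies on reading per-entry match counters out of `show access-lists` and on a rule of thumb about where the "permit tcp any any established" line ranks. The following is an added example, not code from the original post or the list: a small parser for that command's output that reports entries with no hits and applies the post's established-line heuristic. The sample output is constructed for the example, and the interpretation of the ranking ("highest" suggests a routed path, "lowest" suggests the ACL is being bypassed by switching) is the poster's observation, not a documented guarantee.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of IOS `show access-lists` output; not captured from a real device.
# Entries without a "(N matches)" suffix have never been hit.
SAMPLE_OUTPUT = """\
Extended IP access list 101
    10 permit tcp any any established (8831420 matches)
    20 permit udp any host 192.0.2.10 eq domain (50213 matches)
    30 permit tcp any host 192.0.2.20 eq www (41022 matches)
    40 permit tcp any host 192.0.2.30 eq 22
    50 deny ip any any log (77 matches)
Extended IP access list 102
    10 permit tcp any any established (12 matches)
    20 permit tcp any host 198.51.100.5 eq www (90310 matches)
    30 deny ip any any (4055 matches)
"""

ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)\s*$")
# Sequence number, action, rule text, and an optional "(N matches)" / "(1 match)" suffix.
ACE_LINE = re.compile(
    r"^\s+(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.+?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)


@dataclass
class Ace:
    seq: int
    action: str
    rule: str
    matches: int


@dataclass
class Acl:
    name: str
    entries: list = field(default_factory=list)


def parse_show_access_lists(text):
    """Parse `show access-lists` output into a list of Acl objects."""
    acls = []
    current = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = Acl(header.group(1))
            acls.append(current)
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            current.entries.append(Ace(
                seq=int(ace.group("seq")),
                action=ace.group("action"),
                rule=ace.group("rule"),
                # No suffix means the counter is zero.
                matches=int(ace.group("matches") or 0),
            ))
    return acls


def never_hit(acl):
    """Entries whose counter is zero: candidates for review, or evidence the ACL is bypassed."""
    return [e for e in acl.entries if e.matches == 0]


def established_position(acl):
    """Where the 'established' entry ranks by hit count: 'highest', 'lowest', 'middle', or None.

    Per the post's heuristic, 'highest' is what a routed interface shows and 'lowest'
    is what you see when the switching path stops presenting packets to the ACL.
    """
    est = [e for e in acl.entries if e.rule.split()[-1] == "established"]
    if not est or len(acl.entries) < 2:
        return None
    counts = [e.matches for e in acl.entries]
    if est[0].matches == max(counts):
        return "highest"
    if est[0].matches == min(counts):
        return "lowest"
    return "middle"


def summarize(text):
    """Map ACL name -> (sequence numbers never hit, established-line position)."""
    return {
        acl.name: ([e.seq for e in never_hit(acl)], established_position(acl))
        for acl in parse_show_access_lists(text)
    }


if __name__ == "__main__":
    for name, (unused, pos) in summarize(SAMPLE_OUTPUT).items():
        print(f"ACL {name}: never-hit entries {unused}, established line ranks {pos}")
```

The counters this reads are the same ones the post contrasts with `log`-keyword logging: they are incremented for every match rather than rate limited, so for an audit of which entries actually carry traffic they are the more reliable source, provided the interface is one the ACL really sees packets on.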

