access-list, on ios15

Unanswered Question
Aug 16th, 2010

I have used object-groups for a long time on the firewalls ASA, wiht in a access-list. On the firewalls the access-list will break down the object-group and show the hit counts per line. Now for a change we went ahead and put a object group on one of our routers, to reduse the size of the acces-list and eaiser coding. but the router does not expanded the access-list out like the firewall. The hit counters only show agaist the single line of the acl not each item in the object-group of a single acl line. Is there a way to expand the access-list to show the many-items in the object-group to see the hit count per item in the object group?

i have using a 3925.

I have this problem too.
1 vote
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
IAN WHITMORE Mon, 02/21/2011 - 01:23

Not sure. Haven't used IOS15 but what command are you using?

#sh access-list


#sh ip access-list




IAN WHITMORE Tue, 02/22/2011 - 11:23

Have you got the "log" keyword at the end of your access-list statements? That should keep a count of the packet matches.

By the way I'm not sure it's actually possible, just trying a few ideas...

Nicholas Wysocki Tue, 02/22/2011 - 11:29

example of one the issues:

20 deny ip object-group obj-block-address any log (1792293 matches)

it is keeping track on a per line track. But since i am using object groups to make the access-list smaller, it is not counting per item in the object. there is roughly about 40 - 50 address in obj-block-address.

IAN WHITMORE Wed, 02/23/2011 - 00:16

I gotcha. I know like you said on the PIX and ASA it does...but don't know on the router. Maybe it's something Cisco need to work on.

Sorry dude. Maybe somebody else knows for sure?


This Discussion

Related Content