Cisco Support Community

New Member
ACL Hit counting

Hi. I intend to find some way to count the total ACL hits on my border routers/switches as a baselining method and to detect DoS attacks facing my network. After two months of searching Cisco and googling I found no explicit way to do that (for example with an SNMP MIB), so I tried to write a shell script that can process the ACL log messages stored on my central syslog server and visualize the result via RRDtool. That works, but it seems the syslog messages stored on the syslog server sometimes differ from each other in string format. That causes the shell script (it uses the awk programming language and other Unix shell utilities) to fail to process the log files and crash. The result is no update on the RRD and its graph.

I want to know: is there another way to count the ACL hits (total ACE hits for a given ACL) without my messy and cumbersome code? Is there any MIB for ACL hit counts? I also use Fwlogwatch (a very powerful log analyzer) and Rsyslog (central syslog server with MySQL support and log separation by host).

6 REPLIES
Cisco Employee

Re: ACL Hit counting

It doesn't look like there is a MIB object currently available to record ACL hits. There have been a couple of enhancement requests filed to add this support, but none yet.

Previously you could use an object from the OLD-CISCO-IP-MIB as a workaround, "actViolation", but as it has been deprecated it may not be supported or return the expected results.

New Member

Re: ACL Hit counting

It seems there is no MIB support for either security ACLs or QoS ACLs. I used snmpwalk to browse the full MIB tree on Cisco gear, but there wasn't any useful information (not even the ACE list, ACL name, ...). I am wondering, given the broad range of capability in Cisco MIBs, why Cisco gear still suffers from the absence of such a very important feature.

Cisco Employee

Re: ACL Hit counting

I know that part of the reason we don't have a specific MIB for ACLs is due to security. If someone can query all of the ACL info on a device then it may create security issues.

I know that if you have SNMP RW you can pull the config, but I wouldn't think RO access to read ACL info is a good idea. It may be useful, but could be more trouble than it's worth.

New Member

Re: ACL Hit counting

You are right, Davistan. But think about how useful it can be if you are able to count the ACL hits on your policy enforcement devices. NetFlow is perfect, but what it gives you is just traffic accounting. I believe a baseline methodology with NetFlow doesn't let you know about access violations, but counting the ACL hits (especially on the edge) gives you a quick view of reconnaissance attacks and DoS attacks. Something else: even with SNMP RW access to Cisco gear you can't add, delete or modify an ACL on the fly. The only way is to copy the config file via SNMP to the NMS, change the config file by hand, then upload the config file to the device. As you can see, this limitation is not from a security-concern point of view.

Bronze

Re: ACL Hit counting

As the above posters indicated, this is not possible via SNMP. I researched this back when the Blaster virus hit my network at a previous company. I had TAC cases opened and ended up submitting a feature request, but nothing ever came of it.

In the years since, when I needed this functionality the only way to extract it was via scripts that logged in and parsed out what I wanted.

New Member

Re: ACL Hit counting

To solve this problem, I completed my last effort and finished my shell script so that it works bug free. It works fine, and now I have a baseline for dropped packets and can detect spikes in ACL hits occurring on edge devices. What I did was:

1- Send syslog from my policy enforcement devices to a central syslog server. I use Rsyslog because it can separate syslog messages by sender address and log them to separate files (and also log them in a MySQL DB).

2- Run my shell script every 10 minutes and calculate the ACL hits on edge devices.

3- Visualize the result with RRDtool.

It is wonderful. Now I can detect attacks, DoS and traffic anomalies within seconds. Now I don't spend my time checking for policy violations. If anyone is interested in the shell script, I can post it.
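
The parsing step of the procedure above, and the string-format problem raised in the first post, as an added example that is not the poster's shell/awk script and not code from this thread. It is written in Python rather than awk because the fix for the crash is to anchor on the IOS mnemonic instead of on whitespace-separated field positions, which is awkward in field-oriented awk. Assumptions: rsyslog writes one message per line in its traditional "Mon DD HH:MM:SS host ..." file format, the messages are IOS `%SEC-6-IPACCESSLOG*` lines (the log lines below are constructed in that style, with IP addresses from the documentation ranges), and the RRD layout in `rrd_update_command` (one file per host and ACL, two GAUGE data sources) is hypothetical.

```python
"""Count Cisco IOS ACL hits from syslog lines and feed them to RRDtool.

Added example, not the thread's own script. The syslog header is only used
to pick out the host; everything else is located by the IOS mnemonic, so
the variable Cisco preamble (sequence numbers, "*"/"." timestamp markers,
time zones, log-input interface/MAC details) cannot shift the fields.
"""
import re
from collections import Counter

# rsyslog traditional file format header: "Mon DD HH:MM:SS host <message>".
SYSLOG_HOST = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s"
)

# Normal hit messages (IPACCESSLOGP / DP / NP / S / RP all share this shape):
#   list <acl> <permitted|denied> ... , <n> packet(s)
# The <n> is summed, not the number of lines: IOS logs the first match and
# then a periodic summary line carrying the packet count for the interval.
ACL_HIT = re.compile(
    r"%SEC-6-IPACCESSLOG[A-Z]*:\s*list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied)\b.*?(?P<count>\d+)\s+packets?\s*$"
)

# Emitted when ACL logging was rate-limited: real hits that cannot be
# attributed to an ACL, so they are tracked separately as an undercount.
ACL_MISSED = re.compile(
    r"%SEC-6-IPACCESSLOGRL:.*?missed\s+(?P<count>\d+)\s+packets?"
)


def count_acl_hits(lines, default_host="unknown"):
    """Return (hits, missed): hits is a Counter keyed by (host, acl, action)
    holding summed packet counts; missed is a Counter keyed by host holding
    rate-limited packets. Lines that are not ACL log messages are skipped
    instead of aborting the run, which is what broke the original script."""
    hits, missed = Counter(), Counter()
    for raw in lines:
        line = raw.strip()
        if "%SEC-6-IPACCESSLOG" not in line:
            continue
        m_host = SYSLOG_HOST.match(line)
        host = m_host.group("host") if m_host else default_host
        m = ACL_HIT.search(line)
        if m:
            hits[(host, m.group("acl"), m.group("action"))] += int(m.group("count"))
            continue
        m = ACL_MISSED.search(line)
        if m:
            missed[host] += int(m.group("count"))
    return hits, missed


def per_acl_totals(hits):
    """Collapse hits into {(host, acl): (denied, permitted)} for graphing."""
    totals = {}
    for (host, acl, action), n in hits.items():
        denied, permitted = totals.get((host, acl), (0, 0))
        if action == "denied":
            denied += n
        else:
            permitted += n
        totals[(host, acl)] = (denied, permitted)
    return totals


def rrd_update_command(host, acl, denied, permitted, timestamp="N",
                       rrd_dir="/var/lib/rrd"):
    """argv for `rrdtool update` for one host/ACL pair (hypothetical layout).

    Assumes the RRD was created with two GAUGE data sources in the order
    denied, permitted, matching a script that runs every 10 minutes, e.g.:
      rrdtool create /var/lib/rrd/edge-rtr1_101.rrd --step 600 \\
        DS:denied:GAUGE:1200:0:U DS:permitted:GAUGE:1200:0:U RRA:AVERAGE:0.5:1:4320
    """
    return ["rrdtool", "update", f"{rrd_dir}/{host}_{acl}.rrd",
            f"{timestamp}:{denied}:{permitted}"]


# Constructed sample: note the preamble varies between lines (with and
# without sequence number / device timestamp), and line 7 is unrelated.
SAMPLE_LOG = """\
Nov  5 10:20:01 edge-rtr1 1055: *Nov  5 10:20:00.412 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(44123) -> 192.0.2.10(23), 1 packet
Nov  5 10:25:01 edge-rtr1 1056: *Nov  5 10:25:00.003 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(44123) -> 192.0.2.10(23), 236 packets
Nov  5 10:25:02 edge-rtr1 1057: *Nov  5 10:25:00.120 UTC: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.9 -> 192.0.2.10 (8/0), 1 packet
Nov  5 10:25:03 edge-rtr1 1058: %SEC-6-IPACCESSLOGP: list INBOUND permitted udp 203.0.113.5(53) (GigabitEthernet0/1 0000.5e00.5301) -> 192.0.2.53(53), 12 packets
Nov  5 10:25:04 edge-rtr1 1059: %SEC-6-IPACCESSLOGS: list 10 denied 198.51.100.7 3 packets
Nov  5 10:26:00 edge-rtr1 1060: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 47 packets
Nov  5 10:26:10 edge-rtr1 1061: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
Nov  5 10:26:15 edge-rtr2 %SEC-6-IPACCESSLOGNP: list 101 denied 47 198.51.100.20 -> 192.0.2.10, 5 packets
"""

if __name__ == "__main__":
    hits, missed = count_acl_hits(SAMPLE_LOG.splitlines())
    for (host, acl), (denied, permitted) in sorted(per_acl_totals(hits).items()):
        print(" ".join(rrd_update_command(host, acl, denied, permitted)))
    for host, n in missed.items():
        print(f"# {host}: {n} packets hit logged ACEs but were rate-limited")
```

Two caveats that matter for using the numbers as a DoS baseline: with the `log` keyword IOS emits one message for the first match and then a summary at the end of the logging interval (default five minutes, set with `ip access-list log-update threshold` and `ip access-list logging interval`), so summing the "N packets" fields is what gives a packet count, and counting lines would understate a flood by orders of magnitude. ACL logging is itself rate-limited and handled in the slow path, so the `%SEC-6-IPACCESSLOGRL` "missed" total should be graphed as well and treated as a sign that the real count is higher than what the ACE counters show; during an actual DoS the logging is what will be dropped first.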
