Hi. I intend to find some way to count the total ACL hits on my border routers/switches as a base-lining method and detect DoS attacks facing my network. After 2 months of searching Cisco and Googling I found no explicit way to do that (for example with an SNMP MIB), so I tried to write a shell script that can process the ACL logged messages stored on my central syslog server and visualize the result via RRD-Tool. That works, but it seems syslog messages stored on the syslog server sometimes differ from each other in string format. That causes the shell script (it uses the awk programming language and other Unix shell utilities) to fail to process the log files and crash. The result is no update on the RRD and its graph. I want to know: is there another way to count the ACL hits (total ACE hits for a given ACL) without my messy and cumbersome code? Is there any MIB for ACL hit counts? Also, I use "Fwlogwatch", a very powerful log analyzer, and "Rsyslog" (central syslog server with MySQL support and log separation by host).
It seems there is no MIB support for either security ACLs or QoS ACLs. I used "snmpwalk" to browse the full MIB tree on Cisco gear, but there wasn't any useful information (not even about the ACE list, ACL name, ...). I am wondering, given the broad range of capabilities of Cisco MIBs, why Cisco gear still suffers from the absence of such a very important feature.
You are right, Davistan. But think about how useful it can be if you are able to count the ACL hits on your policy enforcement devices. NetFlow is perfect, but what it gives you is just traffic accounting. I believe a baseline methodology with NetFlow doesn't let you know about access violations, but counting the ACL hits (especially on the edge) gives you a quick view of reconnaissance attacks and DoS attacks. Something else: even with SNMP RW access to Cisco gear you can't add, delete or modify the ACL on the fly. The only way is to copy the "config" file via SNMP to the NMS, change the config file by hand, then upload the config file to the device. As you can see, this limitation is not from a security concern point of view.
As the above posters indicated... this is not possible via SNMP. I researched this back when the Blaster virus hit my network at a previous company. I had TAC cases opened and ended up submitting a feature request, but nothing ever came of it.
In the years since, if I needed this functionality the only way to extract it was via scripts that logged in and parsed out what I wanted.
To solve this problem, I completed my last effort and finished my shell script so that it works bug-free. That works fine, and now I have a baseline for dropped packets and detect spikes in ACL hits occurring on edge devices. What I did was:
1- Send syslog from my policy enforcement devices to a central syslog server. I use "Rsyslog" because it can separate syslog messages by sender address and log them to separate files (and also log them to a MySQL DB).
2- Run my shell script every 10 minutes and calculate the ACL hits on edge devices.
3- Visualize the result with RRD-Tool.
It is wonderful. Now I can detect attacks, DoS and traffic anomalies within seconds. Now I don't spend my time checking for policy violations. If someone is interested in the shell script I can post it.
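A sketch of the counting step from the three-step procedure above, as an added example and not the poster's script (which was never posted). It assumes the Cisco IOS `%SEC-6-IPACCESSLOGP/LOGDP/LOGNP` message formats, keys on the "list <name> denied" and trailing "<n> packet(s)" tokens instead of fixed field positions so that varying syslog prefixes and the "1 packet" / "N packets" difference do not break it, and works on a constructed sample file rather than real device output.

```shell
#!/bin/sh
# Constructed sample of ACL log messages as rsyslog would write them to a
# per-host file: mixed hosts, sequence numbers, message variants and packet
# counts. These lines are made up for the example, not captured from a device.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 10 10:00:01 edge-rtr1 123: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 203.0.113.5(40000) -> 192.0.2.10(22), 1 packet
Mar 10 10:00:07 edge-rtr1 124: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 203.0.113.5(40001) -> 192.0.2.10(22), 37 packets
Mar 10 10:00:09 edge-rtr2 55: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.7 -> 192.0.2.1 (8/0), 5 packets
Mar 10 10:00:11 edge-rtr2 56: %SEC-6-IPACCESSLOGNP: list 101 denied 47 198.51.100.9 -> 192.0.2.1, 2 packets
Mar 10 10:00:12 edge-rtr1 125: %SEC-6-IPACCESSLOGP: list EDGE-IN permitted tcp 203.0.113.8(1025) -> 192.0.2.10(80), 1 packet
Mar 10 10:00:13 edge-rtr1 126: %SYS-5-CONFIG_I: Configured from console by admin
EOF

# count_acl_hits FILE: per-ACL totals of denied packets, printed as
# "<acl> <packets>" one per line. Only "denied" entries are summed, since the
# baseline is for dropped packets; a missing count is treated as 1 packet.
count_acl_hits() {
    awk '/%SEC-6-IPACCESSLOG/ && / denied / {
            acl = ""; pkts = 1
            for (i = 1; i <= NF; i++) {
                if ($i == "list") acl = $(i + 1)
                if ($i ~ /^packets?$/ && $(i - 1) ~ /^[0-9]+$/) pkts = $(i - 1)
            }
            if (acl != "") hits[acl] += pkts
        }
        END { for (a in hits) printf "%s %d\n", a, hits[a] }' "$1" | LC_ALL=C sort
}

# total_acl_hits FILE: the single number pushed into the RRD on each run.
total_acl_hits() {
    count_acl_hits "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# update_rrd RRDFILE LOGFILE: feed the total to an existing RRD (assumed to
# have one data source); skipped quietly when rrdtool is not installed.
update_rrd() {
    total=$(total_acl_hits "$2")
    if command -v rrdtool >/dev/null 2>&1; then
        rrdtool update "$1" "N:$total"
    fi
    echo "$total"
}

count_acl_hits "$SAMPLE_LOG"
```

Run it from cron every 10 minutes against the current per-host log slice (for example the lines written since the last run) and call `update_rrd` with the RRD created for that edge device.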