access-list, on ios15

I have used object-groups for a long time on the ASA firewalls, within an access-list. On the firewalls the access-list will break down the object-group and show the hit counts per line. Now for a change we went ahead and put an object group on one of our routers, to reduce the size of the access-list and for easier coding. But the router does not expand the access-list out like the firewall. The hit counters only show against the single line of the ACL, not each item in the object-group of a single ACL line. Is there a way to expand the access-list to show the many items in the object-group, to see the hit count per item in the object group?

I am using a 3925.

5 REPLIES

Re: access-list, on ios15

Not sure. Haven't used IOS15 but what command are you using?

#sh access-list

or

#sh ip access-list

?

Regards,

Ian


Re: access-list, on ios15

Both commands produce the same output.

Re: access-list, on ios15

Have you got the "log" keyword at the end of your access-list statements? That should keep a count of the packet matches.

By the way I'm not sure it's actually possible, just trying a few ideas...


Re: access-list, on ios15

Example of one of the issues:

20 deny ip object-group obj-block-address any log (1792293 matches)

It is keeping track on a per-line basis. But since I am using object groups to make the access-list smaller, it is not counting per item in the object. There are roughly 40 - 50 addresses in obj-block-address.

Re: access-list, on ios15

I gotcha. I know like you said on the PIX and ASA it does...but don't know on the router. Maybe it's something Cisco need to work on.

Sorry dude. Maybe somebody else knows for sure?
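One way to get a counter per address is to expand the object-group offline into one ACE per member, so every member becomes its own ACL line. The script below is an added example, not from any poster in this thread; the addresses and the ACL are constructed, and it assumes object-group members written as `host A.B.C.D` or `A.B.C.D <subnet mask>` and an object-group used in the source position.

```python
import ipaddress
import re

# Constructed sample (documentation addresses, not taken from the thread).
SAMPLE_GROUPS = """\
object-group network obj-block-address
 host 192.0.2.10
 198.51.100.0 255.255.255.0
 203.0.113.64 255.255.255.192
"""
SAMPLE_ACES = [
    "10 permit tcp any any established",
    "20 deny ip object-group obj-block-address any log",
    "30 permit ip any any",
]

def parse_object_groups(config):
    """Return {group name: [address specs in ACL (wildcard mask) form]}."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) == 2 and parts[0] == "host":
                current.append("host " + parts[1])
                continue
            try:  # "address mask": convert the subnet mask to a wildcard mask
                net = ipaddress.ip_network("/".join(parts), strict=False)
                current.append(f"{net.network_address} {net.hostmask}")
            except ValueError:
                pass  # description, range, group-object: skipped in this sketch
        else:
            current = None
    return groups

def expand_acl(aces, groups, step=10):
    """Expand the first known object-group in each ACE, then renumber."""
    out = []
    for ace in aces:
        body = re.sub(r"^\s*\d+\s+", "", ace).strip()
        m = re.match(r"(.*?)object-group (\S+)(.*)", body)
        specs = groups.get(m.group(2)) if m else None
        if specs:
            out.extend(f"{m.group(1)}{s}{m.group(3)}" for s in specs)
        else:
            out.append(body)
    return [f"{(i + 1) * step} {b}" for i, b in enumerate(out)]
```

The expanded list gives up the compactness the object-group was introduced for, so it may suit a temporary troubleshooting ACL better than the permanent configuration.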
