cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
323
Views
0
Helpful
1
Replies

interface ACL counters

linnea.wren
Level 1
Level 1

Hi,

Newbie here... 2 questions:

1. Say you do "sh access-list 109", and see something like this:

..permit tcp any any established

..permit udp any any eq bootps (116125 matches)

..permit icmp any any (782 matches)

..permit udp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq domain

..permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq domain

..deny ip any 10.0.0.0 0.255.255.255 (594854 matches)

..permit ip 10.0.0.0 0.255.255.255 any (4623174 matches)

Would you want to re-enter the access list entries in descending count order? Or maybe not. I see that sorting this list in descending count order produces this:

..access-list 109 deny ip any 10.0.0.0 0.255.255.255

..access-list 109 permit udp any any eq bootps

This order prevents some hits on the 2nd entry that were permitted in the original order... Right?

Would you remove the entries that are getting zero hits?

2. There's an implicit deny at the end of an access list. But, if you included an explicit, "deny ip any any" as your last statement, wouldn't that help by letting you get a count of traffic that got that far?

Generally speaking, while I get rules of ACLs conceptually speaking, I have no actual experience. I'm looking for ways to understand the effects of changes, and to evaluate if ACLs have unnecessary entries, or even contradictory entries...

TIA...

1 Reply 1

Richard Burts
Hall of Fame
Hall of Fame

Linnea

You are asking a good question about a topic that is quite complex and subtle. There are several things that one must be thinking about when you start to optimize an access list. I believe that two of these are:

1) is the access list achieving the intended result? is the right traffic being permitted and the right traffic being denied. To achieve this I usually advocate arranging the access list from most specific to more general (permit or deny hosts, then permit or deny subnets, then permit or deny networks, then permit or deny any). I believe this has the best chance of achieving correct behavior.

2) is the access list as efficient as possible? To achieve this one would want the access list entries with the most hits to come earliest in the access list. But the danger of this is that you may get the results that you point out where you deny any packet with source address in network 10 before you permit udp bootps from anywhere. As you point out the result is that no one in network 10 can do bootps.

So you need to thing carefully as you start to optimize the access list that you do not compromise its functionality.

Your second point is about specifically coding deny any any at the end of the access list. As you point out one benefit of this is that you would then get packet counts of what is falling through. And knowing this can be useful in some circumstances. Many of us do typically code access lists that way. But others do not code the deny any any because it is not needed and they want to minimize the lines in the access list. I do not believe that there is any clear cut answer about which is better.

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco