
rileymartin
Premium
join:2007-06-01
Bellmore, NY

Viewing access list violations

Hi all,

I have two extended access lists and I can't figure out how to display a history or log of blocked traffic. I tried the following but don't see any traffic:

On the interface to monitor type the following command:
ip accounting access-violations

Then at the enable prompt type the following command:
show ip accounting access-violations

All I see is the following:

R2821#show ip accounting access-violations
Source Destination Packets Bytes ACL

On the access lists I added the two statements at the top:
deny ip any host 91.212.226.59 log
deny ip host 91.212.226.59 any log

At the console I do see traffic getting blocked but was hoping to see some sort of historical data to see when and how often the attempts were made
*Jul 14 02:01:41.706: %SEC-6-IPACCESSLOGP: list Outgoing denied tcp xx.xx.xx.xx(0) -> 91.212.226.59(0), 1 packet

*Jul 14 02:04:57.522: %SEC-6-IPACCESSLOGDP: list Outgoing denied icmp xx.xx.xx.xx -> 91.212.226.59 (0/0), 11 packets

Thanks,

Riley

aryoba
Premium,MVM
join:2002-08-22
kudos:3

If you issue the show command for the access list (show access-list [ACL name]), you should be able to see hit counts on each ACL statement line (the xxxx matches), where the xxxx represents the hit counts.

The hit counts, as you may expect, represent how often the attempts were made.


rileymartin
Premium
join:2007-06-01
Bellmore, NY

Thanks. I can see what's being triggered. I see the values next to the permit and deny statements.

How do I clear those counters so I can see if there are any new 'hits'?

How can I view more detail to see what internal addresses are causing the values next to the deny statements to increase?

Do I need the 'ip accounting access-violation' command on the interface for any of this logging to show up? When I type:

R2821#sh ip accounting access-violations

I see columns/headers for the data I would like to see but no data shows up ex:

Source Destination Packets Bytes ACL


aryoba
Premium,MVM
join:2002-08-22
kudos:3

said by rileymartin:

Thanks. I can see what's being triggered. I see the values next to the permit and deny statements.

No problem

said by rileymartin:

How do I clear those counters so I can see if there are any new 'hits'?

The clear access-list counters command resets the counters on the specified ACL.

said by rileymartin:

How can I view more detail to see what internal addresses are causing the values next to the deny statements to increase?

In general, show logging provides such info, as you may know. If there are too many of these in the logs, then you may need to set up a syslog server to collect all of those logs.

Another approach is adding ACL statement lines with a more specific IP address or subnet instead of just any IP address or subnet.

said by rileymartin:

Do I need the 'ip accounting access-violation' command on the interface for any of this logging to show up? When I type:

R2821#sh ip accounting access-violations

I see columns/headers for the data I would like to see but no data shows up ex:

Source Destination Packets Bytes ACL

Do you have the ip accounting command enabled on your source and destination interfaces? If not, then you should enable the command. If you are unsure which interfaces the traffic is originating from or leaving towards, you can enable the command on all interfaces.

rileymartin
Premium
join:2007-06-01
Bellmore, NY

Thanks for the follow up.

I only have 'ip accounting access-violations' enabled on my external interface.

I must not have logging enabled properly because the output is very minimal:

R2821#sh logging
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: level debugging, 1543 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 1244 messages logged, xml disabled,
filtering disabled
Buffer logging: disabled, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled

No active filter modules.

Trap logging: level informational, 65 message lines logged
R2821#sh logging history
Syslog History Table:1 maximum table entries,
saving level warnings or higher
59 messages ignored, 11 dropped, 0 recursion drops
1 table entries flushed
SNMP notifications not enabled
entry number 2 : LINK-3-UPDOWN
Interface GigabitEthernet0/1, changed state to up
timestamp: 1142


HELLFIRE

join:2009-11-25
kudos:7

reply to rileymartin
Alternatively you could send your logs to a syslog server and use
grep or something similar to get historical on the data. If you're
storing locally they get wiped when the buffer fills up.

Regards
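
The syslog-and-grep approach suggested above, as an added example that is not part of the original posts: a Python script that parses the two %SEC-6-IPACCESSLOG message formats quoted in this thread and totals denied packets per internal source, with first and last time seen. The log lines are constructed, the 192.0.2.x sources are placeholders for the redacted xx.xx.xx.xx addresses, and input is assumed to be in chronological order.

```python
import re

# Matches the two message shapes quoted in the thread:
#   IPACCESSLOGP  (tcp/udp): src(port) -> dst(port), N packet(s)
#   IPACCESSLOGDP (icmp):    src -> dst (type/code), N packet(s)
ACL_LOG = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)(?:\.\d+)?.*?"
    r"%SEC-6-IPACCESSLOG(?:DP|P): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\(\d+\))? -> (?P<dst>[\d.]+)\s?\([\d/]+\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample lines; 192.0.2.x stands in for the redacted internal hosts.
SAMPLE = [
    "*Jul 14 02:01:41.706: %SEC-6-IPACCESSLOGP: list Outgoing denied tcp 192.0.2.10(0) -> 91.212.226.59(0), 1 packet",
    "*Jul 14 02:04:57.522: %SEC-6-IPACCESSLOGDP: list Outgoing denied icmp 192.0.2.10 -> 91.212.226.59 (0/0), 11 packets",
    "*Jul 14 02:06:42.118: %SEC-6-IPACCESSLOGP: list Outgoing denied tcp 192.0.2.10(0) -> 91.212.226.59(0), 4 packets",
    "*Jul 14 02:07:03.004: %SEC-6-IPACCESSLOGP: list Outgoing denied tcp 192.0.2.23(0) -> 91.212.226.59(0), 2 packets",
    "*Jul 14 02:07:10.900: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
]


def summarize(lines, action="denied"):
    """Total packets per (acl, src, dst, proto) and record first/last timestamp."""
    stats = {}
    for line in lines:
        m = ACL_LOG.search(line)
        if not m or m["action"] != action:
            continue  # not an ACL log message, or not the action of interest
        key = (m["acl"], m["src"], m["dst"], m["proto"])
        entry = stats.setdefault(
            key, {"packets": 0, "messages": 0, "first": m["ts"], "last": m["ts"]}
        )
        entry["packets"] += int(m["count"])
        entry["messages"] += 1
        entry["last"] = m["ts"]  # relies on chronological input
    return stats


if __name__ == "__main__":
    rows = sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["packets"])
    for (acl, src, dst, proto), e in rows:
        print(f"{acl:10} {src:15} -> {dst:15} {proto:5} "
              f"{e['packets']:4} pkts in {e['messages']} msgs  {e['first']} .. {e['last']}")
```

To run it against a file collected by a syslog server, pass the open file object to summarize() in place of SAMPLE.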


cramer

join:2007-04-10
Raleigh, NC
kudos:7

reply to rileymartin
Buffer logging: disabled

"show log" isn't showing anything because it's disabled. logging buffered 131072 will do. (128k buffer)


rileymartin
Premium
join:2007-06-01
Bellmore, NY

Thanks, I just enabled it.

