| Author |
Message |
Chris
Guest
|
 Posted:
Wed Dec 15, 2004 4:25 am Post subject:
Given an IP Address: How to determine quickly which ACLs mat |
|
|
Hello All,
Does anyone know of a way to determine quickly which ACL or ACLs a given IP
address matches? I ask this because at my place of work it is not unusal
to have an interface configured with a dozen+ rate-limit statements and
lengthy ACLs associated with each rate-limit statement. When
troubleshooting one has to check against each ACL to determine if the IP in
question is matching ACL or going to default queue. Any input would be
greatly appreciated.
Regards,
Chris |
|
| Back to top |
|
 |
Walter Roberson
Guest
|
| Posted:
Wed Dec 15, 2004 10:55 am Post subject:
Re: Given an IP Address: How to determine quickly which ACLs |
|
|
In article <TLLvd.601$In1.70@fe11.lga>, Chris <c@c.com> wrote:
:Does anyone know of a way to determine quickly which ACL or ACLs a given IP
:address matches? I ask this because at my place of work it is not unusal
:to have an interface configured with a dozen+ rate-limit statements and
:lengthy ACLs associated with each rate-limit statement. When
:troubleshooting one has to check against each ACL to determine if the IP in
:question is matching ACL or going to default queue.
I don't know how it's done, but I understand that Cisco has
a whitepaper [which I haven't read] on how it compiles "turbo ACLs".
I haven't tried my hand at inventing an algorithm from scratch
just knowing that it can be done.
--
If a troll and a half can hook a reader and a half in a posting and a half,
how many readers can six trolls hook in six postings? |
|
| Back to top |
|
|
Ben
Guest
|
| Posted:
Wed Dec 15, 2004 2:45 pm Post subject:
Re: Given an IP Address: How to determine quickly which ACLs |
|
|
Walter Roberson wrote:
| Quote: | In article <TLLvd.601$In1.70@fe11.lga>, Chris <c@c.com> wrote:
:Does anyone know of a way to determine quickly which ACL or ACLs a given IP
:address matches? I ask this because at my place of work it is not unusal
:to have an interface configured with a dozen+ rate-limit statements and
:lengthy ACLs associated with each rate-limit statement. When
:troubleshooting one has to check against each ACL to determine if the IP in
:question is matching ACL or going to default queue.
I don't know how it's done, but I understand that Cisco has
a whitepaper [which I haven't read] on how it compiles "turbo ACLs".
I haven't tried my hand at inventing an algorithm from scratch
just knowing that it can be done.
|
Hi Walter/Chris,
The easiest way to achieve what you want is to simply debug the
access-lists one at a time and look at the debug output to determine
which packets are being matched.
As in:
ROUTER#debug ip packet ?
<1-199> Access list
<1300-2699> Access list (expanded range)
detail Print more debugging detail
<cr>
Or even better test in a controlled lab environment and just look at the
ACL counters.
Turbo ACL's are something else.
They are very handy if you have long ACL's as they will result in a
fixed maximum lookup time. It basically compiles all your ACL's into a
fancy array that will be able to match any packet in no more than 15
lookups. Your ACL's need to be longer than 4 lines to get a benefit
(though I think more than that to be worth it).
Ben C. |
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in