Re: debugging access list

From: DERY, FREDERIC (frederic.dery@xxxxxxxxxxx)
Date: Fri Jan 14 2000 - 11:58:14 GMT-3


   
By default, on some access-list entries, in some IOS versions, you will see
the matches in the output of "show ip access-list". Check if this is
enough for you; this way you will not have to change your access-lists.

Because of Fast Switching, I do not think using the LOG keyword is
effective when you want to really see what is going on right now. If you
want to monitor in near real time and your box is running low on CPU
usage, and the link you want to monitor is not very busy and has a low
throughput (1 or 2 mbps), try a "debug ip packet <ACCESS-LIST NUMBER>".
This has been useful for me in the past.

Hope this helps

Frederic Dery

Luan M Nguyen wrote:
>
> The simplest way is to just put a log at the end of each statement and term
> mon.
> access-list 101 permit icmp any any log
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Stein, Jared
> Sent: Thursday, January 13, 2000 8:59 PM
> To: 'ccielab@groupstudy.com'
> Subject: debugging access list
>
> Is there any way to find out what is trying to get through your access list
> applied on an interface?
>
> Example
>
> access-list 101 permit icmp any any
>
> Can I see what traffic is failing by port? How could I see if GRE was
> failing, FTP, etc.?
>
> Thanks
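
Added example, not part of the original thread: a Python sketch that tallies the syslog lines produced by the "log" keyword into denied packets per protocol and destination port, which is what the original question asks for. The ACL entries in the comment, the sample lines and the function name are constructed for illustration; the message layout is assumed from typical IOS output, and an explicit final deny with "log" is assumed because the implicit deny at the end of an ACL is not logged.

```python
import re
from collections import Counter

# Constructed sample of "terminal monitor" output, assuming ACL 101 ends with
# an explicit logged deny (assumed entries, not taken from the thread):
#   access-list 101 permit icmp any any log
#   access-list 101 deny   ip any any log
# Addresses are documentation ranges; the message layout is an assumption.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1043) -> 198.51.100.5(21), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1044) -> 198.51.100.5(21), 3 packets
%SEC-6-IPACCESSLOGNP: list 101 denied 47 192.0.2.20 -> 198.51.100.9, 2 packets
%SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.30(1025) -> 198.51.100.5(69), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permitted icmp 192.0.2.10 -> 198.51.100.5 (8/0), 5 packets
"""

# One pattern covers the port-bearing (tcp/udp), ICMP and bare-protocol variants.
LINE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?.*?, (?P<count>\d+) packets?"
)

# IP protocol numbers that may be logged numerically instead of by name.
PROTO_NAMES = {"47": "gre", "50": "esp", "89": "ospf"}


def denied_by_service(log_text, acl="101"):
    """Return Counter {(protocol, dest_port_or_None): packets} for denied traffic."""
    totals = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["acl"] != acl or m["action"] != "denied":
            continue  # skip unrelated lines, other ACLs and permitted traffic
        proto = PROTO_NAMES.get(m["proto"], m["proto"])
        dport = int(m["dport"]) if m["dport"] else None  # GRE etc. have no port
        totals[(proto, dport)] += int(m["count"])
    return totals


if __name__ == "__main__":
    for (proto, dport), pkts in denied_by_service(SAMPLE_LOG).most_common():
        print(f"{proto:5} dport={dport!s:5} packets={pkts}")
```
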


