RE: ip accounting access-violations

From: Michael Zuo (mzuo@ixiacom.com)
Date: Mon Oct 30 2006 - 21:12:26 ART


Hi Alexei,

Out of curiosity, a couple of quick questions about your sample:

1. How come you have a local policy? Won't the ip access groups alone
trigger the access-violation?
2. How come access list 1 is for incoming and 11 for outgoing?
Should it be the other way around?

thanks

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Alexei Monastyrnyi
Sent: Sunday, October 29, 2006 6:24 AM
To: Mohamed Saeed
Cc: ccielab@groupstudy.com
Subject: Re: ip accounting access-violations

Hi.

With access-violation it seems to capture both inbound and outbound
violations.

Here is an example.

(lo0) R1 (1.1.1.1/24) <-> (1.1.1.2/24) R2

By pinging the opposite IP from each router you will be able to see on R1

R1#sh ip account access
   Source           Destination      Packets     Bytes   ACL
 2.2.2.2          1.1.1.1                5       280   1
 1.1.1.1          1.1.1.2                5       500   11
 1.1.1.2          1.1.1.1                7       700   1

Accounting data age is 13

R1#sh run | in inter|add|access|route-map

interface Loopback0
 ip address 2.2.2.2 255.255.255.0

interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group 1 in
 ip access-group 11 out
 ip accounting access-violations

ip local policy route-map local

access-list 1 deny 1.1.1.2
access-list 11 deny 1.1.1.1

route-map local permit 10
 set interface Loopback0

HTH
A.

Mohamed Saeed wrote:
> Hi All,
>
> I am quite confused with the usage of the "access-violations" option of
> the "ip accounting" command. It is supposed that using this option will
> allow the "ip accounting" command to provide information about traffic
> that fails access lists applied on a certain interface.
>
> The point that is confusing me is that the "ip accounting" command will
> only provide statistics for traffic transiting the interface in the
> outbound direction. Since traffic that fails the access list applied on a
> certain interface will not flow via this interface, then the "ip
> accounting" command will not capture it.
>
> Would someone help by clarifying whether I am wrong and provide an
> example for how to test this option?
>
> Thanks and Kind Regards
>
> Mohamed Saeed, CCNP - CCIP

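Added example, not part of the original thread: a small Python parser for the access-violations accounting table in the column layout quoted above (Source, Destination, Packets, Bytes, ACL), totalling denied packets and bytes per access list. The function names are hypothetical, the sample text is constructed from the rows in the thread (one row wrapped as in the archived mail), and numbered ACLs are assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the three rows quoted in the thread, with one row
# wrapped across two lines the way the archived mail wrapped them.
SAMPLE = """\
R1#sh ip account access
   Source           Destination      Packets     Bytes   ACL
 2.2.2.2          1.1.1.1                5       280   1
 1.1.1.1          1.1.1.2                5
500   11
 1.1.1.2          1.1.1.1                7       700   1

Accounting data age is 13
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_violations(text):
    """Return one dict per accounting row, rejoining wrapped rows."""
    rows, pending = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and IPV4.match(parts[0]) and IPV4.match(parts[1]):
            pending = parts                      # start of a new row
        elif pending and parts and all(p.isdigit() for p in parts):
            pending = pending + parts            # continuation of a wrapped row
        else:
            pending = []                         # prompt, header, blank, footer
            continue
        if len(pending) == 5 and all(p.isdigit() for p in pending[2:]):
            src, dst, pkts, nbytes, acl = pending
            rows.append({"src": src, "dst": dst, "packets": int(pkts),
                         "bytes": int(nbytes), "acl": acl})
            pending = []
    return rows


def totals_by_acl(rows):
    """Sum packets and bytes of denied traffic per access list."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for r in rows:
        totals[r["acl"]]["packets"] += r["packets"]
        totals[r["acl"]]["bytes"] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for acl, t in sorted(totals_by_acl(parse_violations(SAMPLE)).items()):
        print(f"ACL {acl}: {t['packets']} packets, {t['bytes']} bytes denied")
```
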


This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:07 ART