cisco access lists blocked packets

Hi, how can you see what packets are being blocked by an access-list on a Cisco router? I know about show access-list xxx, which shows how many times an access-list rule has been matched, but I want to see the actual packets going through the router.

Is this possible? Thanks in advance.

Reply to
ants

In article , ants wrote:
: how can you see what packets are being blocked on an
: access-list on a Cisco router? I know about show access-list xxx which
: shows how many times an access-list rule has been used, but I want to
: see the actual packets through the router

There might perhaps be a more direct way, but the way that comes to mind is this:

Don't apply the access-list directly to the interface in question. Instead, create policy-based routing (PBR) and use that access-list to permit traffic through in the first policy. In the second policy of the PBR, redirect the remaining traffic to a loopback interface. Now, SPAN or RSPAN the loopback interface to your monitoring equipment.

See also "debug ip packet detail" -- but that can overwhelm your system easily, and has the problem that the access-list controls what is to be captured. But you could use the PBR approach listed above and debug everything that got sent to the loopback interface I described.

You might also be able to take advantage of "ip traffic-export profile".

If you have one of the advanced security features with the firewall feature, then you can use NBAR to capture traffic.


Cisco's features for -direct- capture and display of traffic are deliberately restricted as a security precaution.

Reply to
Walter Roberson

Add "log" to the end of all the "deny" lines in the ACL; if the ACL doesn't end with a "permit/deny ip any any" line (i.e. it's depending on the implicit deny), you should add "deny ip any any log". It will then log some information about all the packets that were blocked.

Reply to
Barry Margolin

Hi

Try adding log at the end of the access-list line.

ex. access-list 101 deny ip 172.16.0.0 0.0.15.255 any log

Then you can see the blocked packets in syslog, e.g. with sh log.

Reply to
Peter Norén
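As an added example (not code from any poster in this thread), here is a small Python parser for the %SEC-6-IPACCESSLOG syslog messages that the log keyword from the two answers above produces, run over constructed sample lines. The message shape follows the IOS IPACCESSLOGP / IPACCESSLOGDP format; the addresses, ports and packet counts are made up.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape IOS emits for ACL entries
# carrying the "log" keyword (addresses, ports and counts are made up).
SAMPLE_SYSLOG = """\
Mar  1 12:00:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.3.7(51522) -> 10.1.1.10(22), 1 packet
Mar  1 12:00:02.456: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 172.16.3.7 -> 10.1.1.10 (8/0), 4 packets
Mar  1 12:00:03.789: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.1.10(53) -> 172.16.9.2(40001), 1 packet
Mar  1 12:05:01.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.3.7(51523) -> 10.1.1.10(22), 17 packets
"""

# One pattern covers the TCP/UDP (IPACCESSLOGP), ICMP (IPACCESSLOGDP) and
# other-protocol (IPACCESSLOGNP) variants: an optional (port) after each
# address, an optional " (type/code)" for ICMP, then the packet count.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG[A-Z]+: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

def parse_acl_log(line):
    """Return a dict describing one ACL log message, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def blocked_summary(text):
    """Sum the packet counts of 'denied' messages per (acl, proto, src, dst, dport)."""
    totals = Counter()
    for line in text.splitlines():
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            key = (rec["acl"], rec["proto"], rec["src"], rec["dst"], rec["dport"])
            totals[key] += rec["count"]
    return totals

if __name__ == "__main__":
    for (acl, proto, src, dst, dport), n in blocked_summary(SAMPLE_SYSLOG).most_common():
        print(f"list {acl}: {proto} {src} -> {dst}:{dport or '-'}  {n} packets denied")
```

The counts are summed because IOS logs the first matching packet and then periodic summaries carrying a packet count rather than one line per packet, so the syslog shows which flows were blocked, not the full packet contents.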
