As soon as you start using access control lists (ACLs), it is important to know which ACLs are being used. Even more beneficial is knowing how many times an ACL entry (ACE) was used and on which interface.
If an ACL or ACE is never used, then it is wasting space in your router's memory. If the applied ACL or ACE never matches any traffic, then it may be a sign that the router is misconfigured. A bad configuration could leave you with a security hole if you are not blocking the traffic you intended.
How do I view ACL usage statistics?
Keep in mind that at any time you can see which Cisco IOS options are available by typing ? at the end of a command. For example, here are the options available with the show access-lists command:
Router# show access-lists ?
<1-2699> ACL number
WORD ACL name
compiled Compiled access-list statistics
rate-limit Show rate-limit access lists
| Output modifiers
As you can see, there are a number of different ways to view ACLs and their usage. But without the new Cisco ACL Manageability features in IOS 12.4, you are viewing only global statistics for that ACL and ACE. In other words, if the same ACL is applied in several places, for several purposes, and in different directions, every use is totaled together in the statistics. Thus, you have no way of knowing whether your ACL is getting all of its matches on interface Fa0/1 and none on interface Fa0/2.
Viewing ACL statistics by number
Router# show access-list 158
Extended IP access list 158
10 deny ip any any time-range denytime (active) (65951975 matches)
As you can see from the example, 65,951,975 packets have matched this particular access list.
Viewing statistics by name
Router# show access-list MyACL
Extended IP access list MyACL
10 permit tcp host 220.127.116.11 eq telnet host 18.104.22.168
20 permit tcp host 22.214.171.124 eq 16100 host 126.96.36.199 (149407 matches)
30 permit tcp host 188.8.131.52 eq 17600 host 184.108.40.206 (80592 matches)
40 permit tcp host 220.127.116.11 eq 10701 host 18.104.22.168 (26008 matches)
As you can see from the example, this ACL sees heavy use overall, but one ACE (sequence 10) has never matched at all.
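As an added example (not from the original article), the following Python script parses the show access-list output format shown above and reports the ACEs that have never matched, which is the condition the article flags as a possible misconfiguration. The sample output is constructed for the example and uses documentation-range IP addresses; the parser assumes IOS omits the "(N matches)" suffix on an ACE that has never matched, as in the article's line 10.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, mirroring the article's two outputs (placeholder IPs).
SAMPLE_OUTPUT = """\
Extended IP access list MyACL
    10 permit tcp host 192.0.2.11 eq telnet host 192.0.2.21
    20 permit tcp host 192.0.2.12 eq 16100 host 192.0.2.22 (149407 matches)
    30 permit tcp host 192.0.2.13 eq 17600 host 192.0.2.23 (80592 matches)
    40 permit tcp host 192.0.2.14 eq 10701 host 192.0.2.24 (26008 matches)
Extended IP access list 158
    10 deny ip any any time-range denytime (active) (65951975 matches)
"""

# "Extended IP access list <name-or-number>"
ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
# "<seq> permit|deny <rule> [(<N> matches)]"; the counter is optional.
ACE_LINE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches?\))?\s*$"
)

Ace = Tuple[int, str, str, int]  # (sequence, action, rule text, match count)


def parse_access_lists(text: str) -> Dict[str, List[Ace]]:
    """Return {acl_name: [ace, ...]} from show access-list output."""
    acls: Dict[str, List[Ace]] = {}
    current = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(2)
            acls[current] = []
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            seq, action, rule, matches = ace.groups()
            # A missing counter means the ACE has never matched.
            acls[current].append((int(seq), action, rule, int(matches or 0)))
    return acls


def unused_aces(acls: Dict[str, List[Ace]]) -> List[Tuple[str, int, str, str]]:
    """List (acl, seq, action, rule) for every ACE with zero matches."""
    return [(name, seq, action, rule)
            for name, entries in acls.items()
            for seq, action, rule, matches in entries if matches == 0]


if __name__ == "__main__":
    for name, seq, action, rule in unused_aces(parse_access_lists(SAMPLE_OUTPUT)):
        print(f"{name} seq {seq}: '{action} {rule}' has never matched; verify intent")
```

Feed it the saved output of show access-list (or the per-interface form below) to get a list of entries worth reviewing.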
For further information on the show access-list command, please see the Cisco IOS ACL "show access-list" documentation.
Cisco IOS ACL Manageability feature
Previously, the ACL infrastructure maintained only global statistics for each access control entry (ACE) in an ACL. A new feature added in IOS 12.4 allows you to display and clear ACE statistics per interface and per direction (inbound or outbound). That is very useful if you have ACLs and ACEs applied in different places and in different directions.
Notice in the two examples below how you can show your access-lists per interface and per direction:
Router# show ip access-list interface FastEthernet 0/1 in
Router# show ip access-list interface FastEthernet 0/0 out
Note that if no direction is specified, any input and output ACLs applied to that interface are displayed. For more information on the new Cisco ACL Manageability feature, please see the Cisco ACL Manageability new feature documentation.
Conclusion
In this article, you have learned that you can use various show commands to get detailed statistics on your access lists. You also learned about the Cisco IOS ACL Manageability feature, which lets you retrieve ACL-specific statistics for packets coming in and going out of each interface and can be of great value in monitoring and securing your network.
For the official documentation covering Cisco ACLs, visit Cisco's Access Control Lists: Overview and Guidelines.
David Davis has worked in the IT industry for 15+ years and holds several certifications, including CCIE, CCNA, CCNP, MCSE, CISSP, VCP. He has authored hundreds of articles and numerous IT training videos. Today, David is the Director of Infrastructure at Train Signal.com. Train Signal, Inc. is the global leader in video training for IT Professionals and end users.