The "log" option isn't needed to get the "match" counts on Cisco routers -
they're shown for all access list statements.
But be aware that changing the order of an access list can affect what gets
filtered. Clearly:
access-list 101 deny ip any any
access-list 101 permit ip 1.1.0.0 0.0.255.255 any log
is not the same as:
access-list 101 permit ip 1.1.0.0 0.0.255.255 any
access-list 101 deny ip any any
Tony Rall
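As an added example (not from either post), a small Python model of how a Cisco router walks an extended ACL: first match wins, a matched entry's counter increments whether or not it carries "log", and the two orderings above classify the same traffic differently. It only parses the "permit|deny ip SRC DST [log]" form used in the thread; the sample entries and packets are constructed.

```python
import ipaddress
from collections import Counter

def _wildcard_match(addr, base, wildcard):
    """Cisco wildcard masks are inverted: a 1 bit means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST [log]' into a tuple."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError("unsupported entry: " + line)
    action, rest = tok[2], tok[4:]

    def take(rest):  # consume 'any' or 'ADDR WILDCARD'; return a predicate
        if rest[0] == "any":
            return (lambda ip: True), rest[1:]
        base, wild = rest[0], rest[1]
        return (lambda ip: _wildcard_match(ip, base, wild)), rest[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    return action, src, dst, "log" in rest

def evaluate(acl_lines, packets):
    """Walk the ACL top-down per (src, dst) packet; the first match wins.
    Returns (decisions, Counter of matches per entry). Matches are counted
    with or without 'log'; the implicit final deny is keyed 'implicit-deny'."""
    aces = [parse_ace(l) for l in acl_lines]
    counts, decisions = Counter(), []
    for src, dst in packets:
        for line, (action, s, d, _log) in zip(acl_lines, aces):
            if s(src) and d(dst):
                counts[line] += 1
                decisions.append(action)
                break
        else:
            counts["implicit-deny"] += 1
            decisions.append("deny")
    return decisions, counts

# Constructed sample: the two orderings from the thread and two packets.
DENY_FIRST = ["access-list 101 deny ip any any",
              "access-list 101 permit ip 1.1.0.0 0.0.255.255 any log"]
PERMIT_FIRST = ["access-list 101 permit ip 1.1.0.0 0.0.255.255 any",
                "access-list 101 deny ip any any"]
PACKETS = [("1.1.5.5", "10.0.0.1"), ("2.2.0.9", "10.0.0.1")]
```

Running evaluate() on both lists shows the deny-first order never lets the permit line count a single match, which is the ordering trap the reply warns about.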
"Norris, Wayne" <[EMAIL PROTECTED]> on 04/02/99 22:11:08
If you add the 'log' statement at the end of each line of your ACL, you can
measure hits against it. This will enable you to fairly accurately place
each rule.
e.g.
access-list 101 permit ip 1.1.0.0 0.0.255.255 any log
access-list 101 permit ip 2.2.0.0 0.0.255.255 any log
output from sh ip access-lists
permit ip 1.1.0.0 0.0.255.255 any (29068714 matches)
permit ip 2.2.0.0 0.0.255.255 any (61424 matches)
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]