Display IP packet filters attached to router's interfaces

A few days ago, Jeremy Stretch asked me whether there's a command to display packet lists attached to router's interfaces. While he got pretty far with the output filters, he would like to have a nice tabular format as well as the contents of the access lists displayed next to the interfaces. The show ip access-list interface name command comes pretty close, but it displays the information only for a single interface, so it was time to write another Tcl script. To install it on your router:

  1. Download it from my web site and copy it to your router's flash or NVRAM.
  2. Define an alias, for example alias exec filters tclsh flash:packetFilters.tcl.

The script recognizes two parameters: the all parameter displays all interfaces, including ones with no access lists and the verbose parameter displays the contents of the access list after the interface name.

Here are a few sample printouts from one of my lab routers:
R2#filters
Interface Inbound Outbound
=========================================================
Serial1/0 101
Serial1/2 ICMP 101

R2#filters verbose

Serial1/0
====================
in: Extended IP access list 101
    10 permit ip any any (2012 matches)

Serial1/2
====================
in: Extended IP access list ICMP
    10 deny icmp any host 10.0.1.2 echo
    20 deny icmp any host 10.2.0.2 echo
    30 permit ip any any (637 matches)

out:Extended IP access list 101
    10 permit ip any any (2012 matches)

Note: This article is part of You've asked for it series.

4 comments:

  1. I did another thing. I modified your ipInterfaces.tcl-script to also include ACL-in and ACL-out columns.

    It gives me a nice tabular view of which interfaces have which access-lists.

    ReplyDelete
  2. Good - are you accepting "enhancement requests" ? :)

    a) for the script to pause and print a "more" or similar when reaches line 24 - or whatever the term len is. Otherwise, with long access lists, the output just scrolls out :)

    b) would be cool to actually READ the access-list from the running-config and print (if any) the REMarks associated with the lines - something sadly missing from the "sh access-l X" command :(

    c) could the script tabulate and maybe sort by proto the matches? not necessarily in the order the ACL has been written. Example ACL:

    deny tcp any any eq 80
    deny udp any any eq 161
    deny tcp any any eq 23

    it would be nice to have something like:

    ACTION | PROTO | SRC | DST | PORTS | HITS
    deny | tcp | any | any | 23 | 200
    deny | tcp | any | any | 80 | 120
    deny | udp | any | any | 161 | 977

    Just some ideas to make it more useful :)

    ReplyDelete
  3. @Anonymous: of course I'm accepting enhancement requests :)

    #A: doable, will write a post when finished.

    #B: doable, but I am not sure whether the "general public" would find it usable. The "show running" command can take quite a long time.

    #C: this is the one thing I would not even try to address (well, maybe in some distant future ;). I am positive each IOS user would like to see a different format. I might get back to this one when I'll start going deeper into writing web-based applications for IOS (it's been on my back-burner for quite some time).

    ReplyDelete
  4. Well - guess I can always learn TCL and do (C) - and contribute back. Not likely, though ;)

    BTW: CSCse26966 - show access-list should provide an option to print configured remarks

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.