Command of the Day

Aruba Employee

COTD: Show acl hits

This command lists all the access lists (user/port) that are actively being hit by client traffic. The output has three sections: 'User Role ACL Hits', 'Port Based Session ACL' and 'Port ACL'. It clearly indicates which policy is being applied to the client's traffic and is very helpful in troubleshooting.
A sample output follows. As you can see in the output, the ICMP, DNS and DHCP traffic generated by the client is all permitted. The 'New Hits' and 'Total Hits' counters keep incrementing as and when there is new ICMP, DNS or DHCP traffic from the client. Similarly, all other traffic from the client is currently being denied by the 'implicit deny' ACL. The client is not generating traffic that matches any other policy applied in the role. For instance, a policy permitting HTTP traffic, something like 'user any svc-http permit', could already be applied in the role; the output below shows no hits for it, which means the client has so far not generated any HTTP traffic for that policy to be hit.
(Bipin) #show acl hits
User Role ACL Hits
Role Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
---- ------ --- --- ------- ------ ----------- -------- ---------- -----
logon control any any svc-icmp permit 10 30 4194
logon control any any svc-dns permit 3 5 4195
logon control any any svc-dhcp permit 1 48 4199
logon any any any deny 30 18 4209
Port Based Session ACL
Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
------ --- --- ------- ------ ----------- -------- ---------- -----
validuser any any any permit 0 4 4044
Port ACL Hits
ACL ACE New Hits Total Hits Index
--- --- -------- ---------- -----
(Bipin) #
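As an added illustration (not part of the original post, and not an Aruba tool), the following Python script parses a capture of this output and summarises, per role, which services are actually being permitted and how many hits are falling through to the implicit deny. It assumes the short row in the 'User Role ACL Hits' section is the implicit-deny entry with a blank Policy column; the sample text is the capture from the post above.

```python
import re
# Constructed sample: the capture shown in the post, prompt line included.
SAMPLE = """\
(Bipin) #show acl hits
User Role ACL Hits
Role Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
---- ------ --- --- ------- ------ ----------- -------- ---------- -----
logon control any any svc-icmp permit 10 30 4194
logon control any any svc-dns permit 3 5 4195
logon control any any svc-dhcp permit 1 48 4199
logon any any any deny 30 18 4209
Port Based Session ACL
Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
------ --- --- ------- ------ ----------- -------- ---------- -----
validuser any any any permit 0 4 4044
"""
# One 'User Role ACL Hits' row. Policy and Dest/Opcode are optional (the implicit-deny
# row has no policy name); anchoring on the action keyword keeps counters aligned.
ROW = re.compile(
    r"^(?P<role>\S+)\s+(?:(?P<policy>\S+)\s+)?(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<service>\S+)\s+(?P<action>permit|deny)\s+(?:(?P<dest>\S+)\s+)?"
    r"(?P<new>\d+)\s+(?P<total>\d+)\s+(?P<index>\d+)$"
)
def parse_user_role_hits(text):
    """Return the 'User Role ACL Hits' rows as dicts; counters become ints."""
    rows, in_section = [], False
    for line in text.splitlines():
        if line.startswith("User Role ACL Hits"):
            in_section = True            # table of interest starts here
        elif line.startswith("Port"):
            in_section = False           # 'Port Based Session ACL' / 'Port ACL Hits'
        elif in_section and (m := ROW.match(line.strip())):
            row = m.groupdict()
            row.update({k: int(row[k]) for k in ("new", "total", "index")})
            row["policy"] = row["policy"] or "<implicit>"   # assumption: blank = implicit deny
            rows.append(row)
    return rows
def summarize(rows):
    """Per role: services being permitted plus deny counters. A growing 'denied_new'
    with an expected service missing from 'permitted' is the troubleshooting signal."""
    out = {}
    for r in rows:
        s = out.setdefault(r["role"], {"permitted": [], "denied_new": 0, "denied_total": 0})
        if r["action"] == "permit" and r["total"] > 0:
            s["permitted"].append(r["service"])
        elif r["action"] == "deny":
            s["denied_new"] += r["new"]
            s["denied_total"] += r["total"]
    return out
```

Feed it a saved capture of `show acl hits` taken before and after reproducing the client's problem; a service that never appears under 'permitted' while the deny counter grows is the policy you are missing.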