Cisco ASA for Nexus 1000V Series Switch

Cisco ASA NetFlow Implementation Guide
 
  About NSEL
ACL ID Fields
The 12-byte raw ACL ID must be divided into its three constituent parts, as follows:
• The first four bytes are the ACL Name ID.
• The next four bytes are the ACL Entry (ACE) ID or, if the entry uses an object-group, the Object-Group ID.
• The final four bytes are the Extended ACL Entry ID.
Each of these values can be looked up in the output of the show access-list command on the ASA, where it appears as the hexadecimal value at the end of a line. The ACL Name ID is the name hash at the end of the first line for that ACL. The ACE ID is at the end of each individual ACL entry line.
Note
If you use an object-group in an access list, then the second four-byte ID is not actually the ACE ID; it is the Object-Group ID. The Extended ACE ID (the final four-byte part) then identifies the individual ACL entry that the object-group expanded to. When an entry does not use an object-group, the final four bytes are zero. The following example shows these entries:
ciscoasa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list foo; 2 elements; name hash: 0x102154c1
access-list foo line 1 extended permit tcp object-group host_grp_1 any eq www 0xd0e5806e
access-list foo line 1 extended permit tcp host 209.165.200.254 any eq www (hitcnt=4) 0x7e5ad93b
access-list foo line 1 extended permit tcp host 209.165.201.1 any eq www (hitcnt=0) 0xe0c1846b
access-list bar; 1 elements; name hash: 0x5da9bb69
access-list bar line 1 extended deny tcp any any (hitcnt=41) 0x84434b4b
This example is similar to the example shown in 
In the denied flow example, the ACL IDs are divided into their constituent parts as follows:
• NF_F_INGRESS_ACL_ID: InAcl: 0x102154c1d0e5806e7e5ad93b
  where 0x102154c1 are the first four bytes, 0xd0e5806e are the second four bytes, and 0x7e5ad93b are the final four bytes.
• NF_F_EGRESS_ACL_ID: 0x5da9bb6984434b4b00000000
  where 0x5da9bb69 are the first four bytes, 0x84434b4b are the second four bytes, and 0x00000000 are the final four bytes.
Note
Each of these IDs corresponds to a line in the show access-list example: 0x102154c1 is the name hash of access-list foo, 0xd0e5806e is its object-group entry, and 0x7e5ad93b is the expanded entry for host 209.165.200.254; 0x5da9bb69 is the name hash of access-list bar and 0x84434b4b is its deny tcp any any entry, with the trailing 0x00000000 showing that this ACE did not use an object-group.
From these IDs, you can deduce that access-list foo was applied on the input interface, and that access-list bar was applied on the output interface. That information is also available through the show run access-group command, but the added benefit of these ACL IDs is that you can identify the individual ACE that caused the permit or deny action. Because this flow was denied on egress (determined from the extended event code), you know that the ingress ACL ID identifies the ACE line that permitted the flow and that the egress ACL ID identifies the ACE that denied the flow.
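The following Python script is an added example, not code from the guide or from Cisco: it applies the procedure above by indexing the show access-list output on the 32-bit hexadecimal ID that ends each line, splitting a 12-byte NF_F_INGRESS_ACL_ID or NF_F_EGRESS_ACL_ID into its three words, and resolving each word back to the ACL, the object-group entry and the individual ACE. The show access-list text is the example from this page, embedded as a constructed string; the function names and the dictionary returned are assumptions of this example, and a real collector would pass the raw 12-byte field from the NetFlow record rather than the hex string a display prints.

```python
import re
from typing import Dict, Tuple, Union

# Constructed sample input: the 'show access-list' output from this page,
# embedded here so the script runs offline.
SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list foo; 2 elements; name hash: 0x102154c1
access-list foo line 1 extended permit tcp object-group host_grp_1 any eq www 0xd0e5806e
access-list foo line 1 extended permit tcp host 209.165.200.254 any eq www (hitcnt=4) 0x7e5ad93b
access-list foo line 1 extended permit tcp host 209.165.201.1 any eq www (hitcnt=0) 0xe0c1846b
access-list bar; 1 elements; name hash: 0x5da9bb69
access-list bar line 1 extended deny tcp any any (hitcnt=41) 0x84434b4b
"""

# 'access-list <name>; N elements; name hash: 0x........'
_NAME_RE = re.compile(r"^access-list (\S+); .*name hash: (0x[0-9a-fA-F]{8})$")
# Any ACE or object-group line: the 32-bit ID is always the last token
_ACE_RE = re.compile(r"^(access-list \S+ line \d+ .*?)\s*(0x[0-9a-fA-F]{8})$")


def index_access_lists(output: str) -> Dict[int, str]:
    """Map each 32-bit ID printed by 'show access-list' to the text of its line.

    Name hashes and ACE/object-group IDs go into one table because an NSEL
    ACL ID carries both kinds and each word is looked up the same way.
    """
    table: Dict[int, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        m = _NAME_RE.match(line)
        if m:
            table[int(m.group(2), 16)] = f"access-list {m.group(1)}"
            continue
        m = _ACE_RE.match(line)
        if m:
            table[int(m.group(2), 16)] = m.group(1).strip()
    return table


def split_acl_id(acl_id: Union[str, bytes]) -> Tuple[int, int, int]:
    """Split a 12-byte NSEL ACL ID into (ACL Name ID, ACE/Object-Group ID, Extended ACE ID).

    Accepts the raw 12 bytes from the NetFlow record or the hex string a
    collector prints ('0x' prefix optional). Each word is big-endian, as printed.
    """
    if isinstance(acl_id, str):
        hexstr = acl_id[2:] if acl_id.lower().startswith("0x") else acl_id
        raw = bytes.fromhex(hexstr)
    else:
        raw = bytes(acl_id)
    if len(raw) != 12:
        raise ValueError(f"ACL ID must be 12 bytes, got {len(raw)}")
    words = [int.from_bytes(raw[i:i + 4], "big") for i in (0, 4, 8)]
    return words[0], words[1], words[2]


def resolve_acl_id(acl_id: Union[str, bytes], table: Dict[int, str]) -> Dict[str, object]:
    """Resolve NF_F_INGRESS_ACL_ID / NF_F_EGRESS_ACL_ID to the ACL and ACE that matched.

    A non-zero third word means the second word is an object-group ID and the
    third word is the expanded individual ACE; a zero third word means the
    second word is the ACE ID itself.
    """
    name_id, entry_id, ext_id = split_acl_id(acl_id)
    result: Dict[str, object] = {
        "acl": table.get(name_id, f"<unknown ACL name hash {name_id:#010x}>"),
        "uses_object_group": ext_id != 0,
    }
    if ext_id != 0:
        result["object_group_line"] = table.get(
            entry_id, f"<unknown object-group ID {entry_id:#010x}>")
        result["ace"] = table.get(ext_id, f"<unknown extended ACE ID {ext_id:#010x}>")
    else:
        result["ace"] = table.get(entry_id, f"<unknown ACE ID {entry_id:#010x}>")
    return result


if __name__ == "__main__":
    acl_table = index_access_lists(SHOW_ACCESS_LIST)
    # The two ACL IDs from the denied-flow example on this page
    for label, acl_id in (("NF_F_INGRESS_ACL_ID", "0x102154c1d0e5806e7e5ad93b"),
                          ("NF_F_EGRESS_ACL_ID", "0x5da9bb6984434b4b00000000")):
        print(label, resolve_acl_id(acl_id, acl_table))
```

The index must be rebuilt whenever the configuration changes, because the ACE IDs are hashes of the entry text and an edited entry gets a new ID; an ID that is not found in the table is reported as unknown rather than guessed.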
Event Codes
The collector must hard-code the event codes, because the ASA issues only four high-level event types (flow creation, teardown, denial, and update).