ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit “deny” or “permit” action. You can use ACL logging to help:
Test your network to ensure that your ACL configuration is detecting and denying or “permitting” the IPv4 traffic you do not want forwarded.
Receive notification when the switch detects attempts to forward IPv4 traffic you have designed your ACLs to reject (deny) or allow (permit).
The switch sends ACL messages to Syslog and optionally to the current console, Telnet, or SSH session. You can use logging <ip-addr> to configure up to six Syslog server destinations.
Requirements for using ACL logging
The switch configuration must include an ACL (1) assigned to a port, trunk, or static VLAN interface and (2) containing an ACE configured with the deny or permit action and the log option.
These requirements are described in more detail in Enabling ACL logging on the switch.
ACL logging operation
When the switch detects a packet match with an ACE and the ACE includes either the deny or permit action and the optional log parameter, an ACL log message is sent to the designated debug destination.
The first time a packet matches an ACE with deny or permit and log configured, the message is sent immediately to the destination and the switch starts a wait period of approximately five minutes. (The exact duration of the period depends on how the packets are internally routed.) At the end of the collection period, the switch sends a single-line summary of any additional “deny” or “permit” matches for that ACE (and any other “deny” or “permit” ACEs for which the switch detected a match).
If no further log messages are generated in the wait-period, the switch suspends the timer and resets itself to send a message as soon as a new “deny” or “permit” match occurs. If subsequent packets matching the already logged ACL entries are detected, then a new logged event will be generated that summarizes the number of packets that matched each specific entry (with the time period). The data in the message includes the information illustrated in Content of a message generated by an ACL-deny action.
Enabling ACL logging on the switch
1. If you are using a Syslog server, use the logging <ip-addr> command to configure the Syslog server IPv4 address. Ensure that the switch can access any Syslog server you specify.
2. Use logging facility syslog to enable the logging for Syslog operation.
3. Use the debug destination command to configure one or more log destinations. Destination options include logging and session. For more information on debug, see the “Troubleshooting” section of the Management and Configuration Guide for your switch.
4. Use debug acl or debug all to configure the debug operation to include ACL messages.
5. Configure one or more ACLs with the deny or permit action and the log option.
HP Switch(config)# ip access-list extended NO-TELNET
HP Switch(config-ext-nacl)# remark "DENY 10.10.10.3 TELNET TRAFFIC IN"
HP Switch(config-ext-nacl)# deny tcp host 10.10.10.3 any eq telnet log
HP Switch(config-ext-nacl)# permit ip any any
HP Switch(config-ext-nacl)# exit
HP Switch(config)# logging 10.10.20.3
HP Switch(config)# logging facility syslog
HP Switch(config)# debug destination logging
HP Switch(config)# debug destination session
HP Switch(config)# debug acl
HP Switch(config)# write mem
HP Switch(config)# show debug

 Debug Logging
  Destination:
   Logging --
    10.10.20.3
    Facility = syslog
   Session
  Enabled debug types:
   event
   acl log

HP Switch(config)# show access-list config

ip access-list extended "NO-TELNET"
   10 remark "DENY 10.10.10.3 TELNET TRAFFIC"
   10 deny tcp 10.10.10.5 0.0.0.0 0.0.0.0 255.255.255.255 eq 23 log
   20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
Configuring logging timer
By default, the wait period for logging "deny" matches (described above in "ACL logging operation") is approximately five minutes (300 seconds). You can manually set the wait period timer to an interval between 30 and 300 seconds, using the access-list logtimer command from the config context. This setting is stored in the switch configuration.
Syntax: access-list logtimer < default | <30-300> >

This command sets the wait period timer for logging "deny" or "permit" messages to the SYSLOG server or other destination device. The first time a packet matches an ACE with deny and log configured, the message is sent immediately to the destination and the switch starts a wait period of approximately five minutes (default value). The exact duration of the period depends on how the packets are internally routed. At the end of the wait period, the switch sends a single-line summary of any additional “deny” or “permit” matches for that ACE, and any other “deny” or “permit” ACEs for which the switch detected a match. If no further log messages are generated in the wait period, the switch suspends the timer and resets itself to send a message as soon as a new “deny” or “permit” match occurs.
Monitoring static ACL performance
ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface. This can help in determining whether a particular traffic type is being filtered by the intended ACE in an assigned list, or if traffic from a particular device or network is being filtered as intended.
NOTE: This section describes the command for monitoring static ACL performance. To monitor RADIUS-assigned ACL performance, use either of the following commands: