ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit “deny” or “permit” action. You can use ACL logging to help:
Test your network to ensure that your ACL configuration is detecting and denying or “permitting” the IPv4 traffic you do not want forwarded.
Receive notification when the switch detects attempts to forward IPv4 traffic you have designed your ACLs to reject (deny) or allow (permit).
The switch sends ACL messages to and optionally to the current console, Telnet, or SSH session. You can use
logging < > to configure up to six server destinations.
Requirements for using ACL logging
The switch configuration must include an ACL (1) assigned to a port, trunk, or static VLAN interface and (2) containing an ACE configured with the
permitaction and the
See AlsoACI object moquery Cheat Sheet
The server must be accessible to the switch and identified in the running configuration.
These requirements are described in more detail in Enabling ACL logging on the switch.
ACL logging operation
When the switch detects a packet match with an ACE and the ACE includes either the
permit action and the optional
log parameter, an ACL log message is sent to the designated debug destination.
The first time a packet matches an ACE with
log configured, the message is sent immediately to the destination and the switch starts a wait-period of approximately five minutes. (The exact duration of the period depends on how the packets are internally routed.) At the end of the collection period, the switch sends a single-line summary of any additional “deny” or “permit” matches for that ACE (and any other “deny” or “permit” ACEs for which the switch detected a match).
If no further log messages are generated in the wait-period, the switch suspends the timer and resets itself to send a message as soon as a new “deny” or “permit” match occurs. If subsequent packets matching the already logged ACL entries are detected, then a new logged event will be generated that summarizes the number of packets that matched each specific entry (with the time period). The data in the message includes the information illustrated in Content of a message generated by an ACL-deny action.
Enabling ACL logging on the switch
If you are using a Syslog server, use the
logging <command to configure the Syslog server IPv4 address. Ensure that the switch can access any Syslog server you specify.
ip-addr>(Video) Configuring Access Control Lists (ACL) | Cisco ASA Firewalls
logging facility syslogto enable the logging for Syslog operation.
destinationcommand to configure one or more log destinations. Destination options include
session. For more information on debug, see the “Troubleshooting” section of the Management and Configuration Guide for your switch.
debug allto configure the debug operation to include ACL messages.
Configure one or more ACLs with the
permitaction and the
HP Switch(config)# ip access-list extended NO-TELNETHP Switch(config-ext-nacl)# remark "DENY 10.10.10.3 TELNET TRAFFIC IN"HP Switch(config-ext-nacl)# deny tcp host 10.10.10.3 any eq telnet logHP Switch(config-ext-nacl)# permit ip any anyHP Switch(config-ext-nacl)# exitHP Switch(config)# logging 10.10.20.3HP Switch(config)# logging facility syslogHP Switch(config)# debug destination loggingHP Switch(config)# debug destination sessionHP Switch(config)# debug aclHP Switch(config)# write memHP Switch(config)# show debug Debug Logging Destination: Logging -- 10.10.20.3 Facility = syslog Session Enabled debug types: event acl logHP Switch(config)# show access-list configip access-list extended "NO-TELNET" 10 remark "DENY 10.10.10.3 TELNET TRAFFIC" 10 deny tcp 10.10.10.5 0.0.0.0 0.0.0.0 255.255.255.255 eq 23 log 20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 exit
Configuring logging timer
By default, the wait period for logging "deny" matches (described above in "ACL Logging Operation") is approximately five minutes (300 seconds). You can manually set the wait period timer to an interval between 30 and 300 seconds, using the
access-list command from the
config context. This setting is stored in the switch configuration.
access-list logtimer <default<30-300>>
This command sets the wait period timer for logging "deny" or “permit“ messages to the SYSLOG server or other destination device. The first time a packet matches an ACE with deny and
logconfigured, the message is sent immediately to the destination and the switch starts a wait period of approximately five minutes (default value). The exact duration of the period depends on how the packets are internally routed. At the end of the wait period, the switch sends a single-line summary of any additional “deny“ or “permit” matches for that ACE, and any other “deny“ or “permit” ACEs for which the switch detected a match. If no further log messages are generated in the wait period, the switch suspends the timer and resets itself to send a message as soon as a new “deny“ or “permit” match occurs.(Video) DENY Telnet using Extended ACL | CCNA Tutorial
Monitoring static ACL performance
ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface. This can help in determining whether a particular traffic type is being filtered by the intended ACE in an assigned list, or if traffic from a particular device or network is being filtered as intended.
NOTE: This section describes the command for monitoring static ACL performance. To monitor RADIUS-assigned ACL performance, use either of the following commands: