Why does ACL deny statement not log traffic as configured?

Question
If you need to know which traffic is being blocked, and want messages that identify the blocked traffic by ACL ID, source and destination IP address, protocol and port, you can use the ACL Deny Logging feature. Note that this feature is only supported for inbound traffic.
Answer
ACL Deny Logging

The ACL Deny Logging feature records traffic flows that are denied by an ACL bound to a port. When a packet is denied by an ACL, a Syslog entry is generated and a timer is started to keep track of the packets from this packet flow. After the timer expires (default: 5 minutes), another Syslog entry is generated if there is any packet from the tracked packet flow that was denied.
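The timer behaviour described above is easiest to reason about as a small state machine. The following Python model is an added example, not vendor code: it reproduces the behaviour the article describes (the first denied packet of a flow is logged immediately and starts a timer, further denies are only counted, and when the timer expires a second entry reports the count) so the suppression window and the meaning of the "event(s)" counter can be checked. The flow key fields, the message format and the 300 s default are assumptions modelled on the article's text and log sample.

```python
"""Model of the ACL deny-logging timer described in the article.

Added example, not vendor code. Flow identity, message format and the
300 s default window are assumptions modelled on the article's text.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Flow identity: ACL name, protocol, source IP/port, destination IP/port.
Flow = Tuple[str, str, str, int, str, int]


@dataclass
class _Tracked:
    started: float   # time the current suppression window began
    count: int = 0   # denied packets seen since the window opened


class DenyLogger:
    def __init__(self, interval: float = 300.0) -> None:
        self.interval = interval          # page default: 5 minutes
        self.tracked: Dict[Flow, _Tracked] = {}
        self.log: List[str] = []          # stand-in for the Syslog buffer

    def _emit(self, now: float, flow: Flow, count: int) -> None:
        acl, proto, src, sport, dst, dport = flow
        self.log.append(
            f"t={now:.0f} list {acl} denied {proto} {src}({sport}) - {dst}({dport}), {count} event(s)"
        )

    def _expire(self, now: float) -> None:
        # Close every window whose timer has run out; report only if packets were counted.
        for flow, tr in list(self.tracked.items()):
            if now - tr.started >= self.interval:
                if tr.count:
                    self._emit(now, flow, tr.count)
                del self.tracked[flow]

    def deny(self, now: float, flow: Flow) -> None:
        """Called for each packet matched by a 'deny ... log' rule."""
        self._expire(now)
        tr = self.tracked.get(flow)
        if tr is None:
            # First denied packet of the flow: log at once and open the window.
            self._emit(now, flow, 1)
            self.tracked[flow] = _Tracked(started=now)
        else:
            tr.count += 1  # suppressed until the window closes

    def tick(self, now: float) -> None:
        """Periodic timer check, independent of packet arrival."""
        self._expire(now)


def simulate() -> List[str]:
    # Constructed scenario: one host repeatedly hits the deny rule.
    flow: Flow = ("Test", "tcp", "10.20.20.1", 1025, "10.10.10.11", 80)
    dl = DenyLogger(interval=300.0)
    dl.deny(0.0, flow)     # logged immediately, timer starts
    dl.deny(10.0, flow)    # counted only
    dl.deny(20.0, flow)    # counted only
    dl.tick(300.0)         # timer expires: summary line with 2 event(s)
    dl.deny(310.0, flow)   # new window: logged immediately again
    dl.tick(900.0)         # window closed with nothing counted: no line
    return dl.log


if __name__ == "__main__":
    print("\n".join(simulate()))
```

The practical consequence for monitoring: a burst of denied packets produces at most two Syslog lines per flow per window, so alerting should key on the per-flow counter rather than on message volume.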

Configuration Summary:
1. Configure the ACL with a deny rule that carries the log keyword.
2. Apply the ACL inbound on the interface.
3. Enable the ACL deny logging feature on the interface you wish to track.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

Configuration Example:
ip access-list extended Test
permit tcp host 10.10.10.11 eq dns any
permit tcp host 192.168.10.1 eq dns any
deny ip any any log

The log keyword on the deny rule marks the traffic we need to log.

device(config)# interface ethernet 1/1
device(config-if-e1000-1/1)# ip access-group Test in
device(config-if-e1000-1/1)# ip access-group enable-deny-logging


Running this command on an interface is one of the conditions for enabling logging of traffic denied by IPv4 ACLs applied to the interface. The other condition is the inclusion of the log parameter in rules within such ACLs.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Logging Example

[IPv4 Inbound ACL]
Dec 16 12:12:29:I:list test denied tcp 10.10.10.11(1024)(Ethernet 3/1 0000.0000.0010) - 10.20.20.1(1025), 27298224 event(s)
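Once these entries reach a Syslog collector, the useful work is extracting the fields and summing the "event(s)" counter per flow. The following Python parser is an added example, not vendor code: its pattern is derived from the single log line shown above, the UDP line and the unrelated system line in SAMPLE_LOG are constructed, and treating the port fields as optional (so entries without a port field still match) is an assumption, since the article shows a TCP entry only.

```python
"""Parse ACL deny-logging Syslog lines and aggregate denied events per flow.

Added example, not vendor code. The pattern follows the one log line shown in
the article; the second and third SAMPLE_LOG entries are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Format seen on the page:
#   Dec 16 12:12:29:I:list test denied tcp 10.10.10.11(1024)(Ethernet 3/1 0000.0000.0010) - 10.20.20.1(1025), 27298224 event(s)
DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}):(?P<sev>[A-Z]):"
    r"list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))?"   # port optional (assumption)
    r"\((?P<intf>[^)]*?) (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\) - "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?, "
    r"(?P<count>\d+) event\(s\)$"
)

SAMPLE_LOG: List[str] = [
    # Line taken from the article:
    "Dec 16 12:12:29:I:list test denied tcp 10.10.10.11(1024)(Ethernet 3/1 0000.0000.0010) - 10.20.20.1(1025), 27298224 event(s)",
    # Constructed: the same flow reported again after the timer expired.
    "Dec 16 12:17:29:I:list test denied tcp 10.10.10.11(1024)(Ethernet 3/1 0000.0000.0010) - 10.20.20.1(1025), 15 event(s)",
    # Constructed: a different source hitting the same deny rule over UDP.
    "Dec 16 12:18:02:I:list test denied udp 192.0.2.7(53412)(Ethernet 3/1 0000.0000.0020) - 10.20.20.1(161), 3 event(s)",
    # Constructed: unrelated message that must be ignored by the parser.
    "Dec 16 12:18:05:I:system: Interface ethernet 3/1, state up",
]

FlowKey = Tuple[str, str, str]  # acl, src, dst


def parse_deny_line(line: str) -> Optional[dict]:
    """Return the named fields of a deny-logging line, or None for other messages."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(lines) -> Dict[FlowKey, int]:
    """Sum the event(s) counters per (ACL, source, destination)."""
    totals: Dict[FlowKey, int] = defaultdict(int)
    for line in lines:
        rec = parse_deny_line(line)
        if rec is None:
            continue
        totals[(rec["acl"], rec["src"], rec["dst"])] += rec["count"]
    return dict(totals)


def top_sources(lines, threshold: int) -> List[Tuple[FlowKey, int]]:
    """Flows whose denied-event total reaches the threshold, largest first."""
    hits = [(k, v) for k, v in summarize(lines).items() if v >= threshold]
    return sorted(hits, key=lambda kv: -kv[1])


if __name__ == "__main__":
    for key, total in top_sources(SAMPLE_LOG, 1):
        print(key, total)
```

Because the device reports a counter rather than one line per packet, summing the counter is what gives a true picture of how much traffic a deny rule is absorbing.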

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Limitations
ACL Deny Logging is supported for the following:

  • IPv4 Inbound ACLs

  • IP Receive ACLs

ACL Deny Logging is not supported for the following:

  • ACL-based Rate Limiting

  • Policy Based Routing

  • IPv6 ACLs

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ACL not logging denied traffic?

Make sure the configuration does not hit any of the limitations above. We have seen scenarios in which the ACL was applied outbound; in that case no log entry is generated and no error message is shown.
