access-list port logging

I have an access-list that looks similar to this:

ip access-list extended TestACL
 deny ip 1.0.0.0 0.255.255.255 any log-input
 permit ip any any

When IOS logs hits against this ACL, it doesn't log the port numbers:

1568837: Aug 31 15:39:19.552 EDT: %SEC-6-IPACCESSLOGP: list TestACL denied tcp 1.196.74.245(0) (Serial0/0 ) -> 24.15.152.136(0), 1 packet


I realize this is by design to speed things up, and IOS is discarding the packet before even reading the port information. But how could I actually make it log the port numbers?


My ACL basically denies a lot of stuff and has a statement at the bottom allowing everything else.


Thanks pros!


Pari Thiagasundaram Fri, 08/31/2007 - 11:57

Try using an extended access list to deny the "tcp" packet that you are sending.


From what I see in the log ("denied tcp"), an extended ACL should help.

Richard Burts Fri, 08/31/2007 - 15:58

Nick


As you seem to acknowledge in your original post, if IOS is not checking port values then IOS cannot log port values using the log parameter in the ACL. If you want the ACL logging to report the port numbers then your ACL must have at least one line checking some TCP port values and at least one line checking some UDP port values. Without knowing more about what your ACL is doing I would suggest that your ACL might have lines like this:

deny tcp any any range 1 65535 log
deny udp any any range 1 65535 log


HTH


Rick
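As an added example (not code from the thread), a small Python parser for the %SEC-6-IPACCESSLOGP message format quoted in the question. It pulls out the ACL name, action, protocol, addresses, ports, interface and packet count, and flags hits where both ports are reported as (0), which is what IOS emits when the matching ACE did not inspect layer-4 ports. The first sample line is the one from the question; the other sample lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Matches an IOS %SEC-6-IPACCESSLOGP message (TCP/UDP ACL hits). The
# "(interface [mac])" group is only present when the ACE uses log-input.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>[^)]*)\))? -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def parse_acl_log(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line; return None if it is not an IPACCESSLOGP message."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    hit = m.groupdict()
    for key in ("sport", "dport", "count"):
        hit[key] = int(hit[key])
    # With log-input on a LAN interface IOS appends the source MAC; keep only the name.
    hit["iface"] = hit["iface"].split()[0] if hit["iface"] else None
    # IOS reports (0) for both ports when the matching ACE did not look at
    # layer-4 ports at all, which is exactly the situation in the question.
    hit["ports_known"] = not (hit["sport"] == 0 and hit["dport"] == 0)
    return hit


def hits_without_ports(lines: List[str]) -> List[Dict[str, object]]:
    """Return the parsed hits whose ACE logged no port information."""
    hits = (parse_acl_log(line) for line in lines)
    return [h for h in hits if h is not None and not h["ports_known"]]


# Constructed sample log: the first line is the one quoted in the question; the
# others are made up (RFC 5737 addresses) to show a port-aware ACE and noise.
SAMPLE_LOG = [
    "1568837: Aug 31 15:39:19.552 EDT: %SEC-6-IPACCESSLOGP: list TestACL denied tcp "
    "1.196.74.245(0) (Serial0/0 ) -> 24.15.152.136(0), 1 packet",
    "1568838: Aug 31 15:39:21.104 EDT: %SEC-6-IPACCESSLOGP: list TestACL denied tcp "
    "192.0.2.10(51234) (FastEthernet0/0 0012.3456.789a) -> 198.51.100.5(22), 3 packets",
    "1568839: Aug 31 15:39:22.000 EDT: %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    for hit in hits_without_ports(SAMPLE_LOG):
        print(f"{hit['acl']}: {hit['proto']} {hit['src']} -> {hit['dst']} on "
              f"{hit['iface']}: ports not logged (ACE does not check layer-4 ports)")
```

Running it over a real log export shows which ACL entries are matching without port checks, which is the cue to add port-aware deny lines as the answer above suggests.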
