Logging a specific port on a switch

Dec 14th, 2007

I have a server which is serving secure web pages. However, from time to time the websites stop responding, but the server is still working fine. This server only serves web pages for office members (i.e. it's an intranet, so no outside access is allowed).

I need to monitor the port of the server via my switch in order to see how many people access the site.

Am I correct in saying that I can set up an ACL to log access for port 443 and then apply it to the port the server connects to?



Jon Marshall Fri, 12/14/2007 - 04:19

Is it a layer 2 or 3 port?

If layer 3, yes, apply it in the outbound direction.

If layer 2, you need to apply it to the L3 interface for that subnet:


access-list 101 permit tcp any host "server ip" eq 443 log

access-list 101 permit ip any any

under the L3 interface

ip access-group 101 out
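
The `log` keyword on Jon's first ACL entry makes IOS emit a `%SEC-6-IPACCESSLOGP` syslog message for the first matching packet of a flow and then a per-flow packet summary at each logging interval, so the count of "people accessing the site" has to be reconstructed from those messages on the syslog server. The script below is an added example written for this thread, not code posted by any participant: it parses a few constructed syslog lines of that format, keeps only the ones for the server address and port 443 (the ACL number, addresses, hostnames and timestamps are made up), and totals logged packets per source, permitted and denied separately. It assumes the switch is sending its log to a syslog server and that the logged ACL entry actually sees the traffic, which is only the case when the clients reach the server through the L3 interface the ACL is applied to; an ACL on the SVI never sees traffic between hosts in the same VLAN. Note also that matching packets are punted to the CPU for logging and that IOS rate-limits and summarizes these messages, so the totals are counts of logged packets, not an exact hit count.

```python
import re
from collections import Counter

# Regex for the IOS ACL log message produced by the "log" keyword on an
# extended ACL entry (protocol-aware form, %SEC-6-IPACCESSLOGP).
# Shape (constructed example):
#   %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.20(51234) -> 10.1.1.10(443), 1 packet
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog lines, in the shape a switch sends them to a
# syslog server. Hostnames, addresses, sequence numbers and timestamps are
# made up; the port-80 line and the LINK message are there to be skipped.
SAMPLE_SYSLOG = """\
Dec 14 09:01:12 sw1 1234: Dec 14 09:01:11.220: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.20(51234) -> 10.1.1.10(443), 1 packet
Dec 14 09:01:15 sw1 1235: Dec 14 09:01:14.901: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.21(40002) -> 10.1.1.10(443), 1 packet
Dec 14 09:06:12 sw1 1236: Dec 14 09:06:11.220: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.20(51234) -> 10.1.1.10(443), 37 packets
Dec 14 09:06:30 sw1 1237: Dec 14 09:06:29.004: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.22(33001) -> 10.1.1.10(80), 1 packet
Dec 14 09:07:02 sw1 1238: Dec 14 09:07:01.110: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.99(1025) -> 10.1.1.10(443), 1 packet
Dec 14 09:07:05 sw1 1239: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
"""


def parse_acl_logs(text):
    """Yield one dict per IPACCESSLOGP line; any other syslog line is skipped."""
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["count"] = int(entry["count"])  # "1 packet" or "N packets"
            yield entry


def summarize(text, dst, dport, acl=None):
    """Total logged packets per source address towards dst:dport.

    Returns (permitted_by_source, denied_by_source) as Counters. Because the
    logger reports the first packet of a flow and then periodic summaries,
    the totals are counts of logged packets, not exact server hits.
    """
    permitted = Counter()
    denied = Counter()
    for e in parse_acl_logs(text):
        if e["dst"] != dst or e["dport"] != str(dport):
            continue
        if acl is not None and e["acl"] != acl:
            continue
        bucket = permitted if e["action"] == "permitted" else denied
        bucket[e["src"]] += e["count"]
    return permitted, denied


def distinct_clients(text, dst, dport, acl=None):
    """Sorted list of source addresses that were permitted to reach dst:dport."""
    permitted, _ = summarize(text, dst, dport, acl)
    return sorted(permitted)


if __name__ == "__main__":
    ok, bad = summarize(SAMPLE_SYSLOG, "10.1.1.10", 443, acl="101")
    print("distinct clients on 443:", len(ok))
    for src, n in ok.most_common():
        print(f"  {src:15} {n:6} packets logged")
    for src, n in bad.most_common():
        print(f"  {src:15} {n:6} packets denied")
```

Feed it the syslog file instead of `SAMPLE_SYSLOG` to get a per-client table for the real server; the `acl` argument keeps unrelated logged ACLs on the same box out of the count.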



willemvwyk Mon, 12/17/2007 - 21:51
Hi Jon

Thank you for the response :)

The problem is that the traffic doesn't traverse a layer 3 device (in this case a router). So it means the server is connected straight to the switch (port G1/0/2), and this specific port is what I am trying to monitor for traffic on port 443.



Kevin Dorrell Fri, 12/14/2007 - 04:56


It depends on the platform - each one has different limitations. For example, I have mainly 4500, and on this you can apply a layer-3/4 access list on a layer-2 switchport, with certain complicated restrictions, which I shall try and outline for you. In this context, they are known as "Port ACLs" or PACL. You can find the full text in


The rules for a 4500 are, briefly:

1. You can only have one layer-3 ACL in each direction on any particular port.

2. There is generally no restriction on output PACLs

3. You cannot have an input PACL and a VLAN map on its VLAN at the same time. (If you try and put both, there are commands to determine which takes precedence.)

4. You cannot have an input ACL on a switchport, and an input ACL on the SVI of its VLAN.

See also http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25ewa/configuration/guide/secure.html#wp1071413

I have used layer-3/4 IP input PACLs quite successfully, even on a trunk switchport interface.

Kevin Dorrell


willemvwyk Mon, 12/17/2007 - 21:55
Hi Kevin

Thank you for your help :) The device I am using is a 3750, although I am reading through the URLs as they contain interesting points.

Do you think using a mac acl in my case will be useful?

As I mentioned to Jon, the web server is directly connected to the switch port. On this switch port I need to check for traffic on port 443.

Thank you


Kevin Dorrell Mon, 12/17/2007 - 23:45


I don't think a MAC ACL will help in this case because, AFAIK, MAC ACLs apply only to non-IP traffic. (I do know, however, that there are people on this board who disagree with me on that interpretation of the docs. So you could try it if you want to experiment.)


"After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface."

Sadly, it seems that the 3750 does not support those PACLs I was telling you about. The best it can offer for your purposes, I think, is a VLAN access-map, or VACL. This will filter at layer-3 on the layer-2 bridge, but over the entire VLAN rather than on a single port. But I guess you could get what you want by carefully designing the ACL. Here is the reference:


Kevin Dorrell


willemvwyk Wed, 12/19/2007 - 00:46
Hi Kevin,

Thank you for your assistance :) I had a look at the MAC ACLs on the 3750 yesterday. They do not filter by port traffic (i.e. all traffic on port 443). So that has limited my options even more.

I am reading through your URLs and will see if I can create anything from them.

Thank you for all your help :)



Danilo Dy Thu, 12/20/2007 - 07:11


What web server/service are you running (IIS, Apache, iPlanet) and in what platform (Windows, UNIX, LINUX, AIX)?

There are utilities on the internet to convert the logs and sort by the source IP address and the port (i.e. 443) they are trying to access.

Check also the configured maximum number of concurrent connections of your web server/service. Anything else, it sounds like a DDoS which brings down the web server/service but not the server.
