3560 and logs

Unanswered Question
Jun 26th, 2009

Hi,

I am configuring a Cisco 3560 switch with IOS version 12.2 (25r). I have configured the following:

    logging on
    logging monitor informational
    terminal monitor
    access-list 101 deny ip any any log

But in my telnet session I am not getting any log information (i.e., the packets that are denied). I find it difficult to troubleshoot.

Please let me know what mistake I am making here?

thanks in advance

Edison Ortiz Fri, 06/26/2009 - 10:38

ACLs are hardware assisted on switches so no logging mechanism is available since logging relies on the CPU for processing.

So, you aren't making any mistake, it's working as designed.

HTH,

__

Edison.

hclisschennai Fri, 06/26/2009 - 10:50

Hi Edison,

Thanks for your reply.

Then how to troubleshoot in switches? I am in a maze trying to find out whether the packet is getting blocked / allowed.

How to achieve this? Hope you will help me

Edison Ortiz Fri, 06/26/2009 - 11:01

I checked the documentation and it seems the 3560 works slightly differently than the 6500 in this case, as the routing is done in hardware but ACLs are performed in software, thus I retract my previous statement.

The first packet that matches the ACL will be logged and 5 minutes later you will get another log with a match count.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swacl.html#wp1667318

Going back to your original post, are you generating any kind of traffic that is being denied by the ACL?

HTH,

__

Edison.

hclisschennai Fri, 06/26/2009 - 11:47

Yes Edison,

I am using ACL that denies the packet to the interface. I have all the ports in VLAN 1. The servers are connected to switch in ports gig 0/0 to gig 0/24. The clients are in ports gig 0/47 & gig 0/48

Now I am applying the ACL in port gig 0/47 & 0/48 as "ip access-group 101 in" so that clients are allowed to access only certain TCP ports in the server.

Hope this gives some background of this scenario

Edison Ortiz Fri, 06/26/2009 - 12:22

Can you see any log by typing show log or you are unable to see the logs just during your telnet session?

kwillacey Fri, 06/26/2009 - 13:48

Are the ports you applied the ACL to routed or switched? Because you did say all ports are in VLAN 1. If that's the case you will need to apply the ACL to interface vlan1, otherwise it will never work.

hclisschennai Sat, 06/27/2009 - 21:34

Hi Kwillacey,

You rightly pointed out. Yes, I am applying this ACL in switched port and not in routed port or SVI.

I am using port ACL. Thanks in advance

hclisschennai Sat, 06/27/2009 - 21:29

Hi Edison,

I am trying to see this in a TELNET session. By entering "show logs", no logs are shown other than link up/down status.

Edison Ortiz Mon, 06/29/2009 - 07:28

I just checked and in order to see the logs, the 'ip access-group' command must be applied under a L3 interface.

So, you need to either change the switchport from L2 to L3 or place the 'ip access-group' under the L3 virtual interface.

HTH,

__

Edison.

wil_amaya Mon, 06/29/2009 - 09:18

Try logging to a syslog server, if possible, to see if it'll produce the logs you want.
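To put Edison's two placement options and the syslog suggestion side by side, here is an added IOS configuration sketch; it is not from any post in this thread. The interface numbers follow the original poster (clients on Gi0/47 and Gi0/48), while the IP addresses, the permitted server port and the syslog collector address are constructed placeholders. The three interface stanzas are alternatives shown together for comparison, not one configuration to paste as a whole.

```cisco
! Added example, not from the thread. Interface numbers follow the posts
! (clients on Gi0/47-48); addresses and the permitted port are placeholders.

! --- Logging setup as posted (kept) ---
logging on
logging monitor informational
terminal monitor

! --- Optional: also send to a syslog collector (assumed address) ---
logging host 10.1.1.250
logging trap informational

! --- ACL: permit only the service ports the clients need, log the rest ---
! (the permit line is an assumption; the thread only shows the deny)
access-list 101 permit tcp any host 10.1.1.10 eq 80
access-list 101 deny ip any any log

! --- As posted: port ACL on an L2 switchport -> no log messages seen ---
interface GigabitEthernet0/47
 switchport
 switchport access vlan 1
 ip access-group 101 in

! --- Option A: make the client port a routed (L3) port and apply there ---
! The port then needs its own subnet; clients behind it are no longer
! L2-adjacent to the servers in VLAN 1.
interface GigabitEthernet0/47
 no switchport
 ip address 10.1.47.1 255.255.255.0
 ip access-group 101 in

! --- Option B: apply under the L3 virtual interface (SVI) ---
! A router ACL on an SVI is evaluated only for traffic routed through it,
! so it will not see client-to-server frames that stay inside VLAN 1.
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
```

With either L3 placement, a first match produces a %SEC-6-IPACCESSLOG message (IPACCESSLOGP for TCP/UDP, naming the list, source and destination) and, as Edison notes, a follow-up message with the match count about five minutes later; `show logging` shows the same messages the telnet session receives with `terminal monitor`. The caveat on Option B matters for this thread's topology: because clients and servers share VLAN 1, their traffic is bridged, so only Option A (or a VLAN-level filter, which the thread does not discuss) actually sees it.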
