06-26-2009 10:22 AM - edited 03-06-2019 06:29 AM
Hi,
I am configuring a Cisco 3560 switch with IOS version 12.2(25r). I have
configured the following:
logging on
logging monitor informational
terminal monitor
access-list 101 deny ip any any log
But in my Telnet session I am not getting any log information (i.e. the
packets that are denied). I find it difficult to troubleshoot.
Please let me know what mistake I am making here?
Thanks in advance
06-26-2009 10:38 AM
ACLs are hardware assisted on switches so no logging mechanism is available since logging relies on the CPU for processing.
So, you aren't making any mistake, it's working as designed.
HTH,
__
Edison.
06-26-2009 10:50 AM
Hi Edison,
Thanks for your reply.
Then how do I troubleshoot on switches? I am in a maze trying to find out whether the packet is getting blocked or allowed.
How can I achieve this? I hope you will help me.
06-26-2009 11:01 AM
I checked the documentation and it seems the 3560 works slightly differently than the 6500 in this case, as the routing is done in hardware but ACLs are performed in software, thus I retract my previous statement.
The first packet that matches the ACL will be logged and 5 minutes later you will get another log with a match count.
Going back to your original post, are you generating any kind of traffic that is being denied by the ACL?
HTH,
__
Edison.
06-26-2009 11:47 AM
Yes Edison,
I am using an ACL that denies packets to the interface. I have all the ports in VLAN 1. The servers are connected to the switch on ports gig 0/0 to gig 0/24. The clients are on ports gig 0/47 & gig 0/48.
Now I am applying the ACL on ports gig 0/47 & 0/48 as "ip access-group 101 in" so that clients are allowed to access only certain TCP ports on the server.
Hope this gives some background on this scenario.
06-26-2009 12:22 PM
Can you see any log by typing show log, or are you unable to see the logs just during your Telnet session?
06-26-2009 01:48 PM
Are the ports you applied the ACL to routed or switched? You did say all ports are in VLAN 1. If that's the case you will need to apply the ACL to interface vlan1, otherwise it will never work.
06-27-2009 09:34 PM
Hi Kwillacey,
You rightly pointed it out. Yes, I am applying this ACL on a switched port and not on a routed port or SVI.
I am using a port ACL. Thanks in advance.
06-27-2009 09:29 PM
Hi Edison,
I am trying to see this in a Telnet session. By entering "show logs" no logs are shown other than link up/down status.
06-28-2009 09:27 AM
Hi all,
Any clues how to solve this?
06-29-2009 07:28 AM
I just checked and in order to see the logs, the 'ip access-group' command must be applied under a L3 interface.
So, you need to either change the switchport from L2 to L3 or place the 'ip access-group' under the L3 virtual interface.
HTH,
__
Edison.
06-29-2009 09:18 AM
Try logging to a syslog server if possible to see if it'll produce the logs you want.
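A worked configuration for the setup the thread converges on, added here as an example and not taken from any of the posts: the deny-with-log entry is applied as a router ACL on an SVI, with ACL log messages kept in the local buffer, shown on the vty session and forwarded to a syslog server. A router ACL on an SVI only sees traffic routed through that SVI, so the clients are moved to their own VLAN; otherwise client-to-server traffic inside VLAN 1 is switched at layer 2 and never reaches the ACL. VLAN numbers, addresses, interface names, the allowed server ports and the syslog host are assumptions.

```cisco
! Constructed example; VLAN 20, the addresses, the server ports and the syslog host are assumed.
! Enable routing so the SVIs route between the client and server VLANs.
ip routing
!
! Servers stay in VLAN 1; clients go to VLAN 20 so that client-to-server
! traffic is routed through the SVI where the router ACL (and its log keyword) applies.
vlan 20
 name CLIENTS
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group 101 in
!
interface range GigabitEthernet0/47 - 48
 switchport mode access
 switchport access vlan 20
!
! Permit only the allowed TCP ports on the server; everything else is denied and logged.
access-list 101 permit tcp 10.1.20.0 0.0.0.255 host 10.1.1.10 eq 22
access-list 101 permit tcp 10.1.20.0 0.0.0.255 host 10.1.1.10 eq 443
access-list 101 deny ip any any log
!
! ACL log messages (%SEC-6-IPACCESSLOGP and friends) are severity 6, informational,
! so every logging destination must accept that level. The vty session still
! needs 'terminal monitor' entered per session to display them.
logging buffered 65536 informational
logging monitor informational
logging trap informational
logging host 10.1.1.50
logging source-interface Vlan1
```

Check with show logging for the buffered copies: the first matching packet produces one message and later matches are summarised with a count at the interval mentioned earlier in the thread.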