I am configuring a Cisco 3560 switch with IOS version 12.2(25r). I have
configured the following:
logging monitor informational
access-list 101 deny ip any any log
But in my telnet session I am not getting any log information (i.e. the
packets that are denied). I find it difficult to troubleshoot.
Please let me know what mistake I am making here?
Thanks in advance.
ACLs are hardware-assisted on switches, so no logging mechanism is available, since logging relies on the CPU for processing.
So, you aren't making any mistake; it's working as designed.
Thanks for your reply.
Then how do I troubleshoot on switches? I am in a maze trying to find out whether the packet is getting blocked or allowed.
How do I achieve this? Hope you will help me.
I checked the documentation and it seems the 3560 works slightly differently from the 6500 in this case, as the routing is done in hardware but ACLs are performed in software, thus I retract my previous statement.
The first packet that matches the ACL will be logged and 5 minutes later you will get another log with a match count.
Going back to your original post, are you generating any kind of traffic that is being denied by the ACL?
I am using an ACL that denies the packets on the interface. I have all the ports in VLAN 1. The servers are connected to the switch on ports gig 0/0 to gig 0/24. The clients are on ports gig 0/47 & gig 0/48.
Now I am applying the ACL on ports gig 0/47 & 0/48 as "ip access-group 101 in" so that clients are allowed to access only certain TCP ports on the server.
Hope this gives some background on this scenario.
Are the ports you applied the ACL to routed or switched? Because you did say all ports are in VLAN 1. If that's the case you will need to apply the ACL to interface vlan1, otherwise it will never work.
You rightly pointed out. Yes, I am applying this ACL on a switched port and not on a routed port or SVI.
I am using a port ACL. Thanks in advance.
I just checked and in order to see the logs, the 'ip access-group' command must be applied under a L3 interface.
So, you need to either change the switchport from L2 to L3 or place the 'ip access-group' under the L3 virtual interface.
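The two placements discussed in this thread, written out as a constructed configuration (an added example, not posted by anyone above): the port ACL on the L2 switchport, which produces no log output, beside the same ACL moved to the VLAN 1 SVI. The interface names, VLAN and ACL number come from the thread; the permit line, the SVI address and the `terminal monitor` line are assumptions added here.

```cisco
! Constructed example: ACL 101 as described in the thread (deny-all with log).
! The permit entry for an allowed server port is an assumed placeholder and
! must precede the deny entry, since entries are evaluated top down.
access-list 101 permit tcp any any eq 80
access-list 101 deny ip any any log
!
! --- Placement 1: port ACL on the L2 switchport (no log messages) ---
interface GigabitEthernet0/47
 switchport mode access
 switchport access vlan 1
 ip access-group 101 in
!
! --- Placement 2: router ACL on the L3 SVI for VLAN 1 (log messages) ---
interface GigabitEthernet0/47
 switchport mode access
 switchport access vlan 1
 no ip access-group 101 in
!
interface Vlan1
 ! Assumed address from the RFC 5737 documentation range.
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
! Severity informational (level 6) lets the ACL match messages reach the
! terminal lines, as in the original post.
logging monitor informational
!
! Exec-mode command, typed in the telnet/vty session itself: without it,
! monitor-level messages are not delivered to a non-console session.
terminal monitor
```

Independently of logging, `show access-lists 101` prints a per-entry match counter, which confirms whether packets are hitting the deny entry even when no log line reaches the terminal.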