Cisco Support Community

New Member

3560 and logs

Hi,

I am configuring a CISCO 3560 Switch with IOS version 12.2 (25r). I have configured the following:

logging on
logging monitor informational
terminal monitor
access-list 101 deny ip any any log

But in my telnet session I am not getting any log information (i.e. the packets that are denied). I find it difficult to troubleshoot.

Please let me know what mistake I am making here?

thanks in advance

11 REPLIES
Hall of Fame Super Bronze

Re: 3560 and logs

ACLs are hardware assisted on switches so no logging mechanism is available since logging relies on the CPU for processing.

So, you aren't making any mistake, it's working as designed.

HTH,

__

Edison.

New Member

Re: 3560 and logs

Hi Edison,

Thanks for your reply.

Then how to troubleshoot in switches? I am in a maze trying to find out whether the packet is getting blocked / allowed.

How to achieve this? Hope you will help me

Hall of Fame Super Bronze

Re: 3560 and logs

I checked the documentation and it seems the 3560 works slightly differently from the 6500 in this case, as the routing is done in hardware but ACLs are performed in software, thus I retract my previous statement.

The first packet that matches the ACL will be logged and 5 minutes later you will get another log with a match count.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swacl.html#wp1667318

Going back to your original post, are you generating any kind of traffic that is being denied by the ACL?

HTH,

__

Edison.

New Member

Re: 3560 and logs

Yes Edison,

I am using ACL that denies the packet to the interface. I have all the ports in VLAN 1. The servers are connected to switch in ports gig 0/0 to gig 0/24. The clients are in ports gig 0/47 & gig 0/48

Now I am applying the ACL in port gig 0/47 & 0/48 as "ip access-group 101 in" so that clients are allowed to access only certain TCP ports in the server.

Hope this gives some background of this scenario

Hall of Fame Super Bronze

Re: 3560 and logs

Can you see any log by typing show log, or are you unable to see the logs just during your telnet session?

New Member

Re: 3560 and logs

Are the ports you applied the ACL to routed or switched? Because you did say all ports are in VLAN 1. If that's the case you will need to apply the ACL to interface vlan1, otherwise it will never work.

New Member

Re: 3560 and logs

Hi Kwillacey,

You rightly pointed out. Yes, I am applying this ACL in switched port and not in routed port or SVI.

I am using port ACL. Thanks in advance

New Member

Re: 3560 and logs

Hi Edison,

I am trying to see this in TELNET session. By entering "show logs" no logs are shown other than link up/down status

New Member

Re: 3560 and logs

Hi all,

Any clues how to solve this?

Hall of Fame Super Bronze

Re: 3560 and logs

I just checked and in order to see the logs, the 'ip access-group' command must be applied under a L3 interface.

So, you need to either change the switchport from L2 to L3 or place the 'ip access-group' under the L3 virtual interface.

HTH,

__

Edison.

New Member

Re: 3560 and logs

Try logging to a syslog server if possible to see if it'll produce the logs you want.
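The thread's conclusion in configuration form, as an added example that is not part of any post above: the original port ACL on the Layer 2 switchport beside the same ACL moved to a Layer 3 interface, plus a syslog destination as the last reply suggests. Interface names, the VLAN number and access-list 101 come from the thread; the permit line, IP addresses and syslog server address are constructed placeholders.

```ios
! Added example, not from any post in this thread.
! On the 3560 the 'log' keyword on a port ACL (Layer 2 switchport) produces no syslog
! entries; the 'ip access-group' command must sit under a Layer 3 interface to be logged.
!
! --- Original: port ACL on a Layer 2 switchport. Denies are enforced but never logged ---
! (the permit line is a constructed placeholder for "only certain TCP ports")
access-list 101 permit tcp any any eq 80
access-list 101 deny ip any any log
!
interface GigabitEthernet0/47
 switchport access vlan 1
 ip access-group 101 in
!
! --- Option A: remove the port ACL and apply it as a router ACL on the Vlan 1 SVI ---
interface GigabitEthernet0/47
 no ip access-group 101 in
!
interface Vlan1
 ! constructed address from the RFC 5737 documentation range
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
! --- Option B: convert the client port to a routed (Layer 3) port and apply it there ---
interface GigabitEthernet0/47
 no switchport
 ! constructed address
 ip address 192.0.2.129 255.255.255.128
 ip access-group 101 in
!
! --- Keep the messages beyond the telnet session: local buffer plus a syslog server ---
! (check the buffer with 'show logging'; 'logging monitor' and 'terminal monitor'
!  were already set in the original post and only affect the live terminal)
logging buffered 16384 informational
logging trap informational
! constructed syslog server address
logging host 192.0.2.50
```

A router ACL on interface Vlan1 only filters traffic routed into or out of VLAN 1; with the clients and servers all in VLAN 1, their traffic is bridged and never reaches that ACL, so Option B (or placing the clients in a separate VLAN) is what actually enforces and logs the policy for this topology.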
