Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

"Log" word on ACL only producing port 0

I have been tasked with securing a SCADA LAN with many devices/app's that need to talk outside of this subnet. I thought that an easy way to build the ACL would be to use an ACL like "permit ip any any log" and then slowly add the lines as they appear in the logs. The problem is that this list only produces statements in the logs that show IP and protocol and not port. See below:

SEC-6-IPACCESSLOGP: list 100 permitted udp a.b.c.d(0) -> 224.0.6.127(0)

I tuned it further by doing this:

permit udp any any log

permit tcp any any log

This had the exact same results. Only port 0.

This is on a 1760 router running 123-7.T9

Can anyone tell me what I am doing wrong? Maybe it is just not possible to do this with a permit statement?

TIA

3 REPLIES
Silver

Re: "Log" word on ACL only producing port 0

The log keyword, causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets.

When access lists are configured with the log-input keyword, tcp/udp ports are only displayed when the processing of the access lists requires the port number to be extracted for comparison. If the port is not required, the log messages will display 0 as the port number. The log is expected to report the port number if and only if a port number is mentioned in the ACL.

Gold

Re: "Log" word on ACL only producing port 0

Hugh,

Expanding on what Thomas said, try this:

permit udp any range 0 65535 any range 0 65535 log

permit tcp any range 0 65535 any range 0 65535 log

This will put TCP and UDP port numbers into your logged output. (Range 0 65535 covers all possible port numbers).

New Member

Re: "Log" word on ACL only producing port 0

Thanks for the replies guys. The TAC said the reason that the port numbers weren't showing up was because I did not have any port numbers in the same statement as the log. Putting in just one port number, even if it is a port you will never use, acts like a switch and activates port number display for everything.

212
Views
0
Helpful
3
Replies
CreatePlease login to create content