01-25-2006 08:44 AM - edited 03-03-2019 01:34 AM
I am trying to debug a client's 3560 remotely, and - as I can't use a sniffer - am trying to trap packages with an ACL with ACE entries set to log hits. I have config'd the vtys with logging sync level 7, and set up monitor, but no soap. Counters do increment on the ACEs that are applied to the interface being monitored, and I get a message back saying configuration was modified, but no log messages. Anyone experienced this on these or similar switches?
01-25-2006 09:56 AM
Hi,
Enter in 'logging console 7' in global config mode and then 'term mon' in normal EXEC mode....
If that does not work, pls post the output of 'sh logging'
Hope that helps - pls rate the post if it does.
Paresh
01-25-2006 11:29 AM
Thanks - that didn't solve it unfortunately. As you requested, here is the stripped config. Thanks for the response and assist!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3560switch 1
!
enable password ********
!
no aaa new-model
ip subnet-zero
no ip domain-lookup
!
!
mls qos map cos-dscp 0 8 16 26 34 46 48 56
mls qos map ip-prec-dscp 0 8 16 26 34 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output dscp-map queue 1 threshold 3 46
mls qos srr-queue output dscp-map queue 2 threshold 2 24 26
mls qos queue-set output 1 threshold 2 70 80 100 100
mls qos
!
!
no file verify auto
!
mac access-list extended IPTPhones
permit xxxx.xxxx.0000 0000.0000.ffff any
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
class-map match-all VOICE-CONTROL
description VOICE Control
match access-group name VOICE-CONTROL
class-map match-all VOICE
description VOICE Bearer
match access-group name VOICE
class-map match-all VOICE-VLAN
match access-group name IPTPhones
!
!
policy-map Access-3560-LAN-EDGE-IN
class VOICE-VLAN
trust cos
!
!
interface FastEthernet0/1
switchport access vlan 3
switchport voice vlan 2
service-policy input Access-3560-LAN-EDGE-IN
duplex full
speed 100
srr-queue bandwidth share 1 70 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
mls qos trust ip-precedence
spanning-tree portfast
***Similar for other 47 FE ports *******
!
interface GigabitEthernet0/1
description to Distr Switch 1
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group testControl in
priority-queue out
mls qos trust dscp
!
interface GigabitEthernet0/2
description to second 3560 Switch
switchport trunk encapsulation dot1q
switchport mode trunk
priority-queue out
mls qos trust dscp
!
interface GigabitEthernet0/3
shutdown
!
interface GigabitEthernet0/4
shutdown
!
interface Vlan1
ip address x.x.x.x x.x.x.x
no ip route-cache
!
ip default-gateway x.x.x.x
ip classless
ip http server
!
ip access-list extended VOICE
remark Match VOICE Bearer
permit udp any any range 3462 3525
permit udp any range 3462 3525 any
ip access-list extended VOICE-CONTROL
remark Match VOICE Control
permit tcp any any range 60000 60032
permit udp any any range 3462 3525
permit udp any range 3462 3525 any
permit udp any any eq 3456
permit udp any any eq 3458
permit udp any any eq 3455
permit udp any any eq 4000
permit tcp any range 60000 60032 any
permit udp any eq 3456 any
permit udp any eq 3458 any
permit udp any eq 3455 any
permit udp any eq 4000 any
deny ip any any log
ip access-list extended testControl
permit ip any any dscp ef log
permit ip any any dscp cs3 log
permit ip any any dscp af31 log
permit udp any any range 3462 3525 log
permit udp any range 3462 3525 any log
permit tcp any any range 60000 60032 log
permit udp any any eq 3456 log
permit udp any any eq 3458 log
permit udp any any eq 3455 log
permit udp any any eq 4000 log
permit tcp any range 60000 60032 any log
permit udp any eq 3456 any log
permit udp any eq 3458 any log
permit udp any eq 3455 any log
permit udp any eq 4000 any log
permit ip any any log
!
!
control-plane
!
!
line con 0
logging synchronous
stopbits 1
line vty 0 15
session-timeout 60
exec-timeout 60 0
password ********
logging synchronous
no login
monitor
end
01-25-2006 12:50 PM
The problem is you CAN NOT log on a permit VACL, only on deny.
These restrictions apply to VACL logging:
Because of the rate-limiting function for redirected packets, VACL logging counters may not be accurate.
Only _denied_ IP packets are logged.
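One way to check a configuration for the condition the last reply describes, as an added example that is not part of any post in this thread: it lists every 'permit ... log' entry in an ACL bound to an interface with 'ip access-group', which by the restriction quoted above would increment counters without producing log messages. The function name audit_permit_log and the trimmed sample configuration are constructed for illustration.

```python
import re

# Constructed sample: a trimmed excerpt of the configuration posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 ip access-group testControl in
!
interface GigabitEthernet0/2
 switchport mode trunk
!
ip access-list extended VOICE-CONTROL
 permit udp any any eq 3456
 deny ip any any log
ip access-list extended testControl
 permit ip any any dscp ef log
 permit udp any any eq 3456 log
 permit ip any any log
"""

def audit_permit_log(config):
    """Return (interface, acl, ace) for each 'permit ... log' ACE in an
    ACL that is bound to an interface with 'ip access-group'."""
    bindings = []        # (interface, ACL name) pairs, in config order
    aces = {}            # ACL name -> list of its ACE lines
    iface = acl = None   # current config context (indentation may be lost)
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            iface = acl = None
        elif m := re.match(r"interface (\S+)", line):
            iface, acl = m.group(1), None
        elif m := re.match(r"ip access-list extended (\S+)", line):
            acl, iface = m.group(1), None
            aces[acl] = []
        elif iface and (m := re.match(r"ip access-group (\S+) (in|out)", line)):
            bindings.append((iface, m.group(1)))
        elif acl and re.match(r"(permit|deny)\s", line):
            aces[acl].append(line)
    findings = []
    for bound_iface, name in bindings:
        for ace in aces.get(name, []):
            tokens = ace.split()
            if tokens[0] == "permit" and {"log", "log-input"} & set(tokens):
                findings.append((bound_iface, name, ace))
    return findings

if __name__ == "__main__":
    for finding in audit_permit_log(SAMPLE_CONFIG):
        print("%s: ACL %s: %s" % finding)
```

The parser tracks context by keyword rather than indentation, so it also works on a configuration pasted with its leading spaces stripped, as in the post above.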