Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
334
Views
0
Helpful
3
Replies

Viewing ACL Log output via telnet sesion

d.calton
Level 1
Level 1

‎01-25-2006 08:44 AM - edited ‎03-03-2019 01:34 AM

I am trying to debug a client's 3560 remotely, and - as I can't use a sniffer - am trying to trap packages with an ACL with ACE entries set to log hits. I have config'd the vtys with logging sync level 7, and set up monitor, but no soap. Counters do increment on the ACEs that is applied to the interface being monitored, and I get a message back saying configuration was modified, but no log messages. Any one experienced this on these or similar switches?

Labels:
0 Helpful
3 Replies 3

pkhatri
Level 11
Level 11

‎01-25-2006 09:56 AM

Hi,

Enter in 'logging console 7' in global config mode and then 'term mon' in normal EXEC mode....

If that does not work, pls post the output of 'sh logging'

Hope that helps - pls rate the post if it does.

Paresh

0 Helpful

d.calton
Level 1
Level 1
In response to pkhatri

‎01-25-2006 11:29 AM

Thanks - that didn't solve it unfortunately. As you requested, here is the stripped config. Thanks for the response and assist!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname 3560switch 1

!

enable password ********

!

no aaa new-model

ip subnet-zero

no ip domain-lookup

!

!

mls qos map cos-dscp 0 8 16 26 34 46 48 56

mls qos map ip-prec-dscp 0 8 16 26 34 46 48 56

mls qos srr-queue output cos-map queue 1 threshold 3 5

mls qos srr-queue output cos-map queue 2 threshold 2 3

mls qos srr-queue output dscp-map queue 1 threshold 3 46

mls qos srr-queue output dscp-map queue 2 threshold 2 24 26

mls qos queue-set output 1 threshold 2 70 80 100 100

mls qos

!

!

no file verify auto

!

mac access-list extended IPTPhones

permit xxxx.xxxx.0000 0000.0000.ffff any

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

class-map match-all VOICE-CONTROL

description VOICE Control

match access-group name VOICE-CONTROL

class-map match-all VOICE

description VOICE Bearer

match access-group name VOICE

class-map match-all VOICE-VLAN

match access-group name IPTPhones

!

!

policy-map Access-3560-LAN-EDGE-IN

class VOICE-VLAN

trust cos

!

!

interface FastEthernet0/1

switchport access vlan 3

switchport voice vlan 2

service-policy input Access-3560-LAN-EDGE-IN

duplex full

speed 100

srr-queue bandwidth share 1 70 25 5

srr-queue bandwidth shape 3 0 0 0

priority-queue out

mls qos trust ip-precedence

spanning-tree portfast

***Similar for other 47 FE ports *******

!

interface GigabitEthernet0/1

description to Distr Switch 1

switchport trunk encapsulation dot1q

switchport mode trunk

ip access-group testControl in

priority-queue out

mls qos trust dscp

!

interface GigabitEthernet0/2

description to second 3560 Switch

switchport trunk encapsulation dot1q

switchport mode trunk

priority-queue out

mls qos trust dscp

!

interface GigabitEthernet0/3

shutdown

!

interface GigabitEthernet0/4

shutdown

!

interface Vlan1

ip address x.x.x.x x.x.x.x

no ip route-cache

!

ip default-gateway x.x.x.x

ip classless

ip http server

!

ip access-list extended VOICE

remark Match VOICE Bearer

permit udp any any range 3462 3525

permit udp any range 3462 3525 any

ip access-list extended VOICE-CONTROL

remark Match VOICE Control

permit tcp any any range 60000 60032

permit udp any any range 3462 3525

permit udp any range 3462 3525 any

permit udp any any eq 3456

permit udp any any eq 3458

permit udp any any eq 3455

permit udp any any eq 4000

permit tcp any range 60000 60032 any

permit udp any eq 3456 any

permit udp any eq 3458 any

permit udp any eq 3455 any

permit udp any eq 4000 any

deny ip any any log

ip access-list extended testControl

permit ip any any dscp ef log

permit ip any any dscp cs3 log

permit ip any any dscp af31 log

permit udp any any range 3462 3525 log

permit udp any range 3462 3525 any log

permit tcp any any range 60000 60032 log

permit udp any any eq 3456 log

permit udp any any eq 3458 log

permit udp any any eq 3455 log

permit udp any any eq 4000 log

permit tcp any range 60000 60032 any log

permit udp any eq 3456 any log

permit udp any eq 3458 any log

permit udp any eq 3455 any log

permit udp any eq 4000 any log

permit ip any any log

!

!

control-plane

!

!

line con 0

logging synchronous

stopbits 1

line vty 0 15

session-timeout 60

exec-timeout 60 0

password ********

logging synchronous

no login

monitor

end

0 Helpful

smilburn
Level 1
Level 1
In response to d.calton

‎01-25-2006 12:50 PM

The problem is you CAN NOT log on a permit VACL only on deny.

These restrictions apply to VACL logging:

•Because of the rate-limiting function for redirected packets, VACL logging counters may not be accurate.

•Only _denied_ IP packets are logged.

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a7e.html#wp1041783

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents