Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Viewing ACL Log output via telnet sesion

I am trying to debug a client's 3560 remotely, and - as I can't use a sniffer - am trying to trap packages with an ACL with ACE entries set to log hits. I have config'd the vtys with logging sync level 7, and set up monitor, but no soap. Counters do increment on the ACEs that is applied to the interface being monitored, and I get a message back saying configuration was modified, but no log messages. Any one experienced this on these or similar switches?

  • Other Network Infrastructure Subjects
3 REPLIES
Purple

Re: Viewing ACL Log output via telnet sesion

Hi,

Enter in 'logging console 7' in global config mode and then 'term mon' in normal EXEC mode....

If that does not work, pls post the output of 'sh logging'

Hope that helps - pls rate the post if it does.

Paresh

New Member

Re: Viewing ACL Log output via telnet sesion

Thanks - that didn't solve it unfortunately. As you requested, here is the stripped config. Thanks for the response and assist!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname 3560switch 1

!

enable password ********

!

no aaa new-model

ip subnet-zero

no ip domain-lookup

!

!

mls qos map cos-dscp 0 8 16 26 34 46 48 56

mls qos map ip-prec-dscp 0 8 16 26 34 46 48 56

mls qos srr-queue output cos-map queue 1 threshold 3 5

mls qos srr-queue output cos-map queue 2 threshold 2 3

mls qos srr-queue output dscp-map queue 1 threshold 3 46

mls qos srr-queue output dscp-map queue 2 threshold 2 24 26

mls qos queue-set output 1 threshold 2 70 80 100 100

mls qos

!

!

no file verify auto

!

mac access-list extended IPTPhones

permit xxxx.xxxx.0000 0000.0000.ffff any

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

class-map match-all VOICE-CONTROL

description VOICE Control

match access-group name VOICE-CONTROL

class-map match-all VOICE

description VOICE Bearer

match access-group name VOICE

class-map match-all VOICE-VLAN

match access-group name IPTPhones

!

!

policy-map Access-3560-LAN-EDGE-IN

class VOICE-VLAN

trust cos

!

!

interface FastEthernet0/1

switchport access vlan 3

switchport voice vlan 2

service-policy input Access-3560-LAN-EDGE-IN

duplex full

speed 100

srr-queue bandwidth share 1 70 25 5

srr-queue bandwidth shape 3 0 0 0

priority-queue out

mls qos trust ip-precedence

spanning-tree portfast

***Similar for other 47 FE ports *******

!

interface GigabitEthernet0/1

description to Distr Switch 1

switchport trunk encapsulation dot1q

switchport mode trunk

ip access-group testControl in

priority-queue out

mls qos trust dscp

!

interface GigabitEthernet0/2

description to second 3560 Switch

switchport trunk encapsulation dot1q

switchport mode trunk

priority-queue out

mls qos trust dscp

!

interface GigabitEthernet0/3

shutdown

!

interface GigabitEthernet0/4

shutdown

!

interface Vlan1

ip address x.x.x.x x.x.x.x

no ip route-cache

!

ip default-gateway x.x.x.x

ip classless

ip http server

!

ip access-list extended VOICE

remark Match VOICE Bearer

permit udp any any range 3462 3525

permit udp any range 3462 3525 any

ip access-list extended VOICE-CONTROL

remark Match VOICE Control

permit tcp any any range 60000 60032

permit udp any any range 3462 3525

permit udp any range 3462 3525 any

permit udp any any eq 3456

permit udp any any eq 3458

permit udp any any eq 3455

permit udp any any eq 4000

permit tcp any range 60000 60032 any

permit udp any eq 3456 any

permit udp any eq 3458 any

permit udp any eq 3455 any

permit udp any eq 4000 any

deny ip any any log

ip access-list extended testControl

permit ip any any dscp ef log

permit ip any any dscp cs3 log

permit ip any any dscp af31 log

permit udp any any range 3462 3525 log

permit udp any range 3462 3525 any log

permit tcp any any range 60000 60032 log

permit udp any any eq 3456 log

permit udp any any eq 3458 log

permit udp any any eq 3455 log

permit udp any any eq 4000 log

permit tcp any range 60000 60032 any log

permit udp any eq 3456 any log

permit udp any eq 3458 any log

permit udp any eq 3455 any log

permit udp any eq 4000 any log

permit ip any any log

!

!

control-plane

!

!

line con 0

logging synchronous

stopbits 1

line vty 0 15

session-timeout 60

exec-timeout 60 0

password ********

logging synchronous

no login

monitor

end

New Member

Re: Viewing ACL Log output via telnet sesion

The problem is you CAN NOT log on a permit VACL only on deny.

These restrictions apply to VACL logging:

•Because of the rate-limiting function for redirected packets, VACL logging counters may not be accurate.

•Only _denied_ IP packets are logged.

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a7e.html#wp1041783

148
Views
0
Helpful
3
Replies
This widget could not be displayed.