AP1242 does not log access-list match

t.fiala
Level 1

I have tried ip access-list extended with "log" option. Filtering works well but nothing is logged. My AP is AIR-AP1242AG-E-K9 IOS Version 12.3(7)JA1

What could be wrong?

3 Replies

thomas.chen
Level 6

Which command did you try to check the logs? Did you see hits in the "show access-list" command?

Yes, "show access-list" displays the number of hits.

But "show log" does not display it and nothing is transmitted to syslog. I suppose this feature is not implemented well or not at all. It is not mentioned in the configuration guide - it is probably significant. I can configure the "log" keyword in a statement, but it is missing from the configuration at the time it should be of use. See example:

cw-dp#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cw-dp(config)#no ip access-list extended ip-acl-working
cw-dp(config)#ip access-list extended ip-acl-working
cw-dp(config-ext-nacl)#permit udp any any eq bootps
cw-dp(config-ext-nacl)#permit ip host 10.126.104.2 any
cw-dp(config-ext-nacl)#permit ip host 10.126.104.4 any log
cw-dp(config-ext-nacl)#deny ip any any log
cw-dp(config-ext-nacl)#end
cw-dp#sh access-list ip-acl-working
Extended IP access list ip-acl-working
    10 permit udp any any eq bootps
    20 permit ip host 10.126.104.2 any (10 matches)
    30 permit ip host 10.126.104.4 any (9 matches)
    40 deny ip any any
cw-dp#

The "log" keywords remain in the configuration until there is a match which should be logged. Then all the "log" keywords disappear.

Do you know where the following "sl_def_acl" is located?

Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit ip any any log

It is listed by the command "show access-lists" but is not included in the configuration listed by "show configuration".

Regards, Tom

P.S. Thanks for your answer and sorry for delay, I was too busy.

I am having this same issue even with the newest code. I have the ACL on a dot11radio0 sub-interface restricting inbound traffic. I need to be able to see the ports being attempted but not in the ACL so that I can add them to the ACL, and cannot because the log statement disappears from the config. "Show access-lists" will indicate that the "deny ip any any" rule is denying packets, but does not log them. This is a "feature" I'm guessing? Has anyone opened a case with TAC on this?
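Since the thread establishes that "show access-lists" does count matches even though nothing reaches "show log" or syslog, one defensive workaround is to poll that output and diff the per-ACE counters between snapshots. The script below is an added example and is not from the thread or from Cisco; it parses the "Extended IP access list" format shown in Tom's output and reports which entries, and in particular which deny entries, accumulated hits. The two snapshots are constructed sample text, not real AP output, and the ACL name and counter values in them are assumptions for illustration. Note the limitation the last poster raises: counters tell you that the final "deny ip any any" fired, not which ports were attempted, so this only narrows down when and how often traffic is being dropped.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two "show access-lists" snapshots taken some time apart,
# modelled on the output format quoted in the thread (values are made up).
SNAPSHOT_BEFORE = """\
Extended IP access list ip-acl-working
    10 permit udp any any eq bootps
    20 permit ip host 10.126.104.2 any (10 matches)
    30 permit ip host 10.126.104.4 any (9 matches)
    40 deny ip any any
"""

SNAPSHOT_AFTER = """\
Extended IP access list ip-acl-working
    10 permit udp any any eq bootps (2 matches)
    20 permit ip host 10.126.104.2 any (14 matches)
    30 permit ip host 10.126.104.4 any (9 matches)
    40 deny ip any any (7 matches)
"""

ACL_HEADER = re.compile(r"^Extended IP access list (\S+)")
# seq, action, rule text, optional "(N matches)" suffix
ACE_LINE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")

# {acl_name: {seq: (action, rule_text, match_count)}}
AclTable = Dict[str, Dict[int, Tuple[str, str, int]]]


def parse_access_lists(text: str) -> AclTable:
    """Parse 'show access-lists' text into a nested dict keyed by ACL name and sequence number."""
    acls: AclTable = {}
    current = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = {}
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            seq = int(ace.group(1))
            action = ace.group(2)
            rule = ace.group(3).strip()
            # An ACE with no "(N matches)" suffix has simply never matched.
            matches = int(ace.group(4)) if ace.group(4) else 0
            acls[current][seq] = (action, rule, matches)
    return acls


def counter_deltas(before: AclTable, after: AclTable) -> List[Tuple[str, int, str, str, int]]:
    """Return (acl, seq, action, rule, delta) for every ACE whose counter grew between snapshots."""
    grown = []
    for acl, entries in after.items():
        prev = before.get(acl, {})
        for seq, (action, rule, count) in sorted(entries.items()):
            prev_count = prev.get(seq, (None, None, 0))[2]
            delta = count - prev_count
            if delta > 0:
                grown.append((acl, seq, action, rule, delta))
    return grown


def denied_growth(before: AclTable, after: AclTable) -> List[Tuple[str, int, str, str, int]]:
    """Only the deny entries that fired: these are the drops the 'log' keyword should have reported."""
    return [g for g in counter_deltas(before, after) if g[2] == "deny"]


if __name__ == "__main__":
    before = parse_access_lists(SNAPSHOT_BEFORE)
    after = parse_access_lists(SNAPSHOT_AFTER)
    for acl, seq, action, rule, delta in counter_deltas(before, after):
        print(f"{acl} seq {seq}: {action} {rule} (+{delta} matches)")
    for acl, seq, action, rule, delta in denied_growth(before, after):
        print(f"DROPPED by {acl} seq {seq} ({rule}): {delta} new packets since last poll")
```

In practice the two snapshots would be captured over SSH or a console session at an interval and fed to parse_access_lists; an alert on denied_growth is the closest substitute for the missing syslog entries that the thread describes.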
