Cisco Support Community

New Member

access-list port logging

I have an access-list that looks similar to this:

ip access-list extended TestACL

deny ip any any log-input

permit ip any any

When IOS logs hits against this ACL, it doesn't log the port numbers:

1568837: Aug 31 15:39:19.552 EDT: %SEC-6-IPACCESSLOGP: list TestACL denied tcp (Serial0/0 ) ->, 1 packet

I realize this is by design to speed things up, and IOS is discarding the packet before even reading the port information. But how could I actually make it log the port numbers?

My ACL basically denies a lot of stuff and has a statement at the bottom allowing everything else.

Thanks pros!


Re: access-list port logging

Try using an extended access list to deny the "tcp" packet that you are sending.

From what I see in the log ("denied tcp"), an extended ACL should help.

New Member

Re: access-list port logging

This ACL has about 60 lines, all using "deny ip". I need to not only block tcp, but also udp, icmp, and every other IP protocol. Is there any other way this could be accomplished? I'd like to still block all IP protocols, but also get the port info when logged.

Hall of Fame Super Silver

Re: access-list port logging


As you seem to acknowledge in your original post, if IOS is not checking port values then IOS cannot log port values using the log parameter in the ACL. If you want the ACL logging to report the port numbers then your ACL must have at least one line checking some TCP port values and at least one line checking some UDP port values. Without knowing more about what your ACL is doing, I would suggest that your ACL might have lines like this:

deny tcp any any range 1 65535 log

deny udp any any range 1 65535 log
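The catch-all ACL reworked along the lines of that reply, as an added example that is not from the thread or from Cisco documentation; the name TestACL and the log-input keyword come from the question, and the ordering (protocol-specific denies first, the deny ip catch-all last among the denies) is this example's assumption.

```cisco
! Added example, not the original poster's configuration.
ip access-list extended TestACL
 ! Port-checking lines go first. "range 1 65535" matches every destination
 ! port, so TCP and UDP are still denied in full, but because the entry
 ! checks ports IOS evaluates Layer 4 and the %SEC-6-IPACCESSLOGP message
 ! carries the port numbers.
 deny tcp any any range 1 65535 log-input
 deny udp any any range 1 65535 log-input
 ! ICMP has no ports; IOS logs type/code for it (%SEC-6-IPACCESSLOGDP).
 deny icmp any any log-input
 ! Catch-all for every other IP protocol. Non-initial fragments carry no
 ! Layer 4 header, so they fall through the port-checking lines to here.
 deny ip any any log-input
 permit ip any any
```

Keep the existing deny ip lines below the new tcp/udp lines, otherwise the catch-all still matches first and the log entries stay port-less.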