Logging Extended Access Control List Activity; Access Control List Logging Overview - Cisco Catalyst 6500 Series Configuration Manual

FWSM/contexta(config)# access-list OUT remark - this is the inside admin address
FWSM/contexta(config)# access-list OUT extended permit ip host 209.168.200.3 any
FWSM/contexta(config)# access-list OUT remark - this is the hr admin address
FWSM/contexta(config)# access-list OUT extended permit ip host 209.168.200.4 any

Logging Extended Access Control List Activity
This section describes how to configure ACL logging, and includes the following topics:

Access Control List Logging Overview, page 10-26
Configuring Logging for an Access Control Entry, page 10-27
Managing Deny Flows, page 10-28

Access Control List Logging Overview

By default, when traffic is denied by an extended ACE, the FWSM generates system message 106023
for each denied packet, in the following form:

%FWSM-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id

If the FWSM is attacked, the number of system messages for denied packets can be very large. We
recommend that you instead enable logging using system message 106100, which provides statistics for
each ACE and lets you limit the number of system messages produced. Alternatively, you can disable all
logging.
Note: Only ACEs in the ACL generate logging messages; the implicit deny at the end of the ACL does not
generate a message. If you want all denied traffic to generate messages, add the implicit ACE manually
to the end of the ACL, as follows:
FWSM/contexta(config)# access-list TEST deny ip any any log
The log options at the end of the extended access-list command allow you to set the following behavior:

Enable message 106100 instead of message 106023
Disable all logging
Return to the default logging using message 106023

System message 106100 is in the following form:

%FWSM-n-106100: access-list acl_id {permitted | denied} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval})

When you enable logging for message 106100, if a packet matches an ACE, the FWSM creates a
flow entry to track the number of packets received within a specific interval. The FWSM generates a
system message at the first hit and at the end of each interval, identifying the total number of hits during
the interval. At the end of each interval, the FWSM resets the hit count to 0. If no packets match the ACE
during an interval, the FWSM deletes the flow entry.
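As an added example (not code from the guide), the following Python parser handles the two message formats described above, normalizes both into one record, and sums denied hits per source address, so that a per-packet 106023 stream and a per-interval 106100 stream can be compared. The sample lines are constructed (documentation addresses, hypothetical interface names) and the "first hit" message reports interval_secs as None because the format carries no interval on that message.

```python
import re
from typing import Optional

# Per-packet deny message 106023, in the form shown in the guide (access_group and access-group both accepted)
RE_106023 = re.compile(
    r'%FWSM-\d-106023: Deny (?P<proto>\S+) src (?P<sif>[^:\s]+):(?P<sip>[^/\s]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dif>[^:\s]+):(?P<dip>[^/\s]+)(?:/(?P<dport>\d+))?'
    r'(?: \[type (?P<itype>[^,\]]+), code (?P<icode>[^\]]+)\])?'
    r' by access[-_]group "?(?P<acl>[^"\s]+)"?$'
)
# Per-ACE hit-count message 106100; secs is absent on the "first hit" message
RE_106100 = re.compile(
    r'%FWSM-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+)'
    r' (?P<sif>[^/\s]+)/(?P<sip>[^(\s]+)\((?P<sport>\d+)\) -> (?P<dif>[^/\s]+)/(?P<dip>[^(\s]+)\((?P<dport>\d+)\)'
    r' hit-cnt (?P<hits>\d+) \((?:first hit|(?P<secs>\d+)-second interval)\)$'
)

def parse_acl_log(line: str) -> Optional[dict]:
    """Return a normalized record for a 106023 or 106100 line, or None for anything else."""
    m = RE_106023.search(line)
    if m:
        d = m.groupdict()
        # 106023 is emitted once per denied packet, so one line is exactly one hit
        return {"msg": 106023, "acl": d["acl"], "action": "denied", "proto": d["proto"],
                "src": (d["sif"], d["sip"], d["sport"]), "dst": (d["dif"], d["dip"], d["dport"]),
                "hits": 1, "interval_secs": None}
    m = RE_106100.search(line)
    if m:
        d = m.groupdict()
        # hit-cnt is the count for this interval (or 1 on the first-hit message)
        return {"msg": 106100, "acl": d["acl"], "action": d["action"], "proto": d["proto"],
                "src": (d["sif"], d["sip"], d["sport"]), "dst": (d["dif"], d["dip"], d["dport"]),
                "hits": int(d["hits"]), "interval_secs": int(d["secs"]) if d["secs"] else None}
    return None

def denied_hits_by_source(lines) -> dict:
    """Sum denied hits per (acl_id, source address) across both message types."""
    totals: dict = {}
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            key = (rec["acl"], rec["src"][1])
            totals[key] = totals.get(key, 0) + rec["hits"]
    return totals

# Constructed sample lines (RFC 5737 documentation addresses), not taken from a real device
SAMPLE = [
    '%FWSM-4-106023: Deny tcp src outside:203.0.113.5/4521 dst inside:192.0.2.10/22 by access_group OUT',
    '%FWSM-4-106023: Deny tcp src outside:203.0.113.5/4522 dst inside:192.0.2.10/22 by access_group OUT',
    '%FWSM-4-106023: Deny icmp src outside:203.0.113.9 dst inside:192.0.2.10 [type 8, code 0] by access_group OUT',
    '%FWSM-6-106100: access-list OUT denied tcp outside/203.0.113.7(40000) -> inside/192.0.2.10(22) hit-cnt 1 (first hit)',
    '%FWSM-6-106100: access-list OUT denied tcp outside/203.0.113.7(40000) -> inside/192.0.2.10(22) hit-cnt 37 (300-second interval)',
    '%FWSM-6-106100: access-list OUT permitted tcp outside/209.168.200.3(5000) -> inside/192.0.2.10(443) hit-cnt 1 (first hit)',
]

if __name__ == "__main__":
    for key, hits in sorted(denied_hits_by_source(SAMPLE).items()):
        print(key, hits)
```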
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
10-26
Chapter 10
Controlling Network Access with Access Control Lists
OL-6392-01