Configuring Logging For An Access Control Entry - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services
Chapter 10
Controlling Network Access with Access Control Lists
Logging Extended Access Control List Activity

A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source port might differ for a new connection between the same two hosts, you might not see the same flow increment because a new flow was created for the connection. See the "Managing Deny Flows" section on page 10-28 to limit the number of logging flows.

Permitted packets that belong to established connections do not need to be checked against ACLs; only the initial packet is logged and included in the hit count. For connectionless protocols, such as ICMP, all packets are logged even if they are permitted, and all denied packets are logged.

See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Messages Guide for detailed information about this system message.

Configuring Logging for an Access Control Entry

To configure logging for an ACE, see the following information about the log option:

FWSM/contexta(config)# access-list acl_name [extended] {deny | permit} ... [log [[level] [interval secs] | disable | default]]

See the "Adding an Extended Access Control List" section on page 10-13 for complete access-list syntax.

If you enter the log option without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). See the following options:

level—A severity level between 0 and 7. The default is 6.

interval secs—The time interval in seconds between system messages, from 1 to 600. The default is 300. This value is also used as the timeout value for deleting an inactive flow.

disable—Disables all ACL logging.

default—Enables logging to message 106023. This setting is the same as having no log option.

For example, you configure the following ACL:

FWSM/contexta(config)# access-list outside-acl permit ip host 1.1.1.1 any log 7 interval 600
FWSM/contexta(config)# access-list outside-acl permit ip host 2.2.2.2 any
FWSM/contexta(config)# access-list outside-acl deny ip any any log 2
FWSM/contexta(config)# access-group outside-acl in interface outside

When a packet is permitted by the first ACE of outside-acl, the FWSM generates the following system message:

%FWSM-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)

Although 20 additional packets for this connection arrive on the outside interface, the traffic does not have to be checked against the ACL, and the hit count does not increase.

If one more connection by the same host is initiated within the specified 10-minute interval (and the source and destination ports remain the same), then the hit count is incremented by 1 and the following message is displayed at the end of the 10-minute interval:

%FWSM-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)

When a packet is denied by the third ACE, then the FWSM generates the following system message:

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 10-27
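The following Python model is an added example and is not part of the Cisco guide or of the FWSM software. It reproduces the hit-count behaviour described above (the first hit of a flow is logged immediately with hit-cnt 1, later hits of the same flow are counted and reported at the end of the interval, and an inactive flow is deleted after one interval) and parses the resulting 106100 messages the way a SIEM rule would. The timeline, the AceLogger and parse_106100 names, and the assumption that an idle flow is deleted exactly at an interval boundary are constructed for this example.

```python
"""Model of FWSM ACE logging with 'log level interval secs' (syslog 106100).

Added example, not Cisco code. The message layout is copied from the guide's
sample output; the exact timing of flow deletion inside the FWSM is assumed.
"""
import re
from dataclasses import dataclass

# Message layout from the guide's sample output.
MSG = ("%FWSM-{level}-106100: access-list {acl} {action} {proto} "
       "{src_if}/{src_ip}({sport}) -> {dst_if}/{dst_ip}({dport}) hit-cnt {hits} ({reason})")

# Parser for the same layout (tolerates a missing space around '->').
MSG_RE = re.compile(
    r"%FWSM-(?P<level>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src_ip>[^(]+)\((?P<sport>\d+)\) ?-> ?"
    r"(?P<dst_if>[^/]+)/(?P<dst_ip>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) \((?P<reason>[^)]+)\)"
)


def parse_106100(line):
    """Parse one 106100 message into a dict (ints for level, ports, hit count); None if no match."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("level", "sport", "dport", "hits"):
        fields[key] = int(fields[key])
    return fields


@dataclass
class Flow:
    hits: int = 0           # cumulative count shown as hit-cnt
    pending: int = 0        # hits not yet reported in an interval message
    last_hit: float = 0.0   # time of the last ACL match, for the inactivity timeout
    report_at: float = 0.0  # end of the current reporting interval


class AceLogger:
    """Per-ACE flow cache for one 'log [level] [interval secs]' setting (assumed semantics)."""

    def __init__(self, acl, action, level=6, interval=300):
        self.acl, self.action = acl, action
        self.level, self.interval = level, interval
        self.flows = {}  # flow key (proto, src_if, src_ip, sport, dst_if, dst_ip, dport) -> Flow

    def _msg(self, key, hits, reason):
        proto, src_if, src_ip, sport, dst_if, dst_ip, dport = key
        return MSG.format(level=self.level, acl=self.acl, action=self.action, proto=proto,
                          src_if=src_if, src_ip=src_ip, sport=sport, dst_if=dst_if,
                          dst_ip=dst_ip, dport=dport, hits=hits, reason=reason)

    def match(self, t, proto, src_if, src_ip, sport, dst_if, dst_ip, dport):
        """Record an ACE match at time t. Call this only for the first packet of a
        connection: established traffic bypasses the ACL. Returns messages emitted now."""
        out = self.tick(t)  # first settle interval ends and idle-flow timeouts up to t
        key = (proto, src_if, src_ip, sport, dst_if, dst_ip, dport)
        flow = self.flows.get(key)
        if flow is None:
            # New flow: log immediately with hit-cnt 1 (first hit) and start the interval.
            self.flows[key] = Flow(hits=1, pending=0, last_hit=t, report_at=t + self.interval)
            out.append(self._msg(key, 1, "first hit"))
        else:
            flow.hits += 1
            flow.pending += 1
            flow.last_hit = t
        return out

    def tick(self, now):
        """Advance the clock to `now`: emit interval summaries and delete idle flows."""
        out = []
        for key, flow in list(self.flows.items()):
            while flow.report_at <= now:
                if flow.pending:
                    out.append(self._msg(key, flow.hits, f"{self.interval}-second interval"))
                    flow.pending = 0
                elif now - flow.last_hit >= self.interval:
                    # No hits for a whole interval: the inactive flow is deleted (assumption:
                    # at the interval boundary), so the next match starts a new flow.
                    del self.flows[key]
                    break
                flow.report_at += self.interval
        return out


def guide_scenario():
    """Replay the guide's example for 'permit ip host 1.1.1.1 any log 7 interval 600'
    on a constructed timeline. Returns the messages the model emits."""
    ace = AceLogger("outside-acl", "permitted", level=7, interval=600)
    msgs = ace.match(0, "tcp", "outside", "1.1.1.1", 12345, "inside", "192.168.1.1", 1357)
    # The 20 further packets of this established connection never reach the ACL: no call.
    msgs += ace.match(120, "tcp", "outside", "1.1.1.1", 12345, "inside", "192.168.1.1", 1357)
    msgs += ace.tick(600)  # end of the 600-second interval
    return msgs


if __name__ == "__main__":
    for line in guide_scenario():
        print(line, parse_106100(line)["hits"])
```

guide_scenario() yields exactly the two messages shown above: hit-cnt 1 (first hit) at time 0 and hit-cnt 2 (600-second interval) when the interval ends; a flow with no further hits produces no summary and is dropped from the cache after one idle interval, which is the "timeout value for deleting an inactive flow" behaviour of the interval option. parse_106100 gives a detection rule the acl, action and hit-cnt fields to key on, for example to alert on denied flows whose count keeps climbing.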