Acl Logging - Cisco 500 Series Administration Manual

Access Control
Access Control Lists
Cisco 500 Series Stackable Managed Switch Administration Guide

ACL Logging

This feature adds a logging option to ACEs. When the option is enabled on an ACE,
every packet that the ACE permits or denies generates an Informational SYSLOG
message describing the packet.
ACL logging can also be scoped per interface by binding the ACL to an interface.
In that case SYSLOGs are generated only for packets that matched the permit or
deny ACEs of the ACL bound to that interface.
A flow is defined as a stream of packets with identical characteristics, as follows:
Layer 2 Packets—Identical source and destination MAC addresses
Layer 3 Packets—Identical source and destination IP addresses
Layer 4 Packets—Identical source and destination IP and L4 port
For each new flow, the first packet trapped to the CPU from a given interface
generates an Informational SYSLOG message. Subsequent packets of the same flow
are still trapped to the CPU, but SYSLOG messages for that flow are limited to
one every 5 minutes; that message states only that at least one packet of the
flow was trapped in the last 5 minutes, so the number of SYSLOGs is a lower
bound on the number of matching packets, not a packet count.
After the trapped packet has been handled, it is forwarded if the ACE action is
permit and discarded if the action is deny.
The number of supported flows per unit of a stack is 150.
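The flow keying, the one-message-per-5-minutes suppression and the 150-flow limit described above, modelled in Python as an added example (this is not Cisco code and not part of the guide). It assumes two things the guide does not state: that a new flow arriving when the per-unit flow table is already full is not logged at all, and that the follow-up message is emitted on the first packet that arrives after the 5-minute window has elapsed. The packet values and MAC/IP addresses are constructed sample input.

```python
"""Model of per-flow ACL-logging suppression (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUPPRESS_SECONDS = 5 * 60   # one SYSLOG per flow per 5 minutes (from the guide)
MAX_FLOWS_PER_UNIT = 150    # supported logged flows per stack unit (from the guide)


@dataclass(frozen=True)
class Packet:
    """Only the header fields that define a flow; everything else is irrelevant here."""
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def flow_key(pkt: Packet) -> tuple:
    """Flow identity as the guide defines it: L4 (IPs + ports) if ports are present,
    otherwise L3 (IPs), otherwise L2 (MACs)."""
    if pkt.src_port is not None and pkt.dst_port is not None:
        return ("L4", pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
    if pkt.src_ip is not None and pkt.dst_ip is not None:
        return ("L3", pkt.src_ip, pkt.dst_ip)
    return ("L2", pkt.src_mac, pkt.dst_mac)


class AclLogger:
    """Decides, per trapped packet, whether a SYSLOG is emitted."""

    def __init__(self, max_flows: int = MAX_FLOWS_PER_UNIT,
                 suppress: float = SUPPRESS_SECONDS) -> None:
        self.last_logged: Dict[tuple, float] = {}   # flow key -> time of last SYSLOG
        self.max_flows = max_flows
        self.suppress = suppress
        self.messages: List[str] = []
        self.unlogged_new_flows = 0                  # flows that hit the table limit

    def handle(self, pkt: Packet, action: str, now: float) -> bool:
        """Return True if a SYSLOG was emitted for this packet at time `now` (seconds)."""
        key = flow_key(pkt)
        last = self.last_logged.get(key)
        if last is None:
            if len(self.last_logged) >= self.max_flows:
                # Assumption: a new flow beyond the 150-flow limit is simply not logged.
                self.unlogged_new_flows += 1
                return False
            self.last_logged[key] = now
            self.messages.append(f"{now:.0f}s ACL {action}: first packet of flow {key}")
            return True
        if now - last >= self.suppress:
            # Assumption: the summary message goes out on the first packet after the window.
            self.last_logged[key] = now
            self.messages.append(
                f"{now:.0f}s ACL {action}: at least one packet of flow {key} "
                f"in the last {self.suppress:.0f}s")
            return True
        return False   # same flow inside the 5-minute window: trapped, not logged


def log_count_for_single_flow(packets: int, interval_s: float) -> int:
    """SYSLOGs produced by one TCP flow whose packets arrive `interval_s` apart."""
    logger = AclLogger()
    pkt = Packet("00:11:22:33:44:55", "66:77:88:99:aa:bb",   # constructed sample flow
                 "10.0.0.5", "10.0.0.9", 6, 40000, 22)
    for i in range(packets):
        logger.handle(pkt, "deny", i * interval_s)
    return len(logger.messages)


def log_count_for_flow_flood(distinct_flows: int) -> Tuple[int, int]:
    """Many distinct L3 flows arriving at once: (flows logged, flows not logged)."""
    logger = AclLogger()
    for i in range(distinct_flows):
        pkt = Packet("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                     f"10.{(i >> 8) & 255}.{i & 255}.1", "10.0.0.9")  # constructed sources
        logger.handle(pkt, "deny", 0.0)
    return len(logger.messages), logger.unlogged_new_flows


if __name__ == "__main__":
    print("601 packets over 10 min, one flow ->", log_count_for_single_flow(601, 1.0), "SYSLOGs")
    print("200 distinct flows at once ->", log_count_for_flow_flood(200))
```

The two driver functions make the practical point: a single denied flow sending a packet per second for ten minutes yields three SYSLOGs, and a burst of 200 distinct source addresses fills the 150-flow table so that, under the stated assumption, 50 flows never appear in the log at all. Treat the SYSLOG stream as evidence that a flow matched, not as a count of matching packets or a complete list of sources.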
SYSLOGs
The SYSLOG messages have Informational severity and state whether the packet
matched a deny rule or a permit rule.
For layer 2 packets, the SYSLOG includes the following information (where applicable):
source MAC address, destination MAC address, Ethertype, VLAN ID, and CoS queue.
For layer 3 packets, the SYSLOG includes the following information (where applicable):
source IP address, destination IP address, protocol, DSCP value, ICMP type, ICMP
code, and IGMP type.
For layer 4 packets, the SYSLOG includes the following information (where applicable):
source port, destination port, and TCP flags.
The following are examples of possible SYSLOGs:
For a non-IP packet: