IPv4 Access Control Lists (ACLs)
Enable ACL "Deny" Logging
9-96
Enable ACL "Deny" Logging
ACL logging enables the switch to generate a message when IP traffic meets
the criteria for a match with an ACE that results in an explicit "deny" action.
You can use ACL logging to help:
■ Test your network to ensure that your ACL configuration is detecting
and denying the IP traffic you do not want forwarded
■ Receive notification when the switch detects attempts to forward IP
traffic you have designed your ACLs to reject (deny)
The switch sends ACL messages to Syslog and optionally to the current
console, Telnet, or SSH session. You can use logging < > to configure up to six
Syslog server destinations.
Requirements for Using ACL Logging
■ The switch configuration must include an ACL (1) assigned to a port
or trunk and (2) containing an ACE configured with the deny action
and the log option.
■ For ACL logging to a Syslog server:
• The server must be accessible to the switch and identified in the
running configuration.
• The logging facility must be enabled for Syslog.
• Debug must be configured to:
– support ACL messages
– send debug messages to the desired debug destination
These requirements are described in more detail under "Enabling ACL
Logging on the Switch" on page 9-98.
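The following CLI session is an added illustration of the three requirements above, not an excerpt from the manual; the ACL name "block-telnet", port 5, the Syslog address 10.1.1.50 and the exact command syntax are assumed for this example and should be checked against your switch's command reference.

```text
; Added example (not from the manual); names, addresses and syntax are assumed.
; Requirement 1: an ACL containing a deny ACE with the log option,
;                assigned to a port (inbound on port 5 here).
ProCurve(config)# ip access-list extended "block-telnet"
ProCurve(config-ext-nacl)# deny tcp any any eq 23 log
ProCurve(config-ext-nacl)# permit ip any any
ProCurve(config-ext-nacl)# exit
ProCurve(config)# interface 5 ip access-group "block-telnet" in
; Requirement 2: a reachable Syslog server present in the running
;                configuration (the switch accepts up to six).
ProCurve(config)# logging 10.1.1.50
; Requirement 3: debug configured to produce ACL messages and to send
;                debug output to the Syslog (logging) destination.
ProCurve(config)# debug acl
ProCurve(config)# debug destination logging
ProCurve(config)# show debug
```

After this, a Telnet attempt arriving on port 5 matches the deny ACE and should produce a Syslog entry on 10.1.1.50, which is the quickest way to confirm the logging path works before relying on it.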