Enabling ACL Logging
To see whether incoming packets are permitted or denied because of an ACL, you can
enable ACL Logging when applying the ACL. When ACL Logging is turned on, the
router prints out a message on the console about whether a packet is forwarded or
dropped. If you have a Syslog server configured for the IA, the same information will also
be sent to the Syslog server.
Before enabling ACL Logging, you should consider its impact on performance. With ACL
Logging enabled, the router prints out a message at the console before the packet is
actually forwarded or dropped. Even if the console is connected to the router at a high
baud rate, the delay caused by the console message is still significant. This can get worse if
the console is connected at a low baud rate, for example, 1200 baud. Furthermore, if a
Syslog server is configured, then a Syslog packet must also be sent to the Syslog server,
creating additional delay. Therefore, you should consider the potential performance
impact before turning on ACL Logging.
Monitoring ACLs
The IA provides a display of ACL configurations active in the system.
To display ACL information, enter the following commands in Enable mode.
Show all ACLs.
Show a specific ACL.
Show an ACL on a specific interface.
Show ACLs on all IP interfaces.
Show static entry filters.
Internet Appliance User Reference Manual
Chapter 13: Access Control List Configuration Guide
acl show all
acl show aclname
acl show interface
acl show interface all-ip
acl show service
<name>
| all
<name>
225