Product guide
Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
Enable ACL “Deny” Logging
■ Receive notification when the switch detects attempts to transmit traffic you have designed your ACLs to reject
The switch sends ACL messages to Syslog and optionally to the current console, Telnet, or SSH session. You can configure up to six Syslog server destinations.
Requirements for Using ACL Logging
■ The switch configuration must include an ACL (1) assigned to an interface and (2) containing an ACE configured with the deny action and the log option.
■ To screen routed packets with destination IP addresses outside of the switch, IP routing must be enabled.
■ For ACL logging to a Syslog server, the server must be accessible to the switch and identified (with the logging <ip-addr> command) in the switch configuration.
■ Debug must be enabled for ACLs and one or both of the following:
• logging (for sending messages to Syslog)
• session (for sending messages to the current console interface)
ACL Logging Operation
When the switch detects a packet match with an ACE and the ACE includes both the deny action and the optional log parameter, an ACL log message is sent to the designated debug destination. The first time a packet matches an ACE with deny and log configured, the message is sent immediately to the destination and the switch starts a wait-period of approximately five minutes. (The exact duration of the period depends on how the packets are internally routed.) At the end of the collection period, the switch sends a single-line summary of any additional “deny” matches for that ACE (and any other “deny” ACEs for which the switch detected a match). If no further log messages are generated in the wait-period, the switch suspends the timer and resets itself to send a message as soon as a new “deny” match occurs. The data in the message includes the information illustrated in figure 10-33.
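The wait-period behavior described above, modelled as an added Python example (not switch firmware or any HP code): matches are fed with explicit timestamps, so you can see how a burst of denied packets collapses into one immediate message plus one summary line, and why a single Syslog line may stand for many packets. The wait-period is fixed at 300 s for the model, and continuing to collect after a summary is an assumption, not something the guide states.

```python
from collections import defaultdict

WAIT_PERIOD = 300.0  # "approximately five minutes" in the guide; fixed here for the model


class AclDenyLogger:
    """Models how deny+log ACE matches become Syslog/debug messages."""

    def __init__(self, wait_period=WAIT_PERIOD):
        self.wait_period = wait_period
        self.period_end = None           # None means the timer is suspended
        self.pending = defaultdict(int)  # ACE label -> additional matches this period
        self.messages = []               # (time, text) as they would reach Syslog

    def _advance(self, now):
        """Close every wait-period that ended at or before `now`."""
        while self.period_end is not None and now >= self.period_end:
            if self.pending:
                parts = ", ".join(f"{ace} x{n}" for ace, n in sorted(self.pending.items()))
                self.messages.append((self.period_end, f"ACL deny summary: {parts}"))
                self.pending.clear()
                # Assumption: after a summary the switch keeps collecting for another period.
                self.period_end += self.wait_period
            else:
                self.period_end = None   # nothing new: timer suspended

    def match(self, now, ace):
        """A packet matched ACE `ace` (deny + log) at time `now`, in seconds."""
        self._advance(now)
        if self.period_end is None:
            # Timer suspended: this match is reported at once and starts the wait-period.
            self.messages.append((now, f"ACL deny match: {ace}"))
            self.period_end = now + self.wait_period
        else:
            self.pending[ace] += 1       # counted; reported only in the summary line

    def flush(self, now):
        """Emit whatever a later clock tick at `now` would have emitted."""
        self._advance(now)


def replay(matches, wait_period=WAIT_PERIOD):
    """Run constructed (time, ace) matches through the model; return the messages."""
    logger = AclDenyLogger(wait_period)
    for t, ace in sorted(matches):
        logger.match(t, ace)
    if matches:
        logger.flush(sorted(matches)[-1][0] + 2 * wait_period)  # let timers expire
    return logger.messages


# Constructed sample: a 41-packet burst on one ACE, two hits on another, then silence,
# then one more packet after the timer has been suspended (44 packets in total).
SAMPLE_MATCHES = ([(0.2 * i, "ACE 10") for i in range(41)]
                  + [(5.0, "ACE 20"), (6.0, "ACE 20"), (1000.0, "ACE 10")])

if __name__ == "__main__":
    for when, text in replay(SAMPLE_MATCHES):
        print(f"t={when:7.1f}s  {text}")
```

Forty-four denied packets produce three log lines; the summary's per-ACE counts are where the volume of a scan or flood actually shows up.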
10-76