Enabling ACL logging on the switch

  1. If you are using a Syslog server, use the logging <ip-addr> command to configure the Syslog server IPv4 address. Ensure that the switch can access any Syslog server you specify.
  2. Use logging facility syslog to enable logging for Syslog operation.
  3. Use the debug destination command to configure one or more log destinations. Destination options include logging and session. For more information, see the management and configuration guide for your switch.
  4. Use debug acl or debug all to configure the debug operation to include ACL messages.
  5. Configure one or more ACLs with the deny action and the log option.


Suppose you want to configure the following operation:
  • On VLAN 10 configure an extended ACL with an ACL-ID of "NO-TELNET" and use the RACL in option to deny Telnet traffic entering the switch from to any routed destination. Note: This assignment does not filter Telnet traffic from to destinations on VLAN 10 itself.

  • Configure the switch to send an ACL log message to the current console session and to a Syslog server at on VLAN 20 if the switch detects a packet match denying a Telnet attempt from

This example assumes that IPv4 routing is already configured on the switch.

ACL log application
Commands for applying an ACL with logging to ACL log application
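
One way to enter steps 1 through 5 for the operation described above, as an added example that is not taken from the original guide. <client-ip> and <syslog-ip> are placeholders for the Telnet source and Syslog server addresses, which this page does not give. The switch prompt name is hypothetical, and the closing permit entry is an assumption, added so that the ACL's implicit deny does not drop all other routed traffic entering on VLAN 10.

```text
; Added example. <client-ip> and <syslog-ip> are placeholders, not values from the guide.
; Lines starting with ";" are annotations and are not typed at the CLI.

; Steps 1-2: Syslog server address and Syslog logging facility
switch(config)# logging <syslog-ip>
switch(config)# logging facility syslog

; Step 3: send debug messages to the Syslog server and to the current console session
switch(config)# debug destination logging
switch(config)# debug destination session

; Step 4: include ACL messages in the debug output
switch(config)# debug acl

; Step 5: extended ACL whose deny entry carries the log option
switch(config)# ip access-list extended "NO-TELNET"
switch(config-ext-nacl)# deny tcp host <client-ip> any eq 23 log
; Assumption: permit everything else, because an ACL ends with an implicit deny
switch(config-ext-nacl)# permit ip any any
switch(config-ext-nacl)# exit

; Apply as a routed ACL (RACL) to inbound traffic on VLAN 10
switch(config)# vlan 10 ip access-group "NO-TELNET" in
```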