Enabling ACL logging on the switch

Procedure
  1. If you are using a syslog server, use the logging <ip–addr> command to configure the syslog server IP addresses; ensure that the switch can access any syslog servers you specify.
  2. Use logging facility syslog to enable the logging for syslog operation.
  3. Use the debug destination command to configure one or more log destinations.
  4. Destination options include logging and session. For more information on debug, see "debug and syslog messaging operation" in the latest management and configuration guide for your switch.
  5. Use debug acl or debug all to configure the debug operation to include ACL messages.
  6. Configure an ACL with the deny action and the log option in one or more ACEs.

For example, suppose that you want to do the following:
  • On port 10, configure an extended ACL with an ACL-ID of 143 to deny Telnet traffic from IP address 10.38.100.127.

  • Configure the switch to send an ACL log message to the console and to a Syslog server at IP address 10.38.110.54 on port 11 if the switch detects a match denying Telnet access from 10.38.100.127.

Figure 7: Example of an ACL log application
Commands for applying an ACL with logging:
Switch(config)# access-list 143 deny tcp host 10.38.100.127 any eq telnet
log
Switch(config)# access-list 143 permit ip any any
Switch(config)# interface 10 access–group 143 in
Switch(config)# logging 10.38.110.54
Switch(config)# debug ac1
Switch(config)# debug destination logging
Switch(config)# debug destination session
Switch(config)# write memory

Switch(config)# show debug
Debug Logging
 Destination:
  Logging
   10.38.110.54
  Session
 Enabled debug types:
  event
  acl log