Enabling ACL logging on the switch

Procedure
  1. If you are using a syslog server, use the logging ip-addr command to configure the syslog server IP address; ensure that the switch can reach every syslog server you specify.
  2. Use the logging facility syslog command to enable logging for syslog operation.
  3. Use the debug destination command to configure one or more log destinations.
  4. Destination options include logging (the switch Event Log and any configured syslog servers) and session (the current console session). For more information on debug, see "Debug and Syslog Messaging Operation" in the appendix, "Troubleshooting", in the latest Management and Configuration Guide for your switch.
  5. Use the debug acl or debug all command to include ACL messages in the debug output.
  6. Configure an ACL with the deny or permit action and the log option in one or more ACEs; only packets matching an ACE that carries the log option generate ACL log messages.

Enabling ACL logging on the switch

Suppose that you want to configure the following on a switch that receives IPv6 traffic and is configured for IPv4 routing:
  • For port B1 on VLAN 10, configure an IPv6 ACL with an ACL-ID of "NO-TELNET" and use the PACL in option to deny Telnet traffic entering the switch from IP address FE80::10:3.

  • Configure the switch to send an ACL log message to the current console session and to a syslog server at 10.10.50.173 on VLAN 50 whenever a packet matches the deny ACE, that is, whenever a Telnet attempt from FE80::10:3 is denied.

    Figure 89: Example of an ACL log application
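The following command sequence is an added illustration of the scenario above, not the figure from the original guide. It assumes ArubaOS-Switch (ProCurve) CLI syntax; the prompt strings, the use of TCP port 23 for Telnet, the trailing permit entry and the two show commands are assumptions, not text from this page.

```text
! Step 1-2: syslog server (reachable via VLAN 50) and syslog facility
switch(config)# logging 10.10.50.173
switch(config)# logging facility syslog

! Step 3-4: send debug output both to the log (Event Log + syslog) and to this session
switch(config)# debug destination logging
switch(config)# debug destination session

! Step 5: include ACL messages in the debug stream
switch(config)# debug acl

! Step 6: IPv6 ACL "NO-TELNET"; only the ACE with the log option generates messages.
! The permit entry is an assumption: without it the implicit deny-all at the end of
! the ACL would drop every other packet entering port B1.
switch(config)# ipv6 access-list "NO-TELNET"
switch(config-ipv6-acl)# deny tcp host fe80::10:3 any eq 23 log
switch(config-ipv6-acl)# permit ipv6 any any
switch(config-ipv6-acl)# exit

! Apply as a PACL, inbound, on port B1 (VLAN 10 member)
switch(config)# interface B1 ipv6 access-group "NO-TELNET" in

! Verify (assumed commands): the ACL as stored, and the active debug settings
switch(config)# show access-list config
switch(config)# show debug
```

When checking the result, confirm that the deny ACE shows the log flag and that both the logging and session destinations are listed; a denied Telnet attempt from FE80::10:3 should then appear on the console and at 10.10.50.173.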