access-list log-timer

Syntax

access-list log-timer {default|<VALUE>}

Description

Sets the log timer interval for all ACEs that have deny statements with the log parameter configured.

Command context

config

Parameters

default
Resets the log timer to its default of 300 seconds.
<VALUE>
Specifies the log timer interval in seconds. Range: 30 to 300.

Authority

Administrators

Usage

The first packet that matches an entry with the log parameter within an ACL log timer window (configured with the access-list log-timer command) has its header contents extracted and sent to the configured logging destination, such as the console or a syslog server. Each time the ACL log timer expires, a summary of all ACEs with log configured is sent to the logging destination. This capability throttles the logging of ACL hits.

When multiple ACL types (IPv4, IPv6, or MAC) with logging are applied to the same interface, the first packet that matches an ACE with the log option is logged. Packets matching other ACL types do not create a log until the log-timer wait period is over. At the end of the wait period, a summary log is produced for all ACLs that were matched, regardless of type.

NOTE:

The 8320 and 8325 switches do not support logging for ACLs applied on the egress.

Examples

Enabling debug logging for the ACL logging module:

switch# debug acl log severity info
switch# show debug 
----------------------------------------------------------------
module sub_module severity vlan  port   ip     mac  instance vrf
----------------------------------------------------------------
acl    acl_log    info     ----- -----  -----  ---- -----    ---

Setting the debug destination to console with a minimum severity level of info:

switch# debug destination console severity info
switch# show debug destination 
---------------------------------------------------------------------
                show debug destination                 
---------------------------------------------------------------------
CONSOLE:info

Setting the access list log-timer to 30 seconds:

switch(config)# access-list log-timer 30
switch(config)# do show access-list log-timer
ACL log timer length (frequency): 30 seconds

Creating an IPv4 ACL with one entry with the log parameter:

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# deny icmp 1.1.1.1 1.1.1.2 log
switch(config-acl-ip)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 deny                            icmp
           1.1.1.1
           1.1.1.2
           Logging: enabled
           Hit-counts: enabled

Enabling interface 1/1/1 and applying the ACL:

switch(config)# interface 1/1/1 
switch(config-if)# no shutdown
switch(config-if)# no routing
switch(config-if)# apply access-list ip MY_IP_ACL in
switch(config-if)# do show running-config interface 1/1/1
interface 1/1/1
   no shutdown
    apply access-list ip MY_IP_ACL in
   no routing
   vlan access 1
   exit

Sending packets that match the ACE and observing the ACL logging message on the console:

2017-10-10T20:13:36.044+00:00 ops-switchd[875]: debug|LOG_INFO|AMM|1/5|ACL|ACL_LOG|
List MY_IP_ACL, seq# 10 denied icmp 1.1.1.1 -> 1.1.1.2 type 8 code 0, 
on vlan 1, port 1/1/1, direction in

When the access list log-timer expires, the summary message is printed on the console. The 30 in the summary line is the number of matching packets received during the last access list log-timer window.

2017-10-10T20:14:06.051+00:00 ops-switchd[875]: debug|LOG_INFO|AMM|1/5|ACL|ACL_LOG|
MY_IP_ACL on 1/1/1 (in): 30  10 deny icmp 1.1.1.1 1.1.1.2 log count

Resetting the ACL log timer to the default value:

switch(config)# access-list log-timer default
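As an added example that is not part of this reference (it is not switch code or output), the following Python parses the two ACL_LOG message shapes shown above into fields a syslog pipeline can index, and turns a summary count into a per-second deny rate for the configured log-timer window. The sample lines are constructed from the output above and joined into single lines, which assumes the switch emits each message as one syslog line.

```python
import re

# Constructed sample lines, modelled on the two ACL_LOG message shapes shown above.
# Assumption: the switch emits each message as a single syslog line (the page wraps them).
SAMPLE_LOG = [
    "2017-10-10T20:13:36.044+00:00 ops-switchd[875]: debug|LOG_INFO|AMM|1/5|ACL|ACL_LOG|"
    "List MY_IP_ACL, seq# 10 denied icmp 1.1.1.1 -> 1.1.1.2 type 8 code 0, "
    "on vlan 1, port 1/1/1, direction in",
    "2017-10-10T20:14:06.051+00:00 ops-switchd[875]: debug|LOG_INFO|AMM|1/5|ACL|ACL_LOG|"
    "MY_IP_ACL on 1/1/1 (in): 30  10 deny icmp 1.1.1.1 1.1.1.2 log count",
]

# Common syslog prefix up to and including the ACL_LOG| tag.
HEADER = r"^(?P<ts>\S+) ops-switchd\[\d+\]: debug\|LOG_INFO\|AMM\|\S+\|ACL\|ACL_LOG\|"
# First packet in a log-timer window: extracted header fields of the denied packet.
FIRST_HIT = re.compile(
    HEADER + r"List (?P<acl>\S+), seq# (?P<seq>\d+) denied (?P<proto>\S+) "
    r"(?P<src>\S+) -> (?P<dst>\S+)(?P<l4>.*?), on vlan (?P<vlan>\d+), "
    r"port (?P<port>\S+), direction (?P<dir>\w+)$"
)
# Summary at log-timer expiry: hit count for the ACE during the window.
SUMMARY = re.compile(
    HEADER + r"(?P<acl>\S+) on (?P<port>\S+) \((?P<dir>\w+)\): (?P<count>\d+)\s+"
    r"(?P<seq>\d+) deny (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) log count$"
)

def parse_acl_log(line):
    """Return a dict for an ACL_LOG message, or None if the line is not one."""
    m = FIRST_HIT.match(line)
    if m:
        rec = m.groupdict()
        rec.update(kind="first_hit", count=1, l4=rec["l4"].strip())  # one packet triggered it
        return rec
    m = SUMMARY.match(line)
    if m:
        rec = m.groupdict()
        rec.update(kind="summary", count=int(rec["count"]))
        return rec
    return None

def deny_rate(records, log_timer_seconds):
    """Matched packets per second for each (acl, seq, port, dir), derived from summary
    counts and the configured log-timer window (30 s in the example above)."""
    rates = {}
    for rec in records:
        if rec and rec["kind"] == "summary":
            key = (rec["acl"], int(rec["seq"]), rec["port"], rec["dir"])
            rates[key] = rec["count"] / log_timer_seconds
    return rates
```

Feeding the two sample lines through parse_acl_log and deny_rate with a 30-second window yields 1.0 matching packet per second for MY_IP_ACL sequence 10 on 1/1/1 inbound.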