access-list log-timer

Syntax

access-list log-timer {default|<INTERVAL>}

Description

Sets the log timer interval for all ACEs that have the log parameter configured.

Command context

config

Parameters

default
Resets the log timer to its default of 300 seconds.
<INTERVAL>
Specifies the log timer interval in seconds. Range: 30 to 300.

Authority

Administrators or local user group members with execution rights for this command.

Usage

  • ACL logging records the number of packets matching an ACE. It works with both permit and deny actions, and with ACLs applied on ingress or egress, but not with control plane ACLs.

  • The first packet that matches an ACE with the log parameter within an ACL log timer window (configured with the access-list log-timer command) has its header contents extracted and sent to the configured logging destination, such as the console or a syslog server. Each time the ACL log timer expires, a summary of all ACEs with log configured is sent to the logging destination. This capability allows throttling of logging for ACL hits.

  • If no further log messages are generated in the wait-period, the switch suspends the timer and resets itself to log as soon as a new match occurs.

  • When using multiple ACL types (IPv4, IPv6, or MAC) with logging on the same interface, the first packet that matches an ACE with the log option is logged. Packets matching other ACL types do not create a log until the log-timer wait-period is over. At the end of the wait-period, a summary log is made of all the ACLs that were matched, regardless of type.

  • NOTE:

    Remarked ACL traffic may lose logging information when a QoS action or a classifier policy with remark is enabled. A classifier policy with remark takes precedence over QoS actions, and QoS actions take precedence over ACL remarked traffic.

  • You may see a minor discrepancy between the ACL logging statistics and the hit counts statistics due to the time required to record the log message.

Examples

NOTE:

Although these examples use debug logging, you can alternatively use event logging.

On the 6400 Switch Series, interface identification differs.

Enabling debug logging for the ACL logging module:

switch# debug acl log severity info
switch# show debug 
----------------------------------------------------------------
module sub_module severity vlan  port   ip     mac  instance vrf
----------------------------------------------------------------
acl    acl_log    info     ----- -----  -----  ---- -----    ---

Setting the debug destination to console with the minimum security level of info:

switch# debug destination console severity info
switch# show debug destination 
---------------------------------------------------------------------
                show debug destination                 
---------------------------------------------------------------------
CONSOLE:info

Setting the access list log-timer to 30 seconds:

switch(config)# access-list log-timer 30
switch(config)# do show access-list log-timer
ACL log timer length (frequency): 30 seconds

Creating an IPv4 ACL with one entry with the log parameter:

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# deny icmp 1.1.1.1 1.1.1.2 log
switch(config-acl-ip)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 deny                            icmp
           1.1.1.1
           1.1.1.2
           Logging: enabled
           Hit-counts: enabled

Enabling interface 1/1/1 and applying the ACL:

switch(config)# interface 1/1/1 
switch(config-if)# no shutdown
switch(config-if)# no routing
switch(config-if)# apply access-list ip MY_IP_ACL in
switch(config-if)# do show running-config interface 1/1/1
interface 1/1/1
   no shutdown
   apply access-list ip MY_IP_ACL in
   no routing
   vlan access 1
   exit

Sending packets that match the ACE and observing the ACL logging message on the console:

2017-10-10T20:13:36.044+00:00 ops-switchd[875]: debug|LOG_INFO|AMM|1/5|ACL|ACL_LOG|
List MY_IP_ACL, seq# 10 denied icmp 1.1.1.1 -> 1.1.1.2 type 8 code 0, 
on vlan 1, port 1/1/1, direction in

When the access list log-timer expires, the summary message is printed on the console. The number 30 is the number of packets received during the last access list log-timer window.

2017-10-10T20:14:06.051+00:00 ops-switchd[875]: debug|LOG_INFO|AMM|1/5|ACL|ACL_LOG|
MY_IP_ACL on 1/1/1 (in): 30  10 deny icmp 1.1.1.1 1.1.1.2 log count

Resetting the ACL log timer to the default value:

switch(config)# access-list log-timer default
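The two ACL_LOG message shapes shown above (the first-hit message and the log-timer summary) are what a syslog collector has to make sense of to reconstruct the throttling behaviour described under Usage. The following parser is an added example, not part of this reference or of the switch software; it embeds the page's two console messages as constructed sample input (joined onto one line each, as a collector receives them), and the regular expressions are inferred from those two messages only.

```python
import re
from datetime import datetime

# Constructed sample input: the two messages shown above, header and body joined.
SAMPLE_LOG = """\
2017-10-10T20:13:36.044+00:00 ops-switchd[875]: debug|LOG_INFO|AMM|1/5|ACL|ACL_LOG|List MY_IP_ACL, seq# 10 denied icmp 1.1.1.1 -> 1.1.1.2 type 8 code 0, on vlan 1, port 1/1/1, direction in
2017-10-10T20:14:06.051+00:00 ops-switchd[875]: debug|LOG_INFO|AMM|1/5|ACL|ACL_LOG|MY_IP_ACL on 1/1/1 (in): 30  10 deny icmp 1.1.1.1 1.1.1.2 log count
"""

# Timestamp, then anything up to the "|ACL|ACL_LOG|" marker, then the message body.
HEADER = re.compile(r"^(?P<ts>\S+) .*?\|ACL\|ACL_LOG\|(?P<body>.*)$")
# First packet of a window (field layout inferred from the page's example message).
FIRST_HIT = re.compile(
    r"^List (?P<acl>\S+), seq# (?P<seq>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+) -> (?P<dst>\S+).*?, on vlan (?P<vlan>\d+), "
    r"port (?P<port>\S+), direction (?P<dir>\w+)$")
# Window summary: "<acl> on <port> (<dir>): <count>  <seq> <ace text>".
SUMMARY = re.compile(
    r"^(?P<acl>\S+) on (?P<port>\S+) \((?P<dir>\w+)\): (?P<count>\d+)\s+(?P<seq>\d+) (?P<ace>.*)$")


def parse_acl_log(text):
    """Return one dict per ACL_LOG line; lines from other modules are skipped."""
    records = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if not head:
            continue
        ts, body = datetime.fromisoformat(head["ts"]), head["body"]
        if m := FIRST_HIT.match(body):
            records.append({"kind": "first_hit", "ts": ts, **m.groupdict()})
        elif m := SUMMARY.match(body):
            rec = {"kind": "summary", "ts": ts, **m.groupdict()}
            rec["count"] = int(rec["count"])
            records.append(rec)
    return records


def pair_windows(records):
    """Pair each first-hit with the next summary for the same ACL/port/direction.
    Returns (acl, port, dir, count, elapsed_seconds): elapsed should be close to
    the configured log-timer, and count is the packets matched in that window."""
    open_windows, windows = {}, []
    for rec in records:
        key = (rec["acl"], rec["port"], rec["dir"])
        if rec["kind"] == "first_hit":
            open_windows.setdefault(key, rec["ts"])
        elif key in open_windows:
            elapsed = (rec["ts"] - open_windows.pop(key)).total_seconds()
            windows.append((*key, rec["count"], elapsed))
    return windows
```

Because only the first packet per window is logged in detail, the summary count is the only record of how many further packets hit the ACE; comparing elapsed against the configured log-timer confirms the two messages belong to the same window.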