Enabling ACL logging on the switch
Procedure
- If you are using a Syslog server, use the logging <ip-addr> command to configure the Syslog server IPv4 address. Ensure that the switch can access any Syslog server you specify.
- Use logging facility syslog to enable the logging for Syslog operation.
- Use the debug destination command to configure one or more log destinations. Destination options include logging and session. For more information, see the management and configuration guide for your switch.
- Use debug acl or debug all to configure the debug operation to include ACL messages.
- Configure one or more ACLs with the deny action and the log option.
Example
Suppose you want to configure the following operation:
On VLAN 10, configure an extended ACL with an ACL-ID of "NO-TELNET" and use the RACL in option to deny Telnet traffic entering the switch from 10.10.10.3 to any routed destination.

Note: This assignment does not filter Telnet traffic from 10.10.10.3 to destinations on VLAN 10 itself.

Configure the switch to send an ACL log message to the current console session and to a Syslog server at 10.10.20.3 on VLAN 20 if the switch detects a packet match denying a Telnet attempt from 10.10.10.3.
This example assumes that IPv4 routing is already configured on the switch.
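The CLI session below is an added example of how the five procedure steps and the "NO-TELNET" scenario above could be entered on the switch; it is not configuration taken from the original page. The addresses, ACL-ID, VLANs and the logging/debug commands are the ones named on this page. The extended-ACL entry syntax (host keyword, eq 23, the explicit permit), the ip access-group form of the RACL assignment and the show commands are assumed from the ProCurve/ArubaOS-Switch CLI family and should be checked against the configuration guide for your switch model. Lines starting with ! are annotations for the reader, not switch commands.

```text
! Step 1: Syslog server at 10.10.20.3 on VLAN 20 (assumes the switch can reach VLAN 20)
switch(config)# logging 10.10.20.3
! Step 2: enable logging for Syslog operation
switch(config)# logging facility syslog
! Step 3: send debug output to the log (Syslog) and to the current console session
switch(config)# debug destination logging
switch(config)# debug destination session
! Step 4: include ACL messages in the debug output (debug all would also work)
switch(config)# debug acl
! Step 5: extended ACL; the log option on the deny entry is what generates the ACL log message
! (entry syntax assumed; verify on your switch)
switch(config)# ip access-list extended "NO-TELNET"
switch(config-ext-nacl)# deny tcp host 10.10.10.3 any eq 23 log
! ACLs end with an implicit deny of everything else, so permit remaining traffic explicitly
switch(config-ext-nacl)# permit ip any any
switch(config-ext-nacl)# exit
! Apply the ACL as a routed ACL (RACL) on traffic entering the switch on VLAN 10 (form assumed)
switch(config)# vlan 10
switch(vlan-10)# ip access-group "NO-TELNET" in
switch(vlan-10)# exit
! Check the result (show commands assumed)
switch(config)# show access-list NO-TELNET
switch(config)# show debug
```

With this in place, a Telnet attempt from 10.10.10.3 to a routed destination is denied by the first ACL entry and, because that entry carries the log option, the switch emits an ACL log message to both the console session and the Syslog server. As the note above states, Telnet from 10.10.10.3 to hosts on VLAN 10 itself is not routed and is therefore neither filtered nor logged by this RACL; the explicit permit ip any any is needed only so that the ACL does not silently drop all other routed traffic from VLAN 10.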