Enabling ACL logging on the switch

Procedure
  1. If you are using a Syslog server, use the logging <ip-addr> command to configure the Syslog server IPv4 address. Ensure that the switch can access any Syslog server you specify.
  2. Use the logging facility syslog command to enable logging for Syslog operation.
  3. Use the debug destination command to configure one or more log destinations. Destination options include logging and session. For more information, see the management and configuration guide for your switch.
  4. Use debug acl or debug all to configure the debug operation to include ACL messages.
  5. Configure one or more ACLs with the deny action and the log option.

Example

Suppose you want to configure the following operation:
  • On VLAN 10, configure an extended ACL with an ACL-ID of "NO-TELNET" and use the RACL in option to deny Telnet traffic entering the switch from 10.10.10.3 to any routed destination. Note: This assignment does not filter Telnet traffic from 10.10.10.3 to destinations on VLAN 10 itself.

  • Configure the switch to send an ACL log message to the current console session and to a Syslog server at 10.10.20.3 on VLAN 20 if the switch detects a packet match denying a Telnet attempt from 10.10.10.3.

This example assumes that IPv4 routing is already configured on the switch.
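The following CLI sequence is an added worked example for the scenario described above; it is not a figure from the original guide. The logging, logging facility, debug destination and debug acl commands are the ones named in the procedure. The switch prompt, the ip access-list extended context, the deny/permit rule syntax and the vlan ip access-group form of the RACL assignment are assumed from the ProCurve CLI and should be checked against the management and configuration guide for your switch model.

```text
; Added example: ACL "NO-TELNET" applied as a RACL on VLAN 10, with deny-and-log
; messages sent to the current session and to the Syslog server at 10.10.20.3.
; Prompt and rule syntax are assumed; verify them for your switch.

; 1. Define the extended ACL. The "log" option on the deny rule is what
;    generates the ACL log message. The trailing "permit ip any any" is
;    needed because an ACL ends with an implicit deny of all other traffic.
switch(config)# ip access-list extended NO-TELNET
switch(config-ext-nacl)# deny tcp host 10.10.10.3 any eq 23 log
switch(config-ext-nacl)# permit ip any any
switch(config-ext-nacl)# exit

; 2. Apply the ACL as a RACL to traffic entering the switch on VLAN 10.
;    Only routed traffic is filtered; Telnet within VLAN 10 is not.
switch(config)# vlan 10 ip access-group NO-TELNET in

; 3. Point the switch at the Syslog server (reachable via VLAN 20) and
;    enable Syslog operation (procedure steps 1 and 2).
switch(config)# logging 10.10.20.3
switch(config)# logging facility syslog

; 4. Send debug output to the current session and to the log destination,
;    and include ACL messages in the debug output (steps 3 and 4).
switch(config)# debug destination session
switch(config)# debug destination logging
switch(config)# debug acl

; 5. Confirm the configuration took effect.
switch(config)# show access-list NO-TELNET
switch(config)# show debug
```

The session destination is tied to the CLI session in which it was enabled, so ACL messages stop appearing on the console once that session closes; the Syslog destination is the one that persists for later review. Because the switch needs to reach 10.10.20.3 to deliver the messages, verify that connectivity before relying on the Syslog copy of the log.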

ACL log application
Commands for applying an ACL with logging to ACL log application