Enabling ACL logging on the switch
Procedure
- If you are using a syslog server, use the logging <ip-addr> command to configure the syslog server IP addresses; ensure that the switch can reach any syslog servers you specify.
- Use logging facility syslog to enable logging for syslog operation.
- Use the debug destination command to configure one or more log destinations. Destination options include logging and session. For more information on debug, see "Debug and Syslog Messaging Operation" in the appendix "Troubleshooting" in the latest Management and Configuration Guide for your switch.
- Use debug acl or debug all to configure the debug operation to include ACL messages.
- Configure an ACL with the deny or permit action and the log option in one or more ACEs.
Enabling ACL logging on the switch
Suppose that you want to configure the following on a switch receiving IPv6 traffic and configured for IPv4 routing:
- For port B1 on VLAN 10, configure an IPv6 ACL with an ACL-ID of "NO-TELNET" and use the PACL in option to deny Telnet traffic entering the switch from IP address FE80::10:3.
- Configure the switch to send an ACL log message to the current console session and to a syslog server at 10.10.50.173 on VLAN 50 if the switch detects a packet match denying a Telnet attempt from FE80::10:3.
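The following switch CLI session is an added example, not taken from the guide, that carries the procedure above through for this scenario. The ACE syntax, the prompt strings, the use of TCP port 23 for Telnet and the trailing permit entry are assumptions about the switch's ACL command syntax; check them against the ACL chapter of the guide for your switch before use.

```text
! Step 1: point logging at the syslog server on VLAN 50 (the switch must be able to reach it)
switch(config)# logging 10.10.50.173

! Step 2: send log messages using the syslog facility
switch(config)# logging facility syslog

! Step 3: log destinations - the syslog/event log and the current console session
switch(config)# debug destination logging
switch(config)# debug destination session

! Step 4: include ACL match messages in debug output
switch(config)# debug acl

! Step 5: the ACL itself - deny Telnet (TCP/23) from FE80::10:3 with the log option;
!         the final permit is assumed here so the implicit deny at the end of the
!         list does not silently drop all other inbound traffic on the port
switch(config)# ipv6 access-list "NO-TELNET"
switch(config-ipv6-acl)# deny tcp host fe80::10:3 any eq 23 log
switch(config-ipv6-acl)# permit ipv6 any any
switch(config-ipv6-acl)# exit

! Apply it as a PACL in the inbound direction on port B1 (VLAN 10)
switch(config)# interface B1
switch(eth-B1)# ipv6 access-group "NO-TELNET" in
switch(eth-B1)# exit

! Verify that ACL debugging and both destinations are active
switch(config)# show debug
```

Two points worth checking after applying this: the session destination only delivers messages to the session in which debug destination session was entered, so a Telnet attempt from FE80::10:3 produces a message on that console and an entry on the syslog server but not on other sessions; and an ACE needs the log keyword explicitly, so a deny without log still drops the packet but generates nothing for the debug or syslog output.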