Enabling ACL logging on the switch

  1. If you are using a syslog server, use the logging <ip-addr> command to configure the syslog server IP addresses; ensure that the switch can reach every syslog server you specify.
  2. Use logging facility syslog to enable the logging for syslog operation.
  3. Use the debug destination command to configure one or more log destinations.
  4. Destination options include logging and session. For more information on debug, see "debug and syslog messaging operation" in the latest management and configuration guide for your switch.
  5. Use debug acl or debug all to configure the debug operation to include ACL messages.
  6. Configure an ACL with the deny action and the log option in one or more ACEs.

For example, suppose that you want to do the following:
  • On port 10, configure an extended ACL with an ACL-ID of 143 to deny Telnet traffic from IP address

  • Configure the switch to send an ACL log message to the console and to a Syslog server at IP address on port 11 if the switch detects a match denying Telnet access from

Example of an ACL log application
Commands for applying an ACL with logging:
Switch(config)# access-list 143 deny tcp host any eq telnet
Switch(config)# access-list 143 permit ip any any
Switch(config)# interface 10 access-group 143 in
Switch(config)# logging
Switch(config)# debug acl
Switch(config)# debug destination logging
Switch(config)# debug destination session
Switch(config)# write memory

Switch(config)# show debug
Debug Logging
 Enabled debug types:
  acl log
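To make the logging behaviour of the example concrete, here is an added Python model (not the switch's own code, and not from the manual) of how an extended ACL such as 143 is evaluated: first match wins, an implicit deny sits at the end, and only a deny ACE carrying the log option produces an ACL log message. The host address 10.0.0.5 is a constructed placeholder for the address elided on the page.

```python
# Added example, not from the switch documentation: minimal model of extended
# ACL evaluation (first match wins, implicit deny at the end) that reports which
# packets would generate an ACL log message (deny ACEs with the log option).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                # "deny" or "permit"
    proto: str                 # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                   # "any" or a host/network in CIDR form
    dst: str
    dport: Optional[int] = None  # None matches any destination port
    log: bool = False


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _ace_match(ace: Ace, pkt: dict) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt["proto"])
            and _addr_match(ace.src, pkt["src"])
            and _addr_match(ace.dst, pkt["dst"])
            and (ace.dport is None or ace.dport == pkt["dport"]))


def evaluate(acl, pkt: dict) -> Tuple[str, bool]:
    """Return (action, logged) for the first ACE that matches pkt.

    Packets matching no ACE hit the implicit deny, which is never logged.
    Only a deny ACE configured with the log option generates a log message.
    """
    for ace in acl:
        if _ace_match(ace, pkt):
            return ace.action, (ace.action == "deny" and ace.log)
    return "deny", False


# ACL 143 from the page; 10.0.0.5 is a constructed stand-in for the elided host.
ACL_143 = [
    Ace("deny", "tcp", "10.0.0.5/32", "any", dport=23, log=True),
    Ace("permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    telnet = {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 23}
    print(evaluate(ACL_143, telnet))  # ('deny', True): this match is logged
```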