Enabling IPv4 ACL rules for logging

When you create ACL rules for which you want to enable logging, you must include the log parameter.

  1. Enter the configure terminal command to access global configuration mode.
    device# configure terminal
    
  2. Enter the ip access-list command to create or modify an access list.
    device(config)# ip access-list standard ip_acl_1
    
  3. For each ACL rule for which you need logging, include the log keyword.
    device(conf-ipacl-std)# seq 5 permit host 10.20.33.4 log
    
  4. Apply the ACL that you created to the appropriate interface.
  5. (Optional) To display ACL logs, enter the show access-list-log buffer command.
    device# show access-list-log buffer
    Frames Logged on interface 2/1 :
    --------------------------------
    Frame Received Time : Fri Dec 9 3:8:48 2011
    Ethernet,       Src : (00:34:56:78:0a:ab), Dst: (00:12:ab:54:67:da)
      Ethtype             : 0x8100
      Vlan tag type       : 0x800
      VlanID              : 0x1
    Internet proto, Src : 192.85.1.2, Dst: 192.0.0.1
      Interface           :
      Type of service     : 0
      Length              : 110
      Identification      : 0
      Fragmentation       : 00 00
      TTL                 : 255
      protocol            : 253
      Checksum            : 39 3a
      Payload type        :
    packet(s) repeated  : 30
    Ingress Deny Logged
    
Note

If an ACL with rules that contain the log keyword is applied to the management interface, logs are not recorded for that ACL.
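
The show access-list-log buffer output in step 5 is free-form text, so forwarding it to a log collector means turning each frame into a structured record first. The following Python parser is an added example, not part of the product documentation; the record field names and the assumption that every frame ends with a "<direction> <action> Logged" line are this example's own.

```python
import re
from datetime import datetime

# Abridged copy of the buffer output shown in step 5 of this page.
SAMPLE = """\
Frames Logged on interface 2/1 :
Frame Received Time : Fri Dec 9 3:8:48 2011
Ethernet,       Src : (00:34:56:78:0a:ab), Dst: (00:12:ab:54:67:da)
  VlanID              : 0x1
Internet proto, Src : 192.85.1.2, Dst: 192.0.0.1
  TTL                 : 255
  protocol            : 253
packet(s) repeated  : 30
Ingress Deny Logged
"""

IFACE = re.compile(r"Frames Logged on interface (\S+)")
TIME = re.compile(r"Frame Received Time\s*:\s*(.+)")
ETH = re.compile(r"Ethernet,\s*Src\s*:\s*\((\S+)\),\s*Dst:\s*\((\S+)\)")
IP = re.compile(r"Internet proto,\s*Src\s*:\s*(\S+),\s*Dst:\s*(\S+)")
FIELD = re.compile(r"\s*(VlanID|TTL|protocol|packet\(s\) repeated)\s*:\s*(\S+)")
# Assumption: every frame ends with "<direction> <action> Logged", as in the sample.
VERDICT = re.compile(r"(\w+) (\w+) Logged\s*$")
NAMES = {"VlanID": "vlan_id", "TTL": "ttl", "protocol": "ip_proto",
         "packet(s) repeated": "repeat_count"}

def parse_log_buffer(text):
    """Return one dict per logged frame (field names are this example's own)."""
    records, iface, cur = [], None, None
    for line in text.splitlines():
        if m := IFACE.search(line):
            iface = m.group(1)
        elif m := TIME.search(line):
            # Fields are not zero-padded ("3:8:48"); strptime accepts that.
            stamp = " ".join(m.group(1).split())
            ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
            cur = {"interface": iface, "time": ts.isoformat()}
        elif cur is None:
            continue  # ignore anything before the first frame header
        elif m := ETH.search(line):
            cur["src_mac"], cur["dst_mac"] = m.groups()
        elif m := IP.search(line):
            cur["src_ip"], cur["dst_ip"] = m.groups()
        elif m := FIELD.match(line):
            cur[NAMES[m.group(1)]] = int(m.group(2), 0)  # base 0 handles 0x1
        elif m := VERDICT.match(line.strip()):
            cur["direction"], cur["action"] = (g.lower() for g in m.groups())
            records.append(cur)
            cur = None
    return records

if __name__ == "__main__":
    print(parse_log_buffer(SAMPLE))
```

The repeat_count field matters when alerting: a single buffer entry can stand for many dropped packets, so counting entries alone understates the volume of denied traffic.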