You want to know when the router invokes an access list.
Access lists can generate log messages. The following example will allow all packets to pass, but will record them:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 150 permit ip any any log
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in
Router1(config-if)#end
Router1#
In this example, we use the log-input keyword to include additional information about where the packets came from:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 150 permit tcp any any log-input
Router1(config)#access-list 150 permit ip any any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in
Router1(config-if)#end
Router1#
The first example uses the log keyword to record a log message every time the ACL makes a match. Here are some log messages generated by this command:
Feb 6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets
Feb 6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets
You can also get a breakdown of how many matches each line in the ACL has recorded with the show access-list command:
Router1#show access-list 150
Extended IP access list 150
permit ip any any log (15 matches)
Router1#
The second form, with the log-input keyword, causes the router to include other useful data in the log messages. With this option, the log messages will include the port where the packet was received:
Feb 6 13:08:31: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.1.1.1(0) (Serial0/1 ) -> 10.1.1.2(0), 80 packets
Feb 6 13:08:38: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.2.2.2(0) (Serial0/1 ) -> 172.25.26.5(0), 1 packet
Feb 6 13:10:29: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.2.2.2(0) (Serial0/1 ) -> 172.20.100.1(0), 1 packet
If we apply this ACL on an Ethernet or Token Ring port, the log messages will also include MAC address information:
Feb 6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet
Router1#
Feb 6 14:58:20: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.7(0) (FastEthernet0/0.1 0000.0c92.bc6a) -> 172.25.1.5(0), 1 packet
The only problem with these commands is that they tend to produce huge numbers of log messages. To be really useful, we recommend using this feature in conjunction with a remote log server, as described in Chapter 18. Then you can store and analyze all of the messages without worrying that you will lose information when the router's internal log buffer overwrites itself. We offer a useful script for analyzing the messages and looking for important patterns in Recipe 19.10.
In general, we recommend logging all denied packets, because they tend to represent the rejected traffic that is not part of the normal functioning of the network.
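As an added illustration (not the script from Recipe 19.10, nor code from this book), here is a small Python parser for the extended-ACL message formats shown above. It pulls out the ACL number, action, protocol, addresses, ports, and, for log-input messages, the ingress interface and MAC address, then totals packets per flow so the denied entries stand out. The sample lines are constructed for the example; the denied line in particular is made up to match the same format.

```python
import re
from collections import Counter

# Constructed sample messages modelled on the formats shown above; not captured from a real router.
SAMPLE_LOG = """\
Feb 6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets
Feb 6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets
Feb 6 13:08:31: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.1.1.1(0) (Serial0/1 ) -> 10.1.1.2(0), 80 packets
Feb 6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet
Feb 6 14:57:02: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.0.2.9(4321) (FastEthernet0/0.1 0000.0c92.bc6a) -> 172.25.1.5(23), 3 packets
"""

# One pattern covers the plain 'log' form and the 'log-input' form (interface, optional MAC)
# for TCP/UDP (ports in parentheses), ICMP (type/code after the destination) and other IP protocols.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"           # source address, optional port
    r"(?: \((?P<ifname>\S+) ?(?P<mac>[0-9a-f.]+)?\))?"  # log-input only: ingress interface, optional MAC
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"       # destination address, optional port
    r"(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"  # ICMP type/code, then packet count
)


def parse_acl_log(text):
    """Return one dict per recognised %SEC-6-IPACCESSLOG* line; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            records.append(rec)
    return records


def summarize(records):
    """Total packets per (action, protocol, source, destination) flow."""
    totals = Counter()
    for r in records:
        totals[(r["action"], r["proto"], r["src"], r["dst"])] += r["count"]
    return totals


if __name__ == "__main__":
    for flow, packets in sorted(summarize(parse_acl_log(SAMPLE_LOG)).items()):
        print(flow, packets)
```

Lines from standard ACLs (which carry no protocol or arrow) are not matched by this pattern and are simply skipped.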
While all of the examples in this recipe used extended ACLs, the log keyword is also available with standard ACLs:
Router1(config)#access-list 77 permit any log
However, the log-input option is available only for extended ACLs.