
Recipe 19.8 Logging when an Access List Is Used

19.8.1 Problem

You want to know when the router invokes an access list.

19.8.2 Solution

Access lists can generate log messages. The following example will allow all packets to pass, but will record them:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 150 permit ip any any log
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in 
Router1(config-if)#end
Router1#

In this example, we use the log-input keyword to include additional information about where the packets came from:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 150 permit tcp any any log-input
Router1(config)#access-list 150 permit ip any any 
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in 
Router1(config-if)#end
Router1#

19.8.3 Discussion

The first example uses the log keyword to record a log message every time the ACL makes a match. Here are some log messages generated by this command:

Feb  6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 ->
  224.0.0.5, 9 packets
Feb  6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 ->
  10.1.1.2 (0/0), 4 packets

You can also get a breakdown of how many matches each line in the ACL has recorded with the show access-list command:

Router1#show access-list 150
Extended IP access list 150
    permit ip any any log (15 matches)
Router1#

The second form, with the log-input keyword, causes the router to include other useful data in the log messages. With this option, the log messages will include the port where the packet was received:

Feb  6 13:08:31: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.1.1.1(0)
  (Serial0/1 ) -> 10.1.1.2(0), 80 packets
Feb  6 13:08:38: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.2.2.2(0)
  (Serial0/1 ) -> 172.25.26.5(0), 1 packet
Feb  6 13:10:29: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.2.2.2(0)
  (Serial0/1 ) -> 172.20.100.1(0), 1 packet

If we apply this ACL on an Ethernet or Token Ring port, the log messages will also include MAC address information:

Feb  6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0)
  (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet
Router1#
Feb  6 14:58:20: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.7(0)
  (FastEthernet0/0.1 0000.0c92.bc6a) -> 172.25.1.5(0), 1 packet

The only problem with these commands is that they tend to produce huge numbers of log messages. To be really useful, we recommend using this feature in conjunction with a remote log server, as described in Chapter 18. Then you can store and analyze all of the messages without worrying that you will lose information when the router's internal log buffer overwrites itself. In Recipe 19.10, we offer a useful script for analyzing the messages and looking for important patterns.

In general, we recommend logging all denied packets, because they tend to represent the rejected traffic that is not part of the normal functioning of the network.
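As an added example that is not part of the book, the following Python parser handles the three message formats shown above (IPACCESSLOGRP, IPACCESSLOGDP and IPACCESSLOGP, with or without the interface and MAC fields that log-input adds) and totals packet counts per source and interface, which is the kind of first pass you would run on a remote log server. The sample lines are constructed from the formats in this recipe; the final denied line and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the formats shown in this recipe, with the console
# line-wrapping joined back up as a syslog server would store them.
# The last line (a deny match) is constructed for illustration, not from the recipe.
SAMPLE_LOGS = """\
Feb  6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets
Feb  6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets
Feb  6 13:08:31: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.1.1.1(0) (Serial0/1 ) -> 10.1.1.2(0), 80 packets
Feb  6 13:08:38: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.2.2.2(0) (Serial0/1 ) -> 172.25.26.5(0), 1 packet
Feb  6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet
Feb  6 14:58:20: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.25.1.7(0) (FastEthernet0/0.1 0000.0c92.bc6a) -> 172.25.1.5(0), 1 packet
"""

# One pattern for the RP (e.g. ospf), DP (icmp, with type/code) and P (tcp/udp, with
# ports) variants; the "(interface mac)" group is only present when log-input was used.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]+): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<intf>\S+) ?(?P<mac>[0-9a-f.]+)?\))?"
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<typecode>[^)]*)\))?, (?P<count>\d+) packets?"
)

def parse_acl_log(line):
    """Return the fields of one IPACCESSLOG message, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def summarize(text):
    """Total packets per (acl, action, proto, source, interface) across many lines."""
    totals = defaultdict(int)
    for line in text.splitlines():
        rec = parse_acl_log(line)
        if rec is not None:
            key = (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["intf"] or "-")
            totals[key] += rec["count"]
    return dict(totals)

def denied_sources(text):
    """Source addresses that hit a deny entry, the traffic this recipe recommends logging."""
    recs = (parse_acl_log(line) for line in text.splitlines())
    return sorted({r["src"] for r in recs if r is not None and r["action"] == "denied"})
```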

While all of the examples in this recipe used extended ACLs, the log keyword is also available with standard ACLs:

Router1(config)#access-list 77 permit any log

However, the log-input option is available only for extended ACLs.

19.8.4 See Also

Recipe 19.10
