Standard IP Access List Logging
The Standard IP Access List Logging feature provides the ability to log messages about packets that are permitted or denied by a standard IP access list. Any packet that matches the access list logs an information message about the packet at the device console.
This module provides information about standard IP access list logging.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Standard IP Access List Logging
IP access list logging is supported only for routed interfaces or router access control lists (ACLs).
Information About Standard IP Access List Logging
Standard IP Access List Logging
The Standard IP Access List Logging feature provides the ability to log messages about packets that are permitted or denied by a standard IP access list. Any packet that matches the access list causes an information log message about the packet to be sent to the device console. The log level of messages that are printed to the device console is controlled by the
logging console command.
The first packet that the access list inspects triggers the access list to log a message at the device console. Subsequent packets are collected over 5-minute intervals before they are displayed or logged. Log messages include information about the access list number, the source IP address of packets, the number of packets from the same source that were permitted or denied in the previous 5-minute interval, and whether a packet was permitted or denied. You can also monitor the number of packets that are permitted or denied by a particular access list, including the source address of each packet.
How to Configure Standard IP Access List Logging
Creating a Standard IP Access
List Using Numbers
SUMMARY STEPS1.
enable
2.
configure
terminal
3.
access-list
access-list-number
{deny
|
permit}
host
address [log]
4.
access-list
access-list-number
{deny
|
permit}
any
[log]
5.
interface
type
number
6.
ip
access-group
access-list-number
{in
|
out}
7.
end
DETAILED STEPS | Command or Action | Purpose |
---|
Step 1 |
enable
Example:
|
Enables
privileged EXEC mode.
|
Step 2 |
configure
terminal
Example:
Device# configure terminal
|
Enters global
configuration mode.
|
Step 3 |
access-list
access-list-number
{deny
|
permit}
host
address [log]
Example:
Device(config)# access-list 1 permit host 10.1.1.1 log
|
Defines a
standard numbered IP access list using a source address and wildcard, and
configures the logging of informational messages about packets that match the
access list entry at the device console.
|
Step 4 |
access-list
access-list-number
{deny
|
permit}
any
[log]
Example:
Device(config)# access-list 1 permit any log
|
Defines a
standard numbered IP access list by using an abbreviation for the source and
source mask 0.0.0.0 255.255.255.255.
|
Step 5 |
interface
type
number
Example:
|
Configures an
interface and enters interface configuration mode.
|
Step 6 |
ip
access-group
access-list-number
{in
|
out}
Example:
Device(config-if)# ip access-group 1 in
|
Applies the
specified numbered access list to the incoming or outgoing interface.
|
Step 7 |
end
Example:
|
Exits interface
configuration mode and enters privileged EXEC mode.
|
Creating a Standard IP Access
List Using Names
SUMMARY STEPS1.
enable
2.
configure
terminal
3.
ip access-list standard
name
4.
{deny
|
permit} {host
address |
any}
log
5.
exit
6.
interface
type
number
7.
ip
access-group
access-list-name {in
|
out}
8.
end
DETAILED STEPS | Command or Action | Purpose |
---|
Step 1 |
enable
Example:
|
Enables
privileged EXEC mode.
|
Step 2 |
configure
terminal
Example:
Device# configure terminal
|
Enters global
configuration mode.
|
Step 3 |
ip access-list standard
name
Example:
Device(config)# ip access-list standard acl1
|
Defines a
standard IP access list and enters standard named access list configuration
mode.
|
Step 4 |
{deny
|
permit} {host
address |
any}
log
Example:
Device(config-std-nacl)# permit host 10.1.1.1 log
|
Sets conditions
in a named IP access list that will deny packets from entering a network or
permit packets to enter a network, and configures the logging of informational
messages about packets that match the access list entry at the device console.
|
Step 5 |
exit
Example:
Device(config-std-nacl)# exit
|
Exits standard
named access list configuration mode and enters global configuration mode.
|
Step 6 |
interface
type
number
Example:
|
Configures an
interface and enters interface configuration mode.
|
Step 7 |
ip
access-group
access-list-name {in
|
out}
Example:
Device(config-if)# ip access-group acl1 in
|
Applies the
specified access list to the incoming or outgoing interface.
|
Step 8 |
end
Example:
|
Exits interface
configuration mode and enters privileged EXEC mode.
|
Configuration Examples for Standard IP Access List Logging
Example: Creating a Standard
IP Access List Using Numbers
Device# configure terminal
Device(config)# access-list 1 permit host 10.1.1.1 log
Device(config)# access-list 1 permit any log
Device(config-if)# ip access-group 1 in
Example: Creating a Standard
IP Access List Using Names
Device# configure terminal
Device(config)# ip access-list standard acl1
Device(config-std-nacl)# permit host 10.1.1.1 log
Device(config-std-nacl)# exit
Device(config-if)# ip access-group acl1 in
Example: Limiting Debug Output
The following sample configuration uses an access list to limit the
debug command output. Limiting the
debug output restricts the volume of data to what you are interested in, saving you time and resources.
Device(config)# ip access-list acl1
Device(config-std-nacl)# remark Displays only advertisements for LDP peer in acl1
Device(config-std-nacl)# permit host 10.0.0.44
Device# debug mpls ldp advertisements peer-acl acl1
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 172.17.0.33
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 172.16.0.31
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 172.22.0.33
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 192.168.0.1
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 192.168.0.3
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 192.168.1.33
Additional References for Standard IP Access List Logging
Technical Assistance
Description
|
Link
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
|
http://www.cisco.com/cisco/web/support/index.html
|
Feature Information for
Standard IP Access List Logging
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 Feature Information for
Standard IP Access List Logging
Feature Name
|
Releases
|
Feature
Information
|
Standard IP
Access List Logging
|
|
The Standard
IP Access List Logging feature provides the ability to log messages about
packets that are permitted or denied by a standard IP access list. Any packet
that matches the access list logs an information message about the packet at
the device console.
|