Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Security Configuration Guide: Access Control Lists, Cisco IOS XE Fuji 16.7.x

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Security Configuration Guide: Access Control Lists, Cisco IOS XE Fuji 16.7.x

Chapter Title

Standard IP Access List Logging

Results

Updated:
April 6, 2018

Chapter: Standard IP Access List Logging

Standard IP Access List Logging

The Standard IP Access List Logging feature provides the ability to log messages about packets that are permitted or denied by a standard IP access list. Any packet that matches the access list logs an information message about the packet at the device console.

This module provides information about standard IP access list logging.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Restrictions for Standard IP Access List Logging

IP access list logging is supported only for routed interfaces or router access control lists (ACLs).

Information About Standard IP Access List Logging

Standard IP Access List Logging

The Standard IP Access List Logging feature provides the ability to log messages about packets that are permitted or denied by a standard IP access list. Any packet that matches the access list causes an information log message about the packet to be sent to the device console. The log level of messages that are printed to the device console is controlled by the logging console command.

The first packet that the access list inspects triggers the access list to log a message at the device console. Subsequent packets are collected over 5-minute intervals before they are displayed or logged. Log messages include information about the access list number, the source IP address of packets, the number of packets from the same source that were permitted or denied in the previous 5-minute interval, and whether a packet was permitted or denied. You can also monitor the number of packets that are permitted or denied by a particular access list, including the source address of each packet.

How to Configure Standard IP Access List Logging

Creating a Standard IP Access List Using Numbers

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    access-list access-list-number {deny | permit} host address [log]

    4.    access-list access-list-number {deny | permit} any [log]

    5.    interface type number

    6.    ip access-group access-list-number {in | out}

    7.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example: 
    Device> enable
     
    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example: 
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 access-list access-list-number {deny | permit} host address [log]


    Example: 
    Device(config)# access-list 1 permit host 10.1.1.1 log
     

    Defines a standard numbered IP access list using a source address and wildcard, and configures the logging of informational messages about packets that match the access list entry at the device console.

     
    Step 4 access-list access-list-number {deny | permit} any [log]


    Example: 
    Device(config)# access-list 1 permit any log
     

    Defines a standard numbered IP access list by using an abbreviation for the source and source mask 0.0.0.0 255.255.255.255.

     
    Step 5 interface type number


    Example:

     

    Configures an interface and enters interface configuration mode.

     
    Step 6 ip access-group access-list-number {in | out}


    Example: 
    Device(config-if)# ip access-group 1 in
     
    Applies the specified numbered access list to the incoming or outgoing interface.

    • When you filter based on source addresses, you typically apply the access list to an incoming interface.

     
    Step 7 end


    Example: 
    Device(config-if)# end
     

    Exits interface configuration mode and enters privileged EXEC mode.

     

    Creating a Standard IP Access List Using Names

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    ip access-list standard name

      4.    {deny | permit} {host address | any} log

      5.    exit

      6.    interface type number

      7.    ip access-group access-list-name {in | out}

      8.    end


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example: 
      Device> enable
       
      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example: 
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 ip access-list standard name


      Example: 
      Device(config)# ip access-list standard acl1
       

      Defines a standard IP access list and enters standard named access list configuration mode.

       
      Step 4 {deny | permit} {host address | any} log


      Example: 
      Device(config-std-nacl)# permit host 10.1.1.1 log
       

      Sets conditions in a named IP access list that will deny packets from entering a network or permit packets to enter a network, and configures the logging of informational messages about packets that match the access list entry at the device console.

       
      Step 5 exit


      Example: 
      Device(config-std-nacl)# exit
       

      Exits standard named access list configuration mode and enters global configuration mode.

       
      Step 6 interface type number


      Example:

       

      Configures an interface and enters interface configuration mode.

       
      Step 7 ip access-group access-list-name {in | out}


      Example: 
      Device(config-if)# ip access-group acl1 in
       
      Applies the specified access list to the incoming or outgoing interface.

      • When you filter based on source addresses, you typically apply the access list to an incoming interface.

       
      Step 8 end


      Example: 
      Device(config-if)# end
       

      Exits interface configuration mode and enters privileged EXEC mode.

       

      Configuration Examples for Standard IP Access List Logging

      Example: Creating a Standard IP Access List Using Numbers

      Device# configure terminal
Device(config)# access-list 1 permit host 10.1.1.1 log
Device(config)# access-list 1 permit any log

Device(config-if)# ip access-group 1 in

      Example: Creating a Standard IP Access List Using Names

      Device# configure terminal
Device(config)# ip access-list standard acl1
Device(config-std-nacl)# permit host 10.1.1.1 log
Device(config-std-nacl)# exit

Device(config-if)# ip access-group acl1 in

      Example: Limiting Debug Output

      The following sample configuration uses an access list to limit the debug command output. Limiting the debug output restricts the volume of data to what you are interested in, saving you time and resources. 

      Device(config)# ip access-list acl1
Device(config-std-nacl)# remark Displays only advertisements for LDP peer in acl1
Device(config-std-nacl)# permit host 10.0.0.44

Device# debug mpls ldp advertisements peer-acl acl1

tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 172.17.0.33
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 172.16.0.31
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 172.22.0.33
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 192.168.0.1
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 192.168.0.3
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 192.168.1.33

      Additional References for Standard IP Access List Logging

      Related Documents

      Related Topic

      Document Title

      Cisco IOS commands

      Cisco IOS Master Commands List, All Releases

      Security commands

      Technical Assistance

      Description

      Link

      The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

      http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

      Feature Information for Standard IP Access List Logging

      The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

      Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.
      Table 1 Feature Information for Standard IP Access List Logging

      Feature Name

      Releases

      Feature Information

      Standard IP Access List Logging

      The Standard IP Access List Logging feature provides the ability to log messages about packets that are permitted or denied by a standard IP access list. Any packet that matches the access list logs an information message about the packet at the device console.

      Was this Document Helpful?

      FeedbackFeedback

      Contact Cisco

      Related Cisco Community Discussions

      About Us
      Contact Us
      Work with Us