About ACL Contract Permit and Deny Logs
To log or monitor the traffic matched by a contract rule, you can enable and view logging of packets or flows that were permitted by contract permit rules, or of packets or flows that were dropped because of:
- Taboo contract deny rules
- Deny actions in contract subjects
- Contract or subject exceptions
Note the following restrictions:
- ACL contract permit logging in the ACI fabric is supported only on Cisco Nexus 9000 Series switches whose model names end in EX or FX, and on all later models (for example, N9K-C93180LC-EX or N9K-C9336C-FX).
- Deny logging in the ACI fabric is supported on all platforms.
- The log directive is not supported on filters in management contracts. Setting the log directive on such a filter causes zoning-rule deployment to fail.
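The following Python script is an added example, not Cisco's code. It builds the REST payload that attaches a filter to a contract subject with the ACL log directive and pre-checks the two restrictions above before anything is posted: leaf switches that cannot log permits are listed, and a log directive on a management-contract filter is refused instead of being sent to the APIC. Assumptions not stated on the page: the inventory is a constructed subset of a fabricNode class query, the vzRsSubjFiltAtt object's `directives` attribute carries the value `log`, tenant `mgmt` stands in for "management contract", and FX2/FX3/GX are the "later models" spelled out for the regex. Verify the attribute name and value against your own APIC (Visore or API Inspector) before use.

```python
"""Build a vzRsSubjFiltAtt payload with the log directive and pre-check the
two restrictions on ACL permit/deny logging (platform support, mgmt contracts).

Added example, not Cisco's code. Assumed (not on the page): fabricNode sample
below is constructed; vzRsSubjFiltAtt 'directives' accepts "log"; tenant "mgmt"
is the proxy for "management contract"; FX2/FX3/GX count as "later models".
"""
import json
import re

# Constructed inventory in the shape of GET /api/class/fabricNode.json (trimmed).
SAMPLE_NODES = [
    {"fabricNode": {"attributes": {"id": "101", "role": "leaf", "model": "N9K-C93180YC-EX"}}},
    {"fabricNode": {"attributes": {"id": "102", "role": "leaf", "model": "N9K-C9336C-FX2"}}},
    {"fabricNode": {"attributes": {"id": "103", "role": "leaf", "model": "N9K-C9396PX"}}},
    {"fabricNode": {"attributes": {"id": "201", "role": "spine", "model": "N9K-C9364C"}}},
]

# EX and FX come from the page; FX2, FX3 and GX are later generations added here
# as an assumption. Extend the alternation for the hardware in your fabric.
_PERMIT_LOG_CAPABLE = re.compile(r"-(EX|FX|FX2|FX3|GX)$")


def leaves_without_permit_logging(nodes):
    """Return [(node id, model)] for leaf switches that cannot log permits.

    Contract policy is enforced on leaf switches, so spines are skipped.
    Deny logging is supported on every platform and needs no check.
    """
    missing = []
    for obj in nodes:
        attrs = obj["fabricNode"]["attributes"]
        if attrs["role"] != "leaf":
            continue
        if not _PERMIT_LOG_CAPABLE.search(attrs["model"]):
            missing.append((attrs["id"], attrs["model"]))
    return missing


def subject_filter_payload(tenant, contract, subject, filter_name, log=True):
    """Return the vzRsSubjFiltAtt object binding filter_name to the subject.

    Raises ValueError rather than producing a payload that would make
    zoning-rule deployment fail (log directive on a management contract).
    """
    if log and tenant == "mgmt":
        raise ValueError(
            "log directive is not supported on management-contract filters; "
            "zoning-rule deployment would fail"
        )
    dn = f"uni/tn-{tenant}/brc-{contract}/subj-{subject}/rssubjFiltAtt-{filter_name}"
    return {
        "vzRsSubjFiltAtt": {
            "attributes": {
                "dn": dn,
                "tnVzFilterName": filter_name,
                "directives": "log" if log else "",
            }
        }
    }


if __name__ == "__main__":
    for node_id, model in leaves_without_permit_logging(SAMPLE_NODES):
        print(f"leaf {node_id} ({model}): permit logging unavailable, deny logging only")
    # POST the payload to https://<apic>/api/mo/uni.json with an authenticated session.
    print(json.dumps(subject_filter_payload("prod", "web-to-db", "sql", "allow-sql"), indent=2))
```

Run the platform check against a live `fabricNode` query before enabling permit logging; a contract whose permit rules land on a pre-EX leaf will simply produce no permit records on that switch, which is easy to misread as "no traffic".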
For information on standard and taboo contracts and subjects, see Cisco Application Centric Infrastructure Fundamentals and Cisco APIC Basic Configuration Guide.
EPG Data Included in ACL Permit and Deny Log Output
Before Cisco APIC Release 3.2(1), the ACL permit and deny logs did not identify the EPGs associated with the contracts being logged. Starting in Release 3.2(1), the source EPG and destination EPG are included in the output of ACL permit and deny logs, with the following limitations:
- Depending on the position of the EPG in the network, EPG data may not be available for the logs.
- When configuration changes occur, log data may be out of date. In steady state, log data is accurate.
The EPG data in the permit and deny logs is most accurate when the logs are focused on:
- Flows from EPG to EPG, where the ingress policy is installed on the ingress TOR and the egress policy is installed on the egress TOR.
- Flows from EPG to L3Out, where one policy is applied on the border leaf TOR and the other policy is applied on a non-border-leaf TOR.
EPG information in the log output is not supported for uSeg EPGs or for EPGs used in shared services (including shared L3Outs).
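The following Python script is an added example, not Cisco's code. It shows what the limitations above look like in practice: it parses a batch of permit/deny packet records, aggregates them per source EPG, destination EPG, protocol and port, and treats an empty EPG name as the expected outcome for uSeg EPGs, shared-service EPGs and records written during configuration churn. Where the name is missing it falls back to the pcTag carried in the record, using a map built from the EPG objects, and reports only what still cannot be resolved. Assumptions not stated on the page: the records are constructed to resemble `acllogDropL3Pkt` and `acllogPermitL3Pkt` query output, the attribute names (`srcEpgName`, `dstEpgName`, `srcPcTag`, `dstPcTag`, `vrfEncap`) are given from memory and must be checked against the object model of your APIC, and the pcTag map is a constructed stand-in for the `pcTag` attribute of `fvAEPg` objects.

```python
"""Summarize ACL permit/deny packet records and flag the ones whose EPG names
did not resolve, backfilling from pcTag where an EPG map allows it.

Added example, not Cisco's code. The imdata below is constructed; attribute
names are assumed from memory (verify on your APIC); PCTAG_TO_EPG is a
constructed stand-in for a map built from fvAEPg 'pcTag' attributes.
"""
import json
from collections import Counter

# Constructed records: two drops web->db tcp/22, one permit web->db tcp/3306,
# one drop to a uSeg EPG (name empty, pcTag present) and one drop to a shared
# L3Out (name empty, pcTag unknown to us). All values are made up.
SAMPLE_IMDATA = json.dumps({"totalCount": "5", "imdata": [
    {"acllogDropL3Pkt": {"attributes": {
        "srcIp": "10.1.1.10", "dstIp": "10.2.2.20", "protocol": "tcp",
        "srcPort": "51234", "dstPort": "22", "srcEpgName": "web", "dstEpgName": "db",
        "srcPcTag": "32770", "dstPcTag": "32771", "vrfEncap": "vxlan-2097152"}}},
    {"acllogDropL3Pkt": {"attributes": {
        "srcIp": "10.1.1.12", "dstIp": "10.2.2.20", "protocol": "tcp",
        "srcPort": "51290", "dstPort": "22", "srcEpgName": "web", "dstEpgName": "db",
        "srcPcTag": "32770", "dstPcTag": "32771", "vrfEncap": "vxlan-2097152"}}},
    {"acllogPermitL3Pkt": {"attributes": {
        "srcIp": "10.1.1.10", "dstIp": "10.2.2.20", "protocol": "tcp",
        "srcPort": "50001", "dstPort": "3306", "srcEpgName": "web", "dstEpgName": "db",
        "srcPcTag": "32770", "dstPcTag": "32771", "vrfEncap": "vxlan-2097152"}}},
    {"acllogDropL3Pkt": {"attributes": {
        "srcIp": "10.1.1.10", "dstIp": "10.3.3.30", "protocol": "tcp",
        "srcPort": "50002", "dstPort": "8443", "srcEpgName": "web", "dstEpgName": "",
        "srcPcTag": "32770", "dstPcTag": "32772", "vrfEncap": "vxlan-2097152"}}},
    {"acllogDropL3Pkt": {"attributes": {
        "srcIp": "10.1.1.11", "dstIp": "192.0.2.7", "protocol": "udp",
        "srcPort": "40000", "dstPort": "161", "srcEpgName": "web", "dstEpgName": "",
        "srcPcTag": "32770", "dstPcTag": "49153", "vrfEncap": "vxlan-2097152"}}},
]})

# Constructed pcTag -> EPG name map (in practice: fvAEPg 'pcTag' per EPG).
PCTAG_TO_EPG = {"32770": "web", "32771": "db", "32772": "app-useg"}


def parse_acl_log(imdata_json):
    """Return one flat dict per permit/drop L3 packet record; skip other classes."""
    records = []
    for obj in json.loads(imdata_json)["imdata"]:
        (cls, body), = obj.items()
        if cls == "acllogPermitL3Pkt":
            kind = "permit"
        elif cls == "acllogDropL3Pkt":
            kind = "drop"
        else:
            continue
        a = body["attributes"]
        records.append({
            "kind": kind,
            "srcIp": a["srcIp"], "dstIp": a["dstIp"],
            "protocol": a["protocol"], "dstPort": a["dstPort"],
            "srcEpg": a.get("srcEpgName", ""), "dstEpg": a.get("dstEpgName", ""),
            "srcPcTag": a.get("srcPcTag", ""), "dstPcTag": a.get("dstPcTag", ""),
        })
    return records


def backfill_epgs(records, pctag_map):
    """Fill empty EPG names from pcTag in place; return records still unresolved.

    Empty names are expected for uSeg EPGs, shared-service EPGs (including
    shared L3Outs) and, transiently, right after configuration changes.
    """
    unresolved = []
    for r in records:
        for side in ("src", "dst"):
            if not r[f"{side}Epg"]:
                r[f"{side}Epg"] = pctag_map.get(r[f"{side}PcTag"], "")
        if not r["srcEpg"] or not r["dstEpg"]:
            unresolved.append(r)
    return unresolved


def summarize(records):
    """Count records per (kind, src EPG, dst EPG, protocol, dst port); '?' = unknown EPG."""
    return Counter(
        (r["kind"], r["srcEpg"] or "?", r["dstEpg"] or "?", r["protocol"], r["dstPort"])
        for r in records
    )


if __name__ == "__main__":
    recs = parse_acl_log(SAMPLE_IMDATA)
    leftovers = backfill_epgs(recs, PCTAG_TO_EPG)
    for key, n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {key}")
    for r in leftovers:
        print(f"EPG unresolved: {r['srcIp']} -> {r['dstIp']} (pcTags {r['srcPcTag']}/"
              f"{r['dstPcTag']}); suspect uSeg, shared service, or a recent config change")
```

Because the page warns that log data can lag behind configuration changes, run the summary only once the fabric is back in steady state, or you will attribute traffic to EPGs that no longer own it.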