When logging is enabled in an SGACL, the switch logs hits on the logging-enabled ACEs as follows. The log option applies to individual ACEs and causes packets that match the ACE to be logged. The first packet matched by an ACE with the log keyword generates a syslog message. Subsequent matches are not logged individually: if the logging-enabled ACE matches another packet with characteristics identical to the packet that generated the message, a match counter is incremented instead, and the accumulated count is reported in a follow-up syslog message at five-minute intervals.
To enable logging, add the log keyword at the end of the ACE definition in the SGACL configuration, for example, permit ip log.
The following is a sample log message. It displays the SGACL name, the action of the matched ACE (permit or deny), the protocol (TCP, UDP, IGMP, or ICMP), the source and destination IP addresses and ports, and the source and destination SGTs (SGT and DGT):
*Jun 2 08:58:06.489: %C4K_IOSINTF-6-SGACLHIT: list deny_udp_src_port_log-30 Denied udp 24.0.0.23(100) -> 28.0.0.91(100), SGT8 DGT 12
In addition to the existing per-cell SGACL statistics, which you can display with the show cts role-based counters command, you can display per-ACE statistics with the show ip access-list sgacl_name command. No additional configuration is required for this.
The following example shows how to use the show ip access-list command to display the per-ACE match counts:
Switch# show ip access-list deny_udp_src_port_log-30
Role-based IP access list deny_udp_src_port_log-30 (downloaded)
10 deny udp src eq 100 log (283 matches)
20 permit ip log (50 matches)
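As an added example, not part of this guide or of Cisco's own tooling, the following Python script parses the two outputs shown above: it extracts the fields of %C4K_IOSINTF-6-SGACLHIT syslog messages and summarizes Denied hits per SGT/DGT pair, and it reads the per-ACE match counts from show ip access-list output and reports which ACEs grew between two snapshots (treating a drop as a counter clear). The sample syslog lines and show output are constructed for this example from the single message and the counter listing in the text; the Permitted action string and the exact spacing of the SGT/DGT fields are assumptions.

```python
"""Parse Cisco TrustSec SGACL logging output (added example, not Cisco code).

Two parsers: one for %C4K_IOSINTF-6-SGACLHIT syslog messages, one for the
per-ACE match counters printed by 'show ip access-list <sgacl_name>'.
All sample data below is constructed for this example.
"""
import re
from collections import Counter

# Field layout follows the one sample message in the guide:
#   list <name> <Action> <proto> <src>(<sport>) -> <dst>(<dport>), SGT<n> DGT <n>
# The sample writes "SGT8" but "DGT 12", so the space after SGT/DGT is optional.
# "Permitted" as the action string for permit ACEs is an assumption.
SGACLHIT_RE = re.compile(
    r"%C4K_IOSINTF-6-SGACLHIT: list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"SGT\s*(?P<sgt>\d+) DGT\s*(?P<dgt>\d+)"
)

# One ACE line of 'show ip access-list', e.g. "10 deny udp src eq 100 log (283 matches)"
ACE_RE = re.compile(r"^\s*(?P<seq>\d+) (?P<ace>.+?) \((?P<matches>\d+) matches?\)\s*$")

# Constructed syslog batch: the guide's sample, a later five-minute report for the
# same flow, an assumed Permitted hit, and an unrelated message that must be ignored.
SYSLOG_SAMPLE = [
    "*Jun 2 08:58:06.489: %C4K_IOSINTF-6-SGACLHIT: list deny_udp_src_port_log-30 Denied udp 24.0.0.23(100) -> 28.0.0.91(100), SGT8 DGT 12",
    "*Jun 2 09:03:06.512: %C4K_IOSINTF-6-SGACLHIT: list deny_udp_src_port_log-30 Denied udp 24.0.0.23(100) -> 28.0.0.91(100), SGT8 DGT 12",
    "*Jun 2 09:03:07.001: %C4K_IOSINTF-6-SGACLHIT: list deny_udp_src_port_log-30 Permitted tcp 24.0.0.50(44123) -> 28.0.0.91(443), SGT8 DGT 12",
    "*Jun 2 09:04:00.000: %SYS-5-CONFIG_I: Configured from console by admin",
]

# Constructed 'show ip access-list' snapshots: the guide's listing, then a later one.
SHOW_BEFORE = """Role-based IP access list deny_udp_src_port_log-30 (downloaded)
    10 deny udp src eq 100 log (283 matches)
    20 permit ip log (50 matches)
"""
SHOW_AFTER = """Role-based IP access list deny_udp_src_port_log-30 (downloaded)
    10 deny udp src eq 100 log (291 matches)
    20 permit ip log (50 matches)
"""


def parse_sgacl_hit(line):
    """Return the fields of one SGACLHIT message as a dict, or None for other messages."""
    m = SGACLHIT_RE.search(line)
    if not m:
        return None
    hit = m.groupdict()
    for key in ("sport", "dport", "sgt", "dgt"):
        hit[key] = int(hit[key])
    return hit


def summarize_denies(lines):
    """Count Denied SGACLHIT messages per (SGT, DGT, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        hit = parse_sgacl_hit(line)
        if hit and hit["action"] == "Denied":
            counts[(hit["sgt"], hit["dgt"], hit["proto"], hit["dport"])] += 1
    return counts


def parse_ace_counters(show_output):
    """Return {sequence_number: match_count} from 'show ip access-list' output."""
    counters = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            counters[int(m["seq"])] = int(m["matches"])
    return counters


def counter_deltas(before, after):
    """ACEs whose match count grew between two snapshots, as {seq: new_matches}.

    A count lower than the previous snapshot means the counters were cleared in
    between, so the whole current value is treated as new.
    """
    deltas = {}
    for seq, now in after.items():
        prev = before.get(seq, 0)
        grew = now if now < prev else now - prev
        if grew > 0:
            deltas[seq] = grew
    return deltas


if __name__ == "__main__":
    for key, n in summarize_denies(SYSLOG_SAMPLE).items():
        sgt, dgt, proto, dport = key
        print(f"SGT {sgt} -> DGT {dgt} {proto}/{dport}: {n} Denied reports")
    for seq, grew in counter_deltas(parse_ace_counters(SHOW_BEFORE),
                                    parse_ace_counters(SHOW_AFTER)).items():
        print(f"ACE {seq}: +{grew} matches since last snapshot")
```

Note that the syslog summary counts messages, not packets: after the first hit, further identical matches arrive only as five-minute reports, so the show ip access-list counters are the authoritative packet totals and the syslog stream tells you which SGT/DGT pairs are being denied.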