When logging is enabled in SGACL, the device logs the following information:
The log option applies to individual ACEs and causes packets that match the ACE to be logged. The first packet logged by the
log keyword generates a syslog message. Subsequent log messages are generated and reported at five-minute intervals. If the
logging-enabled ACE matches another packet (with characteristics identical to the packet that generated the log message),
the number of matched packets is incremented (counters) and then reported.
To enable logging, use the log keyword in front of the ACE definition in the SGACL configuration. For example, permit ip log .
The following is a sample log, displaying source and destination SGTs, ACE matches (for a permit or deny action), and the
protocol, that is, TCP, UDP, IGMP, and ICMP information:
*Jun 2 08:58:06.489: %C4K_IOSINTF-6-SGACLHIT: list deny_udp_src_port_log-30 Denied
udp 184.108.40.206(100) -> 220.127.116.11(100), SGT8 DGT 12
In addition to the existing ‘per cell’ SGACL statistics, which can be displayed using the show cts role-based counters command, you can also display ACE statistics, by using the show ip access-list sgacl_name command. No additional configuration is required for this.
The following example shows how you can use the show ip access-list command to display the ACE count:
Device# show ip access-control deny_udp_src_port_log-30
Role-based IP access list deny_udp_src_port_log-30 (downloaded)
10 deny udp src eq 100 log (283 matches)
20 permit ip log (50 matches)
When the incoming traffic matches the cell, but does not match the SGACL of the cell, the traffic is allowed and the counters
are incremented in the HW-Permit for the cell.
The following example shows how the SGACL of a cell works:
The SGACL policy is configured from 5 to 18 with “deny icmp echo” and there is incoming traffic from 5 to 18 with TCP header.
If the cell matches from 5 to 18 but traffic does not match with icmp, traffic will be allowed and HW-Permit counter of cell
5 to 18 will get incremented.
Device# show cts role-based permissions from 5 to 18
IPv4 Role-based permissions from group 5:sgt_5_Contractors to group 18:sgt_18_data_user2:sgacl_5_18-01
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
Device# show ip access-lists sgacl_5_18-01
Role-based IP access list sgacl_5_18-01 (downloaded)
10 deny icmp echo log (1 match)
Device# show cts role-based counters from 5 to 18
Role-based IPv4 counters
From To SW-Denied HW-Denied SW-Permitt HW-Permitt SW-Monitor HW-Monitor
5 18 0 0 0 1673202 0 0