Logging Access List Activity
Only ACEs in the access list generate logging messages; the implicit deny at the end of the access list
Note
does not generate a message. If you want all denied traffic to generate messages, add the implicit ACE
manually to the end of the access list, as follows.
hostname(config)# access-list TEST deny ip any any log
The log options at the end of the extended access-list command lets you to set the following behavior:
•
•
•
System log message 106100 is in the following form:
%XXX-n-106100: access-list acl_id {permitted | denied} protocol
interface_name/source_address(source_port) -> interface_name/dest_address(dest_port)
hit-cnt number ({first hit | number-second interval})
When you enable logging for message 106100, if a packet matches an ACE, the FWSM creates a
flow entry to track the number of packets received within a specific interval. The FWSM generates a
system log message at the first hit and at the end of each interval, identifying the total number of hits
during the interval. At the end of each interval, the FWSM resets the hit count to 0. If no packets match
the ACE during an interval, the FWSM deletes the flow entry.
Note
An ACL only denies SYN packets, so if another type of packet comes in, that packet will not show up
in the access-list hit counters. TCP packet types other than SYN packets (including RST, SYN-ACK,
ACK, PSH, and FIN) are dropped by the FWSM before they can be dropped by an access list. Only SYN
packets can create a session in the Adaptive Security Algorithm, so only SYN packets are assessed by
the access list.
A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source
port might differ for a new connection between the same two hosts, you might not see the same flow
increment because a new flow was created for the connection.
Permitted packets that belong to established connections do not need to be checked against access lists;
only the initial packet is logged and included in the hit count. For connectionless protocols, such as
ICMP, all packets are logged even if they are permitted, and all denied packets are logged.
See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log
Messages for detailed information about this system log message.
Configuring Logging for an ACE
To configure logging for an ACE, see the following information about the log option:
hostname(config)# access-list access_list_name [extended] {deny | permit}...[log [[level]
[interval secs] | disable | default]]
See the
syntax.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
13-26
Enable message 106100 instead of message 106023
Disable all logging
Return to the default logging using message 106023
"Adding an Extended Access List" section on page 13-6
Chapter 13
Identifying Traffic with Access Lists
for complete access-list command
OL-20748-01