topic Re: Cisco 4500x Viewing VLAN Interface ACL Logging in Network Security

Cisco 4500x Viewing VLAN Interface ACL Logging

OSUOPT — Fri, 12 Jan 2024 16:18:52 GMT

Hello I am attempting to figure out an odd Inbound ACL issue where for some reason none of the traffic that is going to a VLAN is not matching any of the subnets (In the case for the two I am testing they are coming through the edge firewall first that I have permitted in the ACL and will only match to a "permit ip any any".

Here is the ACL that I have temporary applied to log traffic running to it.

Extended IP access list "name"
10 permit ip any any log (14 match)

Is there a way to check and see the source and destination traffic information on the cisco 4500x itself or force it to log and send those type of logs to my syslog?

Here is my current logging setup

logging buffered informational
logging console informational
logging monitor informational

ip access-list log-update threshold 10

logging host x.x.x.x

Re: Cisco 4500x Viewing VLAN Interface ACL Logging

MHM Cisco World — Fri, 12 Jan 2024 16:23:20 GMT

Did you add log to end of acl?

Are this acl is port-acl or vlan acl?

MHM

Re: Cisco 4500x Viewing VLAN Interface ACL Logging

OSUOPT — Fri, 12 Jan 2024 16:27:12 GMT

I have log in the line "10 permit ip any any log". Do I need to add another line to that ACL separately to have it log?

This ACL is applied to a VLAN interface

Re: Cisco 4500x Viewing VLAN Interface ACL Logging

MHM Cisco World — Fri, 12 Jan 2024 16:39:12 GMT

are this ACL apply OUT or IN ?
MHM

Re: Cisco 4500x Viewing VLAN Interface ACL Logging

OSUOPT — Fri, 12 Jan 2024 16:41:11 GMT

The ACL is applied IN

Re: Cisco 4500x Viewing VLAN Interface ACL Logging

Rob Ingram — Fri, 12 Jan 2024 16:46:12 GMT

@OSUOPT use "logging trap <level>" to set syslog logging and obviously the "logging host".

Re: Cisco 4500x Viewing VLAN Interface ACL Logging

OSUOPT — Fri, 12 Jan 2024 16:52:55 GMT

Forgot to include logging trap but I have that set to "logging trap informational" and I do have the logging host set as mentioned in the initial but without the IP set for it

Re: Cisco 4500x Viewing VLAN Interface ACL Logging

MHM Cisco World — Fri, 12 Jan 2024 16:54:11 GMT

use log-input instead of log
MHM

Re: Cisco 4500x Viewing VLAN Interface ACL Logging

OSUOPT — Fri, 12 Jan 2024 17:01:53 GMT

Just updated the ACL with to include log-input instead of log and with log-input that should show where the packets come from correct?

Re: Cisco 4500x Viewing VLAN Interface ACL Logging

MHM Cisco World — Fri, 12 Jan 2024 17:06:14 GMT

Yes and also I hope it appear for each source/destination
what in my mind

the log is not generate when each packet hit the ACL but when first packet hit the ACL then if same packet same ACL it generate log in specific rate
I hope when we use log-input we get log for each destination.
try it and check
MHM

Re: Cisco 4500x Viewing VLAN Interface ACL Logging

Rob Ingram — Fri, 12 Jan 2024 17:07:39 GMT

@OSUOPT the log-input option will contain the ingress interface and source MAC address information.

The log option would be enough to tell you the source and destination though? example:-

*Jan 12 16:53:56.537: %SEC-6-IPACCESSLOGDP: list ACL permitted icmp 192.168.10.2 -> 192.168.10.1 (0/0), 5