cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1898
Views
0
Helpful
5
Replies

logging ACL interface denies in N7K - OAL

CSCO11598534
Level 1
Level 1

Hello all!

Can someone please explain how ACL logging works in N7K?

I have used the following:

logging level acllog 5
logging logfile acllog 5
acllog match-log-level 5

1) What is the use of each command? According to Cisco, first two commands are supposed to have higher or equal value to the third command. What do we mean by "higher"? Higher severity or higher value?

2) The output is shown via "sh logging logfile". How can we enable/disable seeing the output in just "show logging"?

3) The output DO NOT show which ACL has matched. Even the command "show logg ip access-list cache" shows the interface where the packet first entered. Ho can we see which ACL matched?

Thank you!!

5 Replies 5

CSCO11598534
Level 1
Level 1
Hello people! Maybe someone can help me out here 🙂

Hi @CSCO11598534 

Allow me to answer your questions.

1) What is the use of each command?

Nexus-7000(config)# logging level acllog 5 
Nexus-7000(config)# logging level facility severity-level

This enables logging messages from the specified facility that have the specified severity level or higher (0,1,2,3,4,5)

 

Nexus-7000(config)# acllog match-log-level  5

This specifies the minimum severity level to log ACL matches. The default is 6 (informational). The range is from 0 (emergency) to 7 (debugging). Acllogs can only support logging levels of 3 or later (3,4,5,6,7)

 

 
Nexus-7000(config)# logging logfile acllog 5
Nexus-7000(config)# logging logfile
logfile-name severity-level [size bytes]

This command configures the name of the log file (acllog in your case) used to store system messages and the minimum severity level to log (5 in your case). You can optionally specify a maximum file size. The default severity level is 5.

 

According to Cisco, first two commands are supposed to have higher or equal value to the third command. What do we mean by "higher"? Higher severity or higher value?

This is from cfg guide:

The logging level for the acllog facility and the logging logfile severitymust be configured such that they are greater than or equal to the acllog match-log-level setting.   

So is the severity which needs to be higher.

 

2) The output is shown via "sh logging logfile". How can we enable/disable seeing the output in just "show logging"?

That is being controlled by "logging logfile" cmd. If you do not want to show the logs in logging file, (implicit show logging log) lower the severity to 6 or 7.  BUT, this contradicts with the requirements of higher or equal severity.

 

3) The output DO NOT show which ACL has matched. Even the command "show logg ip access-list cache" shows the interface where the packet first entered. Ho can we see which ACL matched?

Enter the logging ip access-list detailed command into the CLI in order to enable detailed logging. Here is an example:

Nexus-7000(config)# logging ip access-list detailed
ACL Log detailed Logging feature is enabled. Hit-count of existing ACL Flow entry will
be reset to zero and will contain Hit Count per ACL type Flow.
Nexus-7000(config)#

Here is an example logging output after detailed logging is enabled:

Nexus-7000(config)# show logging log
<snip>
Nexus7k-1-oal %ACLLOG-6-ACLLOG_FLOW_INTERVAL: Src IP: 10.10.10.1,
Dst IP: 172.16.10.10, Src Port: 0, Dst Port: 0, Src Intf: Ethernet4/5, Protocol:
"ICMP"(1), ACL Name: test1, ACE Action: Permit, Appl Intf: Ethernet4/5, Hit-count: 69
<\snip>

 

Hope it helps and stay safe!

Sergiu

Thank you very much.

It has been a long time since my post and it seems i need to get the basics first.

We have different sub-sections of logs,called facilities, correct?

We define the logging severity we want to match for each facility with:

# logging level facility severity-level

One of these facilities is  acllog which has to do with Access-lists, correct?

If yes, what does the following command add?

# acllog match-log-level  5

 Furthermore, What does the following command do? Does it define the name of the file that all logs (of all facilities) will be stored? And if yes, what is the use of the severity level, as we have already defined the level per facility?

# logging logfile TEST1 5

Thank you!!!

# acllog match-log-level  5

This command instructs the ACLLOG process to assign match logs severity 5.

# logging level acllog severity-level

This instructs the system to log events generated by ACLLOG which have the severity level mentioned in the command.

# logging logfile TEST1 5

This will redirect all logs with severity 5 (or higher) to a filename called logfile.

 

hope it helps,

Sergiu

Thanks Sergiu,

Still cannot see the difference between the first two commands. Both seem to configure the level for the ACLLOG facility.

Review Cisco Networking for a $25 gift card