08-02-2018 07:48 AM
Hi Experts,
I just need a simple yes or no. Does logging work for dACLs, and if it does work, how do we see the logging info?
Much appreciated,
-Robert
08-02-2018 10:05 AM
Ok, I'm testing with the 12-port version of that switch, running code 15.2(6)E1.
I also see hits:
Extended IP access list shure_acl
    5 permit igmp any any (15 matches)
    10 permit udp any eq snmptrap any
    20 permit udp any range 319 320 any
    30 permit udp any eq 2203 any
    40 permit udp any eq 4321 any
    50 permit udp any range 14336 14600 any
    60 permit udp any eq 4440 any
    70 permit udp any eq 4444 any
    80 permit udp any eq 4455 any
    90 permit udp any eq 5353 any (7 matches)
    100 permit udp any range 8700 8706 any (275 matches)
    110 permit udp any eq 8800 any
    120 permit udp any eq 8751 any
    130 permit udp any range 16000 65535 any
    140 permit icmp any any
    150 permit udp any any eq bootpc
    160 permit udp any 10.0.0.0 0.255.255.255 eq ntp
    170 permit tcp any 10.0.0.0 0.255.255.255 eq domain
    180 permit udp any 10.0.0.0 0.255.255.255 eq domain
    190 permit ip any host 10.200.105.31
    200 permit ip any host 10.200.105.32
    210 permit ip any host 10.200.105.33
    220 permit ip any host 10.200.105.34
    230 permit ip any host 10.200.105.35
    240 deny ip any any log (98 matches)
However, ACE #240 with the 'log' syntax does not log to the switch buffer.
In other words, if I do a 'sh log' I never see any entries for the DACL.
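The post above shows the only place a hardware-applied dACL leaves evidence: the per-ACE match counters in `show access-lists`, not the syslog buffer, even when the ACE carries `log`. The following is an added example, not code from the thread or from Cisco, that parses that output (it accepts both the normal one-ACE-per-line form and the flattened single-line form seen above) and flags deny ACEs with `log` that have non-zero hits, so an operator polling the switch can treat the counters as the detection signal. The sample input is a constructed, shortened copy of the ACL posted above; the names `parse_access_lists` and `unlogged_denies` are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: the flattened `show access-lists` output posted in the
# thread, shortened to six ACEs. Real output is usually one ACE per line; the
# parser accepts both shapes.
SAMPLE = (
    "Extended IP access list shure_acl 5 permit igmp any any (15 matches) "
    "10 permit udp any eq snmptrap any "
    "90 permit udp any eq 5353 any (7 matches) "
    "100 permit udp any range 8700 8706 any (275 matches) "
    "230 permit ip any host 10.200.105.35 "
    "240 deny ip any any log (98 matches)"
)

# A new unit starts at an ACL header or at "<seq> permit|deny".
SPLIT_RE = re.compile(
    r"\s+(?=(?:Standard|Extended) IP access list\b|\d+\s+(?:permit|deny)\b)"
)
HEADER_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)$")
# IOS prints "(1 match)" or "(N matches)"; the counter is absent when zero.
ACE_RE = re.compile(
    r"^(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?$"
)


@dataclass
class Ace:
    seq: int
    action: str
    rule: str
    matches: int
    logs: bool  # ACE carries the 'log' or 'log-input' keyword


@dataclass
class AccessList:
    name: str
    aces: List[Ace] = field(default_factory=list)


def parse_access_lists(text: str) -> List[AccessList]:
    """Parse `show access-lists` output into AccessList objects.

    Lines are joined first, so a block that was flattened onto one line
    (as in the thread) parses the same as the one-ACE-per-line form.
    """
    flat = " ".join(part.strip() for part in text.splitlines() if part.strip())
    acls: List[AccessList] = []
    for chunk in SPLIT_RE.split(flat):
        header = HEADER_RE.match(chunk)
        if header:
            acls.append(AccessList(header.group(1)))
            continue
        ace = ACE_RE.match(chunk)
        if not ace or not acls:
            continue  # remarks or text before the first header are ignored
        seq, action, rule, count = ace.groups()
        tokens = rule.split()
        acls[-1].aces.append(
            Ace(int(seq), action, rule, int(count or 0),
                any(t in ("log", "log-input") for t in tokens))
        )
    return acls


def unlogged_denies(acls: List[AccessList]) -> List[Tuple[str, int, int]]:
    """Deny ACEs with a 'log' keyword that show non-zero hits.

    On a hardware-applied dACL these hits appear in the counters but never in
    `show logging`, so the counters are the only evidence of dropped traffic.
    """
    return [
        (acl.name, ace.seq, ace.matches)
        for acl in acls
        for ace in acl.aces
        if ace.action == "deny" and ace.logs and ace.matches > 0
    ]


if __name__ == "__main__":
    parsed = parse_access_lists(SAMPLE)
    for acl in parsed:
        print(f"ACL {acl.name}: {len(acl.aces)} ACEs")
        for ace in acl.aces:
            print(f"  {ace.seq:>4} {ace.action:<6} {ace.rule} ({ace.matches} matches)")
    for name, seq, hits in unlogged_denies(parsed):
        print(f"{name} seq {seq}: {hits} denied packets; read counters, not syslog")
```

Run it against the pasted output of `show access-lists` (for example, collected over SSH on a schedule); a rising counter on the flagged deny entry between polls is the practical substitute for the syslog line the `log` keyword would otherwise produce.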
08-02-2018 08:15 AM
TY much.
08-02-2018 08:09 AM
I just checked using a switch in my lab and was able to see if there were matches from a dACL sent by ISE. I used "show access-lists." Hope that helps
Regards,
Tim
08-02-2018 08:14 AM
Do you see actual hits, or just that the ACLs now exist on the device?
08-02-2018 08:31 AM
What model switch, and what version of code? Also, paste the output?
I had a TAC case open for a good month (684684694 if you're interested). I have dACL logging working on one switch in our environment on a specific version of code. But this functionality isn't listed in any of the release notes as a new feature. Using the feature search tool gives no good results either.
08-02-2018 09:08 AM
It's a little 12-port switch used for testing.
S-SecurityTestDEV#sho ver
Cisco IOS Software, C3560CX Software (C3560CX-UNIVERSALK9-M), Version 15.2(4)E2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Mon 27-Jun-16 09:08 by prod_rel_team
ROM: Bootstrap program is C3560CX boot loader
BOOTLDR: C3560CX Boot Loader (C3560CX-HBOOT-M) Version 15.2(3r)E2, RELEASE SOFTWARE (fc2)
S-SecurityTestDEV uptime is 2 hours, 12 minutes
System returned to ROM by power-on
System restarted at 08:52:55 CDT Thu Aug 2 2018
System image file is "flash:/c3560cx-universalk9-mz.152-4.E2/c3560cx-universalk9-mz.152-4.E2.bin"
Last reload reason: power-on
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 12 WS-C3560CX-8PC-S 15.2(4)E2 C3560CX-UNIVERSALK9-M
04-29-2019 11:52 PM
I learned that these ACLs are processed in hardware, and the hit count option is for access lists processed in software, like the ones applied on SVIs or layer 3 interfaces. So it looks like you may not see the hits, unless the switch you have processes this in a different way.