Logging for DACLs

anthonylofreso
Level 4

Hello all,

Is anybody successfully using 'log' at the end of their ACEs within a DACL?

We've been running dot1x for quite some time now. I'm beginning to alter my policies to push a 'permit ip any any log' DACL to specific hosts. I'm finding that on almost every switch in our environment, no logging is sent to the switch's log buffer for hits on that DACL.

The exception is a 4500 (Sup 7L-E) running v03.06.08.E. This behavior is not listed in any release notes as new functionality, and I cannot find when it became a supported feature. I've opened a TAC case, and there's an associated bug ID (CSCvj79680). I've also come across a community post from 2 years ago with the same issue: https://community.cisco.com/t5/policy-and-access/dacl-logging-in-ise/td-p/2894112

Just looking for any information out there I may not know about. I'm also trying to get a little more traction behind this issue in the hope that it'll get onto dev roadmaps to fix. The more we actively work to push DACLs, the more limitations we've found along the way.

Example output from the aforementioned 4500 switch:

729008: Jul 19 13:27:12.393 EDT: %SEC-6-IPACCESSLOGP: list NACL_xACSACLx-IP-mersive_dacl-5b3ba851 denied udp 172.16.60.22(1312) -> 8.8.8.8(53), 1 packet 
729009: Jul 19 13:28:11.953 EDT: %SEC-6-IPACCESSLOGP: list NACL_xACSACLx-IP-mersive_dacl-5b3ba851 denied udp 172.16.60.22(24296) -> 8.8.8.8(53), 1 packet 
729010: Jul 19 13:28:21.959 EDT: %SEC-6-IPACCESSLOGP: list NACL_xACSACLx-IP-mersive_dacl-5b3ba851 denied udp 172.16.60.22(55324) -> 8.8.8.8(53), 1 packet 
729011: Jul 19 13:30:12.392 EDT: %SEC-6-IPACCESSLOGP: list NACL_xACSACLx-IP-mersive_dacl-5b3ba851 denied udp 172.16.60.22(7806) -> 8.8.8.8(53), 1 packet 
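Two practical checks before assuming the platform is not logging dACL hits: %SEC-6-IPACCESSLOGP is a severity-6 (informational) message, so the buffer only shows it if `logging buffered` is at informational or debugging; and IOS ACL logging is rate-limited and summarised (first match logged, later matches rolled into periodic summary lines, with a %SEC-6-IPACCESSLOGRL notice when packets were not counted), so per-line packet counts under-report. The script below is an added example, not part of the post and not Cisco code: it parses the 4500's %SEC-6-IPACCESSLOGP lines quoted above, strips the platform prefix and the ISE hash from the ACL name to recover the dACL name, folds the IPACCESSLOGRL "missed" counter in, and summarises repeated denied flows per source/destination/port so that, for example, the repeated DNS denials to 8.8.8.8 stand out. The first four sample lines are the post's own output; the permitted TCP line and the rate-limit line are constructed additions so that those code paths are exercised.

```python
"""Parse and summarise IOS %SEC-6-IPACCESSLOGP messages generated by a dACL ACE
that ends in 'log'.  Added example; not from the post or from Cisco."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# First four lines: the 4500 output quoted in the post.
# Last two lines: constructed (a permitted TCP hit and a rate-limit notice).
SAMPLE_LOG = """\
729008: Jul 19 13:27:12.393 EDT: %SEC-6-IPACCESSLOGP: list NACL_xACSACLx-IP-mersive_dacl-5b3ba851 denied udp 172.16.60.22(1312) -> 8.8.8.8(53), 1 packet
729009: Jul 19 13:28:11.953 EDT: %SEC-6-IPACCESSLOGP: list NACL_xACSACLx-IP-mersive_dacl-5b3ba851 denied udp 172.16.60.22(24296) -> 8.8.8.8(53), 1 packet
729010: Jul 19 13:28:21.959 EDT: %SEC-6-IPACCESSLOGP: list NACL_xACSACLx-IP-mersive_dacl-5b3ba851 denied udp 172.16.60.22(55324) -> 8.8.8.8(53), 1 packet
729011: Jul 19 13:30:12.392 EDT: %SEC-6-IPACCESSLOGP: list NACL_xACSACLx-IP-mersive_dacl-5b3ba851 denied udp 172.16.60.22(7806) -> 8.8.8.8(53), 1 packet
729012: Jul 19 13:31:02.100 EDT: %SEC-6-IPACCESSLOGP: list NACL_xACSACLx-IP-mersive_dacl-5b3ba851 permitted tcp 172.16.60.22(50110) -> 172.16.10.5(443), 12 packets
729013: Jul 19 13:32:12.393 EDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 13 packets
"""

LOGP_RE = re.compile(
    r"^(?:\d+: )?[*.]?"                                    # optional seq number, clock flag
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)? \w+): "   # timestamp and zone
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)
LOGRL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed (?P<missed>\d+) packets?"
)


@dataclass(frozen=True)
class AclHit:
    timestamp: str
    acl: str      # name exactly as the switch reports it
    dacl: str     # ISE dACL name with platform prefix and hash stripped
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int


def dacl_name(acl: str) -> str:
    """Recover the ISE dACL name from the switch's ACL name.
    ISE downloads dACLs as xACSACLx-IP-<name>-<hash>; the 4500 in the post
    prepends NACL_ to that.  Names in any other shape are returned unchanged."""
    name = acl[len("NACL_"):] if acl.startswith("NACL_") else acl
    if name.startswith("xACSACLx-IP-"):
        name = name[len("xACSACLx-IP-"):].rsplit("-", 1)[0]
    return name


def parse_line(line: str) -> Optional[AclHit]:
    m = LOGP_RE.match(line.strip())
    if not m:
        return None
    return AclHit(
        timestamp=m["ts"], acl=m["acl"], dacl=dacl_name(m["acl"]),
        action=m["action"], proto=m["proto"],
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), count=int(m["count"]),
    )


def parse_log(text: str) -> Tuple[List[AclHit], int]:
    """Return (hits, missed): missed is the total the switch reported as
    rate-limited or missed, i.e. matches that never produced a log line."""
    hits: List[AclHit] = []
    missed = 0
    for line in text.splitlines():
        hit = parse_line(line)
        if hit is not None:
            hits.append(hit)
            continue
        rl = LOGRL_RE.search(line)
        if rl:
            missed += int(rl["missed"])
    return hits, missed


@dataclass
class Flow:
    packets: int = 0
    sports: Set[int] = field(default_factory=set)   # distinct ephemeral ports seen
    first: str = ""
    last: str = ""


Key = Tuple[str, str, str, str, str, int]   # (dacl, action, proto, src, dst, dport)


def summarize(hits: List[AclHit]) -> Dict[Key, Flow]:
    """Group hits by dACL/action/proto/src/dst/dport, collapsing source ports."""
    out: Dict[Key, Flow] = {}
    for h in hits:
        f = out.setdefault((h.dacl, h.action, h.proto, h.src, h.dst, h.dport), Flow())
        f.packets += h.count
        f.sports.add(h.sport)
        f.first = f.first or h.timestamp
        f.last = h.timestamp
    return out


def repeated_denials(hits: List[AclHit], min_flows: int = 3) -> List[Key]:
    """Sources with at least min_flows distinct denied connections to one dst:port."""
    return [k for k, f in summarize(hits).items()
            if k[1] == "denied" and len(f.sports) >= min_flows]


if __name__ == "__main__":
    hits, missed = parse_log(SAMPLE_LOG)
    for k, f in summarize(hits).items():
        print(k, f"{f.packets} packets over {len(f.sports)} flows, {f.first} -> {f.last}")
    print("repeated denials:", repeated_denials(hits))
    print("matches the switch rate-limited or missed:", missed)
```

Because the switch summarises and rate-limits, treat the per-line counts as a lower bound and carry the IPACCESSLOGRL total alongside them; if you need every hit counted, that is a job for NetFlow or a span rather than ACL `log`.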