this is for 6509 w/ L3

Terry

The issue that you encounter is not platform specific but is general accross IOS. If the access list does not examine ports (if the permit and deny is based solely on IP addresses) then the log entries can not report vlaues for ports. If the access list does check ports then the log can report port values.

I believe that if you add these entries to the accesss list that you will get the port values that you want:

access-list 110 deny tcp 10.0.0.0 0.255.255.255 range 1 65535 any range 1 65535

access-list 110 deny udp 10.0.0.0 0.255.255.255 range 1 65535 any range 1 65535

access-list 110 deny ip 10.0.0.0 0.255.255.255 any

HTH

Rick

setup the acl with:

---denies_here---

permit tcp any any log

permit udp any any log

permit icmp any any log

permit ip any any log

set the logging level to 6(informational) and send the output to a syslog server (or increase the logging buffer and send it to the local buffer)**....however note the following:

The 6500 performance-wise is optimized for the acls to be executed from hardware (tcam programming). If you add the 'logging' keyword to the acl it will force acl processing into software. You should see logging entries and accumalation, however the performance will suffer. I may do this for testing but not as a long term solution. If feasable, a NAM module for the 6500 would be a good long-term solution. A cheaper solution than that would be just to SPAN the vlan(s) to an interface with PC running Ethereal(sniffer) and collect copies of traffic. Both NAM and SPAN have much less impact on performance than forcing acls into software.

**(if you do not get any output from the above, you can always issue a 'debug ip packet acl# detail', set the logging level to 7(debug). Just be careful in a production environment not to enable console logging or the cpu may shoot up) however before taking this step, look into control plane policing.