Cisco Nexus 7K/5K - Logging denies ACL

josebautista
Level 1

Hello all,

I'm setting up the logging for Nexus 5k/7K, and after following the guides + this article

https://supportforums.cisco.com/community/netpro/network-infrastructure/switching/blog/2010/11/18/nexus-7000-acl-logging-oal

I wasn't able to see the "deny" logs when a packet gets denied...

This is what I’m doing:

1. Create an ACL:

    ip access-list int_Vlan351_out
      statistics per-entry
      10 deny ip 172.16.42.32/32 172.18.2.12/32 log
      20 permit ip any any

2. Then I tried to connect to that box (of course it's denied). I got:

    IP access list int_Vlan351_out
            statistics per-entry
            10 deny ip 172.16.42.32/32 172.18.2.12/32 log [match=3]
            20 permit ip any any [match=177]

    2013 Feb 14 21:23:31.140 MOP-NX-7K-01-qaMZ %ACLLOG-3-ACLLOG_FLOW_INTERVAL: Source IP: 172.16.42.32, Destination IP: 172.18.2.12, Source Port: 65498, Destination Port: 23, Source Interface: Ethernet7/47, Protocol: "TCP"(6), Hit-count = 3

3. But I don't see the "DENY" in the logs, telling me that the packet has been denied! (as we normally see in the logs for the ACLs). In my SYSLOG server I see:

    Feb 15 12:04:11 mop-nx-7k-01-qamz.qa.sfcommerce.com : 2013 Feb 15 17:04:05.114 UTC: %ACLLOG-3-ACLLOG_FLOW_INTERVAL: Source IP: 172.16.42.32, Destination IP: 172.18.2.12, Source Port: 53849, Destination Port: 23, Source Interface: Ethernet7/47, Protocol: "TCP"(6), Hit-count = 3

(It doesn’t say DENY!)

When I talked to Cisco TAC, they mentioned that this is a BUG:

CSCte69784    Nexus ACL should indicate if log entry was due to a permit or deny ACE

CSCth67151    ACLLOG needs to identify the name of ACL that pkts are matched

But for me it doesn't make sense, not being able to see the "Deny" in the logs..

Does anyone have the same experience??

Thanks

Jose
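Because the ACLLOG_FLOW_INTERVAL message in the post names neither the ACL nor whether the matching ACE was a permit or a deny, one way to recover that on the collector side is to re-evaluate the logged flow against the ACL as configured, first match wins as on the switch. The following is an added example written for this thread, not code from the original post or from Cisco; the ACL text and the syslog line are constructed from the post, it assumes CIDR-style ACEs as shown there, and it ignores port qualifiers.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the post: the ACL as configured and one
# ACLLOG_FLOW_INTERVAL syslog line (which names no ACL and no permit/deny action).
ACL_CONFIG = """\
ip access-list int_Vlan351_out
  statistics per-entry
  10 deny ip 172.16.42.32/32 172.18.2.12/32 log
  20 permit ip any any
"""
SYSLOG_LINE = ('2013 Feb 14 21:23:31.140 MOP-NX-7K-01-qaMZ %ACLLOG-3-ACLLOG_FLOW_INTERVAL: '
               'Source IP: 172.16.42.32, Destination IP: 172.18.2.12, Source Port: 65498, '
               'Destination Port: 23, Source Interface: Ethernet7/47, Protocol: "TCP"(6), Hit-count = 3')

# ACE line: <seq> <permit|deny> <proto> <src> <dst> [qualifiers...] ; qualifiers (ports, log) kept in 'rest'
ACE_RE = re.compile(r'^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$')
LOG_RE = re.compile(r'Source IP: (\S+), Destination IP: (\S+),.*Protocol: "(\w+)"\((\d+)\)')
PROTO_NAMES = {1: 'icmp', 6: 'tcp', 17: 'udp'}   # assumed mapping from the numeric protocol in the log

def to_net(tok):
    """'any' or a CIDR token -> ip_network (assumption: no 'host' keyword in the ACL text)."""
    return ipaddress.ip_network('0.0.0.0/0' if tok == 'any' else tok, strict=False)

def parse_acl(text):
    """Return (acl_name, [(seq, action, proto, src_net, dst_net, has_log), ...])."""
    name, aces = None, []
    for line in text.splitlines():
        if line.startswith('ip access-list '):
            name = line.split()[2]
            continue
        m = ACE_RE.match(line)
        if m:
            seq, action, proto, src, dst, rest = m.groups()
            aces.append((int(seq), action, proto, to_net(src), to_net(dst), ' log' in rest))
    return name, aces

def classify_flow(syslog_line, acl_text):
    """Evaluate the logged flow against the ACL, first matching ACE wins.
    Returns (acl_name, seq, action, ace_has_log) or None if nothing matches.
    ace_has_log False means this ACE could not have produced an ACLLOG message."""
    m = LOG_RE.search(syslog_line)
    if not m:
        return None
    src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    proto_name = PROTO_NAMES.get(int(m.group(4)))
    name, aces = parse_acl(acl_text)
    for seq, action, proto, src_net, dst_net, has_log in aces:
        if proto in ('ip', proto_name) and src in src_net and dst in dst_net:
            return name, seq, action, has_log
    return None
```

Run on the constructed line this reports ACE 10 of int_Vlan351_out, action deny, which is the information missing from the switch's own message.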
