06-16-2014 03:15 AM
Hello, running L3 version on SG300-10, but the ACL does not allow 'log-input' to be attached to a deny:
core-switch(config-if)#ip access-list extended test
core-switch(config-ip-al)#$17.35.181 0.0.0.0 any 172.16.32.4 0.0.0.0 1723
dscp Configure DSCP filtering.
precedence Configure IP-PRECEDENCE filtering.
match-all List of TCP flags that should occur. If a flag should
be set it is prefixed by "+".If a flag should be unset
it is prefixed by "-". Available options are +urg,
+ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst,
-syn and -fin.To define more than 1 flag - enter
additional flags one after another without a space
(example +syn-ack).
time-range Specify the time-range that applies to this permit
statement.
disable-port The Ethernet interface would be disabled if the
condition is matched
<CR>
core-switch(config-ip-al)#$.17.35.181 0.0.0.0 any 172.16.32.4 0.0.0.0 1723
The CLI guide mentions it is available, but it is not configurable:
+++++
log-input—Specifies sending an informational syslog message about the
packet that matches the entry. Because forwarding is done in hardware and
logging is done in software, if a large number of packets match a deny ACE
containing a log-input keyword, the software might not be able to match the
hardware processing rate, and not all packets will be logged
+++++++++++++
core-switch#sh ver
SW version 1.3.7.18 ( date 12-Jan-2014 time 18:02:59 )
Boot version 1.3.5.06 ( date 21-Jul-2013 time 15:12:10 )
HW version V02
core-switch#
core-switch#sh system mode
Feature State
------------------- ---------
Mode: Router
core-switch#
09-12-2014 04:07 AM
Many thanks Cisco, now resolved in the new version of code:
core-switch(config)#do sh access-lists
Extended IP access list PPTP
permit tcp any 1723 host 172.16.32.4 any ace-priority 20 log-input
permit tcp any any host 172.16.32.4 1723 ace-priority 40 log-input
permit ip any any ace-priority 60
core-switch(config)#int gi5
core-switch(config-if)#service-acl input PPTP
core-switch(config-if)#end
core-switch#12-Sep-2014 12:02:54 %3SWCOS-I-LOGACLINETPORTS: gi5: permit ACE IPv4(TCP) 212.183.140.25(31203) -> 172.16.32.4(1723),trapped
12-Sep-2014 12:03:22 %3SWCOS-I-LOGACLINETPORTS: gi5: permit ACE IPv4(TCP) 212.183.128.21(44090) -> 172.16.32.4(1723),trapped
core-switch#
core-switch#sh ver
SW version 1.4.0.88 ( date 06-Aug-2014 time 16:55:55 )
Boot version 1.3.5.06 ( date 21-Jul-2013 time 15:12:10 )
HW version V02
core-switch#
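The two %3SWCOS-I-LOGACLINETPORTS lines above are what a log-input ACE actually emits once it works, and the Cisco text quoted earlier warns that software logging may not keep pace with hardware forwarding, so any count derived from them is a lower bound. The following parser is an added example, not code from the thread or from Cisco: it extracts interface, action, protocol and the 5-tuple from those syslog lines and tallies hits per source and per action. The regex field names are mine; the two permit lines are copied from the post, the deny line is constructed and assumes a deny ACE logs in the same shape (the thread only shows permit lines), and the unrelated %LINK line is constructed to show that non-ACL messages are ignored.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Shape of the SG300 ACL log message as it appears in the thread.
# Group names are assumptions for this example; Cisco does not publish
# a formal grammar for the line, so this matches the observed layout only.
LOGACL_RE = re.compile(
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"%3SWCOS-I-LOGACLINETPORTS: "
    r"(?P<iface>\S+): (?P<action>permit|deny) ACE "
    r"IPv4\((?P<proto>[A-Z]+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\),(?P<disposition>\w+)"
)

# Sample input for the example. The first two lines are the ones shown in
# the post (the CLI prompt is glued to the first, exactly as on the page);
# the deny line and the %LINK line are constructed, not taken from the switch.
SAMPLE_LOG = [
    "core-switch#12-Sep-2014 12:02:54 %3SWCOS-I-LOGACLINETPORTS: gi5: permit ACE "
    "IPv4(TCP) 212.183.140.25(31203) -> 172.16.32.4(1723),trapped",
    "12-Sep-2014 12:03:22 %3SWCOS-I-LOGACLINETPORTS: gi5: permit ACE "
    "IPv4(TCP) 212.183.128.21(44090) -> 172.16.32.4(1723),trapped",
    # constructed: assumes a deny ACE with log-input uses the same layout
    "12-Sep-2014 12:04:01 %3SWCOS-I-LOGACLINETPORTS: gi5: deny ACE "
    "IPv4(TCP) 198.51.100.7(51000) -> 172.16.32.4(1723),trapped",
    # constructed: unrelated syslog message that the parser must skip
    "12-Sep-2014 12:05:00 %LINK-I-Up: gi5",
]


@dataclass(frozen=True)
class AceHit:
    ts: str
    iface: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    disposition: str


def parse_line(line):
    """Return an AceHit for a LOGACLINETPORTS line, or None for anything else.

    search() rather than match() so a leading CLI prompt does not break parsing."""
    m = LOGACL_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return AceHit(
        d["ts"], d["iface"], d["action"], d["proto"],
        d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["disposition"],
    )


def summarize(lines):
    """Tally logged ACE hits. Counts are a lower bound: the switch logs in
    software and may drop log events under load, as the Cisco note says."""
    hits = [h for h in (parse_line(l) for l in lines) if h is not None]
    return {
        "total": len(hits),
        "by_action": dict(Counter(h.action for h in hits)),
        "by_src": dict(Counter(h.src for h in hits)),
        # destinations seen on the PPTP control port the ACL in the thread targets
        "pptp_targets": sorted({h.dst for h in hits if h.dport == 1723}),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Feed it the output of a syslog collector receiving from the switch rather than a captured terminal session; the per-source counter is the piece worth alerting on, since a single external address repeatedly hitting the PPTP ACE is what an operator adding log-input is usually looking for.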