log-input not available on ACL's SG300-10

adrian.oshea
Level 1

Hello, running the L3 version on the SG300-10, but the ACL does not allow 'log-input' to be attached to a deny;

core-switch(config-if)#ip access-list extended test
core-switch(config-ip-al)#$17.35.181 0.0.0.0 any 172.16.32.4 0.0.0.0 1723
  dscp                 Configure DSCP filtering.
  precedence           Configure IP-PRECEDENCE filtering.
  match-all            List of TCP flags that should occur. If a flag should
                       be set it is prefixed by "+".If a flag should be unset
                       it is prefixed by "-". Available options are +urg,
                       +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst,
                       -syn and -fin.To define more than 1 flag - enter
                       additional flags one after another without a space
                       (example +syn-ack).
  time-range           Specify the time-range that applies to this permit
                       statement.
  disable-port         The Ethernet interface would be disabled if the
                       condition is matched
   <CR>
core-switch(config-ip-al)#$.17.35.181 0.0.0.0 any 172.16.32.4 0.0.0.0 1723

The CLI guide mentions it is available, but it is not configurable:

+++++

log-input—Specifies sending an informational syslog message about the packet that matches the entry. Because forwarding is done in hardware and logging is done in software, if a large number of packets match a deny ACE containing a log-input keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.

+++++++++++++

core-switch#sh ver
SW version    1.3.7.18 ( date  12-Jan-2014 time  18:02:59 )
Boot version    1.3.5.06 ( date  21-Jul-2013 time  15:12:10 )
HW version    V02
core-switch#

core-switch#sh system mode

Feature                 State
-------------------     ---------
Mode:                   Router

core-switch#

Accepted Solution

adrian.oshea
Level 1

Many thanks Cisco, now resolved in the new version of code.

core-switch(config)#do sh access-lists
Extended IP access list PPTP
    permit  tcp any 1723 host 172.16.32.4 any ace-priority 20 log-input
    permit  tcp any any host 172.16.32.4 1723 ace-priority 40 log-input
    permit  ip any any ace-priority 60
core-switch(config)#int gi5
core-switch(config-if)#service-acl input PPTP
core-switch(config-if)#end
core-switch#12-Sep-2014 12:02:54 %3SWCOS-I-LOGACLINETPORTS: gi5: permit ACE IPv4(TCP) 212.183.140.25(31203) -> 172.16.32.4(1723),trapped
12-Sep-2014 12:03:22 %3SWCOS-I-LOGACLINETPORTS: gi5: permit ACE IPv4(TCP) 212.183.128.21(44090) -> 172.16.32.4(1723),trapped

core-switch#
core-switch#sh ver
SW version    1.4.0.88 ( date  06-Aug-2014 time  16:55:55 )
Boot version    1.3.5.06 ( date  21-Jul-2013 time  15:12:10 )
HW version    V02
core-switch#
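For anyone collecting these log-input messages centrally, the following is an added example (written for this page, not code from Cisco or from the original poster) that parses the %3SWCOS-I-LOGACLINETPORTS syslog format shown in the accepted solution and counts hits per interface, action and destination, and per source. The two permit lines are the ones from the post; the deny line, the bare-prompt line, the AclLogEntry type and the helper names are constructed for the example. Because forwarding is in hardware and logging in software, as the CLI guide excerpt in the question notes, the counts are lower bounds under heavy matching rather than exact packet counts.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Format of the SG300 ACL log message seen in the post (SW 1.4.0.88):
#   <dd-Mon-yyyy hh:mm:ss> %3SWCOS-I-LOGACLINETPORTS: <ifc>: <permit|deny> ACE
#   IPv4(<proto>) <src>(<sport>) -> <dst>(<dport>),trapped
# The regex is unanchored at the start because the switch prints the first
# message directly after the CLI prompt ("core-switch#12-Sep-2014 ...").
ACL_LOG_RE = re.compile(
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"%3SWCOS-I-LOGACLINETPORTS: (?P<ifc>[^:\s]+): (?P<action>permit|deny) ACE "
    r"IPv4\((?P<proto>[A-Za-z]+)\) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\),(?P<flag>\w+)\s*$"
)


@dataclass(frozen=True)
class AclLogEntry:  # hypothetical record type for one parsed message
    ts: str
    ifc: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flag: str


def parse_acl_log_line(line: str):
    """Return an AclLogEntry for an ACL log message, or None for any other line."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    return AclLogEntry(
        ts=m["ts"], ifc=m["ifc"], action=m["action"], proto=m["proto"],
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), flag=m["flag"],
    )


def summarize(lines):
    """Parse all lines; count hits per (ifc, action, dst, dport) and per source.

    Counts are lower bounds: per the CLI guide, logging runs in software while
    forwarding runs in hardware, so under a flood not every matching packet is logged.
    """
    entries = [e for e in map(parse_acl_log_line, lines) if e is not None]
    by_target = Counter((e.ifc, e.action, e.dst, e.dport) for e in entries)
    by_source = Counter(e.src for e in entries)
    return entries, by_target, by_source


def busy_sources(lines, threshold):
    """Sources whose logged hit count reaches the threshold (a simple review trigger)."""
    _, _, by_source = summarize(lines)
    return {src: n for src, n in by_source.items() if n >= threshold}


# Sample input: the two permit lines are the ones from the post; the deny line
# (TEST-NET address) and the bare prompt are constructed here to exercise the parser.
SAMPLE_LOG = [
    "core-switch#12-Sep-2014 12:02:54 %3SWCOS-I-LOGACLINETPORTS: gi5: permit ACE IPv4(TCP) 212.183.140.25(31203) -> 172.16.32.4(1723),trapped",
    "12-Sep-2014 12:03:22 %3SWCOS-I-LOGACLINETPORTS: gi5: permit ACE IPv4(TCP) 212.183.128.21(44090) -> 172.16.32.4(1723),trapped",
    "12-Sep-2014 12:04:01 %3SWCOS-I-LOGACLINETPORTS: gi5: deny ACE IPv4(TCP) 192.0.2.10(50000) -> 172.16.32.4(1723),trapped",
    "core-switch#",
]

if __name__ == "__main__":
    entries, by_target, by_source = summarize(SAMPLE_LOG)
    for (ifc, action, dst, dport), n in sorted(by_target.items()):
        print(f"{ifc} {action} -> {dst}:{dport}: {n} logged hit(s)")
    for src, n in by_source.most_common():
        print(f"source {src}: {n}")
```

The parser ignores the prompt fragment that the switch prints in front of the first message, and the summary keys on the destination and port so that permit and deny hits against the same service (here 172.16.32.4:1723) can be compared side by side.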
