
ACL logging + logging interval (will it still block ?)

SJ K
Level 5

Hi all,

I do not have a test device to test on yet, but I do not want to make changes directly in production before knowing the impact.


I am reading

http://www.cisco.com/c/en/us/about/security-center/access-control-list-logging.html

q1) when adding a log or log-input to an ACE, does it only log to syslog, or does it log to everywhere that logging is turned on for?

q2) when e.g. "access-list logging interval 5000" is configured, does that mean that for a period of 5 seconds there will be no logging for a matched ACE (with log turned on) after the 1st matched packet, but will the ACE still take effect?

e.g. deny ip any any log

In the 5 seconds after the 1st matched packet,  will the above ACE

a) still take effect (blocking unwanted traffic, just that logging will be off), or

b) it will be "turned off" completely for 5 seconds, allowing any traffic to go through

-- the reason being I saw something in the above doc that says "packet that are not process switched" will not be examined and will not be logged.

Regards,
Noob


8 Replies

Richard Burts
Hall of Fame

I do not understand what you are asking in q1). It sounds like you believe that syslog is a single destination. When you add a log or log-input to an ACE then it sends it to syslog. And depending on how your device is configured then syslog may send copies of the message to the console, to the logging monitor, to the logging buffer, and to one or several logging servers.

q2) the ACE does take effect and will permit or deny traffic as configured. The impact of the logging interval is that you may not get a unique log message for each packet that matches the ACE. If the ACE matches the first packet then it generates a log message. The ACE continues to work, permitting or denying packets as configured, but IOS keeps track of how many matches happen during the logging interval and prints one log message for that group of packets.

So a) is mostly the right answer. The ACE does take effect and will block unwanted traffic. It is not so much that logging is off as it is that logging is working and grouping together packets that match the ACE so that it can print a log message that reports the group of packets.

HTH

Rick

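The behaviour Rick describes above, as an added example that is not part of the original thread and is not IOS code: a small Python model in which every packet is evaluated against the ACEs regardless of logging, the `log` keyword only rate-limits the number of log messages per logging interval, and the syslog process fans each message out to every configured destination. The config fragment, the traffic, the addresses and the message text are all constructed for the example; the model tracks one logging window per ACE, which is a simplification of what IOS actually does.

```python
"""Model of Cisco IOS ACL logging behaviour (added example, not IOS code).

Key point: enforcement (permit/deny) happens on every packet; the logging
interval only decides how many *messages* get produced for matching packets.
"""
from dataclasses import dataclass, field

# Constructed IOS-style config fragment (assumption: the interval is in ms,
# as with the real "ip access-list logging interval" command).
CONFIG = """
logging buffered 16384
logging console
logging monitor
logging host 192.0.2.10
logging host 192.0.2.11
ip access-list logging interval 5000
access-list 100 permit tcp any host 192.0.2.80 eq 80
access-list 100 deny ip any any log
"""


@dataclass
class Ace:
    acl: str      # access-list number
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol
    src: str      # "any" or a host address
    dst: str
    log: bool     # True when the ACE ends with the log keyword


def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the front of the token list."""
    t = tokens.pop(0)
    return tokens.pop(0) if t == "host" else "any"


def matches(ace, pkt):
    proto, src, dst = pkt
    return (ace.proto in ("ip", proto)
            and ace.src in ("any", src) and ace.dst in ("any", dst))


@dataclass
class Router:
    destinations: list = field(default_factory=list)
    interval_ms: int = 0
    aces: list = field(default_factory=list)
    logs: dict = field(default_factory=dict)      # destination -> messages
    windows: dict = field(default_factory=dict)   # ACE index -> open window

    def syslog(self, msg):
        """The syslog process: one copy of the message to every destination."""
        for d in self.destinations:
            self.logs.setdefault(d, []).append(msg)

    def _flush(self, idx):
        """Emit the summary message for an expired window, if it counted anything."""
        win = self.windows.pop(idx)
        if win["count"]:
            self.syslog(f"list {win['acl']} {win['verb']} {win['proto']} "
                        f"{win['src']} -> {win['dst']}, {win['count']} packets")

    def _log_match(self, idx, ace, pkt, now_ms):
        proto, src, dst = pkt
        win = self.windows.get(idx)
        if win and now_ms - win["start"] < self.interval_ms:
            win["count"] += 1          # inside the interval: count only, no message
            return
        if win:
            self._flush(idx)           # previous interval expired: report its group
        verb = "denied" if ace.action == "deny" else "permitted"
        self.windows[idx] = {"start": now_ms, "count": 0, "acl": ace.acl,
                             "verb": verb, "proto": proto, "src": src, "dst": dst}
        self.syslog(f"list {ace.acl} {verb} {proto} {src} -> {dst}, 1 packet")

    def flush_expired(self, now_ms):
        for idx in [i for i, w in self.windows.items()
                    if now_ms - w["start"] >= self.interval_ms]:
            self._flush(idx)

    def forward(self, now_ms, pkt):
        """First matching ACE decides; logging never changes the decision."""
        for idx, ace in enumerate(self.aces):
            if matches(ace, pkt):
                if ace.log:
                    self._log_match(idx, ace, pkt, now_ms)
                return ace.action
        return "deny"  # implicit deny at the end of every IOS ACL


def parse_config(text):
    r = Router()
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "logging":
            r.destinations.append(f"syslog {tok[2]}" if tok[1] == "host" else tok[1])
        elif tok[:4] == ["ip", "access-list", "logging", "interval"]:
            r.interval_ms = int(tok[4])
        elif tok[0] == "access-list":
            acl, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
            src, dst = _addr(rest), _addr(rest)
            r.aces.append(Ace(acl, action, proto, src, dst, log=rest[-1:] == ["log"]))
    for d in r.destinations:
        r.logs[d] = []
    return r


def run_demo():
    """Constructed traffic: (time in ms, proto, src, dst). Returns decisions and logs."""
    r = parse_config(CONFIG)
    traffic = [
        (0,    "tcp", "198.51.100.7", "192.0.2.80"),  # permitted, ACE has no log
        (100,  "tcp", "198.51.100.7", "192.0.2.99"),  # denied, first message
        (1200, "udp", "198.51.100.8", "192.0.2.99"),  # denied, counted silently
        (2500, "tcp", "198.51.100.9", "192.0.2.99"),  # denied, counted silently
        (6000, "tcp", "198.51.100.7", "192.0.2.99"),  # denied; window expired
    ]
    decisions = [r.forward(t, (p, s, d)) for t, p, s, d in traffic]
    r.flush_expired(now_ms=12000)
    return decisions, r.logs


if __name__ == "__main__":
    decisions, logs = run_demo()
    print(decisions)                 # 4 denies for 4 matching packets
    for msg in logs["buffered"]:     # but only 3 messages per destination
        print(msg)
```

Running it shows four denied packets but three log messages, the second of which reports "2 packets" for the group that fell inside the 5000 ms interval, and the same three messages in the buffer, on the console, on the monitor and at both syslog hosts, which is the fan-out Rick and the OP's test both describe.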

Hi Rick,

I am so glad to see you here again ! Thanks for your reply.

For q1) I have logging turned on everywhere (console, monitor, buffered, syslog).

Thus I am thinking, when I add a "log" to the ACE, does it actually log to the syslog? Or does it log to every place where I have turned on logging (e.g. console, monitor, buffered) above?

Regards,
Noob

Noob

You are welcome. I am glad that my reply was helpful.

I am not clear what you are saying about "does it actually log to the syslog". It sounds like you expect syslog to be a place or a thing. But syslog is a service that runs on your device and that distributes log messages to the various destinations that you have configured.

So when you add the log parameter to an ACE then when a packet matches that ACE it generates a log message which is sent to the syslog process. Then the syslog process distributes a copy of that log message to the destinations that you have configured.

HTH

Rick 


Hi Richard,

So sorry for the confusion.

I have configured syslog logging to 2 different syslog servers.

My question earlier was supposed to mean: if I were to put a "log" behind the ACE, will the logging for matched packets only be sent to the syslog servers (via the syslog service), or will it be "logged" to whatever places where I have logging turned on (that includes my console, monitor and buffered logging)?

Testing today shows that the ACE logging will be "logged" to all places in which I have logging turned on:

- the console, buffered memory, monitor, as well as the 2 syslog servers (via the syslog service).

-- is the behaviour observed above correct?

Hi,

That is the correct behavior. You are telling the device to log the messages to multiple destinations (syslog, console, buffer, etc.) and the device will do that.

HTH

Hi Reza, Richard,

Thanks for your replies.

I have encountered yet another problem whereby my ACL is obviously working, but not displaying the matches/hits unless the "log" keyword is used together with the ACE.

I have raised another relevant post at

https://supportforums.cisco.com/discussion/13038141/acl-logging-cisco-3850-acl-matches-working-not-showing-uness-log-used

Hope you guys can shed some light on it.

Regards,

Noob

Hi,

That should not be the case. If there is a match in an access-list with no log configured, then "sh access-list xx" should show you the numbers are incrementing, but if you configure an access-list with log at the end of it you should also see it in the logs.

HTH

In his other post Noob identifies the devices as 3850s. I believe that they are doing packet forwarding and ACL enforcement in hardware, and in that case show access-list may not show the hit count.

HTH

Rick
