Cisco Community
English
Register
Cisco Community Events are getting a new name! LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
655
Views
0
Helpful
1
Replies
Highlighted
adil.nasser3
adil.nasser3 Beginner
Beginner
‎12-05-2012 06:16 AM
‎12-05-2012 06:16 AM

CAT4507R - keyword "log" not available for egress ACL

All,

When attempting to configure a test ACL to log hits to the ACE "permit ip any any log" so I can view what ports are being used for connections into a vlan I received the following message from the switch,

" The log keyword is not supported on ACLs attached to egress ports on this platform."

The current version image on the switch is:  "bootflash:cat4000-i9s-mz.122-25.EWA13.bin"

Can someone let me know if this keyword ("log") is available in a more recent version of the IOS image for this platform which I can upgrade to and please recommend a version to upgrade to get this feature?

Thank you,

Adil

Labels:
Everyone's tags (5)
0 Helpful
Reply
1 REPLY 1
Arumugam Muthaiah
Arumugam Muthaiah Cisco Employee
Cisco Employee
‎12-05-2012 08:01 AM
‎12-05-2012 08:01 AM

CAT4507R - keyword "log" not available for egress ACL

Hi,

Cat4k does not support logging on egress interfaces. Please refer the below doc and see in the 'Creating a PACL' section


"The input IP ACL logging option is supportednull, although logging is not supported for output IP ACLs, and MAC ACLsnull."

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/secure.html#wp1081668

Also go through the below DDTS to get more detail,

CSCek76253 - Egress PACL with log retained in config

Egress PACL with a log keyword is not supported on an L2 port. The ACL is diabled with the following message.


00:00:33: %C4K_COMMONHWACLMAN-4-PORTBASEDACLSDISABLED: Output Port Acl Security:101 has been disabled on port Fa3/1

However the ACL config is retained on the interface. The config should not be retained if not supported.

Workaround:

remove the command line manually with "no ip access-group ,,,,,"


Logging in an access control list on interfaces in the egress direction will disable the access control list from the interface.

Suggestion:

The workaround solution is to remove the "log" keyword and reapply the access control list on the interface in the egress direction

Regards,

Aru

*** Please rate if the post is usefull ***

Regards, Aru *** Please rate if the post useful ***
0 Helpful
Reply
Latest Contents
5 Minute Network Operations Survey
Created by jenchen3 on 09-18-2019 12:04 PM
0
0
0
0
Inviting all network professionals in operations! We'd like to understand what would be valuable for you in a mobile application. Your response will help Cisco improve a product feature that could benefit you. Thanks!  Click here to take the sur... view more
SD-WAN Controller Setup Guide (On-Prem, Non Cloud-Managed)
Created by hadhaliw on 09-16-2019 10:47 AM
0
5
0
5
Benefits Cisco’s software-defined wide area network (SD-WAN) solution allows user to quickly and seamlessly establish an overlay fabric to connect an enterprise’s data centers, branch and campus locations, as well as colocation facilities in order to imp... view more
How to get member id of Cisco DNAC for Cloud Canary Upgrade
Created by pbagga on 09-13-2019 01:37 PM
0
5
0
5
1. Log into CLI of DNAC:  ssh maglev@< DNAC appliance IP> -p 2222 2. Run this curl command to get token to get member id: curl -X POST -u admin:<admin user password> -H -V https://<CLUSTER-IP>/api/system/v1/identitymgmt/token Not... view more
16.12.2 Beta Release for Catalyst Switches
Created by okumar on 09-12-2019 10:27 PM
0
0
0
0
Enterprise Switching Business Unit is glad to announce Beta release 16.12.2 for all Catalyst 9200/9300/9400/9500/9600 and Catalyst 3650/3850 Platforms. This release is made available to allow users to test, evaluate and share fee... view more
Cisco SD-Access Deployment Best Practices - Transit Control ...
Created by Karthik Kumar Thatikonda on 09-11-2019 04:04 PM
0
0
0
0
Purpose of the document This document describes the general recommendations or best practices when designing and deploying the Cisco SD-Access technology. The document assumes that the reader has a general overview of Cisco's SD-Access for Distributed C... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
July's Community Spotlight Awards