Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
826
Views
0
Helpful
1
Replies
adil.nasser3
Beginner
Beginner
‎12-05-2012 06:16 AM
‎12-05-2012 06:16 AM

CAT4507R - keyword "log" not available for egress ACL

All,

When attempting to configure a test ACL to log hits to the ACE "permit ip any any log" so I can view what ports are being used for connections into a vlan I received the following message from the switch,

" The log keyword is not supported on ACLs attached to egress ports on this platform."

The current version image on the switch is:  "bootflash:cat4000-i9s-mz.122-25.EWA13.bin"

Can someone let me know if this keyword ("log") is available in a more recent version of the IOS image for this platform which I can upgrade to and please recommend a version to upgrade to get this feature?

Thank you,

Adil

Labels:
0 Helpful
1 REPLY 1
Arumugam Muthaiah
Cisco Employee
Cisco Employee
‎12-05-2012 08:01 AM
‎12-05-2012 08:01 AM

Hi,

Cat4k does not support logging on egress interfaces. Please refer the below doc and see in the 'Creating a PACL' section


"The input IP ACL logging option is supportednull, although logging is not supported for output IP ACLs, and MAC ACLsnull."

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/secure.html#wp1081668

Also go through the below DDTS to get more detail,

CSCek76253 - Egress PACL with log retained in config

Egress PACL with a log keyword is not supported on an L2 port. The ACL is diabled with the following message.


00:00:33: %C4K_COMMONHWACLMAN-4-PORTBASEDACLSDISABLED: Output Port Acl Security:101 has been disabled on port Fa3/1

However the ACL config is retained on the interface. The config should not be retained if not supported.

Workaround:

remove the command line manually with "no ip access-group ,,,,,"


Logging in an access control list on interfaces in the egress direction will disable the access control list from the interface.

Suggestion:

The workaround solution is to remove the "log" keyword and reapply the access control list on the interface in the egress direction

Regards,

Aru

*** Please rate if the post is usefull ***

Regards, Aru *** Please rate if the post useful ***
0 Helpful
Latest Contents
SD-WAN Advanced Deployment | Part.1
Created by Mohamed Alhenawy on 04-16-2021 12:13 AM
0
15
0
15
Today I'm going to talk about SD-wan including SD-WAN advanced lab ,, first thing let's take a small brief about the SD_WAN.  What is SD-WAN?   SD-WAN is Software define wide area network and SD-WAN is key part of the technology o... view more
Cisco Meraki IoT specialist will introduce you to new and in...
Created by sullskog on 04-15-2021 01:09 AM
0
0
0
0
Leopold Fisher, Cisco Meraki IoT specialist, will introduce you to new and innovative additions to the Meraki portfolio coming in April 2021.         Meraki Vision Session MV smart camera range is getting big... view more
Dynamic Routing Protocols with IPv6: Configuration, Verifica...
Created by ciscomoderator on 04-13-2021 02:39 PM
0
5
0
5
To participate in this event, please use the  button to ask your questions Dynamic Routing Protocols & IPv6 Have any questions on dynamic routing protocols with IPv6? In this event we will answer all your questions related to dynamic routing pro... view more
SD-WAN Advanced Deployment | Part.1
Created by Mohamed Alhenawy on 04-13-2021 09:24 AM
0
15
0
15
Today I'm going to talk about SD-wan including SD-WAN advanced , first thing let's take a small brief about the SD_WAN.What is SD-WAN? SD-WAN is Software define wide area network and SD-WAN is key part of the technology of software-definednetworking ... view more
Living on the Edge with the Secure Cats
Created by almuench on 04-07-2021 01:34 PM
0
0
0
0
The cat's out of the bag! In October 2020, Cisco announced the Next Generation of Enterprising Routing Platforms: the Catalyst 8000 Edge Platforms Family including the Catalyst 8200, Catalyst 8300, Catalyst 8500, and Catalyst 8000V. The new family of Cats... view more
Content for Community-Ad