All,
When attempting to configure a test ACL to log hits to the ACE "permit ip any any log" so I can view what ports are being used for connections into a VLAN, I received the following message from the switch:
"The log keyword is not supported on ACLs attached to egress ports on this platform."
The current version image on the switch is: "bootflash:cat4000-i9s-mz.122-25.EWA13.bin"
Can someone let me know if this keyword ("log") is available in a more recent version of the IOS image for this platform that I can upgrade to, and please recommend a version to upgrade to in order to get this feature?
Thank you,
Adil
Hi,
Cat4k does not support logging on egress interfaces. Please refer to the doc below and see the 'Creating a PACL' section:
"The input IP ACL logging option is supported, although logging is not supported for output IP ACLs and MAC ACLs."
Also go through the DDTS below for more detail:
CSCek76253 - Egress PACL with log retained in config
Egress PACL with a log keyword is not supported on an L2 port. The ACL is disabled with the following message:
00:00:33: %C4K_COMMONHWACLMAN-4-PORTBASEDACLSDISABLED: Output Port Acl Security:101 has been disabled on port Fa3/1
However, the ACL config is retained on the interface. The config should not be retained if not supported.
Workaround:
Remove the command line manually with "no ip access-group ..."
Logging in an access control list applied to an interface in the egress direction will disable that access control list on the interface.
Suggestion:
The workaround is to remove the "log" keyword and reapply the access control list on the interface in the egress direction.
Regards,
Aru
*** Please rate if the post is useful ***
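To put the answer above into concrete CLI, here is a constructed Catalyst 4500 IOS configuration example. It is added here and is not from either post or from Cisco documentation; the ACL names (TEST-LOG, TEST-NOLOG), interface FastEthernet3/1 and VLAN 100 are assumptions. It shows the egress ACL with "log" that the platform disables, the "no ip access-group" cleanup, and the two supported alternatives: the logging ACL applied inbound, and a log-free ACL applied outbound.

```cisco
! Added example, not from the original thread. ACL names, interface and VLAN
! numbers are assumptions chosen for illustration.
!
! Test ACL with the "log" keyword. In IOS, tcp/udp ACEs include port numbers
! in the resulting %SEC-6-IPACCESSLOGP messages; a plain "ip" ACE logs only the
! protocol number and addresses (IPACCESSLOGNP), which is why the "ip" catch-all
! is last. Every logged packet is handled by the supervisor CPU, so keep a
! permit-any logging ACL to a short test window.
ip access-list extended TEST-LOG
 permit tcp any any log
 permit udp any any log
 permit ip any any log
!
! Same policy without "log", for use in the egress direction.
ip access-list extended TEST-NOLOG
 permit ip any any
!
! What was attempted: the platform rejects "log" on an egress PACL and logs
! %C4K_COMMONHWACLMAN-4-PORTBASEDACLSDISABLED, but the line stays in the config.
interface FastEthernet3/1
 switchport access vlan 100
 ip access-group TEST-LOG out
!
! Workaround from the DDTS: remove the disabled egress ACL manually, then
! apply logging inbound (supported) and the log-free ACL outbound.
interface FastEthernet3/1
 no ip access-group TEST-LOG out
 ip access-group TEST-LOG in
 ip access-group TEST-NOLOG out
!
! Verification (exec mode): per-ACE hit counts, and the logged flows.
! show ip access-lists TEST-LOG
! show logging | include IPACCESSLOG
```

The inbound PACL on the host-facing port captures the same "connections into the VLAN" the original question was after, because traffic entering the VLAN arrives inbound on some port; the log-free egress ACL keeps any outbound filtering in place without tripping the platform restriction.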