CAT4507R - keyword "log" not available for egress ACL

adil.nasser3
Level 1

All,

When attempting to configure a test ACL to log hits to the ACE "permit ip any any log", so I can view what ports are being used for connections into a VLAN, I received the following message from the switch:

" The log keyword is not supported on ACLs attached to egress ports on this platform."

The current version image on the switch is:  "bootflash:cat4000-i9s-mz.122-25.EWA13.bin"

Can someone let me know if this keyword ("log") is available in a more recent version of the IOS image for this platform which I can upgrade to and please recommend a version to upgrade to get this feature?

Thank you,

Adil

1 Reply

Arumugam Muthaiah
Cisco Employee

Hi,

Cat4k does not support logging on egress interfaces. Please refer to the doc below and see the 'Creating a PACL' section:

"The input IP ACL logging option is supported, although logging is not supported for output IP ACLs, and MAC ACLs."

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/secure.html#wp1081668

Also go through the below DDTS to get more detail,

CSCek76253 - Egress PACL with log retained in config

Egress PACL with a log keyword is not supported on an L2 port. The ACL is disabled with the following message.


00:00:33: %C4K_COMMONHWACLMAN-4-PORTBASEDACLSDISABLED: Output Port Acl Security:101 has been disabled on port Fa3/1

However the ACL config is retained on the interface. The config should not be retained if not supported.

Workaround:

remove the command line manually with "no ip access-group ,,,,,"


Logging in an access control list on interfaces in the egress direction will disable the access control list from the interface.

Suggestion:

The workaround solution is to remove the "log" keyword and reapply the access control list on the interface in the egress direction

Regards,

Aru

*** Please rate if the post is useful ***

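An added example, not part of the original thread and not Cisco tooling: a Python check that scans a saved running-config for ACLs containing a `log` ACE that are bound with `ip access-group ... out`, the combination the reply says gets the ACL disabled on the port while the config line is retained. The sample config, ACL 102, the name EDGE-OUT and the interface bindings are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread); ACL 102, EDGE-OUT and bindings are made up.
SAMPLE_CONFIG = """\
access-list 101 permit ip any any log
access-list 102 permit ip any any
ip access-list extended EDGE-OUT
 deny ip any any log
!
interface FastEthernet3/1
 ip access-group 101 out
!
interface FastEthernet3/2
 ip access-group 101 in
 ip access-group 102 out
!
interface Vlan20
 ip access-group EDGE-OUT out
"""

LOG_ACE = re.compile(r"\s(log|log-input)\s*$")  # ACE that ends in a log keyword

def acls_with_log(config):
    """Return the ACL names/numbers that contain at least one logging ACE."""
    flagged, current = set(), None
    for line in config.splitlines():
        named = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        numbered = re.match(r"access-list (\S+) ", line)
        if named:
            current = named.group(1)          # indented lines that follow are its ACEs
        elif not line.startswith(" "):
            current = None                    # left the named-ACL block
            if numbered and LOG_ACE.search(line):
                flagged.add(numbered.group(1))
        elif current and LOG_ACE.search(line):
            flagged.add(current)
    return flagged

def egress_log_bindings(config):
    """Return (interface, acl) pairs where a logging ACL is applied outbound."""
    flagged, findings, iface = acls_with_log(config), [], None
    for line in config.splitlines():
        head = re.match(r"interface (\S+)", line)
        bind = re.match(r"\s+ip access-group (\S+) out\s*$", line)
        if not line.startswith(" "):
            iface = head.group(1) if head else None   # track the current interface block
        elif bind and iface and bind.group(1) in flagged:
            findings.append((iface, bind.group(1)))
    return findings
```

Each pair returned is a port whose outbound filter may not be enforced; the inbound binding of ACL 101 on FastEthernet3/2 is deliberately not reported, since input logging is supported.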