Hello Everyone -
Hope you all are doing well. I have a query related to ACLs on a Cisco switch. I have applied a deny and permit ACL on the interface. When I run "show ip access-list", I get a number of hits on the deny ACL entry, but I want to see which IPs tried to access and were denied by that rule. I want to find out those IPs. Please suggest a way to find out the IP addresses of those who are trying to access the switch and are denied by my ACL rule.
Cisco Switch Model: Catalyst 2960 series.
Please keep in mind that the 2960 has a limited buffer size. Have a look at the attached image. You can reconfigure the buffer size using the command
#logging buffered ?
<4096-2147483647> Logging buffer size
This will keep the ACL deny logs, depending on how big your buffer is configured.
A better approach would be to configure your switch (all switches) to send logs to a syslog server for longer retention and to avoid the risk of losing them if the switch is rebooted.
The config to do that is below:
service timestamps log datetime msec
logging source-interface ?
logging host IP_ADDRESS_OF_SYSLOG_SERVER
It is also a good idea to configure all switches in the network to use a single time source so that the timestamps in the logs are consistent.
access-list 5 permit 192.168.16.11
access-list 5 permit 192.168.16.12
access-list 5 deny any log
ntp access-group peer 5
ntp server 192.168.16.11 source ?
ntp server 192.168.16.12 source ?
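One point worth making explicit for the original question: the hit counters shown by "show ip access-lists" do not store any addresses. IOS only records the source IP of a matching packet when the individual ACE carries the "log" (or "log-input", which adds the ingress interface and source MAC) keyword, e.g. "deny ip any any log"; those matches are then emitted as %SEC-6-IPACCESSLOG* syslog messages, which is what the buffer or syslog-server configuration above retains. The script below is an added example, not code from the thread or from Cisco: it reads those syslog messages and aggregates the denied traffic per source IP. It assumes the deny ACE on the interface has the log keyword, and the sample lines embedded in it are constructed for illustration in the message formats IOS uses for extended (IPACCESSLOGP / IPACCESSLOGDP) and standard (IPACCESSLOGS) ACLs.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the original thread). They follow
# the message formats Cisco IOS emits for ACEs carrying "log" or "log-input":
#   %SEC-6-IPACCESSLOGP  - TCP/UDP, with ports
#   %SEC-6-IPACCESSLOGDP - ICMP, with type/code
#   %SEC-6-IPACCESSLOGS  - standard (source-only) ACL
# The udp line carries the extra "(interface mac)" field that "log-input" adds.
SAMPLE_SYSLOG = """\
*Mar  1 00:12:05.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.30.40(51522) -> 192.168.16.5(22), 1 packet
*Mar  1 00:12:07.456: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.30.40(51523) -> 192.168.16.5(23), 1 packet
*Mar  1 00:12:09.789: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.11(40000) -> 192.168.16.5(22), 1 packet
*Mar  1 00:12:12.001: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 172.16.9.9 -> 192.168.16.5 (8/0), 3 packets
*Mar  1 00:12:14.002: %SEC-6-IPACCESSLOGS: list 5 denied 172.16.9.9 1 packet
*Mar  1 00:12:16.003: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.20.30.40(53) (Vlan10 0011.2233.4455) -> 192.168.16.5(161), 5 packets
*Mar  1 00:12:20.004: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One pattern covers the P/DP/S variants: the protocol, the source port, the
# log-input "(iface mac)" field and the whole destination half are optional.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]+): list (?P<list>\S+) (?P<action>denied|permitted) "
    r"(?:(?P<proto>[a-z0-9]+) )?"
    r"(?P<src>" + IPV4 + r")(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))?"
    r"(?: -> (?P<dst>" + IPV4 + r")(?:\((?P<dport>\d+)\))?)?"
    r".*?(?P<count>\d+) packets?"
)


def parse_acl_log_line(line):
    """Parse one syslog line; return its fields as a dict, or None if it is not an ACL log message."""
    m = ACL_LOG_RE.search(line)  # search, so a relay's host/sequence prefix does not matter
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def denied_report(lines):
    """Aggregate denied traffic per source IP: total packets, ACLs hit and targets seen."""
    report = defaultdict(lambda: {"packets": 0, "lists": set(), "targets": set()})
    for line in lines:
        rec = parse_acl_log_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        entry = report[rec["src"]]
        entry["packets"] += rec["count"]
        entry["lists"].add(rec["list"])
        target = rec["proto"] or "ip"  # standard ACL messages carry no protocol
        if rec["dst"]:
            target += " " + rec["dst"]
            if rec["dport"]:
                target += ":" + rec["dport"]
        entry["targets"].add(target)
    return dict(report)


def top_denied(lines, n=5):
    """Return the n source IPs with the most denied packets, highest first."""
    report = denied_report(lines)
    return sorted(report.items(), key=lambda kv: kv[1]["packets"], reverse=True)[:n]


if __name__ == "__main__":
    for src, info in top_denied(SAMPLE_SYSLOG.splitlines()):
        print(f"{src:15} {info['packets']:>5} pkts  lists={sorted(info['lists'])}  "
              f"targets={sorted(info['targets'])}")
```

Feed it the switch's "show logging" output or the syslog server's file instead of SAMPLE_SYSLOG. Two caveats apply on any IOS platform: matches on a logging ACE are handled by the CPU and rate-limited (the first packet is logged immediately, later ones are summarised at intervals), so the packet counts in syslog will lag behind the counters from "show ip access-lists"; and a logging "deny any" on a busy interface can load the CPU, so tune the summarisation with "ip access-list logging interval" and "ip access-list log-update threshold" rather than logging every packet.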