IP identification blocking by ACL

Hello Everyone -

Hope you all are doing well. I have a query related to ACLs on a Cisco switch. I have applied a deny and permit ACL on the interface. When I run "show ip access-list", I get a number of hits on the deny ACL, but I want to see which IPs tried to access the rule that is now denied. I want to find out those IPs. Please suggest a way to find out the IP addresses that are trying on the switch and being denied by my ACL rule.

Cisco Switch Model: Catalyst 2960 series.

2 Replies

Mark Malone
VIP Alumni
Hi
Add logging to the ACL, then use show log to see the IP.


access-list 159 deny ip any any log

021416: Jun 10 15:53:02.612 UTC: %SEC-6-IPACCESSLOGP: list 159 denied tcp 185.137.233.126(58408) -> 0.0.0.0(22), 1 packet

Please keep in mind that the 2960 has a limited buffer size. Have a look at the attached image. You can reconfigure the buffer size using the command

#logging buffered ?
<4096-2147483647> Logging buffer size

This will keep the ACL deny logs, depending on how big your buffer is configured.

A better approach would be to configure your switch (all switches) to send logs to a syslog server for longer retention and to avoid the risk of losing them if the switch is rebooted.

The config to do that is below:

conf t

service timestamps log datetime msec
logging source-interface ?
logging host IP_ADDRESS_OF_SYSLOG_SERVER

It is also a good idea to configure all switches in the network to use a single time source so that the timestamps in the logs are consistent.

access-list 5 permit 192.168.16.11
access-list 5 permit 192.168.16.12
access-list 5 deny any log

ntp access-group peer 5
ntp server 192.168.16.11 source ?
ntp server 192.168.16.12 source ?
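
Once the deny entries carry the `log` keyword and the messages land in the buffer or on a syslog server, the remaining step is turning the raw %SEC-6-IPACCESSLOGP lines into a list of offending sources. The script below is an added example and not code from this thread or from Cisco: it parses the message format quoted in the reply above and sums the per-source packet counts. The sample log, the IPs, the interface name and the MAC address are constructed; the `log-input` variant (which adds the ingress interface and source MAC in parentheses) and the ICMP variant (%SEC-6-IPACCESSLOGDP, which carries "(type/code)" instead of ports) are assumed message shapes based on the documented IOS format, not captures from the poster's switch.

```python
"""Aggregate the source IPs behind ACL deny hits from Cisco IOS syslog.

Added example (not code from the original thread). It parses the
%SEC-6-IPACCESSLOG* messages that a 'deny ... log' entry produces, as shown
in the reply above, and sums packet counts per source. The sample log, IPs,
interface and MAC are constructed; the 'log-input' and ICMP message shapes
are assumptions based on the documented IOS format, not captures.
"""
import re
from collections import Counter

# Constructed logging-buffer excerpt (not real traffic). Lines 1-2 use the
# IPACCESSLOGP format quoted in the reply; line 2 is the periodic summary IOS
# emits after the first hit, carrying the accumulated packet count.
# Line 3 assumes the 'log-input' form, which adds "(interface source-mac)";
# line 4 assumes the ICMP form IPACCESSLOGDP with "(type/code)" after the
# destination. Line 5 is an unrelated syslog line that must be ignored.
SAMPLE_LOG = """\
021416: Jun 10 15:53:02.612 UTC: %SEC-6-IPACCESSLOGP: list 159 denied tcp 185.137.233.126(58408) -> 0.0.0.0(22), 1 packet
021417: Jun 10 15:58:02.615 UTC: %SEC-6-IPACCESSLOGP: list 159 denied tcp 185.137.233.126(58408) -> 0.0.0.0(22), 5 packets
021418: Jun 10 15:58:40.101 UTC: %SEC-6-IPACCESSLOGP: list 159 denied udp 10.20.30.40(51234) (GigabitEthernet0/3 0011.2233.4455) -> 192.168.16.5(161), 1 packet
021419: Jun 10 15:59:12.000 UTC: %SEC-6-IPACCESSLOGDP: list 159 denied icmp 10.20.30.40 -> 192.168.16.5 (8/0), 3 packets
021420: Jun 10 15:59:13.000 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): "
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<intf>\S+) (?P<mac>[0-9a-f.]+)\))?"  # only with log-input
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?"  # ICMP only
    r", (?P<packets>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per ACL log message; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for key in ("sport", "dport", "icmp_type", "icmp_code", "packets"):
            e[key] = int(e[key]) if e[key] is not None else None
        events.append(e)
    return events


def denied_sources(events, acl=None):
    """Total denied packets per source IP, optionally for one ACL.

    The packet count is summed rather than the number of lines: IOS logs the
    first matching packet immediately and then a summary line every few
    minutes with the accumulated count, so counting lines undercounts.
    """
    totals = Counter()
    for e in events:
        if e["action"] != "denied":
            continue
        if acl is not None and e["acl"] != acl:
            continue
        totals[e["src"]] += e["packets"]
    return totals


def denied_flows(events, acl=None):
    """(src, proto, dst, dport) -> denied packets: what each source was after."""
    flows = Counter()
    for e in events:
        if e["action"] == "denied" and (acl is None or e["acl"] == acl):
            flows[(e["src"], e["proto"], e["dst"], e["dport"])] += e["packets"]
    return flows


if __name__ == "__main__":
    evs = parse_acl_log(SAMPLE_LOG)
    print("Denied packets per source (ACL 159):")
    for src, n in denied_sources(evs, acl="159").most_common():
        print(f"  {src:<16} {n:>5}")
    print("Denied flows:")
    for (src, proto, dst, dport), n in denied_flows(evs).most_common():
        print(f"  {src} {proto} -> {dst}:{dport}  {n} packets")
```

Feed it the output of `show logging` or a file collected by the syslog server; with `log-input` on the ACL entry the `intf` and `mac` fields also tell you which port the traffic arrived on, which is usually what you want next on an access switch. Keep in mind that ACL logging on these platforms is handled by the switch CPU, so a `deny ip any any log` entry that matches a lot of traffic is something to enable for an investigation window rather than leave on permanently.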
