Cisco Community
English
Register
The War in Ukraine - Supporting customers, partners and communities. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
399
Views
0
Helpful
2
Replies
lonelyadmin
Beginner
Beginner
‎05-07-2019 12:32 PM
‎05-07-2019 12:32 PM

No cookie option for deny acl?

This is on a 4500X running 03.08.06.E

There doesn't seem to be a cookie option under the deny statements in an extended ip access-list.

 

ip access-list extended FOO
switch01(config-ext-nacl)#permit ip any object-group BLOCKED log ?
  WORD        User defined cookie (max of 64 char)
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  reflect     Create reflexive access list entry
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>

switch01(config-ext-nacl)#deny ip any object-group BLOCKED log ? 
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>

No "WORD" option shown.

 

Is this intentional or some sort of bug?

Labels:
0 Helpful
2 REPLIES 2
Mark Malone
Mentor
Mentor
‎05-07-2019 01:45 PM
‎05-07-2019 01:45 PM

Hi
havent used it myself but does not a bug , its a user defined cookie looking at the config guides

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-acl-syslog.html#GUID-36AC3039-4323-4ABC-A99F-A5A314204D1F

https://nat0.net/cisco-acl-logging-with-cookies/
0 Helpful
lonelyadmin
Beginner
Beginner
In response to Mark Malone
‎05-07-2019 02:25 PM
‎05-07-2019 02:25 PM

Thanks, I saw those before I posted. They don't really say if it should be there on the deny or not. Not mentioned in 4500X docs either.

 

I opened a case with TAC too. I'll update here.

0 Helpful
Latest Contents
Upgrade Cisco DNA Center
Created by mclymer on 05-18-2022 12:20 PM
0
0
0
0
Learn more about Cisco DNA Center, Version 2.2.3.4
5-minute Cisco Survey – Enter Gift Card Giveaway!
Created by Robert Murphy on 05-18-2022 11:30 AM
1
5
1
5
Do you use Cisco DNA Center? Have you used and are you willing to provide your feedback in using the Cisco DNA Center help and documentation? If so, we’d like you to complete the survey linked below. Your feedback will help provide more effective and easi... view more
OSPF for CCIE Enterprise and Infrastructure Exam
Created by Meddane on 05-13-2022 02:24 AM
0
0
0
0
The ultimate is coming.  
Cisco Champion Radio: S9|E18 CC Unfiltered: Becoming an Expe...
Created by Amilee San Juan on 05-11-2022 12:57 PM
0
0
0
0
Listen: https://smarturl.it/CCRS9E18Follow us: https://twitter.com/CiscoChampion Reaching the height of your career is no simple feat. It often requires a combination of pursuing the right education, building the right professional network and being ... view more
SD-WAN and NAT Types
Created by Meddane on 05-08-2022 01:44 AM
0
0
0
0
In a typical production SD-WAN deployment, we would probably have many remote sites connected via many different Internet connections to a centralized data center or a regional hub. In most regions in the world, Internet providers will always use some typ... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad