
No cookie option for deny acl?

lonelyadmin
Level 1

This is on a 4500X running 03.08.06.E

There doesn't seem to be a cookie option under the deny statements in an extended ip access-list.

 

ip access-list extended FOO
switch01(config-ext-nacl)#permit ip any object-group BLOCKED log ?
  WORD        User defined cookie (max of 64 char)
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  reflect     Create reflexive access list entry
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>

switch01(config-ext-nacl)#deny ip any object-group BLOCKED log ? 
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>

No "WORD" option shown.

 

Is this intentional or some sort of bug?

4 Replies

Thanks, I saw those before I posted. They don't really say if it should be there on the deny or not. Not mentioned in 4500X docs either.

 

I opened a case with TAC too. I'll update here.

BrianSekleckiGE
Level 1

Is this absence of "User defined cookie" a global feature missing from IOS-XE?

If not defined in documentation, likely a feature not supported.
