ACL Logging

The ACL logging feature lets you log the number of permits or denies of a flow during a
specific period of time. A flow is defined by protocol, source IP address, source port,
destination IP address, and destination port. When a flow is permitted or denied, the system
checks to see if the flow already exists in the system. If not, an initial syslog message with a
hit count of 1 for the flow is generated. The flow entry is then created and the hit count for
the flow is incremented every time the flow is permitted or denied. The command syntax to
enable logging of the number of permits or denies of a flow by an ACL entry is as follows:
access-list acl-id [log [[level] [interval seconds] | disable | default]]
For an existing flow, a syslog message is generated at the end of each configurable interval to
report the nonzero hit count for the flow in the current interval. After the syslog message is
generated, the hit count for the flow is reset to 0 for the next interval. If no hit is recorded
during an interval, the flow is deleted and no syslog message is generated. Because a large
number of flows may exist concurrently, a limit is placed on the number of concurrent deny
flows to prevent unbounded consumption of memory and central processing unit (CPU)
resources. When the limit is reached, no new deny flow is created until existing deny flows
expire. To specify the maximum number of concurrent deny flows that can be created, enter
the following command:
access-list deny-flow-max num-of-flows
The deny-flow-max keyword specifies the maximum number of concurrent deny flows that
can be created. A new value takes effect immediately. The default is 4096 flows.

When the maximum number of flows has been reached, a syslog message (106101) is
generated. By default, this message is repeated once every 300 seconds.
The syslog message generated for the ACL entry (message 106100; its fields are described in
Table 7-4) has the following format:
106100: access-list acl-id {permitted | denied} protocol interface-name/source-address(source-port) ->
interface-name/dest-address(dest-port) hit-cnt number {first hit | n-second interval}
Advanced Protocol Handling
Some applications require special handling by the Cisco Security Appliance application
inspection function. These types of applications typically embed IP addressing information
in the user data packet or open secondary channels on dynamically assigned ports. The
application inspection function works with NAT to help identify the location of embedded
addressing information.
In addition to identifying embedded addressing information, the application inspection
function monitors sessions to determine the port numbers for secondary channels. Many
protocols open secondary TCP or UDP ports to improve performance. The initial session on
a well-known port is used to negotiate dynamically assigned port numbers. The application
inspection function monitors these sessions, identifies the dynamic port assignments, and
permits data exchange on these ports for the duration of the specific session. Multimedia
applications and FTP applications exhibit this kind of behavior.
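As an added example of the inspection work just described (not Cisco's inspection code), the
Python below does for FTP what an application inspection engine has to do on the control
channel: it decodes the address embedded in a client PORT command or a server 227 reply,
derives the secondary-channel pinhole the firewall must open for the rest of the session, and
rewrites the PORT command with the NAT-translated address so the outside server can reach
the inside client. It also refuses an embedded address that is not the speaker's own, which is
the check that stops a client from opening a pinhole toward a third host (FTP bounce). The
addresses, the NAT mapping and the sample lines are constructed; the exact checks a Cisco
engine performs are not claimed here.

```python
import re

# Control-channel lines carrying embedded addresses: "PORT h1,h2,h3,h4,p1,p2" from the
# client, "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six comma-separated decimal fields into ('a.b.c.d', port)."""
    fields = [int(g) for g in groups]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in embedded address")
    ip = "%d.%d.%d.%d" % tuple(fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def encode_hostport(ip, port):
    """Inverse of decode_hostport, used when rewriting PORT after NAT."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def inspect_port_command(line, client_ip, nat_map):
    """Active mode: the client announces where the server should connect.

    Returns (pinhole, rewritten_line). The pinhole is the inbound data connection
    the firewall must permit for this session; the rewritten line carries the
    translated (global) address so the server can actually reach the client.
    """
    m = PORT_RE.match(line)
    if m is None:
        raise ValueError("not a PORT command: %r" % line)
    ip, port = decode_hostport(m.groups())
    # The announced address must be the client itself; accepting any address would
    # let the client open a pinhole to a third host (the classic FTP bounce).
    if ip != client_ip:
        raise ValueError("PORT address %s does not match client %s" % (ip, client_ip))
    if port < 1024:
        raise ValueError("PORT to privileged port %d refused" % port)
    mapped_ip = nat_map.get(ip, ip)          # global address the outside sees
    pinhole = {"proto": "tcp", "dst": mapped_ip, "dport": port, "inbound": True}
    return pinhole, "PORT %s\r\n" % encode_hostport(mapped_ip, port)


def inspect_pasv_reply(line, server_ip):
    """Passive mode: the server announces the port the client will connect to.

    Returns the outbound pinhole; the announced address must be the server's own.
    """
    m = PASV_RE.match(line)
    if m is None:
        raise ValueError("not a 227 reply: %r" % line)
    ip, port = decode_hostport(m.groups())
    if ip != server_ip:
        raise ValueError("PASV address %s does not match server %s" % (ip, server_ip))
    return {"proto": "tcp", "dst": ip, "dport": port, "inbound": False}


if __name__ == "__main__":
    # Constructed sample exchange: inside client 10.1.1.5 is translated to
    # 198.51.100.7 (hypothetical NAT mapping); the server is 192.0.2.10.
    nat = {"10.1.1.5": "198.51.100.7"}
    print(inspect_port_command("PORT 10,1,1,5,4,210\r\n", "10.1.1.5", nat))
    print(inspect_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,80)\r\n",
                             "192.0.2.10"))
```

Two things the sample leaves out that a real engine must handle: rewriting PORT changes the
segment length, so TCP sequence and acknowledgement numbers on the control connection
have to be adjusted for the rest of the session, and the pinhole must be torn down when the
control session ends rather than left open.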
Table 7-4 syslog Format Description
Field                Description
permitted | denied   Displays whether the flow is permitted or denied.
protocol             Displays the protocol type: tcp, udp, icmp, or an IP protocol number.
interface-name       Displays the interface name (as configured by the nameif command) for
                     the source or destination of the logged flow. This can include logical
                     (virtual LAN) interfaces.
source-address       Displays the source IP address of the logged flow.
dest-address         Displays the destination IP address of the logged flow.
source-port          Displays the source port of the logged flow (TCP or UDP). For ICMP, this
                     field is 0.
dest-port            Displays the destination port of the logged flow (TCP or UDP). For ICMP,
                     this field is icmp-type.
hit-cnt number       Displays the number of times this flow was permitted or denied by the
                     ACL entry in the configured time interval. The value is 1 when the first
                     syslog message is generated for the flow.
first hit            Displays the first message generated for this flow.
n-second interval    Displays the interval over which the hit count is accumulated.