Logging When an Access-List Is Used
Problem
You want to know when the router invokes an access-list.
Solution
Access-lists can generate log messages. The following example allows all packets to pass, and records them:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 150 permit ip any any log
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in
Router1(config-if)#exit
Router1(config)#end
Router1#
And in this example, we use the log-input keyword to include additional information about where the packets came from:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 150 permit tcp any any log-input
Router1(config)#access-list 150 permit ip any any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in
Router1(config-if)#exit
Router1(config)#end
Router1#
Discussion
The first example uses the log keyword to record a log message every time the ACL makes a match. Here are some log messages generated by this command:
Feb 6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets
Feb 6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets
You can also get a breakdown of how many matches each line in the ACL has recorded with the show access-list command:
Router1#show access-list 150
Extended IP access list 150
permit ip any any log (15 matches)
Router1#
The second form, with the log-input keyword, causes the router to include other useful data in the log messages. With this option, each log message also names the interface (port) on which the packet was received:
Feb 6 13:08:31: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.1.1.1(0) (Serial0/1 ) -> 10.1.1.2(0), 80 packets
Feb 6 13:08:38: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.2.2.2(0) (Serial0/1 ) -> 172.25.26.5(0), 1 packet
Feb 6 13:10:29: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.2.2.2(0) (Serial0/1 ) -> 172.20.100.1(0), 1 packet
If we apply this ACL on an Ethernet or Token Ring port, the log messages will also include MAC address information:
Feb 6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet
Router1#
Feb 6 14:58:20: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.7(0) (FastEthernet0/0.1 0000.0c92.bc6a) -> 172.25.1.5(0), 1 packet
The only problem with these commands is that they tend to produce huge numbers of log messages. To be really useful, we recommend using this feature in conjunction with a remote log server, as described in Chapter 18. Then you can store and analyze all of the messages without worrying that you will lose information when the router's internal log buffer overwrites itself. In Recipe 19.10, we offer a useful script for analyzing the messages to look for important patterns.
In general, we recommend logging all denied packets, because rejected traffic is by definition not part of the normal functioning of the network. These denied messages are the ones that the script in Recipe 19.10 looks for in particular.
Also note that while all of the examples in this recipe used extended ACLs, the log keyword is also available with standard ACLs:
Router1(config)#access-list 77 permit any log
The log-input option is only available for extended ACLs, however.