Logging When an Access-List Is Used

Problem

You want to know when the router invokes an access-list.

Solution

Access-lists can generate log messages. The following example allows all packets to pass, and records them:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 150 permit ip any any log
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in 
Router1(config-if)#exit
Router1(config)#end
Router1#

And in this example, we use the log-input keyword to include additional information about where the packets came from:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 150 permit tcp any any log-input
Router1(config)#access-list 150 permit ip any any 
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in 
Router1(config-if)#exit
Router1(config)#end
Router1#

Discussion

The first example uses the log keyword to record a log message every time the ACL makes a match. Here are some log messages generated by this command:

Feb  6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets
Feb  6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets
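Once the router is logging ACL matches, the useful next step is to get those messages off the router and into something that can count them. The following parser is an added example and is not part of the Cisco IOS Cookbook or any Cisco tool: it pulls the list number, action, protocol, endpoints, optional ports, the ingress interface that log-input adds, and the packet count out of %SEC-6-IPACCESSLOG* messages, then summarizes permitted versus denied traffic and denied packets per source. The first two sample lines are the ones shown above; the remaining lines, including the log-input entry and the denied entry, are constructed for illustration and the exact field layout of the log-input form is assumed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches the %SEC-6-IPACCESSLOG{RP,DP,P,NP,...} family. The optional
# parenthesised group after the source carries the ingress interface (and MAC
# address, where one exists) that the log-input keyword adds; the optional
# group after the destination carries protocol detail such as the ICMP
# type/code "(0/0)". The layout of the log-input group is an assumption here.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>\w+): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ingress>[^)]*)\))?"
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<extra>[^)]*)\))?"
    r", (?P<count>\d+) packets?"
)


@dataclass
class AclLogEntry:
    kind: str            # mnemonic suffix: RP, DP, P, ...
    acl: str             # access-list number or name
    action: str          # "permitted" or "denied"
    proto: str
    src: str
    sport: Optional[int]
    ingress: Optional[str]   # only present when log-input was configured
    dst: str
    dport: Optional[int]
    extra: Optional[str]     # e.g. ICMP type/code
    count: int


def parse_line(line: str) -> Optional[AclLogEntry]:
    """Return a parsed entry, or None if the line is not an ACL log message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return AclLogEntry(
        kind=m["kind"],
        acl=m["acl"],
        action=m["action"],
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        ingress=m["ingress"].strip() if m["ingress"] else None,
        dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
        extra=m["extra"],
        count=int(m["count"]),
    )


def parse_log(text: str) -> List[AclLogEntry]:
    """Parse every ACL log line in a syslog dump; other messages are skipped."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def totals_by_acl(entries: List[AclLogEntry]) -> Dict[Tuple[str, str], int]:
    """Sum packet counts per (ACL, action) pair."""
    totals: Dict[Tuple[str, str], int] = {}
    for e in entries:
        key = (e.acl, e.action)
        totals[key] = totals.get(key, 0) + e.count
    return totals


def denied_packets_by_source(entries: List[AclLogEntry]) -> Dict[str, int]:
    """Packets dropped per source address; the first thing to look at when
    an ACL starts denying traffic unexpectedly."""
    denied: Dict[str, int] = {}
    for e in entries:
        if e.action == "denied":
            denied[e.src] = denied.get(e.src, 0) + e.count
    return denied


# Constructed sample: the first two lines are from the text above, the rest
# are made up to exercise the log-input, port and denied cases.
SAMPLE_LOG = """\
Feb  6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets
Feb  6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets
Feb  6 13:02:05: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.1.1.1(34567) (Serial0/1 ) -> 10.1.1.2(23), 1 packet
Feb  6 13:06:12: %SEC-6-IPACCESSLOGP: list 150 denied tcp 192.0.2.7(4444) (Serial0/1 ) -> 10.1.1.2(22), 3 packets
Feb  6 13:06:12: %SYS-5-CONFIG_I: Configured from console by console
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        print(e)
    print(totals_by_acl(parsed))
    print(denied_packets_by_source(parsed))
```

The packet counts in these messages are already aggregated by the router, so summing the count field rather than counting lines gives the real traffic volume. Feed the output of a syslog collector into parse_log and the per-source denied totals become a simple alert threshold.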

You can also get a breakdown of how many matches each line in the ACL has recorded with the show access-list command:

Router1#show access-list 150
Extended IP access list 150
    permit ip any any log (15 matches)
Router1# ...
