access-list log-timer

Syntax

access-list log-timer {default|}

Description

Sets the log timer interval for all ACEs that have the log parameter configured.

Command context

config

Parameters

default
Resets the log timer to its default 300 seconds.

Specifies the log timer interval in seconds. Range: 30 to 300.

Authority

Administrators or local user group members with execution rights for this command.

Usage

  • ACL logging keeps a count of the packets matching an ACE. It works with both permit and deny actions, and with ACLs applied on ingress or egress, except for the control plane.

  • The first packet that matches an ACE with the log parameter within an ACL log timer window (configured with the access-list log-timer command) has its header contents extracted and sent to the configured logging destination, such as the console or a syslog server. Each time the ACL log timer expires, a summary of all ACEs with log configured is sent to the logging destination. This throttles the logging of ACL hits.

  • If no further log messages are generated during the wait period, the switch suspends the timer and resets itself so that it logs again as soon as a new match occurs.

  • When multiple ACL types (IPv4, IPv6, or MAC) with logging are applied on the same interface, the first packet that matches an ACE with the log option is logged. Packets matching the other ACL types do not create a log until the log-timer wait period is over. At the end of the wait period, a summary log is made of all the ACLs that were matched, regardless of type.

  • NOTE:

    Remarked ACL traffic may lose logging information when a QoS action or a classifier policy with remark is enabled. A classifier policy with remark takes precedence over QoS actions, and QoS actions take precedence over ACL remarked traffic.

  • You may see a minor discrepancy between the ACL logging statistics and the hit-count statistics, due to the time required to record the log message.

Examples

NOTE:

Although these examples use debug logging, you can alternatively use event logging.

On the 6400 Switch Series, interface identification differs.

Enabling debug logging for the ACL logging module:

switch# debug acl log severity info
switch# show debug
----------------------------------------------------------------
module   sub_module   severity   vlan    port    ip     mac    instance   vrf
----------------------------------------------------------------
acl      acl_log      info       -----   -----   -----  ----   -----      ---

Setting the debug destination to console with the minimum security level of info:

switch# debug destination console severity info
switch# show debug destination
---------------------------------------------------------------------
show debug destination
---------------------------------------------------------------------
CONSOLE:info

Setting the access list log-timer to 30 seconds:

switch(config)# access-list log-timer 30
switch(config)# do show access-list log-timer
ACL log timer length (frequency): 30 seconds

Creating an IPv4 ACL with one entry with the log parameter:

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# deny icmp 1.1.1.1 1.1.1.2 log
switch(config-acl-ip)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 deny                            icmp
           1.1.1.1
           1.1.1.2
           Logging: enabled
           Hit-counts: enabled

Enabling interface 1/1/1 and applying the ACL:

switch(config)# interface 1/1/1
switch(config-if)# no shutdown
switch(config-if)# no routing
switch(config-if)# apply access-list ip MY_IP_ACL in
switch(config-if)# do show running-config interface 1/1/1
interface 1/1/1
    no shutdown
    apply access-list ip MY_IP_ACL in
    no routing
    vlan access 1
    exit

Sending packets that match the ACE and observing the ACL logging message on the console:

2017-10-10T20:13:36.044+00:00 ops-switchd[875]: debug|LOG_INFO|AMM|1/5|ACL|ACL_LOG| List MY_IP_ACL, seq# 10 denied icmp 1.1.1.1 -> 1.1.1.2 type 8 code 0, on vlan 1, port 1/1/1, direction in

When the access-list log-timer expires, the summary message is printed on the console. The number 30 is the number of packets received during the last access-list log-timer window.

2017-10-10T20:14:06.051+00:00 ops-switchd[875]: debug|LOG_INFO|AMM|1/5|ACL|ACL_LOG| MY_IP_ACL on 1/1/1 (in): 30 10 deny icmp 1.1.1.1 1.1.1.2 log count

Resetting the ACL log timer to the default value:

switch(config)#access-list log-timer default
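To make the throttling behaviour described under Usage visible when these messages are collected on a syslog server, the following added example (not from this reference page or from the switch software) parses the two ACL_LOG message shapes shown in the examples above, the first-hit message and the end-of-window summary, and reports per ACE how many packets the last window counted and how long after the first hit the summary arrived. The sample log text is constructed from those two messages; the field layout of both regular expressions is an assumption taken from them.

```python
import re
from datetime import datetime

# Constructed sample: the first-hit message and, 30 s later, the summary message
# for the same ACE, in the two ACL_LOG shapes shown on this page.
SAMPLE_LOG = """\
2017-10-10T20:13:36.044+00:00 ops-switchd[875]: debug|LOG_INFO|AMM|1/5|ACL|ACL_LOG| List MY_IP_ACL, seq# 10 denied icmp 1.1.1.1 -> 1.1.1.2 type 8 code 0, on vlan 1, port 1/1/1, direction in
2017-10-10T20:14:06.051+00:00 ops-switchd[875]: debug|LOG_INFO|AMM|1/5|ACL|ACL_LOG| MY_IP_ACL on 1/1/1 (in): 30 10 deny icmp 1.1.1.1 1.1.1.2 log count
"""

# First packet of a log-timer window: header fields of the matching packet.
FIRST_HIT = re.compile(
    r"^(?P<ts>\S+) .*ACL_LOG\| List (?P<acl>\S+), seq# (?P<seq>\d+) \w+ "
    r"\S+ \S+ -> \S+.*?, on vlan \d+, port (?P<port>\S+), direction (?P<dir>in|out)$")
# Timer expiry: total hits on that ACE during the window that just ended.
SUMMARY = re.compile(
    r"^(?P<ts>\S+) .*ACL_LOG\| (?P<acl>\S+) on (?P<port>\S+) \((?P<dir>in|out)\): "
    r"(?P<count>\d+) (?P<seq>\d+) \w+ .* log count$")

def parse_acl_log(text: str) -> list:
    """Parse ACL_LOG lines into event dicts; lines of any other shape are skipped.
    'count' is 1 for a first-hit message and the window total for a summary."""
    events = []
    for line in text.splitlines():
        if m := FIRST_HIT.match(line):
            kind, count = "first_hit", 1
        elif m := SUMMARY.match(line):
            kind, count = "summary", int(m["count"])
        else:
            continue
        events.append({"kind": kind, "ts": datetime.fromisoformat(m["ts"]),
                       "key": (m["acl"], int(m["seq"]), m["port"], m["dir"]),
                       "count": count})
    return events

def window_stats(events: list) -> dict:
    """Per (acl, seq, port, direction): packets counted in the last window and the
    observed gap in seconds between the first-hit message and its summary."""
    stats = {}
    for ev in events:
        s = stats.setdefault(ev["key"], {"first_hit": None, "packets": 0, "window_s": None})
        if ev["kind"] == "first_hit":
            s["first_hit"] = ev["ts"]
        else:
            s["packets"] = ev["count"]
            if s["first_hit"] is not None:
                s["window_s"] = round((ev["ts"] - s["first_hit"]).total_seconds(), 3)
    return stats
```

With the log-timer set to 30 seconds as in the examples, the observed gap for the sample is just over 30 seconds; a summary with no preceding first-hit message leaves the gap unset rather than guessing it.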