Posted on August 16, 2021 7:17 pm
 |  Asked by Scott Jamieson
RESOLVED

My ACL shows the following line when I type `show ip access-list`:

85 deny ip any any log [match 1211 packets, 0:42:44 ago]

When I type `show logging`, I see no logged information for this ACL.

Is there a special logging configuration?

Posted by Vikram
Answered on August 16, 2021 9:23 pm

Hi Scott,

On 7010 and other 7050 series based platforms, egress ACL logging is not supported. If this is for ingress ACLs, could you please post the output of `show run | no-more` and `show version` from the switch, or alternatively please open a TAC case so we can investigate further. Thanks

Posted by Vijai Gopal
Answered on August 16, 2021 10:54 pm

Hello Scott,

Thank you for posting your query on the EOS Forum!

  1. Egress deny logging is not supported on the 7010 platform.
  2. Ingress deny logging is supported.
  3. No additional configuration is needed to view the deny logs under "show logging". Please refer to the example below:

```
(config)#sh run int et1
interface Ethernet1
no switchport
ip address 1.1.1.1/24
ip access-group test in
```

```
(config)#sh ip ac test
IP Access List test
counters per-entry
20 deny ip any any log [match 5 packets, 0:00:00 ago]

(config)#sh logging | grep denied
Aug 16 22:21:06 mn433 Acl: %ACL-6-IPACCESS: list test Ethernet1 denied icmp 1.1.1.2 -> 1.1.1.1 type=8 code=0
Aug 16 22:24:14 mn433 Acl: %ACL-6-IPACCESS: list test Ethernet1 denied icmp 1.1.1.2 -> 1.1.1.1 type=0 code=0
```

```
(config)#sh ip access-lists test
IP Access List test
counters per-entry
20 deny ip host 1.1.1.2 any log [match 5 packets, 0:16:17 ago]

(config)#sh logging | grep denied

Aug 16 22:27:28 mn433 Acl: %ACL-6-IPACCESS: list test Ethernet1 denied icmp 1.1.1.2 -> 1.1.1.1 type=8 code=0
Aug 16 22:27:51 mn433 Acl: %ACL-6-IPACCESS: list test Ethernet1 denied icmp 1.1.1.2 -> 1.1.1.1 type=8 code=0
Aug 16 22:32:52 mn433 Acl: %ACL-6-IPACCESS: list test Ethernet1 denied icmp 1.1.1.2 -> 1.1.1.1 type=8 code=0
```

I hope the above information helps. Could you please confirm if the ACL is applied on the ingress or egress?

Alternatively, please feel free to open a ticket with us by sending an email to <support@arista.com>, in case you need further assistance on this issue.
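
A small check for the symptom in this thread (a `log` rule whose counter increments while `show logging` stays empty), added here as an example and not code from Arista or from any poster. It parses the two output formats quoted above; the ACL name `EXAMPLE-OUT` is a constructed placeholder because the question does not give the list name.

```python
import re
from collections import Counter

# Patterns follow the EOS output quoted in this thread.
HEAD_RE = re.compile(r"^\s*IP Access List (\S+)")
RULE_RE = re.compile(r"^\s*(\d+)\s+(?:permit|deny)\s.*\slog\s+\[match (\d+) packets?")
LOG_RE = re.compile(r"%ACL-6-IPACCESS: list (\S+) (\S+) (\w+) (\S+) (\S+) -> (\S+)")

def logged_rules(show_acl):
    """Return (acl, seq, hits) for each rule that has 'log' and a hit counter."""
    acl, rules = None, []
    for line in show_acl.splitlines():
        if (head := HEAD_RE.match(line)):
            acl = head.group(1)
        elif acl and (rule := RULE_RE.match(line)):
            rules.append((acl, int(rule.group(1)), int(rule.group(2))))
    return rules

def log_flows(show_logging):
    """Count IPACCESS messages per (acl, interface, proto, src, dst)."""
    flows = Counter()
    for line in show_logging.splitlines():
        if (m := LOG_RE.search(line)):
            acl, intf, _verdict, proto, src, dst = m.groups()
            flows[(acl, intf, proto, src, dst)] += 1
    return flows

def silent_rules(show_acl, show_logging):
    # The message names the list but not the sequence number, so this is per ACL.
    # Only zero is flagged: the thread's sample shows 5 matches beside 2 messages.
    seen = {key[0] for key in log_flows(show_logging)}
    return [r for r in logged_rules(show_acl) if r[2] > 0 and r[0] not in seen]

# Sample input: copied from the thread, except the constructed name EXAMPLE-OUT.
SHOW_ACL = """\
IP Access List test
counters per-entry
20 deny ip any any log [match 5 packets, 0:00:00 ago]
IP Access List EXAMPLE-OUT
85 deny ip any any log [match 1211 packets, 0:42:44 ago]
"""
SHOW_LOGGING = """\
Aug 16 22:21:06 mn433 Acl: %ACL-6-IPACCESS: list test Ethernet1 denied icmp 1.1.1.2 -> 1.1.1.1 type=8 code=0
Aug 16 22:24:14 mn433 Acl: %ACL-6-IPACCESS: list test Ethernet1 denied icmp 1.1.1.2 -> 1.1.1.1 type=0 code=0
"""

if __name__ == "__main__":
    for acl, seq, hits in silent_rules(SHOW_ACL, SHOW_LOGGING):
        print(f"{acl} seq {seq}: {hits} matches, 0 log lines; check ACL direction and platform")
```

A rule reported here is a prompt to check whether the list is applied `in` or `out` on the interface and whether the platform supports logging in that direction.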

Posted by Kushal Nepali
Answered on August 17, 2021 1:24 am

Hi Scott,

Thank you for your question on ACL logging.

I understand that you are using a 7010T.

May I know which EOS version you are running? [CMD: `show version`]

Additionally, can you please run the command below so that we can understand the debugging level configured on the device?

Example:

```
SW(config)#show logging
Syslog logging: enabled
Buffer logging: level debugging
Console logging: level errors
Monitor logging: level errors
Synchronous logging: disabled
Trap logging: level informational
Sequence numbers: disabled
Syslog facility: local4
Hostname format: Hostname only
Repeat logging interval: disabled

Facility             Severity      Effective Severity
-------------------- ------------- ------------------
aaa                  debugging     debugging
accounting           debugging     debugging
acl                  debugging     debugging
agent                debugging     debugging
ale                  debugging     debugging
arp                  debugging     debugging

<SNIP>

xmpp                 debugging     debugging
ztp                  debugging     debugging

Log Buffer:
Apr 21 05:51:59 mt708 Launcher: %LAUNCHER-6-PROCESS_START: Configuring process 'PhyEthtool' to start in role 'AllCells'
Apr 21 05:52:00 mt708 CleanConfigAgent: %AGENT-6-INITIALIZED: Agent 'CleanConfigAgent' initialized; pid=2320
Apr 21 05:52:02 mt708 Launcher: %LAUNCHER-6-PROCESS_START: Configuring process 'Scd' to start in role 'AllCells'
```

Regards.

 

Posted by Scott Jamieson
Answered on August 17, 2021 12:03 pm

Thanks everyone. It was an Egress ACL.
