[c-nsp] 'permit ip any any log' not logging?
Thorhallur Sverrisson
thorhs at basis.is
Mon Feb 26 15:02:59 EST 2007
Hi All,
I've been setting up access lists on my 4500 (WS-C4507R) running IOS
12.2(25)EWA4.
To help me figure out whether I need to open up further holes I placed a
'permit ip any any log' at the bottom to see all the traffic flowing
through without explicit permits.
The ACL is applied on a VLAN interface and is as follows:
SW00100#show ip access-lists vlan703-in
Extended IP access list vlan703-in
10 permit ip 10.24.3.0 0.0.0.255 10.24.1.0 0.0.0.255 (178 matches)
20 permit ip 10.24.3.0 0.0.0.255 10.24.2.0 0.0.0.255 (24981 matches)
30 permit ip 10.24.3.0 0.0.0.255 10.24.17.0 0.0.0.255 (4568 matches)
40 permit ip 10.24.3.0 0.0.0.255 10.24.51.0 0.0.0.255
45 permit ip 10.24.3.0 0.0.0.255 host 10.24.3.255 (63 matches)
46 permit ip 10.24.3.0 0.0.0.255 any log (25355 matches)
50 permit ip any any log (9385 matches)
This does not generate any messages in the router. Changing any of the
previous rules (10-30) generates the correct messages.
For the life of me I cannot get this to work. I have not seen anything
in the documentation regarding 'wide' matches not generating messages.
In fact, I have seen the 'permit ip any any log' line in countless
examples and HowTos.
This all smells of a bug, but before I start upgrading the switch and
whatnot I just want to be sure I'm not missing something obvious.
Thank you,
Thorhallur Sverrisson
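Added example for this thread (not code from the original post): a small audit script that does what the poster is doing by eye, cross-checking the hit counters of every ACE carrying the `log` keyword against the syslog messages those entries should have produced. IOS ACL log messages (`%SEC-6-IPACCESSLOGP` for tcp/udp, `%SEC-6-IPACCESSLOGDP` for icmp, `%SEC-6-IPACCESSLOGNP` for other protocols) carry the flow but not the ACE sequence number, so the script re-evaluates each logged flow against the ACL with first-match semantics to attribute it to an entry. The ACL listing is the one from the post; the syslog lines are constructed, with invented addresses, and the whole thing assumes plain `ip`/protocol ACEs with address, wildcard, `host` and `any` tokens (no port qualifiers).

```python
"""Cross-check hardware hit counters of 'log' ACEs against the syslog
messages they should generate.  Added example for the thread, not code from
the original post.  Sample input is constructed: the ACL listing is the one
posted, the syslog buffer is invented (message shape follows IOS)."""
import ipaddress
import re

# One ACE as printed by 'show ip access-lists'.  Only address/wildcard,
# 'host' and 'any' forms are handled; port qualifiers (eq/range) are not.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)(?P<rest>.*)$"
)
ACL_NAME_RE = re.compile(r"^Extended IP access list (?P<name>\S+)")
# IOS ACL log message.  It names the list and the flow, not the ACE, so the
# flow has to be re-evaluated against the ACL to find the entry it hit.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+).*?(?P<pkts>\d+) packets?"
)

def parse_addr(tok):
    """Turn an ACL address token into an ip_network (wildcard -> netmask)."""
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok.startswith("host "):
        return ipaddress.ip_network(tok.split()[1] + "/32")
    addr, wildcard = tok.split()
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    # Pass a netmask rather than the wildcard: ipaddress treats 0.0.0.0 and
    # 255.255.255.255 as netmasks, which would invert the meaning.  A
    # non-contiguous wildcard raises ValueError instead of being mis-read.
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse_acl(show_output):
    """Parse 'show ip access-lists <name>' output into (name, [ACE dicts])."""
    name, aces = None, []
    for line in show_output.splitlines():
        n = ACL_NAME_RE.match(line.strip())
        if n:
            name = n["name"]
            continue
        m = ACE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        hits = re.search(r"\((\d+) matches\)", rest)
        aces.append({
            "seq": int(m["seq"]), "action": m["action"], "proto": m["proto"],
            "src": parse_addr(m["src"]), "dst": parse_addr(m["dst"]),
            "log": re.search(r"\blog(?:-input)?\b", rest) is not None,
            "matches": int(hits.group(1)) if hits else 0, "logged": 0,
        })
    return name, sorted(aces, key=lambda a: a["seq"])

def first_match(aces, proto, src, dst):
    """ACLs are first-match: return the first ACE the flow would hit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a["proto"] in ("ip", proto) and s in a["src"] and d in a["dst"]:
            return a
    return None

def audit(show_output, syslog):
    """Attribute logged packets to ACEs; returns the ACE list with 'logged' filled in."""
    name, aces = parse_acl(show_output)
    for line in syslog.splitlines():
        m = LOG_RE.search(line)
        if not m or m["acl"] != name:
            continue
        hit = first_match(aces, m["proto"], m["src"], m["dst"])
        if hit is not None:
            hit["logged"] += int(m["pkts"])
    return aces

def silent_log_entries(show_output, syslog):
    """Sequence numbers of 'log' ACEs with hardware matches but no logged packets."""
    return [a["seq"] for a in audit(show_output, syslog)
            if a["log"] and a["matches"] and not a["logged"]]

# Constructed sample: the listing from the post, plus an invented syslog buffer.
SHOW_ACL = """\
Extended IP access list vlan703-in
    10 permit ip 10.24.3.0 0.0.0.255 10.24.1.0 0.0.0.255 (178 matches)
    20 permit ip 10.24.3.0 0.0.0.255 10.24.2.0 0.0.0.255 (24981 matches)
    30 permit ip 10.24.3.0 0.0.0.255 10.24.17.0 0.0.0.255 (4568 matches)
    40 permit ip 10.24.3.0 0.0.0.255 10.24.51.0 0.0.0.255
    45 permit ip 10.24.3.0 0.0.0.255 host 10.24.3.255 (63 matches)
    46 permit ip 10.24.3.0 0.0.0.255 any log (25355 matches)
    50 permit ip any any log (9385 matches)
"""
SYSLOG = """\
Feb 26 14:55:01: %SEC-6-IPACCESSLOGP: list vlan703-in permitted tcp 10.24.3.10(1034) -> 172.16.1.5(443), 1 packet
Feb 26 14:55:31: %SEC-6-IPACCESSLOGDP: list vlan703-in permitted icmp 10.24.3.11 -> 192.168.5.5 (8/0), 4 packets
Feb 26 14:56:02: %SEC-6-IPACCESSLOGP: list other-list permitted tcp 10.1.1.1(2000) -> 10.2.2.2(80), 1 packet
"""

if __name__ == "__main__":
    for a in audit(SHOW_ACL, SYSLOG):
        flag = "  <-- matches but nothing logged" if a["log"] and a["matches"] and not a["logged"] else ""
        print(f'{a["seq"]:>3} log={a["log"]!s:5} matches={a["matches"]:>6} logged_pkts={a["logged"]}{flag}')
```

Run against real data, paste the `show ip access-lists` output and the contents of `show logging` (or the syslog server's file) into the two strings; an entry reported as "matches but nothing logged" is exactly the symptom described above, and because the attribution uses first-match semantics, a flow from 10.24.3.0/24 is credited to line 46 and never to line 50, so the counters for the two `log` entries can be compared independently.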