[c-nsp] 'permit ip any any log' not logging?

Ge Moua moua0100 at umn.edu
Mon Feb 26 15:56:08 EST 2007


Make sure your debugging level for "buffer" is at least 6 or above (go to
level 7 to eliminate any doubts).  See below:

"logging buffered 16384 debugging"

Buffer logging: level debugging, 27110 messages logged

Feb 26 13:56:36: %SEC-6-IPACCESSLOGP: list vlan726_ingress denied tcp 210.179.159.32(24389) -> 134.84.189.127(22), 1 packet



:-)
Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services
2218 University Ave SE | Minneapolis, MN 55414-3029
Office: 612.626.2779 | Pager: 612.648.0103 | Fax: 612.626.1818

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Thorhallur
Sverrisson
Sent: Monday, February 26, 2007 2:03 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 'permit ip any any log' not logging?

Hi All,

I've been setting up access lists on my 4500 (WS-C4507R) running IOS
12.2(25)EWA4.

To help me figure out whether I need to open up further holes I placed a
'permit ip any any log' at the bottom to see all the traffic flowing through
without explicit permits.

The ACL is applied on a VLAN interface and is as follows:
SW00100#show ip access-lists vlan703-in
Extended IP access list vlan703-in
     10 permit ip 10.24.3.0 0.0.0.255 10.24.1.0 0.0.0.255 (178 matches)
     20 permit ip 10.24.3.0 0.0.0.255 10.24.2.0 0.0.0.255 (24981 matches)
     30 permit ip 10.24.3.0 0.0.0.255 10.24.17.0 0.0.0.255 (4568 matches)
     40 permit ip 10.24.3.0 0.0.0.255 10.24.51.0 0.0.0.255
     45 permit ip 10.24.3.0 0.0.0.255 host 10.24.3.255 (63 matches)
     46 permit ip 10.24.3.0 0.0.0.255 any log (25355 matches)
     50 permit ip any any log (9385 matches)

This does not generate any messages in the router.  Changing any of the
previous rules (10-30) generates the correct messages.

For the life of me I cannot get this to work.  I have not seen anything in
the documentation regarding 'wide' matches not generating messages.
In fact, I have seen the 'permit ip any any log' line in countless
examples and HowTos.

This all smells of a bug, but before I start upgrading the switch and whatnot,
I just want to be sure I'm not missing something obvious.

Thank you,

Thorhallur Sverrisson

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
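The reply above turns on the severity of the ACL log messages: %SEC-6-IPACCESSLOGP is severity 6 (informational), so a 'logging buffered' level below 6 silently discards every ACL hit while the match counters keep climbing. The script below is an added example, not code from either poster; it parses the message format quoted in the thread, applies the buffer level from a 'logging buffered' line, and totals packets per ACL entry, destination and port so that a catch-all 'permit ip any any log' can be turned into specific permits. The handling of the no-port IPACCESSLOGNP variant and all sample lines except the one quoted in the thread are constructed for this example.

```python
"""Parse Cisco IOS ACL log messages (%SEC-6-IPACCESSLOGP and related) and show
which of them survive a given 'logging buffered <level>' setting.

Added example, not code from the cisco-nsp thread. The message layout is taken
from the %SEC-6-IPACCESSLOGP line quoted in the thread; support for no-port
IPACCESSLOGNP lines is an assumption about the related IOS mnemonic.
"""
import re
from collections import Counter

# Cisco syslog severity levels. A buffer configured at level N keeps messages
# whose severity number is <= N (0 = emergencies ... 7 = debugging).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# %FACILITY-SEVERITY-MNEMONIC header followed by the ACL log body. Port groups
# are optional so that protocol-number messages without ports also match.
ACL_LOG_RE = re.compile(
    r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?, "
    r"(?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return a dict describing one ACL log event, or None for any other message."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])
    ev["count"] = int(ev["count"])
    for key in ("sport", "dport"):
        ev[key] = int(ev[key]) if ev[key] is not None else None
    return ev


def buffered_level(config_line):
    """Severity kept by a 'logging buffered [size] [level]' line (name or number)."""
    level = SEVERITY["debugging"]  # IOS default level for logging buffered
    for tok in config_line.split()[2:]:
        if tok.isdigit() and int(tok) <= 7:     # a small number is a level,
            level = int(tok)                    # a large one is the buffer size
        elif tok in SEVERITY:
            level = SEVERITY[tok]
    return level


def surviving_events(lines, level):
    """ACL events the logging buffer at `level` would actually retain."""
    return [ev for ev in map(parse_acl_log, lines)
            if ev is not None and ev["severity"] <= level]


def summarize(events):
    """Total packets per (acl, action, proto, dst, dport): the view needed to
    replace a logged catch-all entry with explicit permits."""
    totals = Counter()
    for ev in events:
        totals[(ev["acl"], ev["action"], ev["proto"], ev["dst"], ev["dport"])] += ev["count"]
    return totals


# Constructed sample feed: the first line is the one quoted in the thread,
# the remaining lines are made up for this example.
SAMPLE_LOG = [
    "Feb 26 13:56:36: %SEC-6-IPACCESSLOGP: list vlan726_ingress denied tcp 210.179.159.32(24389) -> 134.84.189.127(22), 1 packet",
    "Feb 26 13:57:01: %SEC-6-IPACCESSLOGP: list vlan703-in permitted udp 10.24.3.17(49152) -> 10.24.60.5(53), 12 packets",
    "Feb 26 13:57:09: %SEC-6-IPACCESSLOGP: list vlan703-in permitted tcp 10.24.3.40(51022) -> 10.24.60.9(443), 3 packets",
    "Feb 26 13:57:15: %SEC-6-IPACCESSLOGNP: list vlan703-in permitted 47 10.24.3.2 -> 10.24.60.1, 2 packets",
    "Feb 26 13:58:00: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down",
]

if __name__ == "__main__":
    # The weak setting beside the corrected one: at 'notifications' the ACL
    # hits vanish from the buffer; at 'debugging' (or 'informational') they show.
    for cfg in ("logging buffered 16384 notifications", "logging buffered 16384 debugging"):
        lvl = buffered_level(cfg)
        kept = surviving_events(SAMPLE_LOG, lvl)
        print(f"{cfg!r} -> level {lvl}: {len(kept)} ACL events retained")
        for key, n in sorted(summarize(kept).items(), key=lambda kv: str(kv[0])):
            print("   ", key, n)
```

Run it as-is to see the same feed produce zero ACL events at level 5 and four at level 7; on a real box feed it 'show logging' output after confirming the buffer level, since match counters on the ACL entry say nothing about whether the log messages were kept.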
