How to log matched traffic in an ACL

  • Updated 3 years ago
The log keyword of an ACL doesn't seem to work, take this simple policy as an example:

entry permit_ICMP {
    if {
        protocol icmp;
    } then {
        count icmp;   # counter for this entry
        log;          # the log action in question
    }
}

The counter increments fine, the traffic is permitted (even with a deny any in the end) but there's no log.

Looking forward for an answer for this.

Thanks in advance.
Thiago
Posted 3 years ago

Paul Russo, Alum
Hello Thiago

That log is not to log that the entry was executed in the switch log table. It means you can send the packet to the CPU and get header information in the log table.

"log—Logs the packet header."
"log-raw—Logs the packet header in hex format."

In order to have that data execute into the log you need to add a filter

"You must configure an EMS"
"filter to log these messages, for example, configure log filter DefaultFilter add event See the Status Monitoring and Statistics chapter for information about"

To test that an entry is working use the counter

Hope that helps
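The whole sequence Paul describes, written out end to end as an added example (not taken from this thread or from Extreme's documentation). The policy name icmplog is assumed, and the EMS event name is a placeholder because the thread cuts it off.

```text
# --- icmplog.pol (constructed policy file on the switch) ---
entry permit_ICMP {
    if {
        protocol icmp;
    } then {
        count icmp;   # counter proves the entry matches
        log;          # copies the packet header to the CPU for EMS
    }
}
entry deny_all {
    if {
    } then {
        deny;
    }
}

# --- CLI steps (one EXOS session) ---
# 1. Syntax-check the policy and apply it to ingress traffic on all ports.
check policy icmplog
configure access-list icmplog any ingress

# 2. The log action only yields messages once an EMS filter accepts the
#    ACL event; DefaultFilter feeds the memory-buffer log read by "show log".
#    <ACL_LOG_EVENT> is a placeholder: the thread does not give the event
#    name, find it with "show log components" or "show log events".
configure log filter DefaultFilter add event <ACL_LOG_EVENT>

# 3. Verify. The counter increments whether or not logging works; the
#    packet headers appear in the log only after step 2. Keep the match
#    narrow, since every logged packet is punted to the CPU.
show access-list counter
show log
```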
Thiago
Thank you Paul,

When I added "configure log filter DefaultFilter add event" it started to appear in the log.
Sumit Tokle, Alum
@Paul is absolutely correct.

It's better to use EMS instead of mirror traffic to CPU.