From: fathallah said (sfathallah@mail.cbi.net.ma)
Date: Thu Jan 09 2003 - 13:07:38 GMT-3
Ellis,
The purpose of policy routing using a route map and access-list is rerouting
when there is a match, and routing (but not discarding) according to the
routing table when there is no match. I think that is the reason why you
don't see the log in your syslog server.
Regards,
Said Fathallah.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ellis Chan
Sent: Thursday, January 9, 2003 08:22
To: ccielab@groupstudy.com
Subject: logging access-list to syslog server
Dear group,
I know that we can apply 'log' at the end of the access list to divert
logging to the syslog server.
I have a problem when applying the access list with a route map.
Partial config as follows:
--------------------
interface FastEthernet0/0
 ip address 202.83.202.150 255.255.255.248 secondary
 ip address 204.245.0.61 255.255.255.224
 no ip mroute-cache
 ip policy route-map TEST
 load-interval 30
 speed 100
 full-duplex
 fair-queue
access-list 109 permit ip 202.83.202.144 0.0.0.7 any
access-list 109 permit ip 202.83.202.152 0.0.0.7 any
access-list 109 permit ip 202.83.202.160 0.0.0.31 any
access-list 109 deny ip any any log
access-list 110 permit ip 204.245.0.128 0.0.0.31 any
access-list 110 permit ip 204.245.0.160 0.0.0.31 any
access-list 110 permit ip 204.245.0.192 0.0.0.31 any
access-list 110 permit ip 204.245.0.224 0.0.0.31 any
access-list 110 permit ip 204.245.0.32 0.0.0.31 any
access-list 110 deny ip any any log
!
route-map TEST permit 9
 match ip address 109
 set ip next-hop 204.245.0.102
!
route-map TEST permit 10
 match ip address 110
 set ip next-hop 204.245.0.106
--------------------
I can't see any deny log entries in the syslog server. When I remove the 'log'
keyword in the deny entries of access-list 109 and 110, I can see the match
entries like the following:
--------------------------
sh access-list 109
Extended IP access list 109
    permit ip 202.83.202.144 0.0.0.7 any (29916 matches)
    permit ip 202.83.202.152 0.0.0.7 any
    permit ip 202.83.202.160 0.0.0.31 any (354785 matches)
    deny ip any any (504427 matches)
mper#sh access-list 110
Extended IP access list 110
    permit ip 204.245.0.128 0.0.0.31 any (11848 matches)
    permit ip 204.245.0.160 0.0.0.31 any (39549 matches)
    permit ip 204.245.0.192 0.0.0.31 any (82264 matches)
    permit ip 204.245.0.224 0.0.0.31 any (331420 matches)
    permit ip 204.245.0.32 0.0.0.31 any (41804 matches)
    deny ip any any (64 matches)
-----------------------------
Is there any limitation of access lists when used with a route map?
Thanks, and inputs are welcome!!
Regards,
Ellis
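
The match semantics described in the reply, as an added example that is not part of the original thread: a small Python model of how route-map TEST evaluates ACLs 109 and 110 for a given source address. The function names (`parse`, `acl_action`, `policy_route`) are hypothetical, and the model covers only the match and fall-through behaviour, not logging.

```python
import ipaddress
# ACL and route-map lines copied from the post (interface lines omitted).
CONFIG = """\
access-list 109 permit ip 202.83.202.144 0.0.0.7 any
access-list 109 permit ip 202.83.202.152 0.0.0.7 any
access-list 109 permit ip 202.83.202.160 0.0.0.31 any
access-list 109 deny ip any any log
access-list 110 permit ip 204.245.0.128 0.0.0.31 any
access-list 110 permit ip 204.245.0.160 0.0.0.31 any
access-list 110 permit ip 204.245.0.192 0.0.0.31 any
access-list 110 permit ip 204.245.0.224 0.0.0.31 any
access-list 110 permit ip 204.245.0.32 0.0.0.31 any
access-list 110 deny ip any any log
route-map TEST permit 9
match ip address 109
set ip next-hop 204.245.0.102
route-map TEST permit 10
match ip address 110
set ip next-hop 204.245.0.106
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse(config):
    acls, clauses = {}, []
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[0] == "access-list":   # access-list <id> <action> ip <src> <wildcard> | any ...
            src, wild = (0, 0xFFFFFFFF) if w[4] == "any" else (to_int(w[4]), to_int(w[5]))
            acls.setdefault(w[1], []).append((w[2], src, wild))
        elif w[0] == "route-map":   # route-map <name> <action> <seq>
            clauses.append({"action": w[2], "seq": int(w[3])})
        elif w[0] in ("match", "set"):  # match ip address <acl> / set ip next-hop <addr>
            clauses[-1][w[0]] = w[3]
    return acls, sorted(clauses, key=lambda c: c["seq"])

def acl_action(entries, ip):
    # First matching entry wins; wildcard 1-bits are "don't care"; implicit deny at the end.
    return next((a for a, s, w in entries if (ip | w) == (s | w)), "deny")

def policy_route(src_ip, acls, clauses):
    """Return (next_hop, trace); next_hop None means normal destination-based routing."""
    trace = []
    for c in clauses:
        action = acl_action(acls[c["match"]], to_int(src_ip))
        trace.append((c["seq"], c["match"], action))
        if action == "permit":  # ACL permit = clause matched; ACL deny = try next clause
            return (c["set"] if c["action"] == "permit" else None), trace
    return None, trace
```

A source in 204.245.0.32/27 is denied by ACL 109 at sequence 9 and then permitted by ACL 110 at sequence 10, so the `deny ip any any` line of ACL 109 counts every packet that simply belongs to a later clause or to the normal routing table.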
This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:46 GMT-3