From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Thu Jul 21 2005 - 20:26:18 GMT-3
Take a look at the documentation for VLAN maps and look at the
restrictions for logging:
Configuring Network Security with ACLs
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225se/3550scg/swacl.htm
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
gladston@br.ibm.com
Sent: Thursday, July 21, 2005 2:59 PM
To: ccielab@groupstudy.com
Subject: 3550 Logging
Do you know if there is a way to make 3550 logging work with
access-list?
In this test there is a vlan map that uses match ip-address 111. It
denies dlsw, but logging does not indicate it.
Logging is enabled.
Rack2CAT1#sh logg
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns)
Console logging: level debugging, 180 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 183 messages logged
Exception Logging: size (4096 bytes)
File logging: disabled
Trap logging: level informational, 187 message lines logged
Rack2CAT1#sh access-list 111
Extended IP access list 111
deny tcp any eq 2065 any log-in
deny tcp any any eq 2065 log-in
deny tcp any eq 2067 any log-in
deny tcp any any eq 2067 log-in
The access-list is working; as soon as it permits dlsw, the connection is
established.