10-113
IPv4 Access Control Lists (ACLs)
Enable ACL “Deny” Logging
ACL Logging Operation
When the switch detects a packet that matches an ACE carrying both the deny action and the optional log parameter, it sends an ACL log message to the configured debug destination. The first time a packet matches such an ACE, the message is sent immediately and the switch starts a wait-period of approximately five minutes. (The exact duration of the period depends on how the packets are internally routed.) At the end of that collection period the switch sends a single-line summary of any further "deny" matches for that ACE (and for any other "deny" ACEs that matched during the same period). If no further matches occur during the wait-period, the switch suspends the timer and resets itself so that the next "deny" match is again reported immediately. Only the first match in a period is reported with full packet detail; the later matches appear only as a packet count in the summary line, so their source and destination addresses are not recorded. The data in the message includes the information illustrated in figure 10-43.
Figure 10-43. Content of a Message Generated by an ACL-Deny Action

Example Syslog report of the first deny event detected by the switch for this ACE:

  Feb 1 10:04:45 10.10.20.1 ACL: ACL 02/01/07 10:04:45 List NO-TELNET, seq#10 denied tcp 10.10.10.3(1612)->10.10.20.2(23) on vlan 1, port A7

Example of subsequent deny events detected by the switch for the same ACE (summary sent at the end of the wait-period):

  Feb 1 10:04:45 10.10.20.1 ACL: ACL 02/01/07 10:04:45 : ACL NO-TELNET seq#10 denied 6 packets
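The two message formats in figure 10-43 are what a collector actually has to work with: a full-detail record for the first match of an ACE, then bare "denied N packets" summaries with no addresses. The following parser is an added example written for this page, not code from the switch vendor or the manual. It rolls the records up per ACE so that the summary counts are credited to the right list and sequence number, and it flags ACEs for which only summary counts exist. The sample records are constructed for the example; the host address, times and the NO-SSH list are invented, only the NO-TELNET seq#10 record follows the figure.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample syslog records in the two formats figure 10-43 shows:
# a full-detail record for the first deny match of an ACE, then the
# single-line "denied N packets" summary sent at the end of the wait-period.
# Hosts, times and the NO-SSH list are invented for this example.
SAMPLE_LOG = """\
Feb 1 10:04:45 10.10.20.1 ACL: ACL 02/01/07 10:04:45 List NO-TELNET, seq#10 denied tcp 10.10.10.3(1612)->10.10.20.2(23) on vlan 1, port A7
Feb 1 10:09:51 10.10.20.1 ACL: ACL 02/01/07 10:09:51 : ACL NO-TELNET seq#10 denied 6 packets
Feb 1 10:12:02 10.10.20.1 ACL: ACL 02/01/07 10:12:02 List NO-TELNET, seq#10 denied tcp 10.10.10.9(40112)->10.10.20.2(23) on vlan 1, port A3
Feb 1 10:17:10 10.10.20.1 ACL: ACL 02/01/07 10:17:10 : ACL NO-TELNET seq#10 denied 2 packets
Feb 1 10:17:10 10.10.20.1 ACL: ACL 02/01/07 10:17:10 : ACL NO-SSH seq#20 denied 3 packets
"""

# First deny match in a period: carries the 5-tuple plus ingress VLAN and port.
FIRST_RE = re.compile(
    r"ACL (?P<date>\S+) (?P<time>\S+) List (?P<acl>\S+), seq#(?P<seq>\d+) denied "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\)->(?P<dst>[\d.]+)\((?P<dport>\d+)\) "
    r"on vlan (?P<vlan>\d+), port (?P<port>\S+)"
)
# Wait-period summary: only the ACE identity and a packet count, no addresses.
SUMMARY_RE = re.compile(
    r"ACL (?P<date>\S+) (?P<time>\S+) : ACL (?P<acl>\S+) seq#(?P<seq>\d+) "
    r"denied (?P<count>\d+) packets"
)


@dataclass
class AceStats:
    acl: str
    seq: int
    detailed: int = 0                   # packets that produced a full-detail record
    summarized: int = 0                 # packets known only from summary counts
    last_detail: Optional[dict] = None  # most recent 5-tuple seen for this ACE

    @property
    def total(self) -> int:
        return self.detailed + self.summarized


def parse_line(line: str) -> Optional[Tuple[str, dict]]:
    """Classify one syslog record as ('first', fields) or ('summary', fields)."""
    m = FIRST_RE.search(line)
    if m:
        return "first", m.groupdict()
    m = SUMMARY_RE.search(line)
    if m:
        return "summary", m.groupdict()
    return None  # not an ACL deny record


def aggregate(text: str) -> Dict[Tuple[str, int], AceStats]:
    """Roll deny records up per ACE, keyed by (list name, sequence number)."""
    stats: Dict[Tuple[str, int], AceStats] = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        key = (f["acl"], int(f["seq"]))
        s = stats.setdefault(key, AceStats(*key))
        if kind == "first":
            s.detailed += 1
            s.last_detail = {k: f[k] for k in
                             ("proto", "src", "sport", "dst", "dport", "vlan", "port")}
        else:
            s.summarized += int(f["count"])
    return stats


def blind_counts(stats: Dict[Tuple[str, int], AceStats]):
    """ACEs whose denies are known only from summaries: a count but no 5-tuple.
    This happens when the full-detail record fell outside the collected log."""
    return sorted(k for k, s in stats.items() if s.summarized and s.last_detail is None)


if __name__ == "__main__":
    agg = aggregate(SAMPLE_LOG)
    for (acl, seq), s in sorted(agg.items()):
        print(f"{acl} seq#{seq}: {s.total} denied "
              f"({s.detailed} with packet detail, {s.summarized} summary-only)")
    print("summary-only ACEs:", blind_counts(agg))
```

The split between `detailed` and `summarized` is the point: on this sample the NO-TELNET ACE denied ten packets, but only two of them are attributable to a source address, and the NO-SSH count has no packet detail at all because its first-match record is not in the collected log. When a summary line is the only evidence, the collector must not pretend to know which host was denied.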