120 Labs for Cisco CCNA 200-125 and CCENT Exams

Lab 44: Logging ACL Matches

Lab Objective:

The objective of this lab exercise is for you to learn and understand how to configure access control lists to log traffic that matches any particular entry within the configured ACL.

Lab Purpose:

Logging traffic based on ACL rule configuration is a fundamental skill. Both named and numbered standard and extended ACLs can be configured to log information on matches against their configured rules. This logging can be performed locally (on the router or switch) or remotely (to a SYSLOG server). As a Cisco engineer, as well as in the Cisco CCNA exam, you will be expected to know how to configure ACLs to log information against configured rules.

Certification Level:

This lab is suitable for CCNA certification exam preparation.

Lab Difficulty:

This lab has a difficulty rating of 6/10.

Readiness Assessment:

When you are ready for your certification exam, you should complete this lab in no more than 5 minutes.

Lab Topology:

Please use the following topology to complete this lab exercise:

Task 1:

Configure the hostnames on routers R1 and R3 as illustrated in the topology.

Task 2:

Configure R1 S0/0, which is a DCE, to provide a clock rate of 768 Kbps to R3. Configure the IP addresses on the Serial interfaces of R1 and R3 as illustrated in the topology.

Task 3:

Enable local logging on R3. The logging level should be for informational messages only.

Task 4:

Configure an extended named ACL on R3 to permit all Telnet and ICMP traffic types. This ACL should log when Telnet or ICMP traffic matches it. Configure this ACL with the name MyACL and apply it inbound on R3 Serial0/0.

Task 5:

Clear the logs on R3 using the clear log command. Ping R3 from R1 and check the log on R3 with the show log command. If you have configured the ACL correctly, you will have a log message about the ACL line permitting ICMP traffic to R3. Telnet to R3 from R1 and check the log on R3 with the show log command. If you have configured the ACL correctly, you will have a log message about the ACL line permitting Telnet traffic to R3.

Configuration and Verification

Task 1:

For reference information on configuring hostnames, please refer to earlier labs.

Task 2:

For reference information on configuring DCE clocking, please refer to earlier labs.

Task 3:

R3#conf t 
Enter configuration commands, one per line.  End with CTRL/Z. 
R3(config)#logging on 
R3(config)#logging buffered informational 
R3(config)#end 
R3#

NOTE: When configuring logging, it is always good practice to enable logging with the logging on command. When logging messages to the buffer on the router, the options available are as follows:

 R3#conf t 
Configuring from terminal, memory, or network [terminal]? 
Enter configuration commands, one per line.  End with CTRL/Z.
R3(config)#logging buffered ? 
<0-7>              Logging severity level 
<4096-2147483647>  Logging buffer size 
alerts             Immediate action needed           (severity=1) 
critical           Critical conditions               (severity=2) 
debugging          Debugging messages                (severity=7) 
emergencies        System is unusable                (severity=0) 
errors             Error conditions                  (severity=3) 
informational      Informational messages            (severity=6) 
notifications      Normal but significant conditions (severity=5) 
warnings           Warning conditions                (severity=4) 
xml                Enable logging in XML to XML logging buffer 
<cr>

If you specify a severity of 5 (Notifications), then the router or switch will log all messages up to and including that severity level. In other words, the device will log message levels 1 through 5, inclusive. To see debugging output, you must enable a severity of 7. When logging debugging messages, ensure that there is enough buffer space for these messages. Use the logging buffered <4096-2147483647> command to specify the buffer size.

Task 4:

R3#conf t 
Enter configuration commands, one per line.  End with CTRL/Z. 
R3(config)#ip access-list extended MyACL
R3(config-ext-nacl)#permit tcp any any eq telnet log 
R3(config-ext-nacl)#permit icmp any any log 
R3(config-ext-nacl)#exit 
R3(config)#int s0/0 
R3(config-if)#ip access-group MyACL in 
R3(config-if)#end 
R3#show ip access-lists 
Extended IP access list MyACL 
  10 permit tcp any any eq telnet log 
  20 permit icmp any any log

Task 5:

For information on how to ping or telnet from Cisco routers, please see the earlier labs. Ensure that you enable Telnet access.

R3#clear log 
Clear logging buffer [confirm] 
R3# 
R3#show log 
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled) 
Console logging: disabled 
Monitor logging: level debugging, 0 messages logged, xml disabled 
Buffer logging: level informational, 6 messages logged, xml disabled 
Logging Exception size (4096 bytes) 
Count and timestamp logging messages: disabled 
Trap logging: level informational, 35 message lines logged

Log Buffer (4096 bytes): 

*Mar  1 01:29:00.370: %SEC-6-IPACCESSLOGDP: list MyACL permitted icmp 172.16.1.1 -> 172.16.1.2 (0/0), 1 packet 
*Mar  1 01:29:54.771: %SEC-6-IPACCESSLOGP: list MyACL permitted tcp 172.16.1.1(17218) -> 172.16.1.2(23), 1 packet 
*Mar  1 01:30:16.751: %SEC-6-IPACCESSLOGDP: list MyACL permitted icmp 172.16.1.1 -> 172.16.1.2 (8/0), 1 packet 
*Mar  1 01:30:23.186: %SEC-6-IPACCESSLOGP: list MyACL permitted tcp 172.16.1.1(60418) -> 172.16.1.2(23), 1 packet

Related Articles

Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments
Back to top button