ACL options (the difference between log and log-input)
[log option]
permit tcp any any log
permit udp any any log
permit ip any any log
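Specifying this keyword at the end of an ACL condition statement causes a log message to be output whenever a packet matches that statement.
Example log output: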
*May 1 22:12:13:243:%SEC-6-IPACCESSLOGDP:list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024)→192.168.2.1(22),1 packet
*May 1 22:12:13:243:%SEC-6-IPACCESSLOGDP:list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024)→192.168.2.1(22),9 packet
[log-input option]
permit tcp any any log-input
permit udp any any log-input
permit ip any any log-input
The input interface and the source MAC address are also added to the log output shown above.
Example log output:
*May 1 22:12:13:243:%SEC-6-IPACCESSLOGDP:list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024)(Ethernet0/0 000e.9b5a.9839)→192.168.2.1(22),1 packet
*May 1 22:12:13:243:%SEC-6-IPACCESSLOGDP:list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024)(Ethernet0/0 000e.9b5a.9839)→192.168.2.1(22),9 packet
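
The following parser is an added example, not part of the original page or any Cisco tooling. It reads both message forms shown above and uses the extra log-input fields to flag a source IP that appears with more than one source MAC. The function names, the acceptance of "->" in place of "→", and the third sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the message body shown on this page. The "(interface MAC)" group is
# present only for log-input entries; "->" is accepted as well as "→" (assumption).
ACL_LOG_RE = re.compile(
    r"%SEC-6-\w+:\s*list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+"
    r"(?P<proto>\S+)\s+(?P<src>[\d.]+)\((?P<sport>\d+)\)\s*"
    r"(?:\((?P<in_if>\S+)\s+(?P<src_mac>[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})\)\s*)?"
    r"(?:→|->)\s*(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s*(?P<packets>\d+)\s+packets?"
)

def parse_acl_log(line):
    """Return a dict of fields, or None if the line is not an ACL log entry."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "packets"):
        entry[key] = int(entry[key])
    # in_if and src_mac stay None for entries produced by plain "log".
    entry["log_input"] = entry["src_mac"] is not None
    return entry

def sources_with_multiple_macs(entries):
    """Map source IP -> sorted MACs, for IPs seen with more than one MAC."""
    seen = defaultdict(set)
    for e in entries:
        if e and e["log_input"]:
            seen[e["src"]].add(e["src_mac"].lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

# The first two lines follow the page's examples; the third is constructed
# (same source IP, different MAC) to exercise the check.
SAMPLE = [
    "*May 1 22:12:13:243:%SEC-6-IPACCESSLOGDP:list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024)→192.168.2.1(22),1 packet",
    "*May 1 22:12:13:243:%SEC-6-IPACCESSLOGDP:list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024)(Ethernet0/0 000e.9b5a.9839)→192.168.2.1(22),9 packet",
    "*May 1 22:12:14:100:%SEC-6-IPACCESSLOGDP:list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1025)(Ethernet0/0 0000.5e00.5301)→192.168.2.1(22),1 packet",
]

if __name__ == "__main__":
    parsed = [parse_acl_log(line) for line in SAMPLE]
    for p in parsed:
        print(p)
    print(sources_with_multiple_macs(parsed))
```

Entries logged with plain log carry no MAC address, so only log-input entries can take part in the MAC comparison.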