Lab 44: Logging ACL Matches

Lab Objective:

The objective of this lab exercise is for you to learn and understand how to configure access control lists to log traffic that matches any particular entry within the configured ACL.

Lab Purpose:

Logging traffic based on ACL rule configuration is a fundamental skill. Both named and numbered standard and extended ACLs can be configured to log information on matches against their configured rules. This logging can be performed locally (on the router or switch) or remotely (to a SYSLOG server). As a Cisco engineer, as well as in the Cisco CCNA exam, you will be expected to know how to configure ACLs to log information against configured rules.

Certification Level:

This lab is suitable for CCNA certification exam preparation.

Lab Difficulty:

This lab has a difficulty rating of 6/10.

Readiness Assessment:

When you are ready for your certification exam, you should complete this lab in no more than 5 minutes.

Lab Topology:

Please use the following topology to complete this lab exercise:


Task 1:

Configure the hostnames on routers R1 and R3 as illustrated in the topology.

Task 2:

Configure R1 S0/0, which is a DCE, to provide a clock rate of 768 Kbps to R3. Configure the IP addresses on the Serial interfaces of R1 and R3 as illustrated in the topology.

Task 3:

Enable local logging on R3. The logging level should be for informational messages only.

Task 4:

Configure an extended named ACL on R3 to permit all Telnet and ICMP traffic types. This ACL should log when Telnet or ICMP traffic matches it. Configure this ACL with the name MyACL and apply it inbound on R3 Serial0/0.

Task 5:

Clear the logs on R3 using the clear log command. Ping R3 from R1 and check the log on R3 with the show log command. If you have configured the ACL correctly, you will have a log message about the ACL line permitting ICMP traffic to R3. Telnet to R3 from R1 and check the log on R3 with the show log command. If you have configured the ACL correctly, you will have a log message about the ACL line permitting Telnet traffic to R3.

Configuration and Verification

Task 1:

For reference information on configuring hostnames, please refer to earlier labs.

Task 2:

For reference information on configuring DCE clocking, please refer to earlier labs.

Task 3:

R3#conf t 
Enter configuration commands, one per line.  End with CTRL/Z. 
R3(config)#logging on 
R3(config)#logging buffered informational 
R3(config)#end 
R3#

NOTE: When configuring logging, it is always good practice to enable logging with the logging on command. When logging messages to the buffer on the router, the options available are as follows:

R3#conf t
Configuring from terminal, memory, or network [terminal]? 
Enter configuration commands, one per line.  End with CTRL/Z.
R3(config)#logging buffered ? 
<0-7>              Logging severity level 
<4096-2147483647>  Logging buffer size 
alerts             Immediate action needed           (severity=1) 
critical           Critical conditions               (severity=2) 
debugging          Debugging messages                (severity=7) 
emergencies        System is unusable                (severity=0) 
errors             Error conditions                  (severity=3) 
informational      Informational messages            (severity=6) 
notifications      Normal but significant conditions (severity=5) 
warnings           Warning conditions                (severity=4) 
xml                Enable logging in XML to XML logging buffer 
<cr>

If you specify a severity of 5 (Notifications), then the router or switch will log all messages up to and including that severity level. In other words, the device will log message levels 1 through 5, inclusive. To see debugging output, you must enable a severity of 7. When logging debugging messages, ensure that there is enough buffer space for these messages. Use the logging buffered <4096-2147483647> command to specify the buffer size.

Task 4:

R3#conf t 
Enter configuration commands, one per line.  End with CTRL/Z. 
R3(config)#ip access-list extended MyACL
R3(config-ext-nacl)#permit tcp any any eq telnet log 
R3(config-ext-nacl)#permit icmp any any log 
R3(config-ext-nacl)#exit 
R3(config)#int s0/0 
R3(config-if)#ip access-group MyACL in 
R3(config-if)#end 
R3#show ip access-lists 
Extended IP access list MyACL 
  10 permit tcp any any eq telnet log 
  20 permit icmp any any log

Task 5:

For information on how to ping or telnet from Cisco routers, please see the earlier labs. Ensure that you enable Telnet access.

R3#clear log 
Clear logging buffer [confirm] 
R3# 
R3#show log 
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled) 
Console logging: disabled 
Monitor logging: level debugging, 0 messages logged, xml disabled 
Buffer logging: level informational, 6 messages logged, xml disabled 
Logging Exception size (4096 bytes) 
Count and timestamp logging messages: disabled 
Trap logging: level informational, 35 message lines logged

Log Buffer (4096 bytes): 

*Mar  1 01:29:00.370: %SEC-6-IPACCESSLOGDP: list MyACL permitted icmp 172.16.1.1 -> 172.16.1.2 (0/0), 1 packet 
*Mar  1 01:29:54.771: %SEC-6-IPACCESSLOGP: list MyACL permitted tcp 172.16.1.1(17218) -> 172.16.1.2(23), 1 packet 
*Mar  1 01:30:16.751: %SEC-6-IPACCESSLOGDP: list MyACL permitted icmp 172.16.1.1 -> 172.16.1.2 (8/0), 1 packet 
*Mar  1 01:30:23.186: %SEC-6-IPACCESSLOGP: list MyACL permitted tcp 172.16.1.1(60418) -> 172.16.1.2(23), 1 packet
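The two message formats in the show log output above (%SEC-6-IPACCESSLOGP for TCP/UDP with ports, %SEC-6-IPACCESSLOGDP for ICMP with type/code) are what you would feed to a SYSLOG collector, and the severity-level rule from Task 3 decides whether the router keeps them in the buffer at all. The following Python script is an added example, not part of the lab or of any Cisco tooling: it parses those lines, applies the buffer-level filter, and totals packets per ACL, action and protocol. The regexes are built only from the two formats shown on the page (other IPACCESSLOG variants are skipped), the sample log reuses the four lines above plus one constructed %SYS-5-CONFIG_I line, and all function and field names are my own.

```python
"""Parse the %SEC-6-IPACCESSLOG* messages that ACL 'log' entries generate.

Added example for this lab: the sample lines below are copied from the
'show log' output (plus one constructed non-ACL message), the regexes are
built from those two message formats, and all names here are my own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Severity keywords exactly as 'logging buffered ?' lists them.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Generic IOS message header: timestamp, then %FACILITY-SEVERITY-MNEMONIC: body
HEADER_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<body>.*)$"
)

# Body of IPACCESSLOGP (tcp/udp, ports in parentheses after each address) and
# IPACCESSLOGDP (icmp, "(type/code)" after the destination address).
ACL_RE = re.compile(
    r"^list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?$"
)
ACL_MNEMONICS = {"IPACCESSLOGP", "IPACCESSLOGDP"}  # the two formats on the page


@dataclass(frozen=True)
class AclMatch:
    timestamp: str
    severity: int
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    icmp_type: Optional[int]
    icmp_code: Optional[int]
    packets: int


def is_buffered(msg_severity: int, buffered_level: int) -> bool:
    """A message is kept when its severity number is <= the configured level
    (lower number = more severe), so 'logging buffered notifications' (5)
    drops these SEC-6 messages while 'informational' (6) keeps them."""
    return msg_severity <= buffered_level


def parse_line(line: str) -> Optional[AclMatch]:
    """Return an AclMatch for an ACL-log line, or None for any other line."""
    h = HEADER_RE.match(line.strip())
    if not h or h["mnemonic"] not in ACL_MNEMONICS:
        return None
    b = ACL_RE.match(h["body"])
    if not b:
        return None

    def opt(key: str) -> Optional[int]:
        return int(b[key]) if b[key] is not None else None

    return AclMatch(h["ts"], int(h["sev"]), b["acl"], b["action"], b["proto"],
                    b["src"], b["dst"], opt("sport"), opt("dport"),
                    opt("itype"), opt("icode"), int(b["count"]))


def parse_log(text: str, buffered_level: int = SEVERITY["informational"]) -> List[AclMatch]:
    """Parse a 'show log' dump, keeping only messages the buffer level admits."""
    out: List[AclMatch] = []
    for line in text.splitlines():
        m = parse_line(line)
        if m and is_buffered(m.severity, buffered_level):
            out.append(m)
    return out


def summarize(matches: List[AclMatch]) -> Dict[Tuple[str, str, str], int]:
    """Packet totals per (acl, action, protocol): the quickest way to confirm
    that each ACL line is matching the traffic you expect it to."""
    totals: Dict[Tuple[str, str, str], int] = {}
    for m in matches:
        key = (m.acl, m.action, m.proto)
        totals[key] = totals.get(key, 0) + m.packets
    return totals


# The four lines from the lab's 'show log' output; the first line is a
# constructed non-ACL message to show that unrelated entries are ignored.
SAMPLE_LOG = """\
*Mar  1 01:28:40.002: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 01:29:00.370: %SEC-6-IPACCESSLOGDP: list MyACL permitted icmp 172.16.1.1 -> 172.16.1.2 (0/0), 1 packet
*Mar  1 01:29:54.771: %SEC-6-IPACCESSLOGP: list MyACL permitted tcp 172.16.1.1(17218) -> 172.16.1.2(23), 1 packet
*Mar  1 01:30:16.751: %SEC-6-IPACCESSLOGDP: list MyACL permitted icmp 172.16.1.1 -> 172.16.1.2 (8/0), 1 packet
*Mar  1 01:30:23.186: %SEC-6-IPACCESSLOGP: list MyACL permitted tcp 172.16.1.1(60418) -> 172.16.1.2(23), 1 packet
"""

if __name__ == "__main__":
    matches = parse_log(SAMPLE_LOG)
    for m in matches:
        print(m)
    print(summarize(matches))
    print("kept at notifications level:", len(parse_log(SAMPLE_LOG, SEVERITY["notifications"])))
```

Running it with the default informational level yields all four ACL matches and a summary of two ICMP and two Telnet packets permitted by MyACL; running it with the notifications level yields nothing, which is exactly why Task 3 sets the buffer to informational before Task 5 expects to see the SEC-6 messages.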