This post was last edited by 小乔 on 2022-11-25 15:37.
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to configure access control lists to log traffic that matches any particular entry within the configured ACL.
Lab Purpose:
Logging traffic that matches ACL entries is a fundamental skill. Named and numbered ACLs, standard and extended alike, accept the log keyword on individual entries so that matches against those entries are reported. The messages can be kept locally (in the logging buffer of the router or switch) or sent remotely to a syslog server. As a Cisco engineer, and in the Cisco CCNA exam, you will be expected to know how to configure ACL entries to log their matches.
Certification Level:
This lab is suitable for CCNA certification exam preparation.
Lab Difficulty:
This lab has a difficulty rating of 6/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 5 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
Task 1:
Configure the hostnames on routers R1 and R3 as illustrated in the topology.
Task 2:
Configure R1 S0/0, which is a DCE, to provide a clock rate of 768 Kbps to R3. Configure the IP addresses on the Serial interfaces of R1 and R3 as illustrated in the topology.
Task 3:
Enable local (buffered) logging on R3. Set the buffer logging level to informational, which captures messages of severity 6 (informational) together with every more severe level.
Task 4:
Configure an extended named ACL on R3 to permit all Telnet and ICMP traffic types. This ACL should log when Telnet or ICMP traffic matches it. Configure this ACL with the name MyACL and apply it inbound on R3 Serial0/0.
Task 5:
Clear the logs on R3 using the clear log command. Ping R3 from R1 and check the log on R3 with the show log command. If you have configured the ACL correctly, you will have a log message about the ACL line permitting ICMP traffic to R3. Telnet to R3 from R1 and check the log on R3 with the show log command. If you have configured the ACL correctly, you will have a log message about the ACL line permitting Telnet traffic to R3.
Configuration and Verification
Task 1:
For reference information on configuring hostnames, please refer to earlier labs.
Task 2:
For reference information on configuring DCE clocking, please refer to earlier labs.
Task 3:
R3#conf t
Enter configuration commands, one per line. End with CTRL/Z.
R3(config)#logging on
R3(config)#logging buffered informational
R3(config)#end
R3#
NOTE: Logging is enabled by default, but it is good practice to enable it explicitly with the logging on command so that the configuration is correct even if someone issued no logging on earlier. When logging messages to the buffer on the router, the options available are as follows:
R3#conf t
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CTRL/Z.
R3(config)#logging buffered ?
<0-7> Logging severity level
<4096-2147483647> Logging buffer size
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
xml Enable logging in XML to XML logging buffer
<cr>
If you specify a severity of 5 (notifications), the router or switch logs all messages at that level and at every more severe (numerically lower) level; in other words, the device logs levels 0 through 5 inclusive. The ACL match messages checked in Task 5 carry severity 6 (%SEC-6-...), which is why this lab sets the informational level. To see debugging output, you must set a severity of 7. When logging debugging messages, ensure that there is enough buffer space for them: use the logging buffered <4096-2147483647> command to set the buffer size, and remember that the buffer is circular, so the oldest messages are overwritten once it fills.
Task 4:
R3#conf t
Enter configuration commands, one per line. End with CTRL/Z.
R3(config)#ip access-list extended MyACL
R3(config-ext-nacl)#permit tcp any any eq telnet log
R3(config-ext-nacl)#permit icmp any any log
R3(config-ext-nacl)#exit
R3(config)#int s0/0
R3(config-if)#ip access-group MyACL in
R3(config-if)#end
R3#show ip access-lists
Extended IP access list MyACL
10 permit tcp any any eq telnet log
20 permit icmp any any log
Task 5:
For information on how to ping or telnet from Cisco routers, please see the earlier labs. Ensure that Telnet access (vty lines with a password) is enabled on R3. Two points are worth knowing before you read the log. First, the implicit deny at the end of MyACL drops everything other than Telnet and ICMP arriving on Serial0/0 (including any routing protocol you enable later), and the implicit deny never logs; add an explicit deny ip any any log entry if you want dropped packets recorded. Second, ACL logging is rate-limited: the first matching packet is reported immediately, and further matches are only counted and summarized at the log-update interval (five minutes by default). That is why each message ends in a packet count and why the show log header can report rate-limited messages.
R3#clear log
Clear logging buffer [confirm]
R3#
R3#show log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled
Buffer logging: level informational, 6 messages logged, xml disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 35 message lines logged
Log Buffer (4096 bytes):
*Mar 1 01:29:00.370: %SEC-6-IPACCESSLOGDP: list MyACL permitted icmp 172.16.1.1 -> 172.16.1.2 (0/0), 1 packet
*Mar 1 01:29:54.771: %SEC-6-IPACCESSLOGP: list MyACL permitted tcp 172.16.1.1(17218) -> 172.16.1.2(23), 1 packet
*Mar 1 01:30:16.751: %SEC-6-IPACCESSLOGDP: list MyACL permitted icmp 172.16.1.1 -> 172.16.1.2 (8/0), 1 packet
*Mar 1 01:30:23.186: %SEC-6-IPACCESSLOGP: list MyACL permitted tcp 172.16.1.1(604
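The buffer above is the raw record a syslog collector receives from R3. As an added example that is not part of the original lab, the following Python script parses the %SEC-6-IPACCESSLOGP (TCP/UDP, with ports), %SEC-6-IPACCESSLOGDP (ICMP, with type/code) and %SEC-6-IPACCESSLOGNP (other protocols) message formats out of a show logging dump or a syslog feed and totals the packet counts per ACL, action and service. The sample input is constructed: the three complete ACL lines are copied from the R3 buffer above, while the header line, the final "denied" line (which assumes a deny ip any any log entry has been added to MyACL) and the log-input variant with an interface name and MAC address are made up to exercise the parser.

```python
"""Parse Cisco IOS ACL-logging messages (%SEC-6-IPACCESSLOGP / IPACCESSLOGDP /
IPACCESSLOGNP) out of 'show logging' or syslog text and summarize the matches."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample. The first three ACL lines are the complete entries from the R3
# buffer in the lab; the header line and the last "denied" line are made up (a denied
# line only appears if the ACL carries an explicit "deny ip any any log" entry, because
# the implicit deny at the end of every ACL never logs).
SAMPLE_SHOW_LOG = """\
Buffer logging: level informational, 6 messages logged, xml disabled
Log Buffer (4096 bytes):
*Mar 1 01:29:00.370: %SEC-6-IPACCESSLOGDP: list MyACL permitted icmp 172.16.1.1 -> 172.16.1.2 (0/0), 1 packet
*Mar 1 01:29:54.771: %SEC-6-IPACCESSLOGP: list MyACL permitted tcp 172.16.1.1(17218) -> 172.16.1.2(23), 1 packet
*Mar 1 01:30:16.751: %SEC-6-IPACCESSLOGDP: list MyACL permitted icmp 172.16.1.1 -> 172.16.1.2 (8/0), 1 packet
*Mar 1 01:35:16.751: %SEC-6-IPACCESSLOGP: list MyACL denied tcp 172.16.1.1(17301) -> 172.16.1.2(22), 3 packets
"""

# Common prefix: optional IOS timestamp, then %FACILITY-SEVERITY-MNEMONIC: list <acl> <action> <rest>
HEADER = re.compile(
    r"^(?:\*?\S+\s+\d+\s+[\d:.]*\d:\s+)?"                     # e.g. "*Mar 1 01:29:54.771: "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>IPACCESSLOG[A-Z]*):\s+"
    r"list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+(?P<rest>.+)$"
)
IFACE = r"(?:\s\([^)]*\))?"   # "log-input" entries add "(<interface> <mac>)" after the source
TCP_UDP = re.compile(          # IPACCESSLOGP: src(sport) -> dst(dport)
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+)\((?P<sport>\d+)\)" + IFACE +
    r"\s+->\s+(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?$")
ICMP = re.compile(             # IPACCESSLOGDP: src -> dst (type/code)
    r"^icmp\s+(?P<src>[\d.]+)" + IFACE +
    r"\s+->\s+(?P<dst>[\d.]+)\s+\((?P<itype>\d+)/(?P<icode>\d+)\),\s+(?P<count>\d+)\s+packets?$")
OTHER = re.compile(            # IPACCESSLOGNP: protocols without ports (ip, gre, a protocol number)
    r"^(?P<proto>\S+)\s+(?P<src>[\d.]+)" + IFACE +
    r"\s+->\s+(?P<dst>[\d.]+),\s+(?P<count>\d+)\s+packets?$")


@dataclass(frozen=True)
class AclLogEntry:
    mnemonic: str
    severity: int
    acl: str
    action: str                 # "permitted" or "denied"
    proto: str
    src: str
    dst: str
    count: int                  # packets summarized in this one message
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def service(self) -> str:
        """Destination port, or ICMP type/code, as a short label for grouping."""
        if self.dport is not None:
            return str(self.dport)
        if self.icmp_type is not None:
            return f"{self.icmp_type}/{self.icmp_code}"
        return "-"


def parse_line(line: str) -> Optional[AclLogEntry]:
    """Return an AclLogEntry for an IPACCESSLOG* message, or None for any other line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    common = dict(mnemonic=m.group("mnem"), severity=int(m.group("sev")),
                  acl=m.group("acl"), action=m.group("action"))
    if (b := TCP_UDP.match(rest)):
        return AclLogEntry(proto=b["proto"], src=b["src"], dst=b["dst"], count=int(b["count"]),
                           sport=int(b["sport"]), dport=int(b["dport"]), **common)
    if (b := ICMP.match(rest)):
        return AclLogEntry(proto="icmp", src=b["src"], dst=b["dst"], count=int(b["count"]),
                           icmp_type=int(b["itype"]), icmp_code=int(b["icode"]), **common)
    if (b := OTHER.match(rest)):
        return AclLogEntry(proto=b["proto"], src=b["src"], dst=b["dst"], count=int(b["count"]), **common)
    return None


def parse_log(text: str) -> List[AclLogEntry]:
    """Parse every ACL-logging message in a dump; header and unrelated lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def summarize(entries: List[AclLogEntry]) -> Dict[Tuple[str, str, str, str], int]:
    """Total packets per (acl, action, proto, service). Because IOS rate-limits ACL logging,
    each message already carries a count, so the totals must add counts, not messages."""
    totals: Dict[Tuple[str, str, str, str], int] = {}
    for e in entries:
        key = (e.acl, e.action, e.proto, e.service())
        totals[key] = totals.get(key, 0) + e.count
    return totals


def denied_sources(entries: List[AclLogEntry]) -> Dict[str, int]:
    """Denied packets per source address: the first view to check when a logging deny entry is a tripwire."""
    out: Dict[str, int] = {}
    for e in entries:
        if e.action == "denied":
            out[e.src] = out.get(e.src, 0) + e.count
    return out


if __name__ == "__main__":
    found = parse_log(SAMPLE_SHOW_LOG)
    for key, n in sorted(summarize(found).items()):
        print(f"{key[0]} {key[1]:9} {key[2]:4} {key[3]:>6}: {n} packet(s)")
    print("denied by source:", denied_sources(found))
```

Feed it the output of show logging on the router, or the lines a syslog server stores after logging host and logging trap informational are configured; the timestamp prefix is optional, so lines with or without service timestamps parse the same way.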
Source: CCNA LAB39: Configuring and Applying Extended Named ACLs Inbound
Source: CCNA LAB40: Configuring and Applying Extended Numbered ACLs
Source: CCNA LAB41: Restricting Inbound Telnet Access Using Extended ACLs
Source: CCNA LAB42: Debugging Network Traffic Using Extended ACLs
Source: CCNA LAB43: ACL Sequence Numbers