ACL syslog correlation is a Cisco IOS feature which provides the ability to identify which access list entry (ACE) was responsible for a permit or deny action appearing in syslog.
Consider the following access list applied to filter externally-sourced traffic destined for the internal network:
When an inbound packet is matched and discard by rule 50, the following syslog message is generated:
Here we enable hash generation and add a few more ACEs to our ACL:
Consider the following access list applied to filter externally-sourced traffic destined for the internal network:
Router# show ip access-lists Extended IP access list EXTERNAL->INTERNAL 10 permit icmp any any echo-reply 20 permit udp any eq domain any 30 permit tcp any any established 40 permit tcp any host 172.16.0.202 eq www 50 deny tcp any any eq 22 log 999 deny ip any anyLines 10 through 40 allow miscellaneous traffic types in, and line 50 explicitly denies inbound traffic destined to TCP/22 for the purpose of logging. Line 60 defines an explicit "deny any"; this isn't required, but included here for clarity.
When an inbound packet is matched and discard by rule 50, the following syslog message is generated:
%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(57289) -> 10.0.0.1(22), 1 packetThis log message informs the administrator of the action taken and the ACL which matched the packet, but in some cases we may want more detail readily available. This is where ACL hash correlation comes in handy. We can redefine the ACL rule to include an arbitrary keyword, up to 64 characters in length:
Router(config)# ip access-list ext EXTERNAL->INTERNAL Router(config-ext-nacl)# 50 deny tcp any any eq 22 log Deny_SSH Router(config-ext-nacl)# ^Z Router# show ip access-lists Extended IP access list EXTERNAL->INTERNAL 10 permit icmp any any echo-reply 20 permit udp any eq domain any 30 permit tcp any any established 40 permit tcp any host 172.16.0.202 eq www 50 deny tcp any any eq 22 log (tag = Deny_SSH) 999 deny ip any anyNow when that rule discards a packet, its log message includes our tag:
%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(54843) ->
10.0.0.1(22), 1 packet [Deny_SSH]
These tags can be reused by multiple ACEs. Continuing our example, say we also want to deny traffic to SSH servers running on an alternate port, TCP/2222:Router(config)# ip access-list ext EXTERNAL->INTERNAL
Router(config-ext-nacl)# 60 deny tcp any any eq 2222 log Deny_SSH
Router(config-ext-nacl)# ^Z
Router# show ip access-lists
Extended IP access list EXTERNAL->INTERNAL
10 permit icmp any any echo-reply
20 permit udp any eq domain any
30 permit tcp any any established
40 permit tcp any host 172.16.0.202 eq www
50 deny tcp any any eq 22 log (1 match) (tag = Deny_SSH)
60 deny tcp any any eq 2222 log (tag = Deny_SSH)
999 deny ip any any
ACL logging tags are great for readily identifying ACE matches, particularly when you expect certain matches to occur, but manually defining a tag for each ACE isn't always practical. This is especially true when you want to maintain syslog correlation among hundreds or thousands of individual ACL rules. In such cases, automatically generated hashes would be the preferred option. Automatic hashing is enabled globally, and applied to any ACE with the log keyword with no argument following it.Here we enable hash generation and add a few more ACEs to our ACL:
Router(config)# ip access-list logging hash-generation Router(config)# ip access-list extended EXTERNAL->INTERNAL Router(config-ext-nacl)# 70 deny tcp any any eq 1000 log Router(config-ext-nacl)# 80 deny tcp any any eq 2000 log Router(config-ext-nacl)# 90 deny tcp any any eq 3000 log Router(config-ext-nacl)# ^Z Router# show ip access-lists Extended IP access list EXTERNAL->INTERNAL 10 permit icmp any any echo-reply 20 permit udp any eq domain any 30 permit tcp any any established 40 permit tcp any host 172.16.0.202 eq www 50 deny tcp any any eq 22 log (1 match) (tag = Deny_SSH) 60 deny tcp any any eq 2222 log (tag = Deny_SSH) 70 deny tcp any any eq 1000 log (hash = 0x594F8697) 80 deny tcp any any eq 2000 log (hash = 0xE471528C) 90 deny tcp any any eq 3000 log (hash = 0x34CC0DD6) 999 deny ip any anyAs expected, a trigger by any of the ACEs with a hash appended works just as it does with tags:
%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(21196) -> 10.0.0.1(1000), 1 packet [0x594F8697]While not immediately useful, a hash can be used to filter an ACL configuration and quickly identify the ACE responsible for an action:
Router# show ip access-lists EXTERNAL->INTERNAL | include 594F8697 70 deny tcp any any eq 1000 log (1 match) (hash = 0x594F8697)
Another thing worth talking about is using this in conjunction with configuration archives.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtrollbk.html