ACL Deny Entries Without log Keyword — Can't Identify Blocked Traffic

Presenting Symptom

Network engineer observes that traffic is being blocked by an ACL but cannot identify which specific deny entry is dropping the traffic because the deny entries lack the 'log' keyword.

Network Context

A small branch office with a Cisco 4321 ISR running IOS XE 16.9 connects the LAN (192.168.1.0/24) to the WAN. An extended ACL is applied inbound on the WAN interface to filter traffic. The ACL has multiple deny entries, but none include the 'log' keyword, making it impossible to see which deny entry is matching and dropping traffic.

Diagnostic Steps

1. Check the ACL configuration and its application

show running-config | include access-list|access-group|GigabitEthernet0/0/0
access-list 100 deny tcp any any eq telnet
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
interface GigabitEthernet0/0/0
 ip access-group 100 in

The ACL is applied inbound on the WAN interface. Note that deny entries do not have the 'log' keyword. Without 'log', the router will not generate log messages when traffic matches a deny entry.

2. Check ACL hit counts to see which entries are matching

show access-list 100
Extended IP access list 100
    10 deny tcp any any eq telnet (12 matches)
    20 deny tcp any any eq 22 (5 matches)
    30 permit ip any any (1000 matches)

The hit counts show that deny entries are matching traffic, but without the 'log' keyword, the router does not log the source/destination of the dropped packets. The engineer can see that entries are being hit but cannot identify the specific traffic being blocked.

3. Enable logging on the deny entries to identify blocked traffic

configure terminal
ip access-list extended 100
 no 10
 10 deny tcp any any eq telnet log
 no 20
 20 deny tcp any any eq 22 log
 exit
No immediate output; configuration is applied.

Each entry is removed and re-entered with the same sequence number, because an existing sequence number cannot simply be overwritten with a new entry. Between the 'no' command and the re-entry, traffic to that port briefly falls through to the 'permit ip any any' entry, so enter each pair back to back. Adding the 'log' keyword to a deny entry causes the router to generate a syslog message when a packet matches that entry, including source and destination IP addresses and ports. The first match is logged immediately; later matches on the same flow are reported in a periodic summary (every five minutes by default), so the number of log lines is lower than the number of matched packets.

4. Monitor log messages to identify the blocked traffic

show log | include %SEC-6-IPACCESSLOGP
%SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(49152) -> 192.168.1.100(23), 1 packet
%SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.2(49153) -> 192.168.1.101(22), 1 packet

The log messages now show the source and destination IP addresses and ports of the blocked traffic. This allows the engineer to identify which specific traffic is being denied and determine if it is legitimate or malicious.
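Once 'log' is in place, these messages are what a central syslog server collects. As an added example (not part of the original scenario), this Python snippet parses %SEC-6-IPACCESSLOGP lines and totals denied packets per flow, counting both the immediate first-match message and the later "N packets" summary; the sample lines are constructed.

```python
import re
from collections import Counter

# Matches the %SEC-6-IPACCESSLOGP message body (TCP/UDP ACL log). Any
# timestamp or sequence prefix written by "show logging" or a syslog server
# is skipped by using search(). "1 packet" is the first-match message;
# the periodic summary for the same flow reads "N packets".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(line):
    """Return a dict for one IPACCESSLOGP line, or None for any other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "count"):
        rec[k] = int(rec[k])
    return rec

def summarize_denies(lines):
    """Total denied packets per (acl, src, dst, proto, dport), summing the
    first-match message and every later summary message for the same flow."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            key = (rec["acl"], rec["src"], rec["dst"], rec["proto"], rec["dport"])
            totals[key] += rec["count"]
    return totals

# Constructed sample: the two lines from step 4 with router timestamps, an
# unrelated message that must be ignored, and a later summary for flow one.
SAMPLE = """\
*Mar  1 00:12:05.123: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(49152) -> 192.168.1.100(23), 1 packet
*Mar  1 00:12:06.001: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.2(49153) -> 192.168.1.101(22), 1 packet
*Mar  1 00:13:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up
*Mar  1 00:17:05.200: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(49152) -> 192.168.1.100(23), 41 packets
""".splitlines()

if __name__ == "__main__":
    for (acl, src, dst, proto, dport), n in summarize_denies(SAMPLE).most_common():
        print(f"list {acl}: {src} -> {dst} {proto}/{dport}: {n} packets denied")
```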

Root Cause

The ACL deny entries were configured without the 'log' keyword. By default, Cisco IOS does not log matches on deny entries unless the 'log' keyword is explicitly added. This prevents the network engineer from identifying the source and destination of blocked traffic, making troubleshooting difficult.

Resolution

Add the 'log' keyword to each deny entry in the ACL.

Commands:

configure terminal
ip access-list extended 100
 no 10
 10 deny tcp any any eq telnet log
 no 20
 20 deny tcp any any eq 22 log
end

Explanation: The 'log' keyword enables logging for that specific ACE. When a packet matches, the router generates a syslog message with details about the packet. This helps in identifying blocked traffic without affecting the ACL's filtering behavior.

Verification

After applying the fix, verify that log messages appear for denied traffic.

Command:

show log | include %SEC-6-IPACCESSLOGP

Expected output:

%SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(49152) -> 192.168.1.100(23), 1 packet
%SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.2(49153) -> 192.168.1.101(22), 1 packet

Also verify that hit counts still increment: 'show access-list 100' should show increased match counts.

Prevention

1. Always include the 'log' keyword on deny entries in ACLs to enable logging of denied traffic for troubleshooting and security monitoring.

2. Use a centralized logging server (syslog) to collect and analyze ACL log messages.

3. Regularly review ACL hit counts and logs to identify unusual traffic patterns or misconfigurations.
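An added example, not from the original page: a Python check that scans an IOS configuration for deny entries missing 'log' (or 'log-input'), in both numbered and named ACL syntax, so the gap in this scenario is caught before it hampers troubleshooting. The sample configuration is constructed and the ACL name WAN-IN is hypothetical.

```python
import re

# One ACE in either ACL syntax; a trailing "log" or "log-input" counts as logged.
NUMBERED_RE = re.compile(r"^access-list (?P<acl>\d+) (?P<ace>(?:deny|permit) .+)$")
NAMED_HDR_RE = re.compile(r"^ip access-list (?:standard|extended) (?P<acl>\S+)$")
NAMED_ACE_RE = re.compile(r"^\s+(?:(?P<seq>\d+) )?(?P<ace>(?:deny|permit) .+)$")
LOG_RE = re.compile(r"\blog(?:-input)?\b")

def find_unlogged_denies(config_text):
    """Return (acl, ace) pairs for every deny entry that lacks log/log-input.
    Handles 'access-list N ...' lines and named/sequenced ACL blocks."""
    findings = []
    current = None  # name of the named-ACL block we are inside, if any
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if m := NUMBERED_RE.match(line):
            current = None
            acl, ace = m["acl"], m["ace"]
        elif m := NAMED_HDR_RE.match(line):
            current = m["acl"]
            continue
        elif current and (m := NAMED_ACE_RE.match(line)):
            acl, ace = current, m["ace"]
        else:
            if line and not line.startswith(" "):
                current = None  # any other top-level command ends the block
            continue
        if ace.startswith("deny") and not LOG_RE.search(ace):
            findings.append((acl, ace))
    return findings

# Constructed config: the scenario's ACL 100 without 'log', plus a named ACL
# (hypothetical name WAN-IN) where only the first deny has been fixed.
SAMPLE_CONFIG = """\
access-list 100 deny tcp any any eq telnet
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
ip access-list extended WAN-IN
 10 deny tcp any any eq telnet log-input
 20 deny tcp any any eq 22
 30 permit ip any any
interface GigabitEthernet0/0/0
 ip access-group 100 in
"""

if __name__ == "__main__":
    for acl, ace in find_unlogged_denies(SAMPLE_CONFIG):
        print(f"ACL {acl}: '{ace}' has no log keyword")
```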

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why ACL deny entries are not generating log messages. The exam tests knowledge of ACL configuration, the 'log' keyword, and how to interpret ACL hit counts and syslog messages. A CCNA candidate must know that the 'log' keyword is required for deny entries to generate log messages, and that 'show access-list' shows hit counts but not packet details.

Exam Tips

1. Remember that the 'log' keyword is optional on deny entries; without it, no syslog message is generated for denied packets.

2. The 'show access-list' command shows match counts but not the specific traffic details; use 'show log' to see logged denies.

3. On the exam, if a question asks why blocked traffic cannot be identified, the answer is often that the deny entries lack the 'log' keyword.

Commands Used in This Scenario

show running-config | include access-list
show access-list 100
ip access-list extended 100 (with sequence-numbered 'deny ... log' entries)
show log | include %SEC-6-IPACCESSLOGP
