Cisco ACL logging with cookies

The cookie feature of logging in router access-lists is new to me, and I fell in love with it at first sight! I don't know how often I have debugged complex ACLs trying to find out which entry specific traffic hits. By adding a "cookie" after the log keyword in an ACE, you get that cookie tagged onto every log event generated by that entry. Look:


R5(config-ext-nacl)#deny ip any any log ?
WORD User defined cookie (max of 64 char)

Applied to an acl:


ip access-list extended acl_vlan1256
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
deny tcp any host 9.4.45.4 eq www time-range MAINT
permit tcp any host 9.4.45.4 eq www
deny tcp any eq bgp any log SOURCE-BGP
deny tcp any any eq bgp log DEST-BGP
deny udp any any eq ntp log BLOCKING_THAT_DAMN_NTP_THINGIE
deny ip any any log BLOCK-ALL

And the logging looks like this:


*Jan 14 22:25:59.246: %SEC-6-IPACCESSLOGP: list acl_vlan1256 denied tcp 9.9.156.9(25402) -> 9.9.156.5(179), 1 packet [DEST-BGP]
*Jan 14 22:26:23.586: %SEC-6-IPACCESSLOGP: list acl_vlan1256 denied tcp 9.9.156.9(18382) -> 9.9.156.5(23), 1 packet [BLOCK-ALL]
*Jan 14 22:26:28.438: %SEC-6-IPACCESSLOGP: list acl_vlan1256 denied tcp 9.9.156.9(179) -> 9.9.156.5(14918), 1 packet [SOURCE-BGP]
*Jan 14 22:26:33.267: %SEC-6-IPACCESSLOGP: list acl_vlan1256 denied tcp 9.9.156.9(26842) -> 9.9.156.5(179), 1 packet [DEST-BGP]

Cool!
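To make the cookie actually useful on the collector side, here is a small added example (my own code, not from the post or from Cisco) that parses %SEC-6-IPACCESSLOGP lines like the ones above, aggregates denied packets per cookie, and joins each cookie back to the ACE that produced it by reading the access-list configuration. The sample log is the four lines quoted above plus one constructed line without a cookie, to show that entries logged without one still parse; the regex field names and the "(no cookie)" bucket are my own choices.

```python
import re
from collections import Counter

# Constructed sample: the four IOS log lines from the post, plus one
# hypothetical line logged by an ACE that has no cookie.
SAMPLE_LOG = """\
*Jan 14 22:25:59.246: %SEC-6-IPACCESSLOGP: list acl_vlan1256 denied tcp 9.9.156.9(25402) -> 9.9.156.5(179), 1 packet [DEST-BGP]
*Jan 14 22:26:23.586: %SEC-6-IPACCESSLOGP: list acl_vlan1256 denied tcp 9.9.156.9(18382) -> 9.9.156.5(23), 1 packet [BLOCK-ALL]
*Jan 14 22:26:28.438: %SEC-6-IPACCESSLOGP: list acl_vlan1256 denied tcp 9.9.156.9(179) -> 9.9.156.5(14918), 1 packet [SOURCE-BGP]
*Jan 14 22:26:33.267: %SEC-6-IPACCESSLOGP: list acl_vlan1256 denied tcp 9.9.156.9(26842) -> 9.9.156.5(179), 1 packet [DEST-BGP]
*Jan 14 22:26:40.101: %SEC-6-IPACCESSLOGP: list acl_vlan1256 denied udp 9.9.156.9(123) -> 9.9.156.5(123), 3 packets
"""

# The access-list from the post, used to map cookies back to their ACE.
ACL_CONFIG = """\
ip access-list extended acl_vlan1256
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 deny tcp any host 9.4.45.4 eq www time-range MAINT
 permit tcp any host 9.4.45.4 eq www
 deny tcp any eq bgp any log SOURCE-BGP
 deny tcp any any eq bgp log DEST-BGP
 deny udp any any eq ntp log BLOCKING_THAT_DAMN_NTP_THINGIE
 deny ip any any log BLOCK-ALL
"""

# Ports in parentheses and the trailing [cookie] are both optional, so the
# same pattern covers entries logged with and without a cookie.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]+): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?, "
    r"(?P<count>\d+) packets?(?: \[(?P<cookie>[^\]]*)\])?"
)


def parse_acl_log_line(line):
    """Return a dict of the ACL log fields, or None if the line is not one."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarize_by_cookie(log_text):
    """Sum logged packets per cookie; events without one land in '(no cookie)'."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_acl_log_line(line)
        if rec is None:
            continue
        hits[rec["cookie"] or "(no cookie)"] += rec["count"]
    return hits


def cookies_from_acl(config_text):
    """Map each cookie to the ACE text that carries it (token after 'log')."""
    aces = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith(("permit ", "deny ")):
            continue
        tokens = line.split()
        if "log" in tokens:
            i = tokens.index("log")
            if i + 1 < len(tokens):
                aces[tokens[i + 1]] = line
    return aces


def explain_hits(log_text, config_text):
    """Join the per-cookie counts to the ACE that generated them."""
    aces = cookies_from_acl(config_text)
    return {
        cookie: (count, aces.get(cookie, "<unknown ACE>"))
        for cookie, count in summarize_by_cookie(log_text).items()
    }


if __name__ == "__main__":
    for cookie, (count, ace) in sorted(explain_hits(SAMPLE_LOG, ACL_CONFIG).items()):
        print(f"{cookie:<14} {count:>3} pkt  <- {ace}")
```

Because the cookie is copied verbatim into every event, a collector can key dashboards or alerts on it without re-parsing the ACL, which is exactly the debugging shortcut the post is excited about; the join above only exists to show which ACE a cookie stands for when you need that.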


To: Santa

Hi, dude!

Next Christmas I wish for the logging-cookie-feature-thing in ASA. Can I have it, please?

Regards Jimmy

Posted in Cisco Security
