SmartSwitch Router User Reference Manual 273Chapter 19: Access Control List Configuration GuideEnabling ACL LoggingTo see whether incoming packets are permitted or denied because of an ACL, you canenable ACL logging. You can enable logging when applying the ACL or you can enablelogging for a specific ACL rule.The following commands define an ACL and apply the ACL to an interface, with loggingenabled for the ACL:When ACL logging is turned on, the router prints out a message on the console aboutwhether a packet is dropped or forwarded. If you have a Syslog server configured for theSSR, the same information will also be sent to the Syslog server.The following commands define an ACL and apply the ACL to an interface. In this case,logging is enabled for a specific ACL rule:For the above commands, the router prints out messages on the console only whenpackets that come from subnet 10.2.0.0/16 on interface ‘int1’ are dropped.Note that when logging is enabled on a per-rule basis, you do not need to specify thelogging on option when the ACL is applied to an interface. With per-rule logging enabled,only the logging off option has an effect when the ACL is applied; this option turns off allACL logging.Before enabling ACL logging, you should consider its impact on performance. With ACLlogging enabled, the router prints out a message at the console before the packet isactually forwarded or dropped. Even if the console is connected to the router at a highbaud rate, the delay caused by the console message is still significant. This can get worse ifthe console is connected at a low baud rate, for example, 1200 baud. Furthermore, if aSyslog server is configured, then a Syslog packet must also be sent to the Syslog server,creating additional delay. Therefore, you should consider the potential performanceimpact before turning on ACL logging.acl 101 deny ip 10.2.0.0/16 any any anyacl 101 permit ip any any any anyacl 101 apply interface int1 input logging onacl 101 deny ip 10.2.0.0/16 any any any logacl 101 permit ip any any any anyacl 101 apply interface int1 input