The cool feature of access lists allow monitoring / logging ACL violations and it can be used to characterize traffic associated with network attacks, by logging the suspect traffic. By using the log keyword at the end of the acl you can do logging
Access-list 120 deny ip any any log
This option causes logging of the IP addresses and port numbers associated with packets matching an access list entry. Newer versions of IOS also provide the log-input keyword, which adds information about the interface from which the packet was received, and the MAC address of the host that sent it. Either option causes an informational logging message about the matching packet to be sent to the console (by default). The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
This logging mechanism may drop some messages if either too many messages or more than one message in 1 second need to be displayed. This prevents the router from crashing due to too many logging packets. Therefore, the logging facility cannot be treated as an accurate source of information in terms of number of matches to an access list.
A more accurate tracking tool is accounting on the interface:
ip accounting [access-violations] [output-packets]
To display IP access violations use the following command:
show ip accounting access-violations
which shows information about packets that failed access lists and were not routed.
