Acl logging, Configuration notes for acl logging – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 126
ACL logging
Brocade devices support ACL logging of inbound packets that are sent to the CPU for processing
(denied packets).
NOTE
ACL logging is not supported for outbound packets or any packets that are processed in hardware
(permitted packets).
You may want the software to log entries in the Syslog for packets that are denied by ACL filters. ACL
logging is disabled by default; it must be explicitly enabled on a port.
When you enable logging for ACL entries, statistics for packets that match the deny conditions of the
ACL entries are logged. For example, if you configure a standard ACL entry to deny all packets from
source address 10.157.22.26, statistics for packets that are explicitly denied by the ACL entry are
logged in the Syslog buffer and in SNMP traps sent by the Brocade device.
The first time an ACL entry denies a packet, the software immediately generates a Syslog entry and
an SNMP trap. The software also starts a five-minute timer. The timer keeps track of all packets
explicitly denied by the ACL entries. After five minutes, the software generates a single Syslog entry
for each ACL entry that denied a packet. The Syslog entry (message) indicates the number of packets
denied by the ACL entry during the previous five minutes. Note however, that packet count may be
inaccurate if the packet rate is high and exceeds the CPU processing rate.
If no ACL entries explicitly deny packets during an entire five-minute timer interval, the timer stops.
The timer restarts when an ACL entry explicitly denies a packet.
NOTE
The timer for logging packets denied by MAC address filters is a different timer than the ACL logging
timer.
Configuration notes for ACL logging
Note the following points before configuring ACL logging:
• ACL logging is supported for denied packets, which are sent to the CPU for logging. ACL logging is
not supported for permitted packets.
• ACL logging is not supported for dynamic ACLs with multi-device port authentication and 802.1X.
• Packets that are denied by ACL filters are logged in the Syslog based on a sample time-period.
• You can enable ACL logging on physical and virtual interfaces.
• When ACL logging is disabled, packets that match the ACL rule are forwarded or dropped in
hardware.
• ACL logging is supported on FCX and ICX devices for ACLs that are applied to network
management access features such as Telnet, SSH, and SNMP.
• When an ACL that includes an entry with a logging option is applied to a port that has logging
enabled, and then the same ACL is applied to another port on the same system, traffic on the latter
port is also logged, whether logging is explicitly enabled for that latter port or not.On the other hand,
when an ACL is applied to a port that has logging disabled, and then the same ACL is applied to
another port on the same system, traffic on the latter port is also not logged, whether logging is
explicitly enabled for that latter port or not.
ACL logging
126
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03